Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA By Kishor Vaswani, CEO - ControlCase

Uploaded by kimberly-simon, 13-Apr-2017



Page 2: Continual Compliance Monitoring

Agenda

• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA

• Components for Continual Compliance Monitoring within IT Standards/Regulations

• Recurrence Frequency and Calendar

• Challenges in Continual Compliance Monitoring

• Q&A


Page 3: Continual Compliance Monitoring

About PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA

Page 4: Continual Compliance Monitoring

What is PCI DSS?

Payment Card Industry Data Security Standard:

• Requirements for securely processing, storing, or transmitting payment card account data

• Established by the major payment card brands

• Maintained by the PCI Security Standards Council (PCI SSC)

Page 5: Continual Compliance Monitoring

What is HIPAA?

• HIPAA is the acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. HIPAA does the following:
  › Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  › Reduces health care fraud and abuse;
  › Mandates industry-wide standards for health care information on electronic billing and other processes; and
  › Requires the protection and confidential handling of protected health information

Page 6: Continual Compliance Monitoring

What is FERC/NERC?

• Federal Energy Regulatory Commission (FERC)
  › The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.

• North American Electric Reliability Corporation (NERC)
  › The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.

• Critical Infrastructure Protection (CIP) Standards
  › NERC's cyber security standards for the bulk electric system, developed by NERC, approved by FERC, and mandatory for registered entities

Page 7: Continual Compliance Monitoring

What is EI3PA?

Experian Independent Third Party Assessment (EI3PA), Experian's security audit requirements:

• Experian is one of the three major consumer credit bureaus in the United States

• Requirements for securely processing, storing, or transmitting Experian-provided data

• Established by Experian to protect the consumer data/credit history data it provides

Page 8: Continual Compliance Monitoring

What is ISO 27001/ISO 27002?

ISO standards:

• ISO 27001 is the management framework (an information security management system, ISMS) for implementing information security within an organization, and the standard an organization is certified against

• ISO 27002 is the code of practice that details the controls from an implementation perspective

Page 9: Continual Compliance Monitoring

What is FISMA?

• Federal Information Security Management Act (FISMA) of 2002, amended by the Federal Information Security Modernization Act of 2014
  › Requires federal agencies to implement a mandatory set of processes, security controls and information security governance; the controls come from NIST SP 800-53, which is why the FISMA column in the coverage tables below cites identifiers such as AC-1 and RA-5

• FISMA objectives:
  › Align security protections with risk and impact
  › Establish accountability and performance measures
  › Empower executives to make informed risk decisions

Page 10: Continual Compliance Monitoring

Components of Continual Compliance Monitoring

Page 11: Continual Compliance Monitoring

Continuous Monitoring

• Test once, comply to multiple regulations

• Mapping of controls

• Automated data collection

• Self-assessment data collection

• Executive dashboards

Page 12: Continual Compliance Monitoring

Continual Compliance Monitoring Domains

• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Log Management
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security

Page 13: Continual Compliance Monitoring

Policy Management

• Appropriate update of policies and procedures
• Link/mapping to controls and standards
• Communication, training and attestation
• Monitoring of compliance to corporate policies

Reg/Standard   Coverage area
ISO 27001      A.5
PCI            12
EI3PA          12
HIPAA          164.308(a)(1)(i)
FISMA          AC-1
FERC/NERC      CIP-003-6

Page 14: Continual Compliance Monitoring

Vendor/Third Party Management

• Management of third parties/vendors
• Self-attestation by third parties/vendors
• Remediation tracking

Reg/Standard   Coverage area
ISO 27001      A.6, A.10
PCI            12
EI3PA          12
HIPAA          164.308(b)(1)
FISMA          PS-3
FERC/NERC      Multiple requirements

Page 15: Continual Compliance Monitoring

Asset and Vulnerability Management

• Asset list
• Management of vulnerabilities and their dispositions
• Training for development and support staff
• Management reporting of unmitigated vulnerabilities
• Linkage to non-compliance

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            6, 11
EI3PA          10, 11
HIPAA          164.308(a)(8)
FISMA          RA-5
FERC/NERC      CIP-010

Page 16: Continual Compliance Monitoring

Logging Management

• Logging
• File integrity monitoring (FIM)
• 24x7 monitoring
• Managing volumes of data

Reg/Standard   Coverage area
ISO 27001      A.10
PCI            10
EI3PA          10, 11
HIPAA          164.308(a)(1)(ii)(D)
FISMA          SI-4

Page 17: Continual Compliance Monitoring

Change Management and Monitoring

Inputs:
• Change management ticketing system
• Logging and monitoring (SIEM/FIM etc.)

Process:
• Correlation of logs/alerts to change requests
• Response/resolution process for expected logs/alerts
• Escalation to incident for unexpected logs/alerts

Reg/Standard   Coverage area
ISO 27001      A.10
PCI            1, 6, 10
EI3PA          1, 9, 10
FISMA          SA-3
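The correlation step on this slide and the FIM/24x7 monitoring on the previous one come down to one rule: an alert is "expected" only when an approved change ticket covers the same host, the same path and the moment of the alert; everything else is an incident. The program below is an added example, not code from the deck or from ControlCase, that implements that rule in Go. The ticket and alert records, host names, paths and change windows are constructed sample data, and the matching policy (same host, path under the ticket's approved prefix, timestamp inside the window) is one reasonable choice, not the only one.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Alert is one FIM/SIEM event: the host, the file or object that changed, and when.
type Alert struct {
	ID   string
	Host string
	Path string
	At   time.Time
}

// Change is an approved ticket from the change management system.
type Change struct {
	Ticket      string
	Host        string
	PathPrefix  string // the only path the change is allowed to touch
	WindowStart time.Time
	WindowEnd   time.Time
}

// Disposition is the result of correlating one alert against the change calendar.
type Disposition struct {
	Alert    Alert
	Expected bool   // an approved change covers the alert
	Ticket   string // the covering ticket, empty when none
	Action   string // "close against ticket" or "escalate to incident"
}

// covers reports whether ticket c explains alert a: same host, path under the prefix, inside the window.
func covers(c Change, a Alert) bool {
	if c.Host != a.Host || !strings.HasPrefix(a.Path, c.PathPrefix) {
		return false
	}
	return !a.At.Before(c.WindowStart) && !a.At.After(c.WindowEnd)
}

// Correlate matches every alert against the approved changes; uncovered alerts are escalated.
func Correlate(alerts []Alert, changes []Change) []Disposition {
	out := make([]Disposition, 0, len(alerts))
	for _, a := range alerts {
		d := Disposition{Alert: a, Action: "escalate to incident"}
		for _, c := range changes {
			if covers(c, a) {
				d.Expected, d.Ticket, d.Action = true, c.Ticket, "close against ticket"
				break
			}
		}
		out = append(out, d)
	}
	return out
}

// Unexpected filters the dispositions down to those that need an incident ticket.
func Unexpected(ds []Disposition) []Disposition {
	var out []Disposition
	for _, d := range ds {
		if !d.Expected {
			out = append(out, d)
		}
	}
	return out
}

// ts parses an RFC 3339 literal; only used for the fixed sample data below, so the error is ignored.
func ts(s string) time.Time {
	t, _ := time.Parse(time.RFC3339, s)
	return t
}

// SampleChanges and SampleAlerts are constructed data, not real tickets or logs.
func SampleChanges() []Change {
	return []Change{
		{"CHG-1042", "fw-01", "/etc/iptables/", ts("2017-04-10T02:00:00Z"), ts("2017-04-10T04:00:00Z")},
		{"CHG-1043", "app-01", "/opt/app/", ts("2017-04-11T01:00:00Z"), ts("2017-04-11T03:00:00Z")},
	}
}

func SampleAlerts() []Alert {
	return []Alert{
		{"A1", "fw-01", "/etc/iptables/rules.v4", ts("2017-04-10T02:35:00Z")},   // inside the CHG-1042 window
		{"A2", "fw-01", "/etc/iptables/rules.v4", ts("2017-04-10T23:10:00Z")},   // same file, no approved window
		{"A3", "app-01", "/opt/app/lib/payment.jar", ts("2017-04-11T01:40:00Z")}, // inside the CHG-1043 window
		{"A4", "app-01", "/etc/passwd", ts("2017-04-11T01:45:00Z")},             // in a window, outside its path
	}
}

func main() {
	for _, d := range Correlate(SampleAlerts(), SampleChanges()) {
		fmt.Printf("%s %s %s -> %s %s\n", d.Alert.ID, d.Alert.Host, d.Alert.Path, d.Action, d.Ticket)
	}
}
```

A4 is the case worth noticing: it falls inside an approved window on the right host, yet it still escalates because the ticket only authorised changes under /opt/app/. Matching on time alone would have closed it as expected.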

Page 18: Continual Compliance Monitoring

Incident and Problem Management

Process: Monitoring → Detection → Reporting → Responding → Approving

Examples:
• Lost laptop
• Changes to firewall rulesets
• Upgrades to applications
• Intrusion alerting

Reg/Standard   Coverage area
ISO 27001      A.13
PCI            12
EI3PA          12
HIPAA          164.308(a)(6)(i)
FISMA          IR series
FERC/NERC      CIP-008

Page 19: Continual Compliance Monitoring

Data Management

• Identification of data
• Classification of data
• Protection of data
• Monitoring of data

Reg/Standard   Coverage area
ISO 27001      A.7
PCI            3, 4
EI3PA          3, 4
HIPAA          164.310(d)(2)(iv)
FERC/NERC      CIP-011

Page 20: Continual Compliance Monitoring

Risk Management

• Input of key criteria
• Numeric algorithms to compute risk
• Output of risk dashboards

Reg/Standard   Coverage area
ISO 27001      A.6
PCI            12
EI3PA          12
HIPAA          164.308(a)(1)(ii)(B)
FISMA          RA-3

Page 21: Continual Compliance Monitoring

Business Continuity Management

• Business continuity planning
• Disaster recovery
• BCP/DR testing
• Remote site/hot site

Reg/Standard   Coverage area
ISO 27001      A.14
PCI            Not applicable
EI3PA          Not applicable
HIPAA          164.308(a)(7)(i)
FISMA          CP series
FERC/NERC      CIP-009

Page 22: Continual Compliance Monitoring

HR Management

• Training
• Background screening
• Reference checks

Reg/Standard   Coverage area
ISO 27001      A.8
PCI            12
EI3PA          12
HIPAA          164.308(a)(3)(i)
FISMA          AT-2
FERC/NERC      CIP-004

Page 23: Continual Compliance Monitoring

Physical Security

• Badges
• Visitor access
• CCTV
• Biometrics

Reg/Standard   Coverage area
ISO 27001      A.11
PCI            9
EI3PA          9
HIPAA          164.310
FISMA          PE series
FERC/NERC      CIP-006

Page 24: Continual Compliance Monitoring

Recurrence Frequency and Calendar

Page 25: Continual Compliance Monitoring

Daily Monitoring Domains

• Asset and Vulnerability Management
  › New assets
  › New vulnerabilities

• Log Management
  › Response time window

• Change Management
  › Impact in case of an error
  › Unknown and insecure applications

• Incident and Problem Management
  › Root cause of systemic problems
  › Response to operational and security incidents
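Page 15 defines the asset and vulnerability management domain (asset list, vulnerability dispositions, management reporting of anything unmitigated, linkage to non-compliance) and this slide puts it on the daily cycle. The program below is an added example, not code from the deck or from ControlCase, that runs that daily pass in Go: it diffs a scanner export against the asset list, ages every unmitigated finding against a per-severity SLA, and tags the result with the requirement it puts at risk. The scan rows, host names and finding IDs are constructed data; the SLA table is an assumed internal policy whose 30-day critical window follows the PCI DSS 6.2 one-month patching requirement; and the link from unknown assets to PCI DSS 2.4 (maintain an inventory of in-scope system components) is an addition to the slide's mapping of this domain to requirements 6 and 11.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Finding is one row of a vulnerability-scanner export.
type Finding struct {
	Asset     string
	ID        string
	Severity  string // critical, high, medium, low
	FirstSeen time.Time
	Mitigated bool
}

// RemediationSLA is an assumed internal policy: days allowed to mitigate a finding, by severity.
// The 30-day critical window follows PCI DSS 6.2 (critical patches within one month);
// the other values are this example's own choice.
var RemediationSLA = map[string]int{"critical": 30, "high": 30, "medium": 90, "low": 180}

// Report is the daily management output: hosts that appeared in the scan but are missing
// from the asset list, and unmitigated findings that have outlived their SLA.
type Report struct {
	NewAssets []string
	Overdue   []Finding
}

// DailyReport compares today's scan against the asset list and the SLA table.
func DailyReport(inventory map[string]bool, findings []Finding, now time.Time) Report {
	var r Report
	seen := map[string]bool{}
	for _, f := range findings {
		if !inventory[f.Asset] && !seen[f.Asset] {
			r.NewAssets = append(r.NewAssets, f.Asset)
			seen[f.Asset] = true
		}
		if f.Mitigated {
			continue
		}
		days, known := RemediationSLA[f.Severity]
		if !known {
			days = 0 // an unrecognised severity is overdue at once, so that it gets triaged
		}
		if now.Sub(f.FirstSeen) > time.Duration(days)*24*time.Hour {
			r.Overdue = append(r.Overdue, f)
		}
	}
	sort.Strings(r.NewAssets)
	return r
}

// Noncompliance links the report to PCI DSS: an overdue critical finding breaches the 6.2
// one-month patching window; an unknown host breaches 2.4, the in-scope inventory.
func Noncompliance(r Report) []string {
	var out []string
	for _, f := range r.Overdue {
		if f.Severity == "critical" {
			out = append(out, "PCI DSS 6.2: "+f.Asset+" "+f.ID+" unpatched beyond one month")
		}
	}
	for _, a := range r.NewAssets {
		out = append(out, "PCI DSS 2.4: "+a+" not in the in-scope asset inventory")
	}
	return out
}

// SampleScan is constructed data, not a real asset list or scanner export.
func SampleScan() (map[string]bool, []Finding, time.Time) {
	now := time.Date(2017, 4, 13, 0, 0, 0, 0, time.UTC)
	inv := map[string]bool{"web-01": true, "db-01": true}
	findings := []Finding{
		{"web-01", "FINDING-1", "critical", now.AddDate(0, 0, -45), false}, // 45 days old: past the 30-day SLA
		{"web-01", "FINDING-2", "high", now.AddDate(0, 0, -10), false},     // 10 days old: inside the SLA
		{"db-01", "FINDING-3", "medium", now.AddDate(0, 0, -100), true},    // mitigated: ignored
		{"app-07", "FINDING-4", "low", now.AddDate(0, 0, -5), false},       // host missing from the asset list
	}
	return inv, findings, now
}

func main() {
	inv, findings, now := SampleScan()
	r := DailyReport(inv, findings, now)
	fmt.Println("new assets:", r.NewAssets)
	for _, f := range r.Overdue {
		fmt.Printf("overdue: %s %s %s since %s\n", f.Asset, f.ID, f.Severity, f.FirstSeen.Format("2006-01-02"))
	}
	fmt.Println(Noncompliance(r))
}
```

The point of the new-asset check is that a host the scanner can see but the inventory does not know about is, by definition, unassessed: it has no owner, no disposition history and no SLA clock, which is why it is reported before its findings are.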

Page 26: Continual Compliance Monitoring

Monthly/Quarterly Monitoring Domains

• Vendor/Third Party Management
  › Time taken by third parties to respond

• Data Management
  › Identification of unknown data

• HR Management
  › Time taken for training
  › Time taken for background checks

• Physical Security Management
  › Time taken to install new physical security components

Page 27: Continual Compliance Monitoring

Annual Monitoring Domains

• Policy Management
  › Annual policy reviews

• Risk Management
  › Enterprise-wide nature of the risk assessment

• BCP/DR Management
  › Time taken to conduct BCP/DR tests

Page 28: Continual Compliance Monitoring

Challenges in Continual Compliance Monitoring

Page 29: Continual Compliance Monitoring

Challenges

• Redundant efforts
• Cost inefficiencies
• Lack of a dashboard
• Remediating findings and closing out their dispositions
• Changes in the environment
• Reliance on third parties
• Increased regulation
• Reducing budgets (do more with less)

Page 30: Continual Compliance Monitoring

Integrated compliance

Sample questions from an integrated assessment questionnaire, each mapped to the references it satisfies. Columns: Question No. | Question | PCI DSS 2.0 Reference | PCI DSS 3.0 | ISO 27002:2013 | SOC2 | HIPAA | NIST 800-53. The SOC2 and NIST 800-53 columns are empty for the questions shown.

Question 37: Provide the data encryption policy explaining the encryption controls implemented for secure storage of cardholder data (e.g. encryption, truncation, masking), applicable to application, database and backup tapes.
  - Screenshots showing that full PAN data is encrypted with strong encryption while stored (database tables or files); the captured details should also show the encryption algorithm and key strength used
  - For backup tapes, a screenshot showing the encryption applied by the backup solution (algorithm and strength, e.g. AES 256-bit)
  Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
  PCI DSS 2.0: 3.4.a, 3.4.b, 3.4.c, 3.4.d | PCI DSS 3.0: 3.4 | ISO 27002:2013: 10.1.1, 18.1.5 | HIPAA: 164.312(a)(1)

Question 38: If disk encryption is used for cardholder data, is logical access to the encrypted file system separate from native operating system user access? (Provide evidence showing that logical access to the local operating system and to the encrypted file system use separate user authentication.)
  Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
  PCI DSS 2.0: 3.4.1.a | PCI DSS 3.0: 3.4.1 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)

Question 39: Provide evidence showing restricted access control for data encryption keys (DEK) and key encryption keys (KEK) at the key store.
  Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
  PCI DSS 2.0: 3.5 | PCI DSS 3.0: 3.5.2 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)

Question 40: Provide evidence showing the exact locations where encryption keys are stored (keys should be stored in the fewest possible locations).
  PCI DSS 3.0: 3.5.3 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)
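Questions 37 to 40 describe one control stack: PAN encrypted at rest with a documented algorithm and strength, a data encryption key (DEK) that is itself wrapped by a key encryption key (KEK), access to both keys restricted, and keys kept in the fewest possible locations. The program below is an added example, not code from the deck, the questionnaire or ControlCase, showing that envelope-encryption pattern in Go with AES-256-GCM from the standard library, plus first-six/last-four masking for displays. The KEK is generated in memory here purely so the example runs stand-alone; in a real deployment it would come from an HSM or KMS under the key custodian, which is what keeps it out of the database, the OS accounts and the backups. The card number 4111111111111111 is constructed input (a well-known test number).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// newKey returns a fresh random 32-byte (AES-256) key. The KEK comes from here only so the example
// runs stand-alone; in production it comes from an HSM/KMS held by the key custodian (assumption).
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// gcmFor builds an AES-GCM AEAD for key (AES-256 when the key is 32 bytes).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; the aad label stops a wrapped DEK being passed off as a PAN record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails on a wrong key, a wrong label, or any tampering.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoredPAN is what the database or backup holds: PAN ciphertext, the DEK wrapped under the KEK,
// and the evidence fields an assessor asks for. The KEK is never part of the record.
type StoredPAN struct {
	Ciphertext []byte
	WrappedDEK []byte
	Algorithm  string
	KeyBits    int
	Masked     string // first six / last four, for screens that do not need the full PAN
}

// MaskPAN shows at most the first six and last four digits (the PCI DSS 3.3 limit).
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// EncryptPAN is envelope encryption: a per-record DEK encrypts the PAN and the KEK wraps the DEK.
func EncryptPAN(kek []byte, pan string) (StoredPAN, error) {
	dek, err := newKey()
	if err != nil {
		return StoredPAN{}, err
	}
	ct, err := seal(dek, []byte(pan), []byte("pan"))
	if err != nil {
		return StoredPAN{}, err
	}
	wrapped, err := seal(kek, dek, []byte("dek"))
	return StoredPAN{ct, wrapped, "AES-256-GCM", 256, MaskPAN(pan)}, err
}

// DecryptPAN unwraps the DEK with the KEK and then recovers the PAN; only a process holding the KEK
// can do this, and a wrong KEK or an altered record fails the GCM tag check rather than yielding garbage.
func DecryptPAN(kek []byte, rec StoredPAN) (string, error) {
	dek, err := unseal(kek, rec.WrappedDEK, []byte("dek"))
	if err != nil {
		return "", err
	}
	pan, err := unseal(dek, rec.Ciphertext, []byte("pan"))
	return string(pan), err
}

func main() {
	kek, _ := newKey()
	rec, _ := EncryptPAN(kek, "4111111111111111") // constructed input: a well-known test card number
	fmt.Printf("%s %d-bit masked=%s ciphertext=%x...\n", rec.Algorithm, rec.KeyBits, rec.Masked, rec.Ciphertext[:8])
	fmt.Println(DecryptPAN(kek, rec))
}
```

The Algorithm and KeyBits fields are the "algorithm and strength" evidence question 37 asks for, written into the record rather than reconstructed later from a screenshot. Question 38's separation is enforced by where the KEK lives, not by the code: an OS administrator who can read the database sees only ciphertext and a wrapped DEK, and question 40 is satisfied because the KEK exists in exactly one place, with the custodian.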

Page 31: Continual Compliance Monitoring

Why Choose ControlCase?

• Global Reach

› Serving more than 400 clients in 40 countries and rapidly growing

• Certified Resources

› PCI DSS Qualified Security Assessor (QSA)

› QSA for Point-to-Point Encryption (QSA P2PE)

› Certified ASV vendor

› Certified ISO 27001 Assessment Department

› EI3PA Assessor

› HIPAA Assessor

› HITRUST Assessor

› SOC1, SOC2, SOC3 Assessor

› Shared Assessment Company


Page 32: Continual Compliance Monitoring

To Learn More About ControlCase

• Visit www.controlcase.com
• Email us at [email protected]

Page 33: Continual Compliance Monitoring

Thank You for Your Time