Quality Programs for Regulatory Compliance

Transcription

1 Quality Programs for Regulatory Compliance Roy Garris, IconATG Regulatory Compliance Practice Manager (866) Version 1.00

2 Application Vulnerabilities Put Your Business At Risk Application Security Facts More than 41 million credit and debit card records from only 9 brand name stores were hacked between 2003 and More than 313,000 people filed complaints of identity theft to the FTC in Every lost record costs $138 USD to the organization who lost it. Significant level of breaches come from the company s own employees Up to 90% of public facing websites are vulnerable to attack 3 of the top 10 threats to enterprise security are insider related Insider driven fraud costs US enterprises over $600 billion annually Page - 2

3 Data Breaches and Protected Information What is a data breach? All data breaches follow the same general approach Achieving any two of these steps constitutes a data breach Data breaches may be electronic or physical Data Breaches in 2008: 63% involved physical access 37% cyber-only What is Protected Information? Anything defined as such by Industry Standard (HIPAA, PCI-DSS, GLBA, etc.) and Federal and State Law We have identified at least 1,400 separate state regulatory requirements for Protected Information (PI) We have identified 56+ data types defined as PI Page - 3

4 IconATG Regulatory Compliance Quality Program Analyze Remediate Operate Report Centralize & Secure Federal, State, & Industry Regulations Identify Reduce & Eliminate Monitor Applications Master Regulatory Requirements Analyze and Centralize Regulatory Compliance Requirements Protected Information Server Trace and secure Protected Information (PI) Monitor Networks Protect against data breaches Page - 4

5 Key Elements of a Compliance Quality Program Prevent Data Breaches Protect against internet-based hacking Define and implement policies for physical and virtual access Qualify for Safe Harbor Provisions to reduce liability Identify and Secure Protected Information Produce evidence of compliance Provide Accountability, Traceability and Auditability Ensure requirements are demonstrably tested Being Cost Effective Leverage Automation Page - 5

6 The Who, What, When, Where, and Why of Compliance Accountability Focuses on who Who requested a change, who approved the change, and who made the change Traceability Focuses on what (Systems / Code) and why (Requirements) A connection from a compliance requirement to its realization in code Manages changing compliance requirements Auditability Focuses on when and where Producing the evidence to demonstrate you did the job the way you were supposed to do Addresses non-it (operations) related compliance requirements Track an instance of protected information through all systems and processes Page - 6

7 Compliance Accountability, Traceability, and Auditability Traceability Auditability System System Requirements Requirements Compliance Compliance Policy Policy Compliance Compliance Requirements Requirements Protected Protected Information Information Paper Forms Change Request System n System System 1 Vault Approval Development Operations User Interface Code Accountability Server Database Tape Backup Compliance Tests Page - 7

8 Automation Features are Essential to a Cost-Effective Compliance Quality Program Repository I have organized my compliance requirements into a single repository I have created systems requirements for all applications based on the compliance requirements Workflow (Configuration and Change Management) Show what build is in production and trace changes to the developer and code QA / Test I have written test cases for all systems requirements and can trace the test cases back to the compliance requirements I have automated my test cases to regression test compliance Network and Application Monitoring I am proactively monitoring for vulnerability to common hacking strategies Page - 8

9 Compliance Effort and Automation Levels % Identify 95.00% 90.00% Reduce and Eliminate 85.00% 80.00% 75.00% 70.00% 65.00% 60.00% Centralize and Secure 55.00% 50.00% Effort to Comply Per Business Workflow 45.00% 40.00% 35.00% 30.00% 25.00% 20.00% 15.00% 10.00% 5.00% 0.00% Manual compliance Compliance Repository Automated Workflow Lifecycle Compliance Tools Page - 9

10 Key Questions Your Compliance Quality Program Must Address How do you demonstrate your compliance? Can I prove which build I have in production? What are my policies about incidental copies of protected information? Are there "debug log files" in my production systems that may expose PI? Would I have to go on a "safari" through my data to find evidence of compliance? Do you know what data is protected by federal, state, and industry regulations? How many states protect SSN, tribal identification cards, DNA profiles, and zip codes? Which states have requirements that exceed PCI-DSS requirements for protecting card holder data? What is my exposure to a data breach at one of my third party vendors? What things are critical to know about my current regulatory compliance programs? Do they specifically address the fact that 63% of data breaches happen outside of IT? How do my business processes and IT processes manage changing compliance requirements? Can I trace from a change in legislation or compliance standard directly to my affected systems? Why is automation essential to manage cost? Can I afford the impact of purely manual compliance and assessment processes? Can I track PI through all of my systems and processes in the event of a data breach? What metrics and reports demonstrate compliance? Page - 10

11 Next Steps to Improve Your Compliance Quality Program Contact IconATG for: Compliance Presentation to your Team Schedule IconATG s unique presentations live via webinar or in-person for your team, and we will address your unique situation and answer specific questions regarding compliance best practices and tools. Free AppScan Demo Schedule 1.5 hour remote demo highlights the power of AppScan and its value to Development, QA, Security and Compliance groups to help protect against hackers and data breaches. Free PCI-DSS 1.2 Self Assessment Review A Senior IconATG consultant provides recommendations on your compliance requirements in a 1 hour phone discussion, with a focus on the PCI-DSS 1.2 self assessment ( Free Rational Quality Manager Proof of Technology (POT) Attend or send your team to this one day, hands-on event which will provide the deep education on RQM and how its capabilities can be leveraged to support your QA and Test processes. Page - 11

12 Contact IconATG (636) or (866) (toll-free) Page - 12