Consolidated Audit Program (CAP) A multi-compliance approach


Consolidated Audit Program (CAP): A multi-compliance approach. ISSA Conference. Carlos Pelaez, Director, Coalfire. May 14, 2015

About Coalfire
We help our clients recognize and control cybersecurity risk, maintain compliance with all major industry and government standards, and provide automated threat assessment solutions. Providing clients with:
Detailed risk assessment that outlines immediate threats and how to manage gaps in security operations
More experience, with the average consultant holding 4-5 IT certifications and over 10 years of industry expertise
Managed costs through the Consolidated Audit Program across PCI/HIPAA/FISMA/SOC/ISO and more

Agenda
Part One (11AM): Why are we talking about this? Compliance challenges. Consolidated Audit Program. Reducing cost and risk.
Part Two (3PM): UCF defined. UCF demo. Example work product. Questions.

PART ONE: Consolidated Audit Program (CAP) Explained

Why are we talking about this?
Are we secure? Board of Directors/Management asking questions
Technology outpacing compliance
Who do you work with? Dependence on 3rd parties
Service providers demand compliance evidence

Challenges for compliance teams
IT security and compliance budgets
o Need to do more with less
o Focus on risk
o Regulations and standards increasing in number and complexity
Subject matter expertise hard to find
o Need for control mapping comes in bursts
o Takes time to update controls when standards refresh
o What-if scenarios out of reach
Existing GRC tools do not offer enough functionality
o Need to focus on embedding controls in the organization's DNA
o Need to define clear ownership of controls
o Need to associate assets and build an inventory for cybersecurity

CONSOLIDATED AUDIT PROGRAM: Methodology Explained

CAP from the Customer Perspective
CAP is an abstract concept
CAP is not governed by any regulation, standard, or governance body
CAP is often what a customer wants, but cannot articulate
CAP seems intuitive

Example 1: "Surely there must be a better way to get all the audits done"
Michelle has worked in compliance for over 10 years. She started her career at a global accounting firm and is most comfortable with Sarbanes-Oxley. As head of compliance for a Fortune 500 company, she now oversees all areas including PCI, Healthcare, and SOC. Her financial acumen and audit experience tell her that there must be a way to trim some costs and make it easier for her to manage the teams of compliance staff across the US, which total 10 in her department. She reports to the VP of Internal Audit, and he has asked her to be smart about the budget, but also to make sure she is thinking of new ideas to make the process easier.

Example 2: "Working through the compliance hoops is tough, so we are starting with PCI"
Jack started his career managing the network and computer systems for a large university. With the boom of the internet, he was able to take a key job for Y2K in the MIS department of a Fortune 500 company. After a recent restructure, he was moved into the compliance area with a focus on IT security. PCI is his key area of interest for the national retailer he works with, and he is gathering bids. Later in the year, he wants to do Healthcare and ISO. He wants to know that he is secure. In his view, his team is not technical enough, but they do their best.

CAP Methodology (cycle diagram, from start to end): Governance -> Map Controls -> Align Examination Windows -> Identify Audit Overlaps -> Sequence Audits -> Governance

Governance
What to do:
Don't go straight to the market
Identify who signs off on each compliance report
Consider the impact of failing a Common Control
Centralize a Point of Contact
Select one compliance domain to be the anchor
Consider using Internal Audit as an internal orchestration mechanism
What will the escalation process be?
Map out the objectives and communicate these early on in the process

Understand What is in Scope
Fully understand the domains in scope
Each domain has a source. Source = Authority Document
E.g. PCI comes from the PCI Council, which puts out the Data Security Standard (the latest version is PCI DSS 3.0)
E.g. Healthcare comes from Congress, which puts out 3 laws: HIPAA, HIPAA Electronic Health Record Technology, and the HITECH title within the American Recovery and Reinvestment Act of 2009; the Code of Federal Regulations Title 45 Part 164; and 2 National Institute of Standards and Technology documents (800-53 revision 4 and 800-66). All of these combine for 6 Authority Documents.

Mapping Controls
The process for control mapping:
Mapping requires determining whether the control is applicable or not
This process can take between 40-120 hours
Consider Top Down versus Bottom Up mapping
Mapping identifies the business units' responsibilities
Note that some domains are more prescriptive than others
Mapping creates heightened awareness of where the controls originate
Allocate at least 3 months to complete this task

Aligning the Examination Windows
What can affect the examination window:
Some audits cover a period of time, others a point in time
Filing dates could restrict when the audit is performed
Evidence goes stale after ~3 months
Some domains won't correspond with other domains; expect duplicated LOE (level of effort)
Credentials for auditing each area can impact the efficiency

Identifying Audit Overlaps & Sequencing Audits
The process for identifying audit overlaps / sequencing audits:
Understand dependency with 3rd parties
With data in hand, begin the audit planning process
Sequence the audits and send the schedule in advance
Ensure data provided during the audit can be stored centrally and shared
Conduct a Post Mortem analysis after each audit
Continuously update and improve

CONSOLIDATED AUDIT PROGRAM: Benefits and Building a Business Case

Reduce Cost
Streamline the audit to orchestrate efficiencies
o Know precisely the # of controls
o Build a budget estimate: Hours per control * # of controls = Total Cost
Optimize your time and reduce audit exhaustion
o Rule of thumb: every 1 audit creates 5 hours of internal work for the client
o Minimize audit season from year round to a 1-2 month window
o Stop testing controls that do not mitigate sufficient risk
o Eliminate the need to refresh controls using a manual process (30-90 hours)
Empower the business to stay focused on its core mission
Organize the process and avoid wasteful spending

Why it isn't just about reducing fees (budget breakdown diagram)
30% of Budget: Charter Call, RFI, Audit Plan, Assign Staff, Evaluate Risk, Orchestrate Audit
40% of Budget: Interview staff, Collect Samples, Control Mapping, Onsite Testing, Rely on common controls
30% of Budget: Exit Meeting, Deliverable, QA Work, Share common report
Control overlap diagram: Domain 1, 2, 3 and 4 Unique Controls surrounding a set of Common Controls

Order Matters
Determining which type to perform first:
ISO cannot rely on other types and cannot share information
Double overlap audits may happen when you introduce ISO
PCI requires a QSA to test controls
HIPAA and SOC can rely on other controls (can usually go last)
Federal will have its own idiosyncrasies
Examination windows and sample sizes can vary between domains

CAP as a Solution
Why CAP is beneficial:
Save the client time (x people * hours per audit * # of audits)
Reduce audit exhaustion
Use a framework that updates quarterly, like the UCF
Track higher risk controls more closely (common controls)
Focus on improving the audit process:
o Coordination up front
o Orchestrating an efficient audit
o Socialize findings and help them through each step
o One auditor to hold accountable
Showcase our expertise in each area and why it makes us unique

Challenges for Service Providers w/ PCI
New technology changes the compliance landscape
New and oftentimes conflicting requirements between standards: PCI DSS 3.0 Service Providers; PCI DSS 3.0 Self Assessment Questionnaire (SAQ) A/B/C/D; PCI DSS 3.1 ROC (NEW)
Virtualization and cloud services
Mobile devices and new methods of payment
PCI 3.1 introduces additional responsibility with these controls:
o 8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
o 12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
o 12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Challenges for Service Providers w/ Federal
New and oftentimes conflicting requirements between standards
NIST SP 800-53 Revision 3 to Revision 4 transition
o Relocated, removed and consolidated controls: which to follow?
Addition of draft baseline for FedRAMP High Impact system level
o Uplift from Agency-required controls under FISMA to FedRAMP
Continuous monitoring impacts?
o Weekly, monthly updates instead of the traditional quarterly updates
Use of VMware, and other cloud solutions, changes architecture

Challenges for healthcare compliance
New technology changes the compliance landscape
o Wearable devices
o Wireless devices in the room
o Digital records available for download
o Mobile apps taking on more healthcare functionality
New and oftentimes conflicting standards
o HIPAA and/or HITRUST
o Overlap with other domains?
o Merging frameworks in the works
o Use of VMware, and other cloud solutions, changes architecture

Customizing a solution to meet your needs
The path to completeness and accuracy begins with controls
o How many controls does HIPAA introduce?
o How much overlap do you have with other domains?
The UCF tool has identified 28 regulatory standards under Healthcare and Life Sciences. CFS narrows this to 170 HIPAA controls.

Questions?

PART TWO: Unified Compliance Framework (UCF) Definition and Demo

Unified Compliance Framework (UCF)
UCF was developed to answer the following questions:
Can the organization's existing controls be used for attestation under multiple regulatory initiatives?
Which regulatory initiatives overlap with others?
Which regulatory initiatives fill the gaps left by others?

Unified Compliance Framework (UCF)
Coalfire is using the UCF as the CAP control library
30,000+ overlapping citations from 900+ regulations, standards and guides across 38 countries
Includes mapping of over 5,000 IT control statements
Coalfire has a corporate developer license @ $250 per domain license
Authority Documents (AD)
o Updated within 3 months of issuance
o Contains all historical instances & deprecated records
o Coalfire has mapped these to Coalfire audit plans
Citations
o Broken out into the smallest control level
o Language from the AD included with traceable reference
o 1 citation is mapped to many controls (1:*)
Controls
o Normalizes control based on UCF control language
o Identifies common controls
o Grouped by AD with industry label, i.e. Healthcare, PCI

Understand the compliance food chain
The UCF is a legal framework
Every control must be mapped to the source document
There is no tool -- just an Excel spreadsheet and SQL scripts
Every analysis is a manual process; scoping alone takes 2-3 hours
Every organization is different
The process enables you to jump-start the process:
o Confirm all of the domains
o Easily add or remove domains
o Understand the context for the controls

DEMO: The Science of Compliance

Example: PCI 3.0 and SOC 2 Overlap
PCI 3.0 and AT101 (AICPA standard used by SOC 2)
o How many controls overlap?
o What's the incremental cost?
o SOC 2
o Cloud Security Alliance (CSA) framework
o Depends on which of the 5 Trust Service Principles (TSP): Common Criteria / Security, Availability, Confidentiality, Information Processing, Privacy
SOC 2 and PCI 3.0 overlap (pie chart):
Common Controls: 36 (8%)
SOC 2 Unique: 147 (34%)
PCI 3.0 Unique: 257 (58%)
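As an added illustration (not Coalfire's or the UCF's code), the following Python models the library structure described in Part Two, where an Authority Document's citations each map to one or more normalized controls (1:*), and derives from it the common/unique split shown in the PCI 3.0 / SOC 2 chart above and the "hours per control * # of controls" budget estimate from the Reduce Cost slide. The control IDs, citation references and hour figures are constructed for the example; with the counts from the chart (36 common, 147 SOC 2 unique, 257 PCI unique) the same percentage function yields 8%, 34% and 58%.

```python
# Added example, not the project's code. Models a UCF-style control library:
# citations (from an Authority Document, labelled by domain) map to one or
# more normalized control IDs, so the same control can be cited by several
# domains. From that we derive common vs. unique controls and a budget estimate.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Citation:
    domain: str      # industry label of the Authority Document, e.g. "PCI"
    reference: str   # traceable reference into the AD (constructed values below)
    controls: tuple  # normalized control IDs this citation maps to (1:*)


# Constructed sample library: two domains, a handful of citations each.
LIBRARY = [
    Citation("PCI",  "PCI 3.0 8.1",    ("CTRL-0001", "CTRL-0002")),
    Citation("PCI",  "PCI 3.0 8.5.1",  ("CTRL-0003",)),
    Citation("PCI",  "PCI 3.0 10.2",   ("CTRL-0004", "CTRL-0005")),
    Citation("PCI",  "PCI 3.0 12.8.5", ("CTRL-0006",)),
    Citation("SOC2", "CC6.1",          ("CTRL-0001", "CTRL-0007")),
    Citation("SOC2", "CC7.2",          ("CTRL-0005",)),
    Citation("SOC2", "A1.2",           ("CTRL-0008", "CTRL-0009")),
]


def controls_by_domain(library):
    """Group normalized control IDs by domain: {domain: set(control_id)}."""
    grouped = defaultdict(set)
    for cit in library:
        grouped[cit.domain].update(cit.controls)
    return grouped


def overlap(library, dom_a, dom_b):
    """Common vs. unique controls for two domains, with share of the combined total."""
    by_dom = controls_by_domain(library)
    a, b = by_dom[dom_a], by_dom[dom_b]
    common = a & b
    total = len(a | b)

    def pct(n):
        return round(100 * n / total) if total else 0

    return {
        "common": (len(common), pct(len(common))),
        f"{dom_a}_unique": (len(a - b), pct(len(a - b))),
        f"{dom_b}_unique": (len(b - a), pct(len(b - a))),
        "common_ids": sorted(common),  # the controls to track most closely
    }


def budget_hours(library, domains, hours_per_control, test_common_once=True):
    """Hours per control * # of controls; a common control is counted once when shared."""
    by_dom = controls_by_domain(library)
    if test_common_once:
        n = len(set().union(*(by_dom[d] for d in domains)))
    else:  # each domain audited in isolation re-tests the common controls
        n = sum(len(by_dom[d]) for d in domains)
    return n * hours_per_control
```

The difference between the two `budget_hours` modes is the saving the CAP argument rests on: the common controls are tested once and the evidence is shared across domains.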

Reduce Risk
The UCF tool provides a common control ID and language
o Easier to identify control overlaps
o Highlight the common controls and emphasize dependency
o External auditor can leverage the same language tool (no cross walking)
The UCF reference of the citation lets you:
o Trace the control with legal language
o Allow control owners to understand the story
UCF metadata includes:
o Control Owner
o Association of a control with an asset
o Ability to enter audit procedures
Focus on embedding the controls into the organization, not mapping

WALKTHROUGH: Sample Work Product

Carlos Peláez, Director, Coalfire. 877.224.8077 ext. 7079. Carlos.Pelaez@coalfire.com. www.coalfire.com
Craig Isaacs, CEO, Unified Compliance. 510.962.5192. cisaacs@unifiedcompliance.com. www.unifiedcompliance.com

Coalfire Whitepapers:
Whitepaper - FedRAMP and FISMA: Controls and Authorization Differences
VMware VCE Product Applicability Guide for Compliance with HIPAA
VMware FedRAMP Architecture Design Guide
VMware PCI 3.0 Architecture Design Guide
Other Interesting Links:
Largest Data Breaches
Federal Cybersecurity Breaches Mount Despite Increased Spending
ISO: Trust and confidence in cloud privacy
HITRUST-AICPA Advisory Panel & Working Group
SANS Healthcare Cyberthreat Report