OneAudit™ - Assess Once, Certify to Many

ONE AUDIT™
ASSESS ONCE, COMPLY TO MANY.
YOUR IT COMPLIANCE PARTNER –
GO BEYOND THE CHECKLIST

ControlCase Introduction
Common Challenges
About the Regulations
Best Practices for Integrated Compliance
ControlCase Solution
AGENDA
© 2020 ControlCase. All Rights Reserved. 2
1
2
3
4
5

1 CONTROLCASE INTRODUCTION

ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
⁃ Do more with less resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden to
a trusted compliance partner
1,000+ 275+10,000+
CLIENTS IT SECURITY
CERTIFICATIONS
SECURITY
EXPERTS

Solution
“I’ve worked on both sides of
auditing. I have not seen any other
firm deliver the same product and
service with the same value. No
other firm provides that continuous
improvement and the level of detail
and responsiveness.
— Security and Compliance Manager,
Data Center
Certification and Continuous Compliance Services

Certification Services
“You have 27 seconds to make a first
impression. And after our initial
meeting, it became clear that they
were more interested in helping
our business and building a
relationship, not just getting the
business.
— Sr. Director, Information Risk & Compliance,
Large Merchant
ISO 27001
& 27002
SOC 1,2,3 & SOC
for Cybersecurity
HITRUST CSF
PCI P2PE GDPR NIST 800-53
PCI PIN PCI PA-DSS FedRAMP PCI 3DS
PCI DSS
HIPAA
One Audit™ - Assess Once, Comply to Many

ABOUT THE REGULATIONS2

What do the Regulations Mean?
Payment Card Industry Data Security Standard (PCI DSS)
Established by leading payment card issuers - Guidelines for securely
processing, storing, or transmitting payment card account data.
Health Insurance Portability and Accountability Act (HIPAA)
Passed by Congress in 1996 Mandates industry-wide standards for health care
information on electronic billing and other processes and requires the protection
and confidential handling of protected health information.
ISO 27001/ISO 27002 - ISO 27001
The management framework for implementing information security
within an organization. ISO 27002 are the detailed controls from an
implementation perspective.
PCI P2PE
Ensures data is encrypted at Point of Interaction (POI) at merchant end and can
only be decrypted by dedicated environment. Thus ensures point to point
encryption of payment card account data.
PA-DSS
Ensures payment applications support PCI DSS compliance.
PCI 3DS
Physical and logical requirements for entities that implement 3DS Payment
solution to secure card-not-present e-commerce purchases.
SOC 2
Created by the American Institute of Certified Public Accountants (AICPA) to fill the
gap for organizations that were being requested to have a SAS 70 (now SSAE 18).
The purpose of a SOC 2 report is to evaluate an organization’s information systems
relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

Common Regulations by Region / Industry
REGION INDUSTRY REGULATION
APAC Business Process Organizations (BPOs) HIPAA, PCI DSS, SOC2, ISO 27001
APAC Payments PCI DSS, PCI SSF, SOC2, ISO 27001, PCI 3DS
APAC Financial Services PCI DSS, PCI SSF, PCI PIN, PCI 3DS, PCI CP
AMERICAS Payments PCI DSS, PCI SSF, SOC2, ISO 27001, PCI 3DS
AMERICAS Cloud Service Providers PCI DSS, PCI SSF, SOC2, ISO 27001, HIPAA
AMERICAS Retail PCI DSS, PCI P2PE, SOC2, ISO 27001, HIPAA
AMERICAS Technology PCI DSS, PCI SSF, SOC2, ISO 27001, HIPAA
COLOMBIA Cloud Services Providers PCI DSS, PCI SSF, SOC2, ISO 27001, HIPAA
EUROPE Cloud Services Providers PCI DSS, PCI SSF, SOC2, ISO 27001

BEST PRACTICES FOR
INTEGRATED COMPLIANCE
3

Building Blocks – Integrated Compliance
Vendor / Third Party Management
Logging and Monitoring
Incident and Problem Management
Risk Management
HR Management
Compliance Project Management
Compliance Management
Asset and Vulnerability Management
Change Management
Data Management
Business Continuity Management
Physical Security
Policy Management

Compliance Management
Test once, comply to multiple regulations
Mapping of controls
Automated data collection
Self assessment data collection
Executive dashboards

Policy Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.5
PCI 12
HIPAA 164.308a1i
FISMA AC-1
FERC/NERC CIP-003-6
Appropriate update of policies and procedures
Link/Mapping to controls and standards
Communication, training and attestation
Cloud:
• No significant difference for cloud
implementation.

Vendor / Third Party Management
ISO 27001 A.6, A.10
PCI 12
HIPAA 164.308b1
FISMA PS-3
FERC/NERC Multiple Requirements
Management of third parties
Attestation/Audit of third parties
Remediation tracking
Cloud:
• Cloud environment such as AWS must be
considered a third party.
• Need to document “compliance matrix” of
requirements responsibility of the cloud provider.

Asset and Vulnerability Management
ISO 27001 A.7, A.12
PCI 6, 11
HIPAA 164.308a8
FISMA RA-5
FERC/NERC CIP-010
Asset list
Management of vulnerabilities and dispositions
Management reporting if unmitigated vulnerability
Linkage to non-compliance
Cloud:
• Vulnerability management of base infrastructure.
• Segregation of environments between
customers.

Logging and Monitoring
ISO 27001 A.7, A.12
PCI 6, 11
HIPAA 164.308a1iiD
FISMA SI-4
Logging
24X7 Monitoring
Cloud:
• Log management of base infrastructure.
• Correlation if cloud and internal logs.

Logging & Monitoring
(SIEM / FIM, etc.)
Change Management
ticketing System
Correlation of logs /
alerts to change
requests
Response / Resolution
process for expected
logs / alerts
Escalation to incident for
unexpected logs / alerts
Logging & Monitoring
(SIEM / FIM, etc.)
1 2 3 4 5
Change Management and Monitoring
ISO 27001 A.10
PCI 1, 6, 10
HIPAA 164.308a6i
FISMA SA-3

Incident and Problem Management
ISO 27001 A.13
PCI 12
HIPAA 164.308a6i
FISMA IR Series
Lost Laptop
Upgrades to
Applications
Changes to
Firewall Rulesets
Intrusion
Alerting
Monitoring
Detection
Reporting
Responding
Approving
Cloud:
• Coordination with third party.
• Inclusion of SLA’s within contracts of third parties.

Data Management
ISO 27001 A.7
PCI 3, 4
HIPAA 164.310d2iv
FERC / NERC CIP-011
Identification of data
Classification of data
Protection of data
Monitoring of data
Cloud:
• No significant reliance on third party for cloud
implementation.

Risk Management Rating
ISO 27001 A.6
PCI 12
HIPAA 164.308a1iiB
FISMA RA-3
Automated risk management
Feed from vulnerability management, DLP,
log management solutions etc.
Cloud:
• Need to get feeds (such as log feeds) from third
parties.
• Need to ensure architecture is such that risk can
be managed irrespective of third-party provider.

Business Continuity Management
ISO 27001 A.14
PCI Not Applicable
HIPAA 164.308a7i
FISMA CP Series
FERC / NERC CIP-009
Business Continuity Planning
Disaster Recovery
BCP / DR Testing
Cloud:
• Cloud provider could be “one of the options” for
failover as part of BCP / DR plan.
• Cloud provider must be a part of tabletop
exercises.

HR Management
ISO 27001 A.8
PCI 12
HIPAA 164.308a3i
FISMA AT-2
FERC / NERC CIP-004
Training
Background Screening
Reference Checks
Cloud:
• No significant impact.

ISO 27001 A.11
PCI 9
HIPAA 164.310
FISMA PE Series
FERC / NERC CIP-006
Badges
Visitor Access
CCTV
Biometric
Physical Security
Cloud:
• Typically responsibility of cloud provider in a
100% cloud enabled environment.

4 COMMON CHALLENGES

Common Challenges
Redundant Efforts
Lack of Compliance Dashboard
Change in Environment
Increased Regulations
Cost Inefficiencies
Fixing of Dispositions
Reliance on Third Parties
Reducing Budgets (Do more with less)

5 CONTROLCASE SOLUTION

Question.
No.
Topic Question ControlCase
Integrated
Standard
PCI DSS
3.2.1
ISO
27001
HIPAA SOC2
4 Scoping Provide your asset list, a list of the software, databases, data storage locations, Sample Sets and other related data elements. CC4 X X X X
28
Data
Encryption
at rest
Provide the following for all filesystems, databases and any backup media:
• Details on the method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage
• Evidence (screenshots or settings) showing covered information is protected. For encryption method, please share the evidence of it's
associated key management.
• Documented description of the cryptographic architecture that includes:
1. Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
2. The function of each key used in the cryptographic architecture.
3. Inventory of any HSMs and other secure cryptographic devices (SCD) used for key management (to be provided in inventory
as part of Q4).
CC37 X X X X
44
Logical
Access
Provide the organizational access control policy. CC63 X X X X
50
Logical
Access
For all assets identified in the sample provide evidence of logical access account and password features to include:
CC69 X X X X
67
Logging and
Monitoring
For the sample, provide the audit log policy settings. CC95 X X X 67
77
Security
Testing
Provide external penetration test reports for network and application layer. CC115 X X X 77
ControlCase Solution – One Audit™
- Account lockout policy
- Account lockout duration
- Session timeout policy
- Password length
- Password complexity
- Password history
- Password expiry
One Audit™ - Assess Once, Comply to Many

Compliance Evidence Overlap
Regulation(s) Completed Other Regulation status based on questions overlap
PCI SOC 2 ISO 27001 HIPAA
100% Complete 49.1% (84) Complete 67% (77) Complete 76.1% (54) Complete
50.9% (87) No Evidence Uploaded 33% (38) No Evidence Uploaded 23.9% (17) No Evidence Uploaded

Certification Technology Footprint
ACE
• Automated Compliance Engine
• Can collect evidence such as configurations remotely
CDD
• Data Discovery Solution
• Can scan end user workstations for card data
1 2

1,600 HRS. EVIDENCE COLLECTION* 600 HRS. CERTIFICATION SUPPORT*
350 HRS. EVIDENCE
COLLECTION*
600 HRS. CERTIFICATION SUPPORT*
2,200 hrs. total time
spent on compliance &
certification using
another auditor*
950 hrs. total time spent
on compliance &
certification by partnering
with ControlCase*
Compliance & Certification Time Savings
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, HIPAA).

Three Key Areas of Focus
CONTROLCASE SOLUTION
CONTINUOUS
An effective compliance program for
cyber security must provide a stream
of continuous, accurate information
about posture.
AUTOMATED
Continuous compliance requires an
automated platform that collects and
processes data in as close to real-time as
can be achieved.
INTEGRATED
The best compliance programs are
integrated into the systems being
measured, versus built as after-the-
fact overlays.

Summary – Why ControlCase
They provide excellent service,
expertise and technology. And,
the visibility into my compliance
throughout the year and during
the audit process provide a lot
of value to us.
— Dir. of Compliance,
SaaS company
“

6 QUESTIONS & ANSWERS

THANK YOU FOR THE
OPPORTUNITY TO CONTRIBUTE TO
YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
(US) + 1 703.483.6383 (INDIA) + 91.22.62210800
contact@controlcase.com

OneAudit™ - Assess Once, Certify to Many

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie OneAudit™ - Assess Once, Certify to Many

Ähnlich wie OneAudit™ - Assess Once, Certify to Many (20)

Mehr von ControlCase

Mehr von ControlCase (12)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

OneAudit™ - Assess Once, Certify to Many

Hinweis der Redaktion