Secrets for Successful Regulatory Compliance Projects

  1. INSIGHTS Presentation Series: Secrets for Successful Regulatory Compliance Projects
     • 12 PCI DSS requirements and risk assessment key considerations
     • AICPA SOC 1, SOC 2, SOC 3 and 5 Trust Principles explained
     • Initial adherence and ongoing compliance best practices
     RDX: Chris Foot | MegaplanIT: Michael Vitolo | Date: 9/21/2017 | Webinar Video Inside
  2. • Presenters
     • About RDX and MegaplanIT
     • Regulatory Standards Overview
     • AICPA SOC Assessment
     • PCI DSS Assessment
     • MegaplanIT PCI Assessment Approach
     • RDX Assessment Best Practices for Maintaining Compliance
     • Contact Us
  3. Presenters
     Michael Vitolo, PCI-QSA | PA-QSA | CISSP | CISM | CISA | CRISC | CGEIT | OSWP
     Managing Partner, MegaplanIT, LLC. Over 18 years working in the security industry, of which 12 in PCI DSS
     mikev@megaplanit.com | www.megaplanit.com
     Chris Foot, Vice President – Delivery Strategies and Technologies, Oracle ACE Alumni
     cfoot@rdx.com | www.rdx.com
  4. The Largest Pure Play Provider of Managed Data Infrastructure Services (20 years of service delivery experience)
     • Database Platforms: SQL Server, Oracle, PostgreSQL*, DB2, MongoDB*, MySQL*
     • Operating Systems: Unix/Linux*, Windows
     • Edge Technologies: SQL Server BI, Oracle EBS, SharePoint, Exchange
     • Environment: 450+ customers, 10,000 servers, 200+ DBAs, Fortune 100s to startups, all verticals
     • Cloud Systems: Amazon AWS/RDS, Oracle Cloud DB, DBPaaS, Microsoft Azure, IaaS (dozens), Hybrid Cloud
     * All distributions
  5. RDX Compliance Experience
     • Achieved first SOC 1 Type 2 in 2011
     • Achieved first SOC 2 Type 2 in 2016
     • Achieved first PCI Attestation in 2013
     • Engaged MegaplanIT in 2016 to provide QSA examination of our environment
     RDX is also required to adhere to hundreds of customer-specific security frameworks, best practices and individual controls
  6. About MegaplanIT, LLC
     MegaplanIT, LLC. is an information security and compliance firm specializing in over 30 high-level services designed to protect cardholder data and secure in-scope networks, systems, websites and applications, ensuring that your organization is both secure and compliant. MegaplanIT leverages over fifteen years of applied knowledge in the areas of Governance, Risk Mitigation, Information Security, Penetration Testing, Compliance, and Project Management to ensure your goals are consistently met in a timely and efficient manner.
  7. MegaplanIT Services
     COMPLIANCE SERVICES
     • PCI DSS Assessment
     • PA DSS Assessment
     • P2PE Assessment
     • HIPAA Security and Privacy Assessment
     • ISO 27001/27002 Risk Assessment
     • Shared AUP Assessment
     • NIST 800-171
     • NIST 800-53
     • NIST Cybersecurity
     • 3rd Party Risk Assessment
     • Policy and Procedure Development
     • Trusted Advisory and Remediation Assistance
     INFORMATION SECURITY SERVICES
     • Internal Penetration Testing
     • External Penetration Testing
     • Web and Application Penetration Testing
     • Mobile Penetration Testing
     • Social Engineering
     • Wireless Penetration Testing
     • Reverse Engineering
     • Internal and External Scanning
     • Approved Scanning Vendor (ASV)
     • Password Cracking
     • Security Architecture Review
     • Cloud Architecture Review
     • Managed Security Services
  8. Wide Range of Standards
     • PCI DSS - Payment Card Industry Data Security Standard
       - Information security standard for organizations that handle branded credit cards from the major card providers
     • PA DSS - Payment Application Data Security Standard
       - Data standard for payment applications, which include any software or hardware that stores, processes or transmits electronic credit card data
     • ISO 27000 - International Standards Organization
       - Internationally recognized set of standards that provide best practice recommendations on information security management
     • HIPAA/HITECH - Health Insurance Portability and Accountability Act
       - The Health Insurance Portability and Accountability Act (HIPAA) requires any organization that processes and/or maintains healthcare-related information to meet security standards in the handling of patient Protected Health Information (PHI)
     • NERC CIP - North American Electric Reliability Corporation
       - Establishes mandatory reliability standards, including the Critical Infrastructure Protection (CIP) plan. These standards aim to maintain and improve the efficiency of North America’s bulk power system while ensuring its continued security and reliability
  9. Wide Range of Standards
     • SSAE 16/18 - Statement on Standards for Attestation Engagements
       - Internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service
     • NIST - National Institute of Standards and Technology
       - A measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness
       - NIST SP 800-171 provides federal agencies with regulations for protecting the confidentiality of Controlled Unclassified Information (CUI) when the CUI resides in nonfederal information systems/organizations
       - NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems
       - The NIST Cybersecurity Framework was published in February 2014, following a collaborative process involving industry, academia, and government agencies, as directed by a presidential executive order. It is a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level
  10. Payment Card Industry Standards Council
     The PCI Security Standards Council is a global open body formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. It also provides critical tools needed for implementation of the standards, such as assessment and scanning qualifications, self-assessment questionnaires, training, and education and certification programs.
     Executive Committee
     • American Express
     • MasterCard
     • Discover
     • JCB International
     • Visa
     Board of Advisors*
     • Amazon
     • Citigroup
     • Cisco
     • Wal-Mart
     • Wells Fargo
     • Target
     • PayPal
     • Walt Disney
     • Exxon
     • Microsoft
     * Not an inclusive list
  11. What is a Qualified Security Assessor?
     Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA employees are individuals who are employed by a QSA company and have satisfied, and continue to satisfy, all QSA requirements. They:
     • Assist in the validation of their client's scope for the assessment
     • Verify all technical information given by the Merchant or Service Provider, including documentation and samples of controls
     • Are onsite for the duration of the assessment to conduct interviews
     • Adhere to the PCI DSS Requirements and Security Assessment Procedures
     • Select business facilities and system components where sampling is employed
     • Evaluate any compensating controls, which are required to be above and beyond the original requirement
     • Produce the final Report on Compliance and Attestation of Compliance
  12. Payment Card Industry Security Standards
     • PCI DSS is a set of industry standards, not a legal requirement
     • Standards are enforced by the major card brands who created the PCI Council
     • Financial penalties are levied by the card brands, not the PCI Council. They can be substantial
     • Each major card brand has its own unique set of PCI compliance objectives
     • Three types of standards:
       - PCI PTS - Manufacturers of PIN transaction security devices
       - PCI PA DSS – Payment application vendor software developers
       - PCI DSS – Merchants and service providers
       - PCI P2PE - Covers encryption, decryption, and key management requirements
     • Four defined levels:
       - Primarily based on card transaction volume
       - Other classification criteria may vary according to card brand
       - Levels determine security controls and processes required
  13. Roles and Responsibilities
     Payment brands’ compliance programs include:
     • Tracking and enforcement
     • Penalties, fees, compliance deadlines
     • Validation process and who needs to validate
     • Approval and posting of compliant entities
     • Definition of merchant and service provider levels
     Payment brands are also responsible for:
     • Defining rules for forensic investigations and responding to account data compromises
     • Monitoring and facilitating investigations of account data compromises to completion
  14. Roles and Responsibilities
     Responsibilities for Merchants and Service Providers:
     • Review and understand the PCI security standards
     • Understand the compliance validation and reporting requirements defined by the card brands with regard to the levels
     • Validate and report compliance to their acquirer or, as applicable, to a payment card brand, in addition to maintaining compliance on an ongoing basis
     • A PCI assessment reviews compliance at a point in time, but compliance must be maintained throughout the year, not just at the time of the assessment
     • Merchants and Service Providers should read communications from the card brands, acquirers, and the Council on an ongoing basis
  15. Non-Compliance Fines, Fees, and Risk
     A non-compliant, compromised business could expect:
     • Damage to their brand/reputation
     • Investigation costs
     • Remediation costs
     • Fines and fees
       - Non-compliance (each brand issues separate fines)
       - Re-issuance
       - Fraud loss
     • Ongoing compliance audits
     • Victim notification costs
     • Financial loss
     • Data loss
     • Chargebacks for fraudulent transactions
     • Operations disruption
     • Sensitive info disclosure
     • Denial of service to customers
     • Individual executives held liable
     • Possibility of business closure
  16. What is PCI DSS?
     A set of technical and operational requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of applications and devices used in those transactions.
     Individual Audit Control Objectives:
     Build and Maintain a Secure Network
     1. Install and maintain a firewall configuration to protect cardholder data
     2. Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
     3. Protect stored cardholder data
     4. Encrypt transmission of cardholder data across open, public networks
     Maintain a Vulnerability Management Program
     5. Use and regularly update anti-virus software or programs
     6. Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
     7. Restrict access to cardholder data by business need-to-know
     8. Assign a unique ID to each person with computer access
     9. Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
     10. Track and monitor all access to network resources and cardholder data
     11. Regularly test security systems and processes
     Maintain an Information Security Policy
     12. Maintain a policy that addresses information security for employees and contractors
     Source: https://www.pcisecuritystandards.org/
  17. PCI Compliance – Additional Information
     PCI Security Standards Council
     • PCI SSC Document Library
     • Robust set of documents that range from a glossary of terms to implementation and ongoing adherence best practices
     • Main document containing the requirements is titled “Requirements and Security Assessment Procedures”
     • Each control objective contains the requirement definition and description, testing procedure(s), and guidance
     MegaplanIT
     • The Beginner’s Guide to Understanding PCI Compliance
     • 5 Tips to Reduce Your PCI Compliance Scope
     • 10 Ways to Reduce PCI Compliance Costs
     • Taking PCI Compliance to the Next Level
     • Penetration Testing for PCI
  18. Why AICPA SOC?
     • De facto standard that organizations use to evaluate the quality and security of third-party service providers
     • The controlling organization is the AICPA, which has a strong reputation
     • The SOC guidelines allow providers to create a set of control objectives that are tailored to the services they perform. RDX provides a unique offering and wanted to be evaluated on the activities that were important to our customers, in addition to a standardized set of industry control objectives
     • AICPA SOC focuses on service delivery QUALITY and system SECURITY
     • The different levels allowed RDX to begin with a SOC 1 engagement and then move up to a SOC 2, which expands the scope of the audit and the depth of the examination processes
  19. What are AICPA SOC Reports?
     • SSAE stands for Statement on Standards for Attestation Engagements
     • Internal control reports that provide information to allow organizations to review, assess and address the risks of an outsourced service
     • Created by the American Institute of Certified Public Accountants’ Auditing Standards Board
     • The Statement on Standards establishes requirements and provides guidance on the entire engagement life-cycle:
       - Establishing overall objectives for SSAE audit engagements
       - Identifying subject matter and evaluation criteria to be included in the engagement
       - Measurement and examination procedures
       - Procedural best practices
       - Reporting standards
     AICPA Standards Evolution
     • SAS 70 – Issued in April 1992 by the AICPA. Provided guidance to CPAs reporting on a service organization’s controls relevant to user entities’ financial reporting. SAS 70 was architected to audit controls over financial reporting, not outsourced services
     • SSAE 16 – Issued in April 2010. Designed to allow practitioners to report on subject matter other than financial statements. SSAE 16 focuses on the examination of a service organization’s “system”. Further updates created the SOC 1, SOC 2 and SOC 3 reports to better tailor SSAE engagements to clients’ needs
     • SSAE 18 – Issued in May 2017. Enhances SSAE 16 SOC 1 by increasing focus on risk assessment/reporting and adding required controls to improve the audited entity’s monitoring of subservice organizations. Subservice organizations perform services that are relevant to the audited entity’s overall offering
  20. SOC 1 (SSAE 18) Reports
     Two SOC 1 Types:
     • Type 1 reports focus on the effectiveness of policies and procedures in place at a service organization at a specified point in time and (1) confirm that controls are actively in place, (2) measure the effectiveness of the controls and (3) assess how fairly the service organization's management has presented the controls to you
     • Type 2 reports cover policies and procedures currently in operation and test their effectiveness over a period of time. These reports include everything from the Type 1 report (examination and confirmation of controls in place) plus an analysis of the controls’ operating effectiveness over a specified period of at least six consecutive months. Type 2 reports are favored by many user organizations for their thoroughness
     When to choose SOC 1:
     • Seeking a cost-effective method of preparing for a service audit
     • Planning to perform an initial Type 2 service audit
     • Your service organization currently identifies control vulnerabilities using an internal reporting system
     • Your organization has not recently performed an audit (financial or regulatory) that included IT controls
  21. SOC 2 Reports
     • Outline the controls in place at your service organization and analyze the confidentiality, security, processing integrity and availability of information
     • Provide evidence for your customers and other stakeholders that effective controls are in place which meet worldwide security concerns
     • Intended for a wider range of audiences than SOC 1 reports, but are not available to the general public. Their availability is restricted to those who have a demonstrated need for the information contained therein, and these reports are often a component of regulatory oversight, vendor management programs, and internal corporate governance
     • SOC 2 engagements include the option of Type 1 and Type 2 reports, as described for SOC 1
     When to choose SOC 2:
     • You require third-party verification
     • Your organization operates a system that is critical to your customers
     • Your organization prefers a detailed audit report
     • Your organization's system does not affect your customers’ financial reports
     • Your organization desires that the audit be performed based on the five Trust Services Principles
  22. SOC 3 Reports
     • SOC 3 reports, also known as Trust Services Reports, are more general and are intended for a broader audience than the other reporting options. They’re designed for anyone interested in a CPA's opinion about the availability, security, and processing integrity of controls at a service organization. SOC 3 reports are often used for marketing purposes, distributed online, or posted on a service organization's website to prove that they have controls in place to manage risks associated with outsourcing services
     When to choose SOC 3:
     • Your organization's reputation relies on the ability to keep information secure, accurate, and private
     • Your organization operates a system that is critical to your customers
     • Your organization desires an independent review that allows you to display the SOC 3 seal on your website
     • Your organization employs more than ten people and/or exceeds $2 million in annual revenue
  23. RDX’s AICPA SOC and PCI Compliance Projects: Overall Goals
     • Improve Support Quality: RDX clients want us to improve the quality and security of their environments. We can only accomplish this by improving our environment FIRST
     • Strengthen Security: RDX customers have turned over the keys to their most sensitive database data stores to our organization. This is a significant responsibility
     • Competitive Advantage: RDX’s LOB is extremely competitive. Our competitors range from 2 guys in a garage to Fortune 100s. Certifications are key competitive differentiators
     • Reduce Costs: RDX chose partners that have strong experience and would provide us with best practices to streamline compliance. RDX is a learning organization
  24. RDX Compliance Project Hints and Tips
     • Create a project team that represents all areas of the business - from backend operations to front-line technical support teams
       - Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)
       - Assign an Audit Project Manager
       - Identify an Audit Project Champion
     • Encourage assigned personnel to self-educate. The team should have a strong knowledge of the process before contacting potential auditing firms
       - RDX created a robust documentation library for both PCI and AICPA SOC during the initial stages
       - RDX collected information from the PCI Security Standards Council, the AICPA, and well-known, reputable auditing and compliance firm websites
     • Keep management informed throughout the entire engagement life-cycle
       - All compliance projects will incur engagement costs, potential hardware and software purchases, labor costs required to remediate gaps identified in the initial analysis, and labor hours required to collect and present evidence to the auditing firm
       - RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process
     • Assign owners to all compliance activities
       - Subject areas evaluated during the audit (network, HR, security, front line support, back office OPs)
       - Evidence gathering and collection
       - Ongoing monitoring to identify new anomalies and outliers
  25. RDX Compliance Project Hints and Tips
     • One of the most critical meetings with your auditing firm will be to:
       - Perform a final review of the control objectives
       - Agree upon how the evidence will be collected
       - Agree upon how the evidence will be reported
       - Agree upon the criteria used to determine if the evidence results in a pass/fail
       - Establish audit period start and examination dates
       - Establish communication procedures for when business changes occur that impact the audit
     • Build a strong partnership with your auditing firm(s)
       - Understand their role in the process
       - Their goal is to help you improve your service delivery environment
       - Part of that process will be to identify gaps during the initial analysis
       - They will also identify exceptions during their audit examinations and report these findings. They aren’t being adversarial; they’re just doing what you pay them to do
     • Understand that all audits are ongoing projects. In addition to the audit examinations, you will be required to:
       - Add, modify, and remove control objectives as your business processes evolve
       - Modify internal processes to address audit exceptions
       - Improve the quality of evidence collection and reporting
       - Automate processes, buy/build applications, and purchase toolsets and products to improve your ability to comply and reduce audit costs
       - Constantly monitor evidence to identify anomalies and outliers. Don’t get surprised during the examination
  26. RDX’s AICPA SOC Compliance Project
     • Project execution and best practices can be compared to most traditional internal initiatives. One difference was the substantial amount of investigation performed to better understand AICPA SOC requirements and select an auditing vendor
     • Identified stakeholders and a project champion, and assigned selected personnel as project managers and participants. All participants were assigned a very specific set of responsibilities
     • First activity was to collect SOC informational materials and best practices documents from reputable sources to educate team members
     • A traditional vendor evaluation methodology was used to select an auditing vendor. RDX created a robust set of evaluation metrics that were weighted by importance. Evaluation team members reviewed information provided by vendors and compiled a short list of competitors. RDX performed a more in-depth analysis of the surviving competitors and selected the winning vendor
     • RDX met with a cross-section of customers to determine the criteria they used to evaluate the quality of RDX’s support services. Common themes were identified, discussed with auditors, and used to create a set of audit control objectives that best reflect the key service quality indicators that measure RDX’s operating effectiveness
     • The audit control objectives included all activities related to physical and logical security controls, data privacy, organization and administration, vendor management, work request and ticket management, incident management, and monitoring installation and configuration
  27. RDX’s AICPA SOC Best Practices
     • Create a project team that represents all areas of the business - from backend operations to front-line technical support teams
       - Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)
       - Assign an Audit Project Manager
       - Identify an Audit Project Champion
     • Build a robust educational library. Materials should range from a glossary of terms and overviews to in-depth “how-to” documents and best practices
       - AICPA website
       - Auditing and compliance firm websites provide a wealth of information to draw from
     • Encourage your project team to self-educate. The team should have a strong knowledge of the audit controls and examination processes before contacting potential auditing firms
     • Keep management informed throughout the entire engagement life-cycle
       - All compliance projects will incur engagement costs, potential hardware and software purchases, labor costs required to remediate gaps identified in the initial analysis, and labor hours required to collect and present evidence to the auditing firm
       - RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process
  28. RDX’s AICPA SOC Best Practices
     • Select the appropriate firm to perform the audit
       - The firm should be a member of the AICPA
       - Have a strong track record with SOC audits
       - Experience in auditing organizations that are in, or close to, your line of business (LOB)
       - Check references
       - Name recognition is important. The more widely known your auditing firm is, the more credibility your SOC reports will have with potential customers
       - Easy to work with. Firm but fair
     • Work with your auditing firm to determine which SOC report best fits your needs
     • Create a set of control objectives that:
       - Allows customers to easily evaluate the quality and security of the services you provide
       - RDX solicited a cross-section of customers to discuss how they evaluated the quality of our services
       - Allows your organization to internally evaluate the quality and security of the services you provide. Selecting control objectives that you feel are important is critical. The goal of the process is to improve your environment (it isn’t just to create marketing spin)
     • Work with your auditing firm to evaluate your third-party applications and service providers to determine if your ability to deliver support to your customers is dependent upon their services. You may need to include them in your control objectives
       - Third-party applications your shop uses as well as service providers
       - Review your service providers’ SOC reports with your auditors
       - Agree upon what should be included
       - Meet with your service provider to discuss gaps
  29. SOC 2 Type 2 Benefits to RDX
     • Dedicated project that focuses on two subject areas that are critical to our business - service delivery quality and system security
     • Demonstrates to customers that RDX is being held to a rigorous industry standard
     • Competitive differentiation. SOC 2 Type 2 audits are broad in scope and deep in details. They are significant undertakings
  30. Why PCI DSS?
     • FOUNDATION: RDX uses PCI as the foundation to build our overall security architecture upon
     • CONSUMER CONFIDENCE: PCI is the industry standard businesses use to evaluate security
     • ROBUST CONTROLS: Stringent controls, well-defined requirements and test procedures. Controls evolve as new threats are identified
     • NEW COMPLIANCES: PCI compliance allows RDX to more easily and quickly comply with other regulatory frameworks
  31. PCI is the Foundation of Our Security Architecture
     PCI controls shown: Security Training, Endpoint Security, Config. Standards, VPN/IPSEC, Logging & Monitoring, IDS/FIM, Change Control, Threat Detection, Secure Development, Access Control, Patch Management, Firewall, Unique Accounts
     RDX expands PCI controls to cover our entire network
  32. RDX’s PCI Best Practices
     • Business operations change frequently. You must be aware of their impact on PCI compliance activities
       - New lines of business
       - New business processes
       - Business growth
       - Improvements to current business processes
       - Automation
       - New applications
       - New organizational units, roles and personnel
     • Maintain a steady stream of high-quality communications with your PCI auditing firm
       - Discuss any potential changes to compliance activities immediately to reduce confusion during the examination period
       - Continuously monitoring your evidence allows you to identify new anomalies or outliers. Address them immediately with your auditing firm
     • Perform spot checks on evidence. Tailor evidence evaluation schedules based on the occurrence of past issues, potential for exceptions, volume of evidence produced, and importance to the examination process
  33. RDX’s PCI Best Practices
     • Encourage assigned personnel to self-educate. The team should have a strong knowledge of the process before contacting potential auditing firms
       - RDX downloaded the PCI compliance document, copied each control into a spreadsheet and added columns for: applies/does not apply, dependent upon third-party vendor, additional product purchases required, how to comply, who complies, level of effort to comply, evidence for compliance, questions for auditor, and notes
     • Select the appropriate firm to perform the audit
       - The firm should be a Qualified Security Assessor (QSA)
       - QSAs are held to a high standard by the PCI Standards Council
       - Experience in auditing organizations that are in, or close to, your line of business (LOB)
       - Check references
       - Name recognition is important. The more widely known your auditing firm is, the more credibility your PCI attestation will have with potential customers
     • Work with your auditing firm to determine which PCI Level you should adhere to
     • Work with your auditing firm to evaluate your third-party applications and service providers to determine if your ability to achieve PCI compliance is dependent upon their services. You may need to include them in your control objectives
       - Third-party applications your shop uses as well as service providers
       - Review your service providers’ SOC and PCI reports with your auditors
       - Agree upon what should be included
       - Meet with your service provider to discuss gaps
  34. Contact Us For Additional Information
     DATABASE EXPERTS (RDX)
     • Compliance Project Details
     • Selecting Audit Compliance Firms
     • Lessons Learned
     • Ongoing Compliance Challenges
     • Streamlining and Improving Evidence Collection and Reporting
     • Audit Compliance Best Practices
     And our real core competency: Remote Data Infrastructure Management
     SECURITY EXPERTS (MegaplanIT)
     • PCI DSS Assessments
     • Trusted Advisory and Remediation Assistance
     • Internal/External Penetration Testing
     • Internal/External ASV Scanning
     • PCI DSS GAP Assessments
     • Quarterly Health Checks
     • Policy and Procedure Development
     • Compliance Project Management
     • Web/Mobile Penetration Testing
     • Managed Security Services Provider
  35. Next Month’s Presentation – Microsoft BI Intelligence Overview and Power BI Demo
     The RDX Report - Sign up by emailing info@rdx.com
     • Microsoft CosmosDB – NoSQL Competition Killer, Power BI Videos, Amazon AWS, Microsoft Azure and Oracle Cloud IaaS Architecture Deep Dives
     LinkedIn
     • Selecting Cloud DBMS, NoSQL Architectures, Rising Interest in Open Source Relational Databases, Database Security Series, Improving Customer Service
     Contacts: cfoot@rdx.com | mikev@megaplanit.com
     RDX Report Signup | View YouTube Video of this Presentation