INSIGHTS Presentation Series
Secrets for Successful Regulatory Compliance Projects
12 PCI DSS requirements and risk assessment key considerations
AICPA SOC 1, SOC 2, SOC 3 and 5 Trust Principles explained
Initial adherence and ongoing compliance best practices
RDX: Chris Foot
MegaplanIT: Michael Vitolo
Date: 9/21/2017
Webinar
• Presenters
• About RDX and MegaplanIT
• Regulatory Standards Overview
• AICPA SOC Assessment
• PCI DSS Assessment
• MegaplanIT PCI Assessment Approach
• RDX Assessment Best Practices for Maintaining Compliance
• Contact Us
Presenters
Michael Vitolo
PCI-QSA | PA-QSA | CISSP | CISM | CISA | CRISC | CGEIT | OSWP
Managing Partner | MegaplanIT, LLC.
Over 18 years working in the Security Industry of which 12 in PCI-DSS
mikev@megaplanit.com | www.megaplanit.com
Chris Foot
Vice President – Delivery Strategies and Technologies
Oracle ACE Alumni
cfoot@rdx.com
www.rdx.com
The Largest Pure Play Provider of Managed Data Infrastructure Services
20 Years of Service Delivery Experience
Database Platforms: SQL Server, Oracle, PostgreSQL*, DB2, MongoDB*, MySQL*
Operating Systems: Unix/Linux*, Windows
Edge Technologies: SQL Server BI, Oracle EBS, SharePoint, Exchange
Environment: 450+ Customers, 10,000 Servers, 200+ DBAs, Fortune 100s, Startups, All Verticals
Cloud Systems: Amazon AWS/RDS, Oracle Cloud DB, DBPaaS, Msoft Azure, IaaS (dozens), Hybrid Cloud
* All distributions
RDX Compliance Experience
• Achieved first SOC 1 Type 2 in 2011
• Achieved first SOC 2 Type 2 in 2016
• Achieved first PCI Attestation in 2013
• Engaged MegaplanIT in 2016 to provide
QSA examination of our environment
RDX is also required to adhere to hundreds of customer specific
security frameworks, best practices and individual controls
About MegaplanIT, LLC
MegaplanIT, LLC. is an information security and compliance firm specializing
in over 30 high-level services designed to protect cardholder data, secure in-
scope networks, systems, and websites applications to ensure that your
organization is both secure and compliant.
MegaplanIT leverages over fifteen years of applied knowledge in the areas of
Governance, Risk Mitigation, Information Security, Penetration Testing,
Compliance, and Project Management to ensure your goals are consistently
met in a timely and efficient manner.
MegaplanIT Services
Compliance Services
• PCI DSS Assessment
• PA DSS Assessment
• P2PE Assessment
• HIPAA Security and Privacy Assessment
• ISO 27001/27002 Risk Assessment
• Shared AUP Assessment
• NIST 800-171
• NIST 800-53
• NIST Cybersecurity
• 3rd Party Risk Assessment
• Policy and Procedure Development
• Trusted Advisory and Remediation Assistance
Information Security Services
• Internal Penetration Testing
• External Penetration Testing
• Web and Application Penetration Testing
• Mobile Penetration Testing
• Social Engineering
• Wireless Penetration Testing
• Reverse Engineering
• Internal and External Scanning
• Approved Scanning Vendor (ASV)
• Password Cracking
• Security Architecture Review
• Cloud Architecture Review
• Managed Security Services
Wide Range of Standards
PCI DSS - Payment Card Industry Data Security Standard
  - Information security standard for organizations that handle branded credit cards from the major card providers
PA DSS - Payment Application Data Security Standard
  - Data standard for payment applications, which include any software or hardware that stores, processes or transmits electronic credit card data
ISO 27000 - International Standards Organization
  - Internationally recognized set of standards that provide best practice recommendations on information security management
HIPAA/HITECH - Health Insurance Portability and Accountability Act
  - Health Insurance Portability and Accountability Act (HIPAA) requires any organizations that process and/or maintain healthcare-related information to meet security standards in the handling of patient Protected Health Information (PHI)
NERC CIP - North American Electric Reliability Corporation
  - Establishes mandatory reliability standards, including the Critical Infrastructure Protection (CIP) plan. These standards aim to maintain and improve the efficiency of North America’s bulk power system while ensuring its continued security and reliability
Wide Range of Standards
SSAE 16/18 - Statement on Standards for Attestation Engagements
  - Internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service
NIST - National Institute of Standards and Technology
  - A measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness
  - NIST SP 800-171 provides federal agencies with regulations for protecting the confidentiality of Controlled Unclassified Information (CUI) when the CUI resides in nonfederal information systems/organizations
  - NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems
  - NIST Cybersecurity Framework was published in February 2014, following a collaborative process involving industry, academia, and government agencies, as directed by a presidential executive order. It is a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level
Payment Card Industry Standards Council
The PCI Security Standards Council is a global
open body formed to develop, enhance,
disseminate, and assist with the understanding of
security standards for payment account security
It also provides critical tools needed for implementation of the standards such as
assessment and scanning qualifications, self-assessment questionnaires, training, and
education and certification programs
Executive Committee
• American Express
• MasterCard
• Discover
• JCB International
• Visa
Board of Advisors*
• Amazon
• Citigroup
• Cisco
• Wal-Mart
• Wells Fargo
• Target
• PayPal
• Walt Disney
• Exxon
• Microsoft
* Not inclusive
What is a Qualified Security Assessor?
Qualified Security Assessor (QSA) companies are independent security
organizations that have been qualified by the PCI Security Standards
Council to validate an entity’s adherence to PCI DSS. QSA Employees are
individuals who are employed by a QSA Company and have satisfied and
continue to satisfy all QSA Requirements
• Assist in the validation of their clients’ scope for the assessment
• Verify all technical information given by the Merchant or Service Provider, including documentation
and samples of controls
• Perform an onsite visit for the duration of the assessment to conduct interviews
• Adherence to the PCI DSS Requirements and Security Assessment Procedures
• Select business facilities and system components where sampling is employed
• Evaluate any compensating controls which are required to be above and beyond the original
requirement
• Produce the final Report on Compliance and Attestation of Compliance
Payment Card Industry Security Standards
• PCI DSS is a set of industry standards, not a legal requirement
• Standards are enforced by the major card brands who created the PCI Council
• Financial penalties are levied by the card brands, not the PCI Council. They can be substantial
• Each major card brand has its own unique set of PCI compliance objectives
• Three types of standards:
  - PCI PTS - Manufacturers of PIN transaction security devices
  - PCI PA DSS - Payment application vendor software developers
  - PCI DSS - Merchants and service providers
  - PCI P2PE - Covers encryption, decryption, and key management requirements
• Four defined levels:
  - Primarily based on card transaction volume
  - Other classification criteria may vary according to card brand
  - Levels determine security controls and processes required
Roles and Responsibilities
Payment brands’ compliance programs include:
• Tracking and enforcement
• Penalties, fees, compliance deadlines
• Validation process and who needs to validate
• Approval and posting of compliant entities
• Definition of merchant and service provider levels
Payment brands are also responsible for:
• Defining rules for forensic investigations and responding to account data compromises
• Monitoring and facilitating investigations of account data compromises to completion
Roles and Responsibilities
Responsibilities for Merchants and Service Providers:
• Review and understand the PCI security standards
• Understand the compliance validation and reporting requirements defined by the card brands with
regards to the levels
• Validate and report compliance to their acquirer or perhaps a payment card brand as applicable, in
addition to maintaining compliance on an ongoing basis
• PCI Assessment is a review of compliance at a point in time, but must be maintained throughout
the year, and not just at the time of the assessment.
• Merchants and Service Providers should read communications from the card brands, acquirers, and
the Council on an ongoing basis
Non-Compliance Fines, Fees, and Risk
A non-compliant, compromised business could expect:
• Damage to their brand/reputation
• Investigation costs
• Remediation costs
• Fines and fees
- Non-compliance (each brand issues separate fines)
- Re-issuance
- Fraud loss
• Ongoing compliance audits
• Victim notification costs
• Financial loss
• Data loss
• Chargebacks for fraudulent transactions
• Operations disruption
• Sensitive info disclosure
• Denial of service to customers
• Individual executives held liable
• Possibility of business closure
What is PCI DSS?
A set of technical and operational requirements for organizations accepting
or processing payment transactions and for software developers and
manufacturers of applications and devices used in those transactions
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors
Individual Audit Control Objectives
https://www.pcisecuritystandards.org/
PCI Compliance – Additional Information
PCI Security Standards Council
• PCI SSC Document Library
• Robust set of documents that range from glossary of terms to implementation and ongoing adherence best practices
• Main document containing the requirements is titled “Requirements and Security Assessment Procedures”
• Each control objective contains requirement definition and description, testing procedure(s), and guidance
MegaplanIT
• The Beginner’s Guide to Understanding PCI Compliance
• 5 Tips to Reduce Your PCI Compliance Scope
• 10 Ways to Reduce PCI Compliance Costs
• Taking PCI Compliance to the Next Level
• Penetration Testing for PCI
Why AICPA SOC?
• De facto standard that organizations use to evaluate the quality and security of third party service
providers
• The controlling organization is the AICPA, which has a strong reputation
• The SOC guidelines allow providers to create a set of control objectives that are tailored to the
services they perform. RDX provides a unique offering and wanted to be evaluated on the
activities that were important to our customers in addition to a standardized set of industry
control objectives
• AICPA SOC focuses on service delivery QUALITY and system SECURITY
• The different levels allowed RDX to begin with a SOC 1 engagement and
then move up to a SOC 2 which expands the scope of the audit and the
depth of the examination processes
What are AICPA SOC Reports?
• SSAE stands for Statement on Standards for Attestation Engagements
• Internal control reports that provide information to allow organizations to review, assess and
address the risks of an outsourced service
• Created by the American Institute of Certified Public Accountants’ Auditing Standards Board
• The Statement of Standards establishes requirements and provides guidance on the entire
engagement life-cycle:
  - Establishing overall objectives for SSAE audit engagements
  - Identifying subject matter and evaluation criteria to be included in the engagement
  - Measurement and examination procedures
  - Procedural best practices
  - Reporting standards
AICPA Standards Evolution
  - SAS 70 – Issued in April, 1992 by AICPA. Provided guidance to CPAs reporting on a service organization’s controls relevant to user entities’ financial reporting. SAS 70 was architected to audit controls of financial reporting, not outsourced services
  - SSAE 16 – Issued in April, 2010. Designed to allow practitioners to report on subject matter other than financial statements. The SSAE 16 focuses on the examination of a service organization’s “system”. Further updates create SOC 1, SOC 2 and SOC 3 reports to better tailor SSAE engagements to clients’ needs
  - SSAE 18 – Issued in May, 2017. Enhances SSAE 16 SOC 1 by increasing focus on risk assessment/reporting and adding required controls to improve the audited entity’s monitoring of subservice organizations. Subservice organizations perform services that are relevant to the audited entity’s overall offering
SOC 1 (SSAE 18) Reports
Two SOC 1 Types:
• Type 1 reports focus on the effectiveness of policies and procedures in place at a service
organization at a specified point in time and (1), confirm that controls are actively in
place, (2), measure the effectiveness of the controls and (3), assess how fairly the service
organization's management has presented the controls to you
• Type 2 reports cover policies and procedures currently in operation and test their
effectiveness over a period of time. These reports include everything from the Type 1
report (examination and confirmation of controls in place) plus an analysis of the
controls’ operating effectiveness over a specified period of at least six consecutive
months. Type 2 reports are favored by many user organizations for their thoroughness
When to choose SOC 1:
  - Seeking a cost-effective method of preparing for a service audit
  - Planning to perform an initial Type 2 service audit
  - Your service organization currently identifies control vulnerabilities using an internal reporting system
  - Your organization has not recently performed an audit (financial or regulatory) that included IT controls
SOC 2 Reports
• Outline the controls in place at your service organization and analyze the confidentiality,
security, processing integrity, and availability of information
• Provide evidence for your customers and other stakeholders that effective controls are in place
which meet worldwide security concerns
• Intended for a wider range of audiences than SOC 1 reports but are not available to the
general public. Their availability is restricted to those who have a demonstrated need for the
information contained therein, and these reports are often a component of regulatory
oversight, vendor management programs, and internal corporate governance
• SOC 2 engagements include the option of Type 1 and Type 2 reports, as described for SOC 1 above
When to choose SOC 2:
  - You require third party verification
  - Your organization operates a system that is critical to your customers
  - Your organization prefers a detailed audit report
  - Your organization's system does not affect your customers’ financial reports
  - Your organization desires that the audit be performed based on the five Trust Services Principles
SOC 3 Reports
• SOC 3 reports, also known as Trust Services Reports, are more general and are intended for a
broader audience than the other reporting options. They’re designed for anyone interested in
a CPA's opinion about the availability, security, and processing integrity of controls at a service
organization. SOC 3 Reports are often used for marketing purposes, distributed online, or
posted on a service organization's website to prove that they have controls in place to manage
risks associated with outsourcing services
When to choose SOC 3:
  - Your organization's reputation relies on the ability to keep information secure, accurate, and private
  - Your organization operates a system that is critical to your customers
  - Your organization desires an independent review that allows you to display the SOC 3 seal on your website
  - Your organization employs more than ten people and/or exceeds $2 million in annual revenue
RDX’s AICPA SOC and PCI Compliance Projects Overall Goals
Improve Support Quality: RDX clients want us to improve the quality and security of their environments. We can only accomplish this by improving our environment FIRST
Strengthen Security: RDX customers have turned over the keys to their most sensitive database data stores to our organization. This is a significant responsibility
Competitive Advantage: RDX’s LOB is extremely competitive. Our competitors range from 2 guys in a garage to Fortune 100s. Certifications are key competitive differentiators
Reduce Costs: RDX chose partners that have strong experience and would provide us with best practices to streamline compliance. RDX is a learning organization
RDX Compliance Project Hints and Tips
• Create a project team that represents all areas of the business - from backend operations to
front-line technical support teams
  - Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)
  - Assign Audit Project Manager
  - Identify Audit Project Champion
• Encourage assigned personnel to self-educate. The team should have a strong knowledge of
the process before contacting potential auditing firms
  - RDX created a robust documentation library for both PCI and AICPA SOC during initial stages
  - RDX collected information from PCI Security Standards Council, AICPA, and well-known, reputable auditing and compliance firm websites
• Keep management informed throughout the entire engagement life-cycle
  - All compliance projects will incur engagement costs, potential hardware and software purchases as well as labor costs required to remediate gaps identified in the initial analysis and labor hours required to collect and present evidence to the auditing firm
  - RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process
• Assign owners to all compliance activities
  - Subject areas evaluated during audit (network, HR, security, front line support, back office OPs)
  - Evidence gathering and collection
  - Ongoing monitoring to identify new anomalies and outliers
RDX Compliance Project Hints and Tips
• One of the most critical meetings with your auditing firm will be to:
  - Perform a final review of the control objectives
  - Agree upon how the evidence will be collected
  - Agree upon how the evidence will be reported
  - Agree upon the criteria used to determine if the evidence results in a pass/fail
  - Establish audit period start and examination dates
  - Agree upon communication procedures for when business changes occur that impact the audit
• Build a strong partnership with your auditing firm(s)
  - Understand their role in the process
  - Their goal is to help you improve your service delivery environment
  - Part of that process will be to identify gaps during the initial analysis
  - They will also identify exceptions during their audit examinations and report these findings. They aren’t being adversarial; they’re just doing what you pay them to
• Understand that all audits are ongoing projects. In addition to the audit examinations, you
will be required to:
  - Add, modify, and remove control objectives as your business processes evolve
  - Modify internal processes to address audit exceptions
  - Improve the quality of evidence collection and reporting
  - Automate processes, buy/build applications as well as purchase toolsets and products to improve ability to comply and reduce audit costs
  - Constantly monitor evidence to identify anomalies and outliers. Don’t get surprised during the examination
RDX’s AICPA SOC Compliance Project
• Project execution and best practices can be compared to most traditional internal initiatives. One
difference was the substantial amount of investigation performed to better understand AICPA SOC
requirements and select an auditing vendor
• Identified stakeholders, project champion and assigned selected personnel as project managers and
participants. All participants were assigned a very specific set of responsibilities
• First activity was to collect SOC informational materials and best practices documents from reputable
sources to educate team members
• A traditional vendor evaluation methodology was used to select an auditing vendor. RDX created a
robust set of evaluation metrics that were weighted by importance. Evaluation team members
reviewed information provided by vendors and compiled a short list of competitors. RDX performed
a more in-depth analysis of the surviving competitors and selected the winning vendor
• RDX met with a cross-section of customers to determine the criteria they used to evaluate the quality
of RDX’s support services. Common themes were identified, discussed with auditors, and used to
create a set of audit control objectives that best reflect the key service quality indicators that
measure RDX’s operating effectiveness
• The audit control objectives included all activities related to physical and logical security controls,
data privacy, organization and administration, vendor management, work request and ticket
management, incident management, and monitoring installation and configuration
RDX’s AICPA SOC Best Practices
• Create a project team that represents all areas of the business - from backend operations to
front-line technical support teams
  - Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)
  - Assign Audit Project Manager
  - Identify Audit Project Champion
• Build a robust educational library. Materials should range from glossary of terms and
overviews to in-depth “how-to” documents and best practices
  - AICPA website
  - Auditing and compliance firm websites provide a wealth of information to draw from
• Encourage your project team to self-educate. The team should have a strong knowledge of
the audit controls and examination processes before contacting potential auditing firms
• Keep management informed throughout the entire engagement life-cycle
  - All compliance projects will incur engagement costs, potential hardware and software purchases as well as labor costs required to remediate gaps identified in the initial analysis and labor hours required to collect and present evidence to the auditing firm
  - RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process
RDX’s AICPA SOC Best Practices
• Select the appropriate firm to perform the audit
  - The firm should be a member of the AICPA
  - Have a strong track record with SOC audits
  - Experience in auditing organizations that are in, or close to, your line of business (LOB)
  - Check references
  - Name recognition is important. The more widely known your auditing firm is, the more credibility your SOC reports will have with potential customers
  - Easy to work with. Firm but fair
• Work with your auditing firm to determine which SOC report best fits your needs
• Create a set of control objectives that:
  - Allows customers to easily evaluate the quality and security of the services you provide
  - RDX solicited a cross-section of customers to discuss how they evaluated the quality of our services
  - Allows your organization to internally evaluate the quality and security of the services you provide. Selecting control objectives that you feel are important is critical. The goal of the process is to improve your environment (it isn’t just to create marketing spin)
• Work with your auditing firm to evaluate your third party applications and service providers
to determine if your ability to deliver support to your customers is dependent upon their
services. You may need to include them in your control objectives
  - Third party applications your shop uses as well as service providers
  - Review your service providers’ SOC reports with your auditors
  - Agree upon what should be included
  - Meet with your service provider to discuss gaps
SOC 2 Type 2 Benefits to RDX
Dedicated project that focuses on two subject areas
that are critical to our business - service delivery
quality and system security
Demonstrates to customers that RDX is being held
to a rigorous industry standard
Competitive differentiation. SOC 2 Type 2 audits are
broad in scope and deep in details. They are
significant undertakings
Why PCI DSS?
Foundation: RDX uses PCI as the foundation to build our overall security architecture upon
Consumer Confidence: PCI is the industry standard businesses use to evaluate security
Robust Controls: Stringent controls, well defined requirements and test procedures. Controls evolve as new threats are identified
New Compliances: PCI compliance allows RDX to more easily and quickly comply with other regulatory frameworks
PCI is the Foundation of Our Security Architecture
PCI security control areas RDX builds upon: Security Training, Endpoint Security, Config. Standards, VPN/IPSEC, Logging & Monitoring, IDS/FIM, Change Control, Threat Detection, Secure Development, Access Control, Patch Management, Firewall, Unique Accounts
RDX expands PCI controls to cover our entire network
RDX’s PCI Best Practices
• Business operations change frequently. You must be aware of their impact on PCI compliance
activities
  - New lines of business
  - New business processes
  - Business growth
  - Improvements to current business processes
  - Automation
  - New applications
  - New organizational units, roles and personnel
• Maintain a steady stream of high quality communications with your PCI auditing firm
  - Discuss any potential changes to compliance activities immediately to reduce confusion during the examination period
  - Continuously monitoring your evidence allows you to identify new anomalies or outliers. Address them immediately with your auditing firm
• Perform spot checks on evidence. Tailor evidence evaluation schedules based on occurrence of
past issues, potential for exceptions, volume of evidence produced, and importance to the examination
process
RDX’s PCI Best Practices
• Encourage assigned personnel to self-educate. The team should have a strong knowledge of
the process before contacting potential auditing firms
  - RDX downloaded the PCI compliance document, copied each control into a spreadsheet and added columns for apply/does not apply, dependent upon third-party vendor, additional product purchases required, how to comply, who complies, level of effort to comply, evidence for compliance, questions for auditor and notes
• Select the appropriate firm to perform the audit
  - The firm should be a Qualified Security Assessor (QSA)
  - QSAs are held to a high standard by the PCI Security Standards Council
  - Experience in auditing organizations that are in, or close to, your line of business (LOB)
  - Check references
  - Name recognition is important. The more widely known your auditing firm is, the more credibility your PCI attestation will have with potential customers
• Work with your auditing firm to determine which PCI Level you should adhere to
• Work with your auditing firm to evaluate your third party applications and service providers
to determine if your ability to achieve PCI compliance is dependent upon their services. You
may need to include them in your control objectives
  - Third party applications your shop uses as well as service providers
  - Review your service providers’ SOC and PCI reports with your auditors
  - Agree upon what should be included
  - Meet with your service provider to discuss gaps
Contact Us For Additional Information
RDX - Database Experts
• Compliance Project Details
• Selecting Audit Compliance Firms
• Lessons Learned
• Ongoing Compliance Challenges
• Streamlining and Improving Evidence Collection and Reporting
• Audit Compliance Best Practices
And our real core competency: Remote Data Infrastructure Management
MegaplanIT - Security Experts
• PCI DSS Assessments
• Trusted Advisory and Remediation Assistance
• Internal/External Penetration Testing
• Internal/External ASV Scanning
• PCI DSS GAP assessments
• Quarterly Health Checks
• Policy and Procedure Development
• Compliance Project Management
• Web/Mobile Penetration Testing
• Managed Security Services Provider
Next Month’s Presentation – Microsoft BI Intelligence Overview and Power BI Demo
The RDX Report - Sign up by emailing info@rdx.com: Microsoft CosmosDB – NoSQL Competition Killer, Power BI Videos, Amazon AWS, Microsoft Azure and Oracle Cloud IaaS Architecture Deep Dives
LinkedIn: Selecting Cloud DBMS, NoSQL Architectures, Rising Interest in Open Source Relational Databases, Database Security Series, Improving Customer Service
cfoot@rdx.com
mikev@megaplanit.com
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
gealehegn
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
Dermot Clarke
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
Laura Perry
 

Similaire à Secrets for Successful Regulatory Compliance Projects (20)

PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit Standards
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
 
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIECVendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
 
Protect Cardholder Data and Maintain PCI Compliance with PCI Penetration Testing
Protect Cardholder Data and Maintain PCI Compliance with PCI Penetration TestingProtect Cardholder Data and Maintain PCI Compliance with PCI Penetration Testing
Protect Cardholder Data and Maintain PCI Compliance with PCI Penetration Testing
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
IT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet SystemsIT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet Systems
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance -  Delving Deeper In The StandardPCI Compliance -  Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The Standard
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
The emerging pci dss and nist standards
The emerging pci dss and nist standardsThe emerging pci dss and nist standards
The emerging pci dss and nist standards
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
 

Plus de Christopher Foot

Plus de Christopher Foot (11)

Cloud's Hidden Impact on IT Shops
Cloud's Hidden Impact on IT ShopsCloud's Hidden Impact on IT Shops
Cloud's Hidden Impact on IT Shops
 
Selecting a SQL Server Cloud Platform - IaaS, Amazon RDS or Azure SQL DB?
Selecting a SQL Server Cloud Platform - IaaS, Amazon RDS or Azure SQL DB?Selecting a SQL Server Cloud Platform - IaaS, Amazon RDS or Azure SQL DB?
Selecting a SQL Server Cloud Platform - IaaS, Amazon RDS or Azure SQL DB?
 
Migrating On-Premises DBs to Cloud Systems
Migrating On-Premises DBs to Cloud SystemsMigrating On-Premises DBs to Cloud Systems
Migrating On-Premises DBs to Cloud Systems
 
Introduction to Azure SQL DB
Introduction to Azure SQL DBIntroduction to Azure SQL DB
Introduction to Azure SQL DB
 
BI in the Cloud - Microsoft Power BI Overview and Demo
BI in the Cloud - Microsoft Power BI Overview and DemoBI in the Cloud - Microsoft Power BI Overview and Demo
BI in the Cloud - Microsoft Power BI Overview and Demo
 
Rising Interest in Open Source Relational Databases
Rising Interest in Open Source Relational DatabasesRising Interest in Open Source Relational Databases
Rising Interest in Open Source Relational Databases
 
RDX Insights Presentation - Microsoft Business Intelligence
RDX Insights Presentation - Microsoft Business IntelligenceRDX Insights Presentation - Microsoft Business Intelligence
RDX Insights Presentation - Microsoft Business Intelligence
 
NoSQL Architecture Overview
NoSQL Architecture OverviewNoSQL Architecture Overview
NoSQL Architecture Overview
 
Who Will Win the Database Wars?
Who Will Win the Database Wars?Who Will Win the Database Wars?
Who Will Win the Database Wars?
 
Cloud's Hidden Impact on IT Support Organizations
Cloud's Hidden Impact on IT Support OrganizationsCloud's Hidden Impact on IT Support Organizations
Cloud's Hidden Impact on IT Support Organizations
 
Evaluating Cloud Database Offerings
Evaluating Cloud Database OfferingsEvaluating Cloud Database Offerings
Evaluating Cloud Database Offerings
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Secrets for Successful Regulatory Compliance Projects

  • 1. INSIGHTS Presentation Series Secrets for Successful Regulatory Compliance Projects 12 PCI DSS requirements and risk assessment key considerations AICPA SOC 1, SOC 2, SOC 3 and 5 Trust Principles explained Initial adherence and ongoing compliance best practices RDX: Chris Foot MegaplanIT: Michael Vitolo Date: 9/21/2017 Webinar Video Inside
  • 2. • Presenters • About RDX and MegaplanIT • Regulatory Standards Overview • AICPA SOC Assessment • PCI DSS Assessment • MegaplanIT PCI Assessment Approach • RDX Assessment Best Practices for Maintaining Compliance • Contact Us
  • 3. Presenters Michael Vitolo PCI-QSA | PA-QSA | CISSP | CISM | CISA | CRISC | CGEIT | OSWP Managing Partner | MegaplanIT, LLC. Over 18 years working in the Security Industry of which 12 in PCI-DSS mikev@megaplanit.com | www.megaplanit.com Chris Foot Vice President – Delivery Strategies and Technologies Oracle ACE Alumni cfoot@rdx.com www.rdx.com
  • 4. The Largest Pure Play Provider of Managed Data Infrastructure Services 20 YEARS OF SERVICE DELIVERY EXPERIENCE Database Platforms SQL Server Oracle PostgreSQL* DB2 MongoDB* MySQL* Operating Systems Unix/Linux*Windows Edge Technologies SQL Server BI Oracle EBS SharePoint Exchange Environment 450+ Customers 10,000 Servers 200+ DBAs Fortune 100s Startups All Verticals Cloud Systems Amazon AWS/RDS Oracle Cloud DB DBPaaS Msoft Azure IaaS (dozens) Hybrid Cloud * All distributions
  • 5. RDX Compliance Experience • Achieved first SOC 1 Type 2 in 2011 • Achieved first SOC 2 Type 2 in 2016 • Achieved first PCI Attestation in 2013 • Engaged MegaplanIT in 2016 to provide QSA examination of our environment RDX is also required to adhere to hundreds of customer specific security frameworks, best practices and individual controls
  • 6. About MegaplanIT, LLC MegaplanIT, LLC. is an information security and compliance firm specializing in over 30 high-level services designed to protect cardholder data, secure in- scope networks, systems, and websites applications to ensure that your organization is both secure and compliant. MegaplanIT leverages over fifteen years of applied knowledge in the areas of Governance, Risk Mitigation, Information Security, Penetration Testing, Compliance, and Project Management to ensure your goals are consistently met in a timely and efficient manner.
  • 7. MegaplanIT Services • PCI DSS Assessment • PA DSS Assessment • P2PE Assessment • HIPAA Security and Privacy Assessment • ISO 27001/27002 Risk Assessment • Shared AUP Assessment • NIST 800-171 • NIST 800-53 • NIST Cybersecurity • 3rd Party Risk Assessment • Policy and Procedure Development • Trusted Advisory and Remediation Assistance • Internal Penetration Testing • External Penetration Testing • Web and Application Penetration Testing • Mobile Penetration Testing • Social Engineering • Wireless Penetration Testing • Reverse Engineering • Internal and External Scanning • Approved Scanning Vendor (ASV) • Password Cracking • Security Architecture Review • Cloud Architecture Review • Managed Security Services COMPLIANCE SERVICES INFORMATION SECURITY SERVICES
  • 8. PCI DSS - Payment Card Industry Data Security Standard  Information security standard for organizations that handle branded credit cards from the major card providers PA DSS - Payment Application Data Security Standard  Data standard for payment applications, which include any software or hardware that stores, processes or transmits electronic credit card data ISO 27000 - International Standards Organization  Internationally recognized set of standards that provide best practice recommendations on information security management HIPAA/HITECH - Health Insurance Portability and Accountability Act  Health Insurance Portability and Accountability Act (HIPAA) requires any organizations that process and/or maintain healthcare-related information to meet security standards in the handling of patient Protected Health Information (PHI) NERC CIP - North American Electric Reliability Corporation  Establishes mandatory reliability standards, including the Critical Infrastructure Protection (CIP) plan These standards aim to maintain and improve the efficiency of North America’s bulk power system while ensuring its continued security and reliability Wide Range of Standards
  • 9. Wide Range of Standards SSAE 16/18 - Statement on Standards for Attestation Engagements  Internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service NIST - National Institute of Standards and Technology  A measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness  NIST SP 800-171 provides federal agencies with regulations for protecting the confidentiality of Controlled Unclassified Information (CUI) when the CUI resides in nonfederal information systems/organizations  NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems  NIST Cybersecurity Framework was published in February 2014, following a collaborative process involving industry, academia, and government agencies, as directed by a presidential executive order. It is a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level
  • 10. Payment Card Industry Standards Council The PCI Security Standards Council is a global open body formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training, and education and certification programs Executive Committee • American Express • MasterCard • Discover • JCB International • Visa Board of Advisors* • Amazon • Citigroup • Cisco • Wal-Mart • Wells Fargo • Target • PayPal • Walt Disney • Exxon • Microsoft Not inclusive*
  • 11. What is a Qualified Security Assessor? Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements • Assist in the validation of their clients scope for the assessment • Verify all technical information given by Merchant or Service Provider, Including documentation and sample of controls • Perform an onsite for the duration of the assessment to conduct interviews • Adherence to the PCI DSS Requirements and Security Assessment Procedures • Select business facilities and system components where sampling is employed • Evaluate any compensating controls which are required to be above and beyond the original requirement • Produce the final Report on Compliance and Attestation of Compliance
  • 12. Payment Card Industry Security Standards • PCI DSS is a set of industry standards, not a legal requirement • Standards are enforced by the major card brands who created the PCI Council • Financial penalties are levied by the card brands, not the PCI Council. They can be substantial • Each major card brand has its own unique set of PCI compliance objectives • Three types of standards:  PCI PTS - Manufacturers of PIN transaction security devices  PCI PA DSS – Payment application vendor software developers  PCI DSS – Merchants and service providers  PCI P2PE - covers encryption, decryption, and key management requirements • Four defined levels:  Primarily based on card transaction volume  Other classification criteria may vary according to card brand  Levels determine security controls and processes required
  • 13. Roles and Responsibilities Payment brands’ compliance programs include: • Tracking and enforcement • Penalties, fees, compliance deadlines • Validation process and who needs to validate • Approval and posting of compliant entities • Definition of merchant and service provider levels Payment brands are also responsible for: • Defining rules for forensic investigations and responding to account data compromises • Monitoring and facilitating investigations of account data compromises to completion
  • 14. Roles and Responsibilities Responsibilities for Merchants and Service Providers: • Review and understand the PCI security standards • Understand the compliance validation and reporting requirements defined by the card brands with regards to the levels • Validate and report compliance to their acquirer or perhaps a payment card brand as applicable, in addition to maintaining compliance on an ongoing basis • PCI Assessment is a review of compliance at a point in time, but must be maintained throughout the year, and not just at the time of the assessment. • Merchants and Service Providers should read communications from the card brands, acquirers, and the Council on an ongoing basis
  • 15. Non-Compliance Fines, Fees, and Risk A non-compliant, compromised business could expect: • Damage to their brand/reputation • Investigation costs • Remediation costs • Fines and fees - Non-compliance (each brand issues separate fines) - Re-issuance - Fraud loss • Ongoing compliance audits • Victim notification costs • Financial loss • Data loss • Chargebacks for fraudulent transactions • Operations disruption • Sensitive info disclosure • Denial of service to customers • Individual executives held liable • Possibility of business closure
  • 16. What is PCI DSS? A set of technical and operational requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of applications and devices used in those transactions Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors Individual Audit Control Objectives https://www.pcisecuritystandards.org/
  • 17. PCI Compliance – Additional Information PCI Security Standards Council MegaplanIT • PCI SSC Document Library • Robust set of documents that range from glossary of terms to implementation and ongoing adherence best practices • Main document containing the requirements is titled “Requirements and Security Assessment Procedures” • Each control objective contains Requirement definition and description, testing procedure(s), and guidance • The Beginner’s Guide to Understanding PCI Compliance • 5 Tips to Reduce Your PCI Compliance Scope • 10 Ways to Reduce PCI Compliance Costs • Taking PCI Compliance to the Next Level • Penetration Testing for PCI
  • 18. Why AICPA SOC? • Defacto standard organizations use it to evaluate the quality and security of third party service providers • The controlling organization is the AICPA, which has a strong reputation • The SOC guidelines allow providers to create a set of control objectives that are tailored to the services they perform. RDX provides a unique offering and wanted to be evaluated on the activities that were important to our customers in addition to a standardized set of industry control objectives • AICPA SOC focuses on service delivery QUALITY and system SECURITY • The different levels allowed RDX to begin with a SOC 1 engagement and then move up to a SOC 2 which expands the scope of the audit and the depth of the examination processes
  • 19. What are AICPA SOC Reports? • SSAE stands for Statement of Standards for Attestation Engagements • Internal control reports that provide information to allow organizations to review, assess and address the risks of an outsourced service • Created by the American Institute of Certified Public Accountants’ Auditing Standards Board • The Statement of Standards establishes requirements and provides guidance on the entire engagement life-cycle:  Establishing overall objectives for SSAE audit engagements  Identifying subject matter and evaluation criteria to be included in engagement  Measuring and examination procedures  Procedural best practices  Reporting standards AICPA Standards Evolution  SAS 70 – Issued in April, 1992 by AICPA. Provided guidance to CPAs reporting on a service organization’s controls relevant to user entities’ financial reporting. SAS 70 was architected to audit controls of financial reporting, not outsourced services  SSAE 16 – Issued in April, 2010. Designed to allow practitioners to report on subject matter other than financial statements. The SSAE 16 focuses on the examination of a service organization’s “system”. Further updates create SOC 1, SOC 2 and SOC 3 reports to better tailor SSAE engagements to clients’ needs  SSAE 18 – Issued in May, 2017. Enhances SSAE 16 SOC 1 by increasing focus on risk assessment/reporting and adding required controls to improve the audited entity’s monitoring of subservice organizations. Subservice organizations perform services that are relevant to the audited entity’s overall offering 1618
  • 20. SOC 1 (SSAE 18) Reports Two SOC 1 Types: • Type 1 reports focus on the effectiveness of policies and procedures in place at a service organization at a specified point in time and (1), confirm that controls are actively in place, (2), measure the effectiveness of the controls and (3), assess how fairly the service organization's management has presented the controls to you • Type 2 reports cover policies and procedures currently in operation and test their effectiveness over a period of time. These reports include everything from the Type 1 report (examination and confirmation of controls in place) plus an analysis of the controls’ operating effectiveness over a specified period of at least six consecutive months. Type 2 reports are favored by many user organizations for their thoroughness When to choose SOC 1:  Seeking a cost-effective method of preparing for a service audit  Planning to perform an initial Type 2 service audit  Your service organization currently identifies control vulnerabilities using an internal reporting system  Your organization has not recently performed an audit (financial or regulatory) that included IT controls
  • 21. SOC 2 Reports • Outline the controls in place at your service organization and analyze their confidentiality, security, processing, integrity, availability of Information • Provide evidence for your customers and other stakeholders that effective controls are in place which meet worldwide security concerns • Intended for a wider range of audiences than SOC 1 reports but are not available to the general public. Their availability is restricted to those who have a demonstrated need for the information contained therein, and these reports are often a component of regulatory oversight, vendor management programs, and internal corporate governance • SOC 2 engagements include the option of Type 1 and Type 2 reports, as described in the SOC 1 When to choose SOC 2:  You require third party verification  Your organization operates a system that is critical to your customers  Your organization prefers a detailed audit report  Your organization's system does not affect your customers’ financial reports  Your organization desires that the audit be performed based on the five Trust Services Principles
  • 22. SOC 3 Reports • SOC 3 reports, also known as Trust Services Reports, are more general and are intended for a broader audience than the other reporting options. They’re designed for anyone interested in a CPA's opinion about the availability, security, and processing integrity of controls at a service organization. SOC 3 Reports are often used for marketing purposes, distributed online, or posted on a service organization's website to prove that they have controls in place to manage risks associated with outsourcing services When to choose SOC 3:  Your organization's reputation relies on the ability to keep information secure, accurate, and private  Your organization operates a system that is critical to your customers  Your organization desires an independent review that allows you to display the SOC 3 seal on your website  Your organization employs more than ten people and/or exceeds $2 million in annual revenue
  • 23. RDX’s AICPA SOC and PCI Compliance Projects Overall Goals Improve Support Quality RDX clients want us to improve the quality and security of their environments. We can only accomplish this by improving our environment FIRST Strengthen Security RDX customers have turned over the keys to their most sensitive database data stores to our organization. This is a significant responsibility Competitive Advantage RDX’s LOB is extremely competitive. Our competitors range from 2 guys in a garage to fortune 100s. Certifications are key competitive differentiators Reduce Costs RDX chose partners that have strong experience and would provide us with best practices to streamline compliance. RDX is a learning organization $
  • 24. RDX Compliance Project Hints and Tips • Create a project team that represents all areas of the business - from backend operations to front-line technical support teams  Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)  Assign Audit Project Manager  Identify Audit Project Champion • Encourage assigned personnel to self educate. The team should have a strong knowledge of the process before contacting potential auditing firms  RDX created a robust documentation library for both PCI and AICPA SOC during initial stages  RDX collected information from PCI Security Standards Council, AICPA, and well-known, reputable auditing and compliance firm websites • Keep management informed throughout the entire engagement life-cycle  All compliance projects will incur engagement costs, potential hardware and software purchases as well as labor costs required to remediate gaps identified in the initial analysis and labor hours required to collect and present evidence to the auditing firm  RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process • Assign owners to all compliance activities  Subject areas evaluated during audit (network, HR, security, front line support, back office OPs)  Evidence gathering and collection  Ongoing monitoring to identify new anomalies and outliers
• 25. RDX Compliance Project Hints and Tips
  • One of the most critical meetings with your auditing firm will be the one in which you:
    - Perform a final review of the control objectives
    - Agree upon how the evidence will be collected
    - Agree upon how the evidence will be reported
    - Agree upon the criteria used to determine whether the evidence results in a pass or a fail
    - Establish the audit period start date and the examination dates
    - Agree upon communication procedures for business changes that impact the audit
  • Build a strong partnership with your auditing firm(s)
    - Understand their role in the process
    - Their goal is to help you improve your service delivery environment
    - Part of that process is identifying gaps during the initial analysis
    - They will also identify exceptions during their audit examinations and report these findings. They aren’t being adversarial; they’re just doing what you pay them to do
  • Understand that all audits are ongoing projects. In addition to the audit examinations, you will be required to:
    - Add, modify, and remove control objectives as your business processes evolve
    - Modify internal processes to address audit exceptions
    - Improve the quality of evidence collection and reporting
    - Automate processes, buy or build applications, and purchase toolsets and products to improve your ability to comply and reduce audit costs
    - Constantly monitor evidence to identify anomalies and outliers. Don’t get surprised during the examination
• 26. RDX’s AICPA SOC Compliance Project
  • Project execution and best practices can be compared to most traditional internal initiatives. One difference was the substantial amount of investigation performed to better understand AICPA SOC requirements and select an auditing vendor
  • Identified stakeholders and a project champion, and assigned selected personnel as project managers and participants. All participants were assigned a very specific set of responsibilities
  • The first activity was to collect SOC informational materials and best practices documents from reputable sources to educate team members
  • A traditional vendor evaluation methodology was used to select an auditing vendor. RDX created a robust set of evaluation metrics that were weighted by importance. Evaluation team members reviewed the information provided by vendors and compiled a short list of competitors. RDX performed a more in-depth analysis of the surviving competitors and selected the winning vendor
  • RDX met with a cross-section of customers to determine the criteria they used to evaluate the quality of RDX’s support services. Common themes were identified, discussed with the auditors, and used to create a set of audit control objectives that best reflect the key service quality indicators that measure RDX’s operating effectiveness
  • The audit control objectives covered all activities related to physical and logical security controls, data privacy, organization and administration, vendor management, work request and ticket management, incident management, and monitoring installation and configuration
• 27. RDX’s AICPA SOC Best Practices
  • Create a project team that represents all areas of the business, from backend operations to front-line technical support teams
    - Subject matter experts (business ops, front-line support techs, security team, documentation specialists)
    - Assign an audit project manager
    - Identify an audit project champion
  • Build a robust educational library. Materials should range from a glossary of terms and overviews to in-depth “how-to” documents and best practices
    - AICPA website
    - Auditing and compliance firm websites provide a wealth of information to draw from
  • Encourage your project team to self-educate. The team should have a strong knowledge of the audit controls and examination processes before contacting potential auditing firms
  • Keep management informed throughout the entire engagement life cycle
    - All compliance projects incur engagement costs, potential hardware and software purchases, the labor required to remediate gaps identified in the initial analysis, and the labor hours required to collect and present evidence to the auditing firm
    - RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process
• 28. RDX’s AICPA SOC Best Practices
  • Select the appropriate firm to perform the audit
    - The firm should be a member of the AICPA (SOC examinations are attestation engagements that must be performed by a licensed CPA firm)
    - Strong track record with SOC audits
    - Experience auditing organizations that are in, or close to, your line of business (LOB)
    - Check references
    - Name recognition is important. The more widely known your auditing firm is, the more credibility your SOC reports will have with potential customers
    - Easy to work with. Firm but fair
  • Work with your auditing firm to determine which SOC report best fits your needs
  • Create a set of control objectives that:
    - Allows customers to easily evaluate the quality and security of the services you provide
    - RDX solicited a cross-section of customers to discuss how they evaluated the quality of our services
    - Allows your organization to internally evaluate the quality and security of the services you provide. Selecting control objectives that you feel are important is critical. The goal of the process is to improve your environment (it isn’t just to create marketing spin)
  • Work with your auditing firm to evaluate your third-party applications and service providers to determine whether your ability to deliver support to your customers depends on their services. You may need to include them in your control objectives
    - Third-party applications your shop uses as well as service providers
    - Review your service providers’ SOC reports with your auditors
    - Agree upon what should be included
    - Meet with your service provider to discuss gaps
• 29. SOC 2 Type 2 Benefits to RDX
  - A dedicated project that focuses on two subject areas that are critical to our business: service delivery quality and system security
  - Demonstrates to customers that RDX is being held to a rigorous industry standard
  - Competitive differentiation. SOC 2 Type 2 audits are broad in scope and deep in detail (a Type 2 report tests the operating effectiveness of controls over a period of time, not just their design at a point in time). They are significant undertakings
• 30. Why PCI DSS?
  - New Compliances: PCI compliance allows RDX to more easily and quickly comply with other regulatory frameworks
  - Robust Controls: stringent controls, well-defined requirements and test procedures. Controls evolve as new threats are identified
  - Foundation: RDX uses PCI as the foundation to build our overall security architecture upon
  - Consumer Confidence: PCI is the industry standard businesses use to evaluate security
• 31. PCI is the Foundation of Our Security Architecture
  PCI DSS control areas RDX builds on: security training, endpoint security, configuration standards, VPN/IPsec, logging and monitoring, IDS/FIM, change control, threat detection, secure development, access control, patch management, firewall, unique accounts
  RDX expands these PCI controls to cover our entire network, not only the in-scope cardholder data environment that PCI DSS requires
• 32. RDX’s PCI Best Practices
  • Business operations change frequently. You must be aware of their impact on PCI compliance activities
    - New lines of business
    - New business processes
    - Business growth
    - Improvements to current business processes
    - Automation
    - New applications
    - New organizational units, roles and personnel
  • Maintain a steady stream of high-quality communication with your PCI auditing firm
    - Discuss any potential changes to compliance activities immediately to reduce confusion during the examination period
    - Continuously monitoring your evidence allows you to identify new anomalies or outliers. Address them immediately with your auditing firm
  • Perform spot checks on evidence. Tailor evidence evaluation schedules to the occurrence of past issues, the potential for exceptions, the volume of evidence produced, and the importance of the evidence to the examination process
• 33. RDX’s PCI Best Practices
  • Encourage assigned personnel to self-educate. The team should have a strong knowledge of the process before contacting potential auditing firms
    - RDX downloaded the PCI DSS standard, copied each requirement into a spreadsheet and added columns for: applies/does not apply, dependent upon a third-party vendor, additional product purchases required, how to comply, who complies, level of effort to comply, evidence of compliance, questions for the auditor, and notes
  • Select the appropriate firm to perform the audit
    - The firm should be a Qualified Security Assessor (QSA)
    - QSAs are held to a high standard by the PCI Security Standards Council
    - Experience auditing organizations that are in, or close to, your line of business (LOB)
    - Check references
    - Name recognition is important. The more widely known your auditing firm is, the more credibility your PCI DSS Attestation of Compliance will have with potential customers
  • Work with your auditing firm to determine which PCI DSS merchant or service provider level applies to you (levels are set by the card brands and your acquirer based on transaction volume) and therefore which validation is required: a Self-Assessment Questionnaire or a QSA-led Report on Compliance
  • Work with your auditing firm to evaluate your third-party applications and service providers to determine whether your ability to achieve PCI compliance depends on their services. You may need to include them in your control objectives
    - Third-party applications your shop uses as well as service providers
    - Review your service providers’ SOC and PCI reports with your auditors
    - Agree upon what should be included
    - Meet with your service provider to discuss gaps
• 34. Contact Us For Additional Information
  Database Experts (RDX)
    - Compliance Project Details
    - Selecting Audit Compliance Firms
    - Lessons Learned
    - Ongoing Compliance Challenges
    - Streamlining and Improving Evidence Collection and Reporting
    - Audit Compliance Best Practices
    - And our real core competency: Remote Data Infrastructure Management
  Security Experts (MegaplanIT)
    - PCI DSS Assessments
    - Trusted Advisory and Remediation Assistance
    - Internal/External Penetration Testing
    - Internal/External ASV Scanning
    - PCI DSS Gap Assessments
    - Quarterly Health Checks
    - Policy and Procedure Development
    - Compliance Project Management
    - Web/Mobile Penetration Testing
    - Managed Security Services Provider
• 35. Next Month’s Presentation: Microsoft BI Intelligence Overview and Power BI Demo
  - The RDX Report: sign up by emailing info@rdx.com. Upcoming topics: Microsoft CosmosDB – NoSQL Competition Killer; Power BI Videos; Amazon AWS, Microsoft Azure and Oracle Cloud IaaS Architecture Deep Dives
  - LinkedIn: Selecting Cloud DBMS, NoSQL Architectures, Rising Interest in Open Source Relational Databases, Database Security Series, Improving Customer Service
  - Contact: cfoot@rdx.com | mikev@megaplanit.com
  - RDX Report Signup | View YouTube Video of this Presentation