Integrated Compliance Webinar.pptx

Integrated Compliance Webinar.pptx
AND AN INTRODUCTION TO THE CONTROLCASE ONE AUDIT™BOOTCAMP YOUR IT COMPLIANCE PARTNER GO BEYOND THE CHECKLIST Integrated Compliance
KISHOR VASWANI Chief Strategy Officer ControlCase ED AMOROSO Founder and CEO TAG Cyber Our Speakers © ControlCase. All Rights Reserved. 2
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner perspective. . Introduction © ControlCase. All Rights Reserved. 3 ControlCase is a global provider of certification, cyber security and continuous compliance services. ControlCase is committed to empowering organizations to develop and deploy strategic information security and compliance programs that are simplified, cost effective and comprehensive in both on-premise and cloud environments. ControlCase offers certifications and a broad spectrum of cyber security services that meet the needs of companies required to certify to PCI DSS,HITRUST, SOC 2 Type II, ISO 27001, PCI PIN, PCI P2PE, PCI TSP, PA DSS, CSA STAR, HIPAA, GDPR, SWIFT and FedRAMP.
ControlCase One AuditTM Bootcamp © ControlCase. All Rights Reserved. 4 Register free at www/controlcase.com/courses 2-hours, on-demand The Bootcamp introduces the concept of achieving multiple certifications at once, called “One Audit”, via our proprietary compliance process, resulting in significant savings and efficiencies.
ControlCase Introduction Challenges Of Multiple Compliance Standards Advantages Of A Single Compliance Framework Using Common Domains And References Unified Evidence Processing Establishing A Program Of On-going Compliance Introduction to the ControlCase One AuditTM Bootcamp Agenda © ControlCase. All Rights Reserved. 5 1 2 3 4 5 6 7
CONTROLCASE INTRODUCTION 1 © ControlCase. All Rights Reserved. 6
ControlCase Snapshot © ControlCase. All Rights Reserved. 7 CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance. • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 275+ 10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS
Solution © ControlCase. All Rights Reserved. 8 Certification and Continuous Compliance Services “ I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center
PCI DSS ISO 27001-2 SOC 1,2,3,& Cybersecurity HITRUST CSF HIPAA PCI P2PE GDPR NIST 800-53 PCI PIN PCI PA-DSS FISMA PCI 3DS Certification Services © ControlCase. All Rights Reserved. 9 “ You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant
ControlCase Compliance Hub® © ControlCase. All Rights Reserved. 10
CHALLENGES OF MULTIPLE COMPLIANCE STANDARDS 2 © ControlCase. All Rights Reserved. 11
PCI DSS HIPAA SOC2 ISO 27001 • PCI DSS Language • PCI DSS References • PCI DSS Process • HIPAA Language • HIPAA References • HIPAA Process • SOC2 Language • SOC2 References • SOC2 Process • ISO Language • ISO References • ISO Process Challenges of Multiple Compliance Standards © ControlCase. All Rights Reserved. 12 ENTERPRISE SECURITY AND COMPLIANCE TEAM Support PCI DSS Support HIPAA Support SOC2 Support ISO
Supporting Multiple Compliance Standards • FRAMEWORK TRAINING Security teams must be trained on each of the compliance standards. • DOCUMENTATION Compliance documentation will vary between standards. • PLATFORM TOOLING GRC platform tooling must include support for all frameworks. • ASSESSMENT FEES Pre and post assessments are required for each standard. • STANDARD MAINTENANCE Security teams must track changes in standards. © ControlCase. All Rights Reserved. 13
ADVANTAGES OF A SINGLE COMPLIANCE FRAMEWORK 3 © ControlCase. All Rights Reserved. 14
Language / References / Process Language / References / Process Language / References / Process Language / References / Process ENTERPRISE SECURITY AND COMPLIANCE TEAM Advantages of a Single Compliance Framework © ControlCase. All Rights Reserved. 15 Streamlined Compliance Support Support PCI DSS Support HIPAA Support SOC2 Support ISO 1 COMPLIANCE FRAMEWORK
Supporting a Single Compliance Framework • FRAMEWORK TRAINING Security teams must be trained on 1 framework. • DOCUMENTATION Compliance documentation is simplified to 1 format. • PLATFORM TOOLING Compliance platform tooling can be greatly reduced. • ASSESSMENT FEES Pre and post assessments can focus on a single framework (e.g., questionnaire). • STANDARD MAINTENANCE Teams no longer need to track changes in all standards. © ControlCase. All Rights Reserved. 16
USING COMMON DOMAINS AND REFERENCES 4 © ControlCase. All Rights Reserved. 17
Using Common Domains and References © ControlCase. All Rights Reserved. 18 TERMINOLOGY Common references are required to ensure consistency across all compliance activity. Examples: DEFINITIONS Common explanations are required to avoid gaps in interpretation between different compliance tasks. CONCEPTUAL MODEL Compliance teams must maintain a common underlying conceptual model of how data is collected, generated, processes, stored, and shared. • Asset • Attackers • Availability • Confidentiality • Control • Function • Incident • Integrity • Policy • Security Goal • Stakeholder • Threat • Vulnerability
UNIFIED EVIDENCE PROCESSING 5 © ControlCase. All Rights Reserved. 19
Accurate Collection of Control Evidence © ControlCase. All Rights Reserved. 20 Definition Controls are those functional, procedural, or policy-based mechanisms that ensure proper operation with desired framework requirements. Identification of controls for security and privacy can be performed in multiple ways: DOCUMENTS: • Use of documented functions, procedures, and policies. DISCUSSIONS: • Use of discussions with principals and practitioners. SYSTEM SCANNING: • Use of automated control discovery tools. SECURITY MANAGEMENT: • Use of log review and other security procedures.
On-Going Reference Mapping to Frameworks © ControlCase. All Rights Reserved. 21 Definition A mapping, in the context of security and privacy, involves establishing a relationship between a control and the corresponding framework requirements. Framework mappings can be performed for security and privacy frameworks in multiple ways: MANUAL: • Humans can use spreadsheets and other tools to perform mappings AUTOMATED: • Platforms can relate controls to framework requirements CONTINUOUS: • Automation enables continuous compliance mappings
ESTABLISHING A PROGRAM OF ON-GOING COMPLIANCE 6 © ControlCase. All Rights Reserved. 22
Cost and Time Savings © ControlCase. All Rights Reserved. 23 NORMAL TIME SPENT BY CUSTOMER ON COMPLIANCE & CERTIFICATION (OF 1 ENVIRONMENT WITH 4 PARALLEL CERTIFICATIONS) PCI DSS ISO 27001 SOC2 HIPAA TOTAL Compliance / Evidence Collection 400 hrs. 400 hrs. 400 hrs. 400 hrs. 1,600 hrs. Certification Support 150 hrs. 150 hrs. 150 hrs. 150 hrs. 600 hrs. EVIDENCE COLLECTION & COMPLIANCE TOTAL Time Saved through ControlCase Multi-Regulation Mapping/One Audit™ 900 hrs. Time Saved through Control Case Automation 350 hrs. Total time spent on evidence collection by using another auditor 1,600 hrs. Total time spent on evidence collection partnering with ControlCase 350 hrs. CERTIFICATION SUPPORT TOTAL Total time spent on certification support using another auditor 600 hrs. Total time spent on certification support partnering with ControlCase 600 hrs. * Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, HIPAA). TOTAL TIME SPENT ON COMPLIANCE & CERTIFICATION USING ANOTHER AUDITOR 2,200 hrs.* TOTAL TIME SPENT ON COMPLIANCE & CERTIFICATION IN AWS BY PARTNERING WITH CONTROLCASE 950 hrs.* TOTAL TIME SAVED ON COMPLIANCE & CERTIFICATION BY PARTNERING WITH CONTROLCASE 1,250 hrs.*
One Audit™ Approach and Timeline MONTH MONTH MONTH MONTH MONTH MONTH Regulation 1 Regulation 2 Consolidated Pre-Assessment Pre-assessment of regulations using the ControlCase Compliance Hub® platform and Integrated Questionnaires. Real-time Progress Reports and Management Dashboards Audit Report or Attestation of Compliance © ControlCase. All Rights Reserved. 24 1 2 3 4 5 6
PCI DSS ISO 27001 SOC 2 HIPAA Approach and Timeline per Regulation © ControlCase. All Rights Reserved. 25 Condensed Audit Questions 250+ Questions reduced to less than 99 Iterative Approach Partnering with you to get it done Timely Results Average delivery cycle of 3 months Compliance Attestation Sealed, signed, and delivered service Ongoing Monitoring Makes compliance business as usual 1 2 3 4 5 Onsite Audit (2-5 days) Onsite Audit (1-3 days) Certificate Issued Surveillance Audit (1-3 days) Surveillance Audit (1-3 days) 1 2 Mandatory 10 days between Stage 1 & 2 Audit YEAR 1 YEAR 2 YEAR 3 Kick-off Call w/ Intro Scoping Accept — Pass 50% Evidence Upload Accept — Pass 100% Evidence Upload Accept — Pass CPA Evidence Review Final Assertion and Management Representation Letters and SOC 2 Report Delivery 2 3 4 1 Technical Evidence Collection Kickoff Policy and Procedure Review Iterative Review, Remediation Support and Assessment Documentation and Report Delivery 1 2 3 4
Certification Process (After Passing Compliance) © ControlCase. All Rights Reserved. 26 PCI DSS HIPAA ISO 27001 SOC2 TYPE 2
CONTROLCASE ONE AUDITTM BOOTCAMP INTRODUCTION 7 © ControlCase. All Rights Reserved. 27
ControlCase One AuditTM Bootcamp © ControlCase. All Rights Reserved. 28 https://www.controlcase.com/courses/one-audit-bootcamp/
ControlCase One AuditTM Bootcamp ASSESS ONCE, COMPLY TO MANY: PCI DSS, HIPAA, SOC2, & ISO 27001 ControlCase has pioneered a strategy to streamline compliance by creating a set of common domains and references for evidence collection and processing to optimize productivity. This course is an introduction to that strategy. OVERVIEW: This 2-hour on-demand course is geared toward IT professionals and is appropriate for many practitioner roles. The delivery of this self-paced course includes video lectures, real audit question demonstrations, and knowledge check questions throughout, with a certificate document provided at the conclusion of the course. THIS COURSE WILL: • Familiarize you with common IT Security Standards: PCI DSS, HIPAA, SOC 2 & ISO 27001. • Explain at a high level the concept of integrated compliance. • Show you an overview of the One Audit™ Process. • Walk you through specific examples of questions that have been mapped to multiple standards. • On completion of the course, you will receive a One Audit™ Certificate of course completion. © ControlCase. All Rights Reserved. 29
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com contact@controlcase.com ControlCase One Audit BootcampTM Registration Schedule Compliance Discussion

Check these out next

Integrated Compliance Webinar.pptx

Recommandé

Contenu connexe

Présentations pour vous(20)

Similaire à Integrated Compliance Webinar.pptx(20)

Plus de ControlCase(20)

Dernier(20)

Integrated Compliance Webinar.pptx

Notes de l'éditeur