1. VENDOR MANAGEMENT
PCI DSS, FISMA, FERC/NERC,
HIPAA & ISO 27001
YOUR IT COMPLIANCE PARTNER –
GO BEYOND THE CHECKLIST

2. ControlCase Introduction
Challenges
About PCI DSS, FISMA, FERC/NERC,
HIPAA & ISO 27001
Vendor Management Basic Approach
Why ControlCase
AGENDA
© 2020 ControlCase. All Rights Reserved. 2
1
2
3
4
5

3. 1 CONTROLCASE INTRODUCTION
© 2020 ControlCase. All Rights Reserved. 3

4. ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance.
© 2020 ControlCase. All Rights Reserved. 4
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
⁃ Do more with less resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden to
a trusted compliance partner
1,000+ 300+10,000+
CLIENTS IT SECURITY
CERTIFICATIONS
SECURITY
EXPERTS

5. Solution - Certification and Continuous Compliance Services
© 2020 ControlCase. All Rights Reserved. 5
“I’ve worked on both sides of
auditing. I have not seen any other
firm deliver the same product and
service with the same value. No
other firm provides that continuous
improvement and the level of detail
and responsiveness.
— Security and Compliance Manager,
Data Center
Certification and Continuous Compliance Services

6. Certification Services
One Audit™
Assess Once. Comply to Many.
© 2020 ControlCase. All Rights Reserved. 6
“You have 27 seconds to make a first
impression. And after our initial
meeting, it became clear that they
were more interested in helping
our business and building a
relationship, not just getting the
business.
— Sr. Director, Information Risk & Compliance,
Large Merchant
PCI DSS ISO 27001
& 27002
SOC 1,2,3 & SOC
for Cybersecurity
CSA STAR
HIPAA PCI P2PE GDPR NIST 800-53
PCI PIN PCI PA-DSS SCA PCI 3DS

7. ABOUT PCI DSS, FISMA,
FERC/NERC, HIPAA & ISO 27001
2
© 2020 ControlCase. All Rights Reserved. 7

8. What is PCI DSS
© 2020 ControlCase. All Rights Reserved. 8
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)

9. What is FISMA
© 2020 ControlCase. All Rights Reserved. 9
Federal Information Security Management Act
(FISMA) of 2002
Requires federal agencies to implement a mandatory
set of processes, security controls and information
security governance.
FISMA objectives:
• Align security protections with risk and impact
• Establish accountability and performance measures
• Empower executives to make informed risk decisions

10. What is HIPAA
© 2020 ControlCase. All Rights Reserved. 10
HIPAA is the acronym for the Health Insurance
Portability and Accountability Act that was passed
by Congress in 1996. HIPAA does the following:
• Provides the ability to transfer and continue health
insurance coverage for millions of American workers
and their families when they change or lose their jobs
• Reduces health care fraud and abuse
• Mandates industry-wide standards for health care
information on electronic billing and other processes
• Requires the protection and confidential handling
of protected health information

11. What is ISO 27001/ISO 27002
© 2020 ControlCase. All Rights Reserved. 11
ISO Standard:
• ISO 27001 is the management framework for
implementing information security within an organization
• ISO 27002 are the detailed controls from an
implementation perspective

12. What is FERC/NERC
© 2020 ControlCase. All Rights Reserved. 12
Federal Energy Regulatory Commission (FERC)
The Federal Energy Regulatory Commission (FERC) is the
United States federal agency with jurisdiction over interstate
electricity sales, wholesale electric rates, hydroelectric
licensing, natural gas pricing, and oil
pipeline rates.
North American Electric Reliability Corporation (NERC):
The North American Electric Reliability Corporation (NERC)
is a not-for-profit international regulatory authority whose
mission is to ensure the reliability of the bulk power system
in North America.
Critical Infrastructure Protection Standards
• Standards for cyber security protection

13. VENDOR MANAGEMENT
BASIC APPROACH
3
© 2020 ControlCase. All Rights Reserved. 13

14. REG/STANDARD COVERAGE AREA
ISO 27001 A.6, A.10
PCI 12
HIPAA 164.308b1
FISMA PS-3
FERC/NERC Multiple Requirements
Why Vendor/Third Party Management?
© 2020 ControlCase. All Rights Reserved. 14
• Management of third parties
• Attestation/Audit of third parties
• Remediation tracking
Cloud
• Cloud environments must be considered a third party
• Need to document “compliance matrix” of requirements
which are the responsibility of the cloud provider

15. High Level Process
© 2020 ControlCase. All Rights Reserved. 15
1
Register/Inventory vendors
2
Categorize vendors
3
Create master control checklist
4
Map controls to categories
5
Create vendor risk
assessment questionnaire
6
Distribute questionnaire
to vendors
7
Analyze responses
and attachments
8
Provide a Data Security Rating
9
Track exceptions to closure

16. Step 1 – Register/Inventory Vendors
© 2020 ControlCase. All Rights Reserved. 16

17. Step 2 – Categorize Vendors
QUESTIONS TO ASK
• What type of data do they store, process or transmit (SSN, Card Numbers, Customer Name, Diagnosis
code(s), etc.,)
• Is the data in a physical and/or electronic form
• What business are they in (Call Center, Recoveries, Managed Service, Software Development, Printing,
Hosting)
• What risk factors exist based on Geography (North America, Asia/Pacific, South America etc.)
© 2020 ControlCase. All Rights Reserved. 17

18. Step 2 – Categorize Vendors (contd.)
CONSIDERATIONS
• Less exposure of disclosure/compromise = less verification (i.e., survey only)
• More exposure of disclosure/compromise = more verification and validation (e.g., survey, evidence review,
on-site assessment)
© 2020 ControlCase. All Rights Reserved. 18

19. Policy Management
Asset and Vulnerability Management
Incident and Problem Management
Risk Management
HR Management
Vendor / Third Party Management
Change Management and Monitoring
Data Management
Business Continuity Management
Compliance Project Management
Step 3 – Create Master Control Checklist
© 2020 ControlCase. All Rights Reserved. 19

20. Step 4 – Map Controls To Categories
© 2020 ControlCase. All Rights Reserved. 20
MAP CONTROLS FROM MASTER LIST TO CATEGORIES BASED ON
• What is relevant to the type of data being stored processed or transmitted (for e.g. if card data then PCI
DSS may be relevant to check for vs. not)
• What is relevant from a business perspective (e.g. call centers third parties have VOIP related controls
whereas software development may not)
• What is relevant from a geography perspective (e.g. background checks in USA vs. India may be different
and may require testing different controls)

21. Step 5 – Create Vendor Risk Questionnaire
© 2020 ControlCase. All Rights Reserved. 21

22. Step 6 – Distribute Questionnaires
© 2020 ControlCase. All Rights Reserved. 22

23. Step 7 – Analyze Responses
© 2020 ControlCase. All Rights Reserved. 23

24. Step 8 – Provide a Data Security Rating for vendor
© 2020 ControlCase. All Rights Reserved. 24
Score based on various data points including:
• Log Management
• Vulnerability Management
• Data Leak Prevention or Data Discovery
• Other Automated Feeds
Collect Data
• Logs
• Scans and Test Reports
• Data Leak
• Identity and Access
Mgmt.
Data Analytics
• Analysis of Data Against
15 Int’l Standards
Calculate Ratings
• Analysis of Data Against
15 Int’l Standards
Report
• Rating & Remediation
Action Plan with Cost
Presentation
• ControlCase presents
to board
1 2 3 4 5

25. Step 9 – Track Exceptions To Closure
© 2020 ControlCase. All Rights Reserved. 25

26. COMMON CHALLENGES4
© 2020 ControlCase. All Rights Reserved. 26

27. Redundant Efforts
Lack of Compliance Dashboard
Change of Environment
Increased Regulations
Cost Inefficiencies
Fixing of Dispositions
Reliance on Third Parties
Reducing Budgets (Do more with less)
Challenges
© 2020 ControlCase. All Rights Reserved. 27

28. WHY CONTROLCASE5
© 2020 ControlCase. All Rights Reserved. 28

29. Automation and AI
© 2020 ControlCase. All Rights Reserved. 29
Automated Data Feed
Quarterly Score based on 4 rolling quarters’ worth of data:
• Log Management
• Vulnerability Management
• Data Leak Prevention or Data Discovery
• Other Automated Feeds
Collect Data
• Logs
• Scans and Test Reports
• Data Leak
• Identity and Access
Mgmt.
Data Analytics
• Analysis of Data Against
15 Int’l Standards
Calculate Ratings
• Analysis of Data Against
15 Int’l Standards
Report
• Rating & Remediation
Action Plan with Cost
Presentation
• ControlCase presents
to board
1 2 3 4 5

30. Summary – Why ControlCase
© 2020 ControlCase. All Rights Reserved. 30
“They provide excellent service,
expertise and technology. And,
the visibility into my compliance
throughout the year and during
the audit process provide a lot
of value to us.
— Dir. of Compliance,
SaaS company

31. THANK YOU FOR THE
OPPORTUNITY TO CONTRIBUTE TO
YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
(US) + 1 703.483.6383 (INDIA) + 91.22.62210800
contact@controlcase.com