SlideShare a Scribd company logo

Vendor Management for PCI DSS, HIPAA, and FFIEC

Download as PPTX, PDF
ControlCase
ControlCase

ControlCase covers the following: •Requirements for PCI DSS, HIPAA, Business Associates, FFIEC and Banking Service Providers •What is Vendor Management •Why is Continual Compliance a challenge in Vendor Management •How to mix technology and manual processes for effective Vendor Management

Technology
1 of 31
VENDOR MANAGEMENT PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001 YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST
ControlCase Introduction Challenges About PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001 Vendor Management Basic Approach Why ControlCase AGENDA © 2020 ControlCase. All Rights Reserved. 2 1 2 3 4 5
1 CONTROLCASE INTRODUCTION © 2020 ControlCase. All Rights Reserved. 3
ControlCase Snapshot CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance. © 2020 ControlCase. All Rights Reserved. 4 • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 300+10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS
Solution - Certification and Continuous Compliance Services © 2020 ControlCase. All Rights Reserved. 5 “I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center Certification and Continuous Compliance Services
Certification Services One Audit™ Assess Once. Comply to Many. © 2020 ControlCase. All Rights Reserved. 6 “You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant PCI DSS ISO 27001 & 27002 SOC 1,2,3 & SOC for Cybersecurity CSA STAR HIPAA PCI P2PE GDPR NIST 800-53 PCI PIN PCI PA-DSS SCA PCI 3DS
ABOUT PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001 2 © 2020 ControlCase. All Rights Reserved. 7
What is PCI DSS © 2020 ControlCase. All Rights Reserved. 8 Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card issuers • Maintained by the PCI Security Standards Council (PCI SSC)
What is FISMA © 2020 ControlCase. All Rights Reserved. 9 Federal Information Security Management Act (FISMA) of 2002 Requires federal agencies to implement a mandatory set of processes, security controls and information security governance. FISMA objectives: • Align security protections with risk and impact • Establish accountability and performance measures • Empower executives to make informed risk decisions
What is HIPAA © 2020 ControlCase. All Rights Reserved. 10 HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following: • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs • Reduces health care fraud and abuse • Mandates industry-wide standards for health care information on electronic billing and other processes • Requires the protection and confidential handling of protected health information
What is ISO 27001/ISO 27002 © 2020 ControlCase. All Rights Reserved. 11 ISO Standard: • ISO 27001 is the management framework for implementing information security within an organization • ISO 27002 are the detailed controls from an implementation perspective
What is FERC/NERC © 2020 ControlCase. All Rights Reserved. 12 Federal Energy Regulatory Commission (FERC) The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates. North American Electric Reliability Corporation (NERC): The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America. Critical Infrastructure Protection Standards • Standards for cyber security protection
VENDOR MANAGEMENT BASIC APPROACH 3 © 2020 ControlCase. All Rights Reserved. 13
REG/STANDARD COVERAGE AREA ISO 27001 A.6, A.10 PCI 12 HIPAA 164.308b1 FISMA PS-3 FERC/NERC Multiple Requirements Why Vendor/Third Party Management? © 2020 ControlCase. All Rights Reserved. 14 • Management of third parties • Attestation/Audit of third parties • Remediation tracking Cloud • Cloud environments must be considered a third party • Need to document “compliance matrix” of requirements which are the responsibility of the cloud provider
High Level Process © 2020 ControlCase. All Rights Reserved. 15 1 Register/Inventory vendors 2 Categorize vendors 3 Create master control checklist 4 Map controls to categories 5 Create vendor risk assessment questionnaire 6 Distribute questionnaire to vendors 7 Analyze responses and attachments 8 Provide a Data Security Rating 9 Track exceptions to closure
Step 1 – Register/Inventory Vendors © 2020 ControlCase. All Rights Reserved. 16
Step 2 – Categorize Vendors QUESTIONS TO ASK • What type of data do they store, process or transmit (SSN, Card Numbers, Customer Name, Diagnosis code(s), etc.,) • Is the data in a physical and/or electronic form • What business are they in (Call Center, Recoveries, Managed Service, Software Development, Printing, Hosting) • What risk factors exist based on Geography (North America, Asia/Pacific, South America etc.) © 2020 ControlCase. All Rights Reserved. 17
Step 2 – Categorize Vendors (contd.) CONSIDERATIONS • Less exposure of disclosure/compromise = less verification (i.e., survey only) • More exposure of disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment) © 2020 ControlCase. All Rights Reserved. 18
Policy Management Asset and Vulnerability Management Incident and Problem Management Risk Management HR Management Vendor / Third Party Management Change Management and Monitoring Data Management Business Continuity Management Compliance Project Management Step 3 – Create Master Control Checklist © 2020 ControlCase. All Rights Reserved. 19
Step 4 – Map Controls To Categories © 2020 ControlCase. All Rights Reserved. 20 MAP CONTROLS FROM MASTER LIST TO CATEGORIES BASED ON • What is relevant to the type of data being stored processed or transmitted (for e.g. if card data then PCI DSS may be relevant to check for vs. not) • What is relevant from a business perspective (e.g. call centers third parties have VOIP related controls whereas software development may not) • What is relevant from a geography perspective (e.g. background checks in USA vs. India may be different and may require testing different controls)
Step 5 – Create Vendor Risk Questionnaire © 2020 ControlCase. All Rights Reserved. 21
Step 6 – Distribute Questionnaires © 2020 ControlCase. All Rights Reserved. 22
Step 7 – Analyze Responses © 2020 ControlCase. All Rights Reserved. 23
Step 8 – Provide a Data Security Rating for vendor © 2020 ControlCase. All Rights Reserved. 24 Score based on various data points including: • Log Management • Vulnerability Management • Data Leak Prevention or Data Discovery • Other Automated Feeds Collect Data • Logs • Scans and Test Reports • Data Leak • Identity and Access Mgmt. Data Analytics • Analysis of Data Against 15 Int’l Standards Calculate Ratings • Analysis of Data Against 15 Int’l Standards Report • Rating & Remediation Action Plan with Cost Presentation • ControlCase presents to board 1 2 3 4 5
Step 9 – Track Exceptions To Closure © 2020 ControlCase. All Rights Reserved. 25
COMMON CHALLENGES4 © 2020 ControlCase. All Rights Reserved. 26
Redundant Efforts Lack of Compliance Dashboard Change of Environment Increased Regulations Cost Inefficiencies Fixing of Dispositions Reliance on Third Parties Reducing Budgets (Do more with less) Challenges © 2020 ControlCase. All Rights Reserved. 27
WHY CONTROLCASE5 © 2020 ControlCase. All Rights Reserved. 28
Automation and AI © 2020 ControlCase. All Rights Reserved. 29 Automated Data Feed Quarterly Score based on 4 rolling quarters’ worth of data: • Log Management • Vulnerability Management • Data Leak Prevention or Data Discovery • Other Automated Feeds Collect Data • Logs • Scans and Test Reports • Data Leak • Identity and Access Mgmt. Data Analytics • Analysis of Data Against 15 Int’l Standards Calculate Ratings • Analysis of Data Against 15 Int’l Standards Report • Rating & Remediation Action Plan with Cost Presentation • ControlCase presents to board 1 2 3 4 5
Summary – Why ControlCase © 2020 ControlCase. All Rights Reserved. 30 “They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provide a lot of value to us. — Dir. of Compliance, SaaS company
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com (US) + 1 703.483.6383 (INDIA) + 91.22.62210800 contact@controlcase.com

Recommended

PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management ComplianceControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesControlCase
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesControlCase
 
Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1ControlCase
 

Recommended

PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management ComplianceControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesControlCase
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesControlCase
 
Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1ControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar finalControlCase
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) ControlCase
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationControlCase
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Stepsagiliancecommunity
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceKimberly Simon MBA
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesControlCase
 
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIECVendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIECControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 

More Related Content

What's hot

PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar finalControlCase
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) ControlCase
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationControlCase
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesControlCase
 

What's hot (20)

PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to Many
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar final
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the Cloud
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Steps
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 

Similar to Vendor Management for PCI DSS, HIPAA, and FFIEC

Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIECVendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIECControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
A systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archerA systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archerSubhajit Bhuiya
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Cloud Standards Customer Council
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessLaura Perry
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsChristopher Foot
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)NCTechSymposium
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit StandardsKeyur Thakore
 
The programmable RegTech Eco System by Liv Apneseth Watson
The programmable RegTech Eco System by Liv Apneseth WatsonThe programmable RegTech Eco System by Liv Apneseth Watson
The programmable RegTech Eco System by Liv Apneseth WatsonWorkiva
 
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios
 
File Sharing Use Cases in Financial Services
File Sharing Use Cases in Financial ServicesFile Sharing Use Cases in Financial Services
File Sharing Use Cases in Financial ServicesBlackBerry
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfAmyPoblete3
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyControlCase
 

Similar to Vendor Management for PCI DSS, HIPAA, and FFIEC (20)

Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIECVendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
A systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archerA systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archer
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit Standards
 
The programmable RegTech Eco System by Liv Apneseth Watson
The programmable RegTech Eco System by Liv Apneseth WatsonThe programmable RegTech Eco System by Liv Apneseth Watson
The programmable RegTech Eco System by Liv Apneseth Watson
 
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
 
File Sharing Use Cases in Financial Services
File Sharing Use Cases in Financial ServicesFile Sharing Use Cases in Financial Services
File Sharing Use Cases in Financial Services
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdf
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
 

More from ControlCase

PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxControlCase
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdfControlCase
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfControlCase
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfControlCase
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxWebinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxControlCase
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdfControlCase
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfControlCase
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxControlCase
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST CertificationControlCase
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 

More from ControlCase (14)

PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptx
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxWebinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptx
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST Certification
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 

Recently uploaded

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Recently uploaded (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Vendor Management for PCI DSS, HIPAA, and FFIEC

  • 1. VENDOR MANAGEMENT PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001 YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST
  • 2. ControlCase Introduction Challenges About PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001 Vendor Management Basic Approach Why ControlCase AGENDA © 2020 ControlCase. All Rights Reserved. 2 1 2 3 4 5
  • 3. 1 CONTROLCASE INTRODUCTION © 2020 ControlCase. All Rights Reserved. 3
  • 4. ControlCase Snapshot CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance. © 2020 ControlCase. All Rights Reserved. 4 • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 300+10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS
  • 5. Solution - Certification and Continuous Compliance Services © 2020 ControlCase. All Rights Reserved. 5 “I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center Certification and Continuous Compliance Services
  • 6. Certification Services One Audit™ Assess Once. Comply to Many. © 2020 ControlCase. All Rights Reserved. 6 “You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant PCI DSS ISO 27001 & 27002 SOC 1,2,3 & SOC for Cybersecurity CSA STAR HIPAA PCI P2PE GDPR NIST 800-53 PCI PIN PCI PA-DSS SCA PCI 3DS
  • 7. ABOUT PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001 2 © 2020 ControlCase. All Rights Reserved. 7
  • 8. What is PCI DSS © 2020 ControlCase. All Rights Reserved. 8 Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card issuers • Maintained by the PCI Security Standards Council (PCI SSC)
  • 9. What is FISMA © 2020 ControlCase. All Rights Reserved. 9 Federal Information Security Management Act (FISMA) of 2002 Requires federal agencies to implement a mandatory set of processes, security controls and information security governance. FISMA objectives: • Align security protections with risk and impact • Establish accountability and performance measures • Empower executives to make informed risk decisions
  • 10. What is HIPAA © 2020 ControlCase. All Rights Reserved. 10 HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following: • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs • Reduces health care fraud and abuse • Mandates industry-wide standards for health care information on electronic billing and other processes • Requires the protection and confidential handling of protected health information
  • 11. What is ISO 27001/ISO 27002 © 2020 ControlCase. All Rights Reserved. 11 ISO Standard: • ISO 27001 is the management framework for implementing information security within an organization • ISO 27002 are the detailed controls from an implementation perspective
  • 12. What is FERC/NERC © 2020 ControlCase. All Rights Reserved. 12 Federal Energy Regulatory Commission (FERC) The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates. North American Electric Reliability Corporation (NERC): The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America. Critical Infrastructure Protection Standards • Standards for cyber security protection
  • 13. VENDOR MANAGEMENT BASIC APPROACH 3 © 2020 ControlCase. All Rights Reserved. 13
  • 14. REG/STANDARD COVERAGE AREA ISO 27001 A.6, A.10 PCI 12 HIPAA 164.308b1 FISMA PS-3 FERC/NERC Multiple Requirements Why Vendor/Third Party Management? © 2020 ControlCase. All Rights Reserved. 14 • Management of third parties • Attestation/Audit of third parties • Remediation tracking Cloud • Cloud environments must be considered a third party • Need to document “compliance matrix” of requirements which are the responsibility of the cloud provider
  • 15. High Level Process © 2020 ControlCase. All Rights Reserved. 15 1 Register/Inventory vendors 2 Categorize vendors 3 Create master control checklist 4 Map controls to categories 5 Create vendor risk assessment questionnaire 6 Distribute questionnaire to vendors 7 Analyze responses and attachments 8 Provide a Data Security Rating 9 Track exceptions to closure
  • 16. Step 1 – Register/Inventory Vendors © 2020 ControlCase. All Rights Reserved. 16
  • 17. Step 2 – Categorize Vendors QUESTIONS TO ASK • What type of data do they store, process or transmit (SSN, Card Numbers, Customer Name, Diagnosis code(s), etc.,) • Is the data in a physical and/or electronic form • What business are they in (Call Center, Recoveries, Managed Service, Software Development, Printing, Hosting) • What risk factors exist based on Geography (North America, Asia/Pacific, South America etc.) © 2020 ControlCase. All Rights Reserved. 17
  • 18. Step 2 – Categorize Vendors (contd.) CONSIDERATIONS • Less exposure of disclosure/compromise = less verification (i.e., survey only) • More exposure of disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment) © 2020 ControlCase. All Rights Reserved. 18
  • 19. Policy Management Asset and Vulnerability Management Incident and Problem Management Risk Management HR Management Vendor / Third Party Management Change Management and Monitoring Data Management Business Continuity Management Compliance Project Management Step 3 – Create Master Control Checklist © 2020 ControlCase. All Rights Reserved. 19
  • 20. Step 4 – Map Controls To Categories © 2020 ControlCase. All Rights Reserved. 20 MAP CONTROLS FROM MASTER LIST TO CATEGORIES BASED ON • What is relevant to the type of data being stored processed or transmitted (for e.g. if card data then PCI DSS may be relevant to check for vs. not) • What is relevant from a business perspective (e.g. call centers third parties have VOIP related controls whereas software development may not) • What is relevant from a geography perspective (e.g. background checks in USA vs. India may be different and may require testing different controls)
  • 21. Step 5 – Create Vendor Risk Questionnaire © 2020 ControlCase. All Rights Reserved. 21
  • 22. Step 6 – Distribute Questionnaires © 2020 ControlCase. All Rights Reserved. 22
  • 23. Step 7 – Analyze Responses © 2020 ControlCase. All Rights Reserved. 23
  • 24. Step 8 – Provide a Data Security Rating for vendor © 2020 ControlCase. All Rights Reserved. 24 Score based on various data points including: • Log Management • Vulnerability Management • Data Leak Prevention or Data Discovery • Other Automated Feeds Collect Data • Logs • Scans and Test Reports • Data Leak • Identity and Access Mgmt. Data Analytics • Analysis of Data Against 15 Int’l Standards Calculate Ratings • Analysis of Data Against 15 Int’l Standards Report • Rating & Remediation Action Plan with Cost Presentation • ControlCase presents to board 1 2 3 4 5
  • 25. Step 9 – Track Exceptions To Closure © 2020 ControlCase. All Rights Reserved. 25
  • 26. COMMON CHALLENGES4 © 2020 ControlCase. All Rights Reserved. 26
  • 27. Redundant Efforts Lack of Compliance Dashboard Change of Environment Increased Regulations Cost Inefficiencies Fixing of Dispositions Reliance on Third Parties Reducing Budgets (Do more with less) Challenges © 2020 ControlCase. All Rights Reserved. 27
  • 28. WHY CONTROLCASE5 © 2020 ControlCase. All Rights Reserved. 28
  • 29. Automation and AI © 2020 ControlCase. All Rights Reserved. 29 Automated Data Feed Quarterly Score based on 4 rolling quarters’ worth of data: • Log Management • Vulnerability Management • Data Leak Prevention or Data Discovery • Other Automated Feeds Collect Data • Logs • Scans and Test Reports • Data Leak • Identity and Access Mgmt. Data Analytics • Analysis of Data Against 15 Int’l Standards Calculate Ratings • Analysis of Data Against 15 Int’l Standards Report • Rating & Remediation Action Plan with Cost Presentation • ControlCase presents to board 1 2 3 4 5
  • 30. Summary – Why ControlCase © 2020 ControlCase. All Rights Reserved. 30 “They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provide a lot of value to us. — Dir. of Compliance, SaaS company
  • 31. THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com (US) + 1 703.483.6383 (INDIA) + 91.22.62210800 contact@controlcase.com