Putting the Pieces Together:

Transcription

1 Putting the Pieces Together: Leveraging Current Audits to Solve the HITRUST Puzzle

2 Presenter Gene Geiger, A-LIGN Partner - HITRUST Prac77oner CPA CISSP CCSK QSA PCIP ISO 27K LA

3 performance resourceful auditing knowledgeable cybercriminals advisor SOC 2/AT 101 experience virus cybersecurity Agreed Upon Procedures PCI DSS FISMA hacked compliance CFPB ISO ephi FedRAMP hackers cybercrime SOC 1/SSAE 16 ISAE 3402 HITRUST sensitive data audits HIPAA/HITECH auditors focus quality standards security breaches stress-free business people attack phishing team consultant penetration testing

4

5 Agenda Compliance landscape Audit focus Audit consolida7on Implementa7on steps Leveraging MyCSF features

6 Compliance Landscape HIPAA/HITECH PCI DSS FISMA/FedRAMP ISO SSAE 16/SOC 2 Vendor audits HITRUST

7 Audit Focus Why do we undergo audits? Risk mi7ga7on Data protec7on Brand protec7on Contractual obliga7ons Legal/regulatory requirements Compe77ve advantage All audits have similar goals

8 Audit Focus HITRUST PCI DSS SOC 2 FISMA 01. Access control Requirement 7: Restrict access to cardholder data by business need to know CC5.0 CC Related to logical and physical access controls AC-1 Access controls 02. Human resource security Requirement 12: Maintain a policy that addresses informa7on security for all personnel CC1.0 Common criteria related to organiza7on and management PS Personnel security 03. Risk management Requirement 12: Maintain a policy that addresses informa7on security for all personnel CC3.0 Common criteria related to risk management and design and implementa7on of controls RA Risk assessment

9 Audit Leverage Goal Reduce audit impact on the company Develop a consolidated approach Improve management oversight Benefits Easier adop7on/understanding of audits Beaer socialized risk mi7ga7on strategy Reduces audit fa7gue Poten7al to reduce cost

10 ImplementaBon Steps What is your compliance landscape Which audits are you subject to What is your HITRUST audit requirement What is the current HITRUST implementa7on 7meline Develop a plan

11 ImplementaBon Steps Step 1: Leverage what you are already doing Align audit 7mes Align audit teams Create evidence repository Audit once, report many 7mes

12 ImplementaBon Steps Step 2: Map your controls across audits Document controls that sa7sfy the broadest audit criteria MS Excel MyCSF subscrip7on GRC tool

13 ImplementaBon Steps Step 3: Standardize the audit evidence Policies across mul7ple controls U7lize evidence for mul7ple audits Document evidence names to quickly iden7fy year over year

14 ImplementaBon Steps Step 4: Develop internal monitoring program Audit calendar Internal audits Excep7on repor7ng Vulnerability scans Patch management Culture of informa7on security Plan Develop Execute

15 Leveraging MyCSF Features MyCSF annual subscrip7on Documenta7on/evidence repository Controls documented Mapping of controls CSF Control Standard Mapping MyCSF Related Standards tab Administra7ve and Scoping Informa7on Organiza7on informa7on Asset inventory Loca7on inventory

16 Examples HITRUST with PCI DSS 08.b Physical Entry Controls - Physical access rights are reviewed every 90 days and updated accordingly PCI 9.3 Control physical access for onsite personnel to the sensi7ve areas as follows: Access must be authorized and based on individual job func7on PCI Visitors are iden7fied and given a badge or other iden7fica7on that expires and that visibly dis7nguishes the visitors from onsite personnel PCI Control physical access for onsite personnel to the sensi7ve areas as follows: Access must be authorized and based on individual job func7on PCI A visitor log is used to maintain a physical audit trail of visitor ac7vity to the facility as well as computer rooms and data centers where cardholder data is stored or transmiaed

17 Examples HITRUST with FISMA 01.a Access Control Policy - Logical and physical access control rules and rights for each user or group of users for each applica7on are considered together and clearly defined in standard user access profiles (e.g. roles) based on need-to-know, need-to-share, least privilege, and other relevant requirements C-1 Access Control Policy and Procedures The organiza7on develops, disseminates, and reviews/updates [Assignment: organiza7on defined frequency]: A formal, documented access control policy that addresses purpose, scope, roles, responsibili7es, management commitment, coordina7on among organiza7onal en77es, and compliance; and b. Formal, documented procedures to facilitate the implementa7on of the access control policy and associated access controls

18 Examples HITRUST with SOC 2 00.a Informa7on Security Management Program - An Informa7on Security Management Program (ISMP) shall be documented that addresses the overall Security Program of the organiza7on. Management support for the ISMP shall be demonstrated through signed acceptance or approval by management. The ISMP shall consider all the HITRUST Control Objec7ves and document any excluded control domains and the reasons for their exclusion. The ISMP shall be updated at least annually or when there are significant changes in the environment CC1.1 The en7ty has defined organiza7onal structures, repor7ng lines, authori7es, and responsibili7es for the design, development, implementa7on, opera7on, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confiden7ality or any combina7on thereof] CC 1.2 Responsibility and accountability for designing, developing, implemen7ng, opera7ng, maintaining, monitoring, and approving the en7ty's system controls are assigned to individuals within the en7ty with authority to ensure policies, and other system requirements are effec7vely promulgated and placed in opera7on CC 1.3 Personnel responsible for designing, developing, implemen7ng, opera7ng, maintaining, and monitoring of the system affec7ng [insert the principle(s) being reported on: security, availability, processing integrity, or confiden7ality or any combina7on thereof] have the qualifica7ons and resources to fulfill their responsibili7es

19 QuesBons?