Certification vision, content and streamlining of PCI certification process

Similar documents
Welcome ControlCase Conference. Kishor Vaswani, CEO

LEADING WITH GRC. Approaching Integrated GRC. Knute Ohman, VP, GRC Program Manager. GRC Summit 2017 All Rights Reserved

Have a question? Speak with a member of our team on

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow

CSF to Support SOC 2 Repor(ng

Eforms Full Application Guide Returning Contractor

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

PCI Compliance. Network Scanning. Getting Started Guide

Data Sheet The PCI DSS

SERVICE DESCRIPTION ISO Lex. Certifications

This fee sheet details all relevant fees for BREEAM-SE. It includes fees for the following:

COBIT 5 Assessor Certification Course

Dan Lobb CRISC Lisa Gable CISM Katie Friebus

QUALITY ASSURANCE POLICY. Quality Assurance Policy. September 2016 Version 2.0 Policy authorised by Responsible Officer

DSA-QAG NMH - Audit Portal Guidance

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Eforms Full Application Guide New Contractor

Customer Compliance Portal. User Guide V2.0

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

UC SAN DIEGO 2018 MERCHANT PCI DSS CYCLE

ISACA Arizona May 2016 Chapter Meeting

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

ISE Canada Executive Forum and Awards

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

Segmentation, Compensating Controls and P2PE Summary

Alternatively you can log in to the portal directly, by using this link -

5/14/2014. Air Operator Certificates (AOC) & Operations Specifications. Module 2 Tour of the Application. 14 May 2014 Page 2.

MyCSF User Guide. Prepared By: HITRUST Frisco Square Blvd. Suite 327. Frisco, Texas P: (469) F: (469)

PCI Compliance Assessment Module

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

HITRUST CSF: One Framework

Merchant Guide to PCI DSS

Secure Agile Development

GETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE By Shared Assessments

Certification Program

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

Telos and Amazon Web Services (AWS): Accelerating Secure and Compliant Cloud Deployments

The Future of PCI: Securing payments in a changing world


Audit Report. City & Guilds

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Payment Card Industry (PCI) Point-to-Point Encryption. Template for Report on Validation for use with P2PE v2.0 (Revision 1.1) for P2PE Solution

Comprehensive Mitigation

David Jenkins (QSA CISA) Director of PCI and Payment Services

Public Safety Canada. Audit of the Business Continuity Planning Program

PCI DSS 3.2 AWARENESS NOVEMBER 2017

IC L19 - Consolidate Information from across your Infrastructure to create a custom report for PCI DSS Hands-On Lab

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

ISO Professional Services Guide to Implementation and Certification AND

Criteria for Temporary License as Merit Assessor

QCTO Presentation: BankSETA Roadshows. QCTO Presentation - BankSETA Roadshow 2014

PCI DSS v3. Justin

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Introduction to the PCI DSS: What Merchants Need to Know

Eligibility & Certification Process ELIGIBILITY CONFIRMING ELIGIBILITY ELIGIBILITY CRITERION 1: BUILDING CHARACTERISTICS

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Update on the Key Initiatives Recommended by NTT Data regarding the Agency Cyber Security Framework

Payment Card Industry (PCI) Data Security Standard Report on Compliance. PCI DSS v3.2.1 Template for Report on Compliance. Revision 1.

University of Sunderland Business Assurance PCI Security Policy

Now on Now: How ServiceNow has transformed its own GRC processes

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

COMPASS Corporate User Guide

in PCI Regulated Environments

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Integrated and Separate?

Air Operator Certificates (AOC) & Operations Specifications

Protecting People, Property and the Planet. BREEAM In-Use. Client Training. Part of the BRE Trust

Vulnerability Management

USER GUIDE for Smartsheet VERSION 1, NOVEMBER 2014

Re Authentication Guide

Guide to Online Teacher Training portal

CORRECTIVE ACTIONS USER GUIDE FOR SUPPLIERS

PCI DSS COMPLIANCE 101

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview

Total Security Management PCI DSS Compliance Guide

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Embedding GDPR into the SDLC

ForeScout Extended Module for ArcSight

UNDERSTANDING AND CREATING ROSTERS

PCI DSS Q & A to get you started

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Kahootz is a Department of Health approved cloud-based site that provides a secure Online Workspace. GUIDANCE FOR MEET THE SUPPLIER WORKSPACE

ForeScout Extended Module for IBM BigFix

COMPASS User Guide. Version The Competence Management System for Project Professionals.

Certification of Quality Management Systems with respect to Product Compliance

We are allotting approximately 6 weeks for the completion of this course as follows:

The Monsenso Advantage Partner Programme

Using GRC for PCI DSS Compliance

SDLC Maturity Models

Gateway. User instructions for Co-ordinators September 2017 V3.0

Cyber Essentials Questionnaire Guidance

To View Portfolio. Taskstream/Tk20 Campus Wide. Navigation Guide (Student) _ Viewing the edtpa Portfolio

The Impact of GDPR Compliance on IT and Security

Embedding Privacy by Design

ForeScout Extended Module for HPE ArcSight

Critical Infrastructure Protection Version 5

NIAC Membership Application Checklists

Trust is not a Control... But you s1ll have to have it. (Or How I learned to Stop Worrying and (HI)TRUST Control Compliance Suite)

MEASURES TO ENHANCE MARITIME SECURITY. Cyber risk management in Safety Management Systems. Submitted by United States, ICS and BIMCO SUMMARY

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

Transcription:

Certification vision, content and streamlining of PCI certification process

Agenda ControlCase Certification Vision Evidence Collection Approach Evidence Collection Templates Evidence Expiration Process Panel Discussion

ControlCase Certification Vision To ensure PCI certifications are: Consistent Repeatable Accurate Automate PCI certification through add-on CaaS.

Evidence Collection Approach

Evidence collection life-cycle Evidence Status On Dashboard Phase 1 Assessment Kick-off No Evidence Uploaded Phase 2 Evidence Upload Under Evaluation Phase 3 Assessor Evidence Review Incomplete Information Assigned for QA Phase 4 QA Team Evidence Review Under Evaluation Pass

Evidence collection ControlCase evidence collection process is divided into two parts: Scoping questions: Cover the PCI assessment scoping points including in-scope locations, asset inventory (internal and external facing systems), network diagrams and Data Flow Diagrams Scoping questions review helps to confirm the PCI scope and sample set for evidence collection before moving on to controls specific evidence collection Avoids unnecessary evidence collection for improperly selected samples at later stage Scoping question Quality Assurance (QA) is required to pass before moving on to post scoping questions evidence collection PCI ROC Executive Summary review is performed along with scoping question evidence review

Evidence collection Post-scoping questions Covers all the 12 PCI requirement-specific evidences for sample set defined during scoping questions review Evidence status is tracked per categories - No Evidence Uploaded, Under Evaluation, Incomplete Information, Assigned to QA & Pass Upon passing scoping questions, requirement-specific evidences and ROC goes through QA simultaneously Both requirement-specific evidences and ROC are required to pass the QA in order to pass the evidence collection phase

Evidence Collection Templates

Evidence Templates Simplified Evidence Collection with Evidence Templates IT GRC portal with questionnaire and comprehensive set of evidence templates against each question. No need to guess about correct screen/evidence to be captured Provides good technical guidance for most of the questions

Evidence Templates (examples)

Evidence Expiration

Evidence Expiration Evidence Expiration: Is to support Business-As-Usual process To ensure continuous monitoring of security controls and periodic reviews Provides Compliance Dashboard to customers showing which evidences are still fresh or current and which are about to expire based on defined frequency Allows customers to view current evidence status and evidences due at any point of time

Evidence Expiration Evidence Expiration process: The Evidence Expiring applies only for the question(s) with "Pass" status as part of previous completed certification. Expiring evidence changes the relevant question status from "Pass" to "Incomplete Information Expiring evidence question shows up in "Customer Action Required" section under Compliance Dashboard Only Expiring evidence shows up in Upload Evidence Link

Customer Action Required

Evidence(s) Due

Evidence Expiration Process Customer uploaded evidence(s) reflect in daily Evidence Collection criticality report. [i.e., Under Evaluation criticality report] Regular review is performed and status is changed to either "Pass or Incomplete Information. Evidence status which is changed to Pass remains the same until the next defined evidence due date for resubmission. All the evidences expiration configured as per quarterly, semiannual and annual frequency.

Thank You!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback