Putting the Pieces Together: Leveraging Current Audits to Solve the HITRUST Puzzle

Presenter: Gene Geiger, A-LIGN Partner - HITRUST Practitioner, CPA, CISSP, CCSK, QSA, PCIP, ISO 27K LA


Agenda
Compliance landscape
Audit focus
Audit consolidation
Implementation steps
Leveraging MyCSF features

Compliance Landscape
HIPAA/HITECH
PCI DSS
FISMA/FedRAMP
ISO 27001
SSAE 16/SOC 2
Vendor audits
HITRUST

Audit Focus
Why do we undergo audits?
Risk mitigation
Data protection
Brand protection
Contractual obligations
Legal/regulatory requirements
Competitive advantage
All audits have similar goals.

Audit Focus
HITRUST | PCI DSS | SOC 2 | FISMA
01. Access control | Requirement 7: Restrict access to cardholder data by business need to know | CC5.0 Common criteria related to logical and physical access controls | AC-1 Access controls
02. Human resource security | Requirement 12: Maintain a policy that addresses information security for all personnel | CC1.0 Common criteria related to organization and management | PS Personnel security
03. Risk management | Requirement 12: Maintain a policy that addresses information security for all personnel | CC3.0 Common criteria related to risk management and design and implementation of controls | RA Risk assessment

Audit Leverage
Goal:
Reduce audit impact on the company
Develop a consolidated approach
Improve management oversight
Benefits:
Easier adoption/understanding of audits
Better socialized risk mitigation strategy
Reduces audit fatigue
Potential to reduce cost

Implementation Steps
What is your compliance landscape?
Which audits are you subject to?
What is your HITRUST audit requirement?
What is the current HITRUST implementation timeline?
Develop a plan.

Implementation Steps
Step 1: Leverage what you are already doing
Align audit times
Align audit teams
Create evidence repository
Audit once, report many times

Implementation Steps
Step 2: Map your controls across audits
Document controls that satisfy the broadest audit criteria
Tools: MS Excel, MyCSF subscription, GRC tool

Implementation Steps
Step 3: Standardize the audit evidence
Policies across multiple controls
Utilize evidence for multiple audits
Document evidence names to quickly identify year over year

Implementation Steps
Step 4: Develop internal monitoring program
Audit calendar
Internal audits
Exception reporting
Vulnerability scans
Patch management
Culture of information security
Plan, Develop, Execute

Leveraging MyCSF Features
MyCSF annual subscription
Documentation/evidence repository
Controls documented
Mapping of controls: CSF Control Standard Mapping; MyCSF Related Standards tab
Administrative and Scoping Information: Organization information; Asset inventory; Location inventory

Examples: HITRUST with PCI DSS
HITRUST 08.b Physical Entry Controls - Physical access rights are reviewed every 90 days and updated accordingly.
PCI 9.3 Control physical access for onsite personnel to the sensitive areas as follows: Access must be authorized and based on individual job function.
PCI 9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
PCI 9.4.3 Control physical access for onsite personnel to the sensitive areas as follows: Access must be authorized and based on individual job function.
PCI 9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.

Examples: HITRUST with FISMA
HITRUST 01.a Access Control Policy - Logical and physical access control rules and rights for each user or group of users for each application are considered together and clearly defined in standard user access profiles (e.g. roles) based on need-to-know, need-to-share, least privilege, and other relevant requirements.
AC-1 Access Control Policy and Procedures - The organization develops, disseminates, and reviews/updates [Assignment: organization defined frequency]: a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

Examples: HITRUST with SOC 2
HITRUST 00.a Information Security Management Program - An Information Security Management Program (ISMP) shall be documented that addresses the overall Security Program of the organization. Management support for the ISMP shall be demonstrated through signed acceptance or approval by management. The ISMP shall consider all the HITRUST Control Objectives and document any excluded control domains and the reasons for their exclusion. The ISMP shall be updated at least annually or when there are significant changes in the environment.
CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].
CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation.
CC1.3 Personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring of the system affecting [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] have the qualifications and resources to fulfill their responsibilities.

Questions? 888.702.5446 | www.a-lign.com | info@a-lign.com