Vendor Risk Management for PCI DSS, ISO 27001, EI3PA and HIPAA

Vendor Management– PCI DSS, ISO 27001, EI3PA and HIPAABy Kishor Vaswani, CEO - ControlCase

Agenda

• About PCI DSS, ISO 27001, EI3PA and HIPAA

• Setting up a basic vendor management program

• Challenges in the vendor management space

• Q&A

1

What is Vendor Risk Management

Vendor risk management (VRM) is a comprehensive plan for identifying and decreasing potential business uncertainties and legal liabilities regarding the hiring of 3rd parties (vendors) to provide information technology (IT) products, business process outsourcing and other related services.

2

About PCI DSS, ISO 27001, EI3PA and HIPAA

What is PCI DSS?

Payment Card Industry Data Security Standard:

• Guidelines for securely processing, storing, or transmitting payment card account data

• Established by leading payment card issuers• Maintained by the PCI Security Standards Council

(PCI SSC)

2

What is ISO 27001/ISO 27002

ISO Standard:

• ISO 27001 is the management framework for implementing information security within an organization

• ISO 27002 are the detailed controls from an implementation perspective

6

What is EI3PA?

Experian Security Audit Requirements:

• Experian is one of the three major consumer credit bureaus in the United States

• Guidelines for securely processing, storing, or transmitting Experian Provided Data

• Established by Experian to protect consumer data/credit history data provided by them

4

What is HIPAA?

Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:• Establishes administrative, physical and technical

security and privacy standards• Applies to both healthcare providers and business

associates (3rd parties) • Attributes responsibility for monitoring HIPAA

compliance of business associates to healthcare providers

• Assessment of compliance of business associates due 09/23/13

4

Setting up a basic vendor management program

High Level Process

Register/Inventory vendors Categorize vendors

Map controls to categories

Create vendor risk assessment questionnaire

Create master control checklist

Distribute questionnaire to vendors

Analyze responses and attachments

Track exceptions to closure

Step 1 – Register/Inventory vendors

Step 2 – Categorize vendors

Questions to ask- What type of data do they store, process or transmit (SSN,

Card Numbers, Customer Name, Diagnosis code(s), etc.,)- Is the data in a physical and/or electronic form- What business are they in (Call Center, Recoveries, Managed

Service, Software Development, Printing, Hosting)- What risk factors exist based on Geography (North America,

Asia/Pacific, South America etc.)

Step 2 – Categorize vendors (continued)

Considerations:

Less exposure of disclosure/compromise = less verification (i.e., survey only)

More exposure of disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment)

Step 3 – Create master control checklist

• Policy Management• Vendor/Third Party Management• Asset and Vulnerability Management• Change Management and Monitoring• Incident and Problem Management• Data Management• Risk Management• Business continuity Management• HR Management• Compliance Project Management

Step 4 – Map controls to categories

Map controls from master list to categories based on- What is relevant to the type of data being stored processed

or transmitted (for e.g. if card data then PCI DSS may be relevant to check for vs. not)

- What is relevant from a business perspective (e.g. call centers third parties have VOIP related controls whereas software development may not)

- What is relevant from a geography perspective (e.g. background checks in USA vs. India may be different and may require testing different controls)

Step 5 – Create vendor risk assessment questionnaire

Step 6 – Distribute risk assessment questionnaire to vendors

Step 7 - Analyze responses and attachments

18 / 32

Step 8 – Track exceptions to closure

19 / 32

Challenges in Vendor Management Space

Challenges

• Redundant Efforts• Cost inefficiencies• Lack of dashboard• Fixing of dispositions• Reducing budgets (Do more with less)

21

ControlCase Solution

Vendor/Third Party Management

12

Management of third parties/vendors Self attestation by third parties/vendors Remediation tracking Includes BITS FISAP content

Reg/Standard Coverage area

ISO 27001 A.6, A.10

PCI 12

EI3PA 12

Why Choose ControlCase?

• Global Reach

› Serving more than 400 clients in 40 countries and rapidly

growing

• Certified Resources

› PCI DSS Qualified Security Assessor (QSA)

› QSA for Point-to-Point Encryption (QSA P2PE)

› Certified ASV vendor

› Certified ISO 27001 Assessment Department

› EI3PA Assessor

23

To Learn More About PCI Compliance or Data Discovery…

• Visit www.controlcase.com

• Call +1.703.483.6383 (US)

• Call +91.9820293399 (India)

• Kishor Vaswani (CEO) –

kvaswani@controlcase.com

24

Thank You for Your Time