Vendor Management– PCI DSS, ISO 27001, EI3PA, HIPAA and FFIEC By Kishor Vaswani, CEO - ControlCase
Dec 05, 2014
Vendor Management– PCI DSS, ISO 27001, EI3PA, HIPAA and FFIECBy Kishor Vaswani, CEO - ControlCase
Agenda
• About PCI DSS, ISO 27001, EI3PA and HIPAA
• Setting up a basic vendor management program
• Challenges in the vendor management space
• Q&A
1
What is Vendor Risk Management
Vendor risk management (VRM) is a comprehensive plan for identifying and decreasing potential business uncertainties and legal liabilities regarding the hiring of 3rd parties (vendors) to provide information technology (IT) products, business process outsourcing and other related services.
2
About PCI DSS, ISO 27001, EI3PA, HIPAA and FFIEC
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers• Maintained by the PCI Security Standards Council
(PCI SSC)
3
What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for implementing information security within an organization
• ISO 27002 are the detailed controls from an implementation perspective
4
What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer credit bureaus in the United States
• Guidelines for securely processing, storing, or transmitting Experian Provided Data
• Established by Experian to protect consumer data/credit history data provided by them
5
What is HIPAA?
Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:• Establishes administrative, physical and technical
security and privacy standards• Applies to both healthcare providers and business
associates (3rd parties) • Attributes responsibility for monitoring HIPAA
compliance of business associates to healthcare providers
• Assessment of compliance of business associates due 09/23/13
6
Impact to Business Associates and their suppliers
• Business associates must identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective CE
• BAs must establish and define (contractually) security requirements, right to audit, incident reporting clauses with their service providers
• BAs must implement an effective monitoring/assessment process based on the nature of the data exchanged with service providers
• Be able to show due diligence/due care with respect to monitoring their supplier’s security compliance
7
CFPB/FFIEC/OCC Guidance
• Guidance provided by Consumer Financial Protection Bureau (CFPB) – Apr 2012
• Federal Deposit Insurance Corporation (FDIC) guidance issued – Sep 2013
• Office of the Comptroller of the Currency (OCC) – Oct 2013
• All of these regulations require due diligence of vendors in various areas such as risk assessments, contracts, information security, insurance and subcontracting.
8
Setting up a basic vendor management program
High Level Process
Register/Inventory vendors Categorize vendors
Map controls to categories
Create vendor risk assessment questionnaire
Create master control checklist
Distribute questionnaire to vendors
Analyze responses and attachments
Track exceptions to closure
9
Step 1 – Register/Inventory vendors
10
Step 2 – Categorize vendors
Questions to ask- What type of data do they store, process or transmit (SSN,
Card Numbers, Customer Name, Diagnosis code(s), etc.,)- Is the data in a physical and/or electronic form- What business are they in (Call Center, Recoveries, Managed
Service, Software Development, Printing, Hosting)- What risk factors exist based on Geography (North America,
Asia/Pacific, South America etc.)
11
Step 2 – Categorize vendors (continued)
Considerations:
Less exposure of disclosure/compromise = less verification (i.e., survey only)
More exposure of disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment)
12
Step 3 – Create master control checklist
• Policy Management• Vendor/Third Party Management• Asset and Vulnerability Management• Change Management and Monitoring• Incident and Problem Management• Data Management• Risk Management• Business continuity Management• HR Management• Compliance Project Management
13
Step 4 – Map controls to categories
Map controls from master list to categories based on- What is relevant to the type of data being stored processed
or transmitted (for e.g. if card data then PCI DSS may be relevant to check for vs. not)
- What is relevant from a business perspective (e.g. call centers third parties have VOIP related controls whereas software development may not)
- What is relevant from a geography perspective (e.g. background checks in USA vs. India may be different and may require testing different controls)
14
Step 5 – Create vendor risk assessment questionnaire
15
Step 6 – Distribute risk assessment questionnaire to vendors
16
Step 7 - Analyze responses and attachments
17
Step 8 – Track exceptions to closure
18
Challenges in Vendor Management Space
Challenges
• Redundant Efforts• Cost inefficiencies• Lack of dashboard• Fixing of dispositions• Reducing budgets (Do more with less)
19
ControlCase Solution
Vendor/Third Party Management
20
Management of third parties/vendors Self attestation by third parties/vendors Remediation tracking Includes BITS FISAP content
Reg/Standard Coverage area
ISO 27001 A.6, A.10
PCI 12
EI3PA 12
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› Shared Assessment/BITS FISAP Assessor
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessor
› EI3PA Assessor
› SSAE16, SOC1, SOC2, SOC3 Audits
› HITRUST and HIPAA
21
To Learn More …
• Visit www.controlcase.com
• Call +1 703 483 6383 (North America)
• Call +57 1 678 3716 (South America)
• Call +44 1276 686 048 (Europe)
• Call +971 4440 5958 (Middle East & Africa)
• Call +91 982 029 3399 (Asia Pacific)
• Kishor Vaswani (CEO) – [email protected]
22
Thank You for Your Time