Vendor Management– PCI DSS, ISO 27001, EI3PA and HIPAABy Kishor Vaswani, CEO - ControlCase
Agenda
• About PCI DSS, ISO 27001, EI3PA and HIPAA
• Setting up a basic vendor management program
• Challenges in the vendor management space
• Q&A
1
What is Vendor Risk Management
Vendor risk management (VRM) is a comprehensive plan for identifying and decreasing potential business uncertainties and legal liabilities regarding the hiring of 3rd parties (vendors) to provide information technology (IT) products, business process outsourcing and other related services.
2
About PCI DSS, ISO 27001, EI3PA and HIPAA
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers• Maintained by the PCI Security Standards Council
(PCI SSC)
2
What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for implementing information security within an organization
• ISO 27002 are the detailed controls from an implementation perspective
6
What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer credit bureaus in the United States
• Guidelines for securely processing, storing, or transmitting Experian Provided Data
• Established by Experian to protect consumer data/credit history data provided by them
4
What is HIPAA?
Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:• Establishes administrative, physical and technical
security and privacy standards• Applies to both healthcare providers and business
associates (3rd parties) • Attributes responsibility for monitoring HIPAA
compliance of business associates to healthcare providers
• Assessment of compliance of business associates due 09/23/13
4
Setting up a basic vendor management program
High Level Process
Register/Inventory vendors Categorize vendors
Map controls to categories
Create vendor risk assessment questionnaire
Create master control checklist
Distribute questionnaire to vendors
Analyze responses and attachments
Track exceptions to closure
Step 1 – Register/Inventory vendors
Step 2 – Categorize vendors
Questions to ask- What type of data do they store, process or transmit (SSN,
Card Numbers, Customer Name, Diagnosis code(s), etc.,)- Is the data in a physical and/or electronic form- What business are they in (Call Center, Recoveries, Managed
Service, Software Development, Printing, Hosting)- What risk factors exist based on Geography (North America,
Asia/Pacific, South America etc.)
Step 2 – Categorize vendors (continued)
Considerations:
Less exposure of disclosure/compromise = less verification (i.e., survey only)
More exposure of disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment)
Step 3 – Create master control checklist
• Policy Management• Vendor/Third Party Management• Asset and Vulnerability Management• Change Management and Monitoring• Incident and Problem Management• Data Management• Risk Management• Business continuity Management• HR Management• Compliance Project Management
Step 4 – Map controls to categories
Map controls from master list to categories based on- What is relevant to the type of data being stored processed
or transmitted (for e.g. if card data then PCI DSS may be relevant to check for vs. not)
- What is relevant from a business perspective (e.g. call centers third parties have VOIP related controls whereas software development may not)
- What is relevant from a geography perspective (e.g. background checks in USA vs. India may be different and may require testing different controls)
Step 5 – Create vendor risk assessment questionnaire
Step 6 – Distribute risk assessment questionnaire to vendors
Step 7 - Analyze responses and attachments
18 / 32
Step 8 – Track exceptions to closure
19 / 32
Challenges in Vendor Management Space
Challenges
• Redundant Efforts• Cost inefficiencies• Lack of dashboard• Fixing of dispositions• Reducing budgets (Do more with less)
21
ControlCase Solution
Vendor/Third Party Management
12
Management of third parties/vendors Self attestation by third parties/vendors Remediation tracking Includes BITS FISAP content
Reg/Standard Coverage area
ISO 27001 A.6, A.10
PCI 12
EI3PA 12
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly
growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessment Department
› EI3PA Assessor
23
To Learn More About PCI Compliance or Data Discovery…
• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)
• Kishor Vaswani (CEO) –
24
Thank You for Your Time
Top Related