Vendor Management– PCI DSS, ISO 27001, EI3PA, HIPAA and FFIECBy Kishor Vaswani, CEO - ControlCase

Agenda

• About PCI DSS, ISO 27001, EI3PA and HIPAA

• Setting up a basic vendor management program

• Challenges in the vendor management space

• Q&A

1

What is Vendor Risk Management

Vendor risk management (VRM) is a comprehensive plan for identifying and decreasing potential business uncertainties and legal liabilities regarding the hiring of 3rd parties (vendors) to provide information technology (IT) products, business process outsourcing and other related services.

2

About PCI DSS, ISO 27001, EI3PA, HIPAA and FFIEC

What is PCI DSS?

Payment Card Industry Data Security Standard:

• Guidelines for securely processing, storing, or transmitting payment card account data

• Established by leading payment card issuers• Maintained by the PCI Security Standards Council

(PCI SSC)

3

What is ISO 27001/ISO 27002

ISO Standard:

• ISO 27001 is the management framework for implementing information security within an organization

• ISO 27002 are the detailed controls from an implementation perspective

4

What is EI3PA?

Experian Security Audit Requirements:

• Experian is one of the three major consumer credit bureaus in the United States

• Guidelines for securely processing, storing, or transmitting Experian Provided Data

• Established by Experian to protect consumer data/credit history data provided by them

5

What is HIPAA?

Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:• Establishes administrative, physical and technical

security and privacy standards• Applies to both healthcare providers and business

associates (3rd parties) • Attributes responsibility for monitoring HIPAA

compliance of business associates to healthcare providers

• Assessment of compliance of business associates due 09/23/13

6

Impact to Business Associates and their suppliers

• Business associates must identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective CE

• BAs must establish and define (contractually) security requirements, right to audit, incident reporting clauses with their service providers

• BAs must implement an effective monitoring/assessment process based on the nature of the data exchanged with service providers

• Be able to show due diligence/due care with respect to monitoring their supplier’s security compliance

7

CFPB/FFIEC/OCC Guidance

• Guidance provided by Consumer Financial Protection Bureau (CFPB) – Apr 2012

• Federal Deposit Insurance Corporation (FDIC) guidance issued – Sep 2013

• Office of the Comptroller of the Currency (OCC) – Oct 2013

• All of these regulations require due diligence of vendors in various areas such as risk assessments, contracts, information security, insurance and subcontracting.

8

Setting up a basic vendor management program

High Level Process

Register/Inventory vendors Categorize vendors

Map controls to categories

Create vendor risk assessment questionnaire

Create master control checklist

Distribute questionnaire to vendors

Analyze responses and attachments

Track exceptions to closure

9

Step 1 – Register/Inventory vendors

10

Step 2 – Categorize vendors

Questions to ask- What type of data do they store, process or transmit (SSN,

Card Numbers, Customer Name, Diagnosis code(s), etc.,)- Is the data in a physical and/or electronic form- What business are they in (Call Center, Recoveries, Managed

Service, Software Development, Printing, Hosting)- What risk factors exist based on Geography (North America,

Asia/Pacific, South America etc.)

11

Step 2 – Categorize vendors (continued)

Considerations:

Less exposure of disclosure/compromise = less verification (i.e., survey only)

More exposure of disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment)

12

Step 3 – Create master control checklist

• Policy Management• Vendor/Third Party Management• Asset and Vulnerability Management• Change Management and Monitoring• Incident and Problem Management• Data Management• Risk Management• Business continuity Management• HR Management• Compliance Project Management

13

Step 4 – Map controls to categories

Map controls from master list to categories based on- What is relevant to the type of data being stored processed

or transmitted (for e.g. if card data then PCI DSS may be relevant to check for vs. not)

- What is relevant from a business perspective (e.g. call centers third parties have VOIP related controls whereas software development may not)

- What is relevant from a geography perspective (e.g. background checks in USA vs. India may be different and may require testing different controls)

14

Step 5 – Create vendor risk assessment questionnaire

15

Step 6 – Distribute risk assessment questionnaire to vendors

16

Step 7 - Analyze responses and attachments

17

Step 8 – Track exceptions to closure

18

Challenges in Vendor Management Space

Challenges

• Redundant Efforts• Cost inefficiencies• Lack of dashboard• Fixing of dispositions• Reducing budgets (Do more with less)

19

ControlCase Solution

Vendor/Third Party Management

20

Management of third parties/vendors Self attestation by third parties/vendors Remediation tracking Includes BITS FISAP content

Reg/Standard Coverage area

ISO 27001 A.6, A.10

PCI 12

EI3PA 12

Why Choose ControlCase?

• Global Reach

› Serving more than 400 clients in 40 countries and rapidly growing

• Certified Resources

› Shared Assessment/BITS FISAP Assessor

› PCI DSS Qualified Security Assessor (QSA)

› QSA for Point-to-Point Encryption (QSA P2PE)

› Certified ASV vendor

› Certified ISO 27001 Assessor

› EI3PA Assessor

› SSAE16, SOC1, SOC2, SOC3 Audits

› HITRUST and HIPAA

21

To Learn More …

• Visit www.controlcase.com

• Call +1 703 483 6383 (North America)

• Call +57 1 678 3716 (South America)

• Call +44 1276 686 048 (Europe)

• Call +971 4440 5958 (Middle East & Africa)

• Call +91 982 029 3399 (Asia Pacific)

• Kishor Vaswani (CEO) – kvaswani@controlcase.com

22

Thank You for Your Time