Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

DCW – Navigating Compliance Requirements

advertisement 
Navigating
Compliance
Requirements
DCM 6.2 Regs and Codes
linford&co llp
Navigating Compliance
Requirements
Data centers may choose to comply with many different rules and regulations
such as, HIPAA, SSAE 16 (f. SAS 70), ISO, LEED, etc. We will break down the
requirements and discuss where overlaps exist, how to leverage work between
audits, and how to minimize audit impact.
Myriad of Regulations,
Frameworks and Standards
HIPAA
PCI DSS
FISMA
SSAE 16 /
SOC 1
ISO
27001
SOC 2,
SOC 3
LEED
HIPAA
• Health Insurance Portability and Accountability Act of
1996
• Privacy rule
• Security rule – Three types of safeguards
• Administrative
• Physical
• Technical
• Required vs. addressable specifications
• Why would a data center choose to be HIPAA compliant?
• House ePHI for clients
HIPAA Continued
• How to demonstrate compliance
• No HIPAA “certification”
• Self audit
• Independent audit
• Cost of compliance
• Resource to implement required policies and procedures and
perform self assessment
• Independent audit – 10K to 100K – depending on size and
complexity
• Cost of breach
FISMA
• Federal Information Security Management Act of 2002
• Requirements
•
•
•
•
Categorize information systems according to risk level (FIPS 199)
Security controls
Risk management
System security plan
• Why would a data center need to be compliant with FISMA?
• House federal agency clients or contractors to federal agencies
FISMA Continued
• How to demonstrate compliance
• No FISMA “certification”
• Independent audit
• Cost of compliance
• Resource to implement required policies and
procedures, perform risk assessment, implement
controls to remediate gaps
• Independent audit – 20K to 100K – depending on size
and complexity
ISO 27001:2005
• Information security standards published by the
International Organization for Standardization (ISO)
and the International Electrotechnical Commission
(IEC) in 2005
• Requirements
• Specifies a security management system
• Required Every three years
• Why might a data center choose to be ISO certified?
• Data center is located outside of the United States
• Data center does business with European clients
ISO 27001:2005 Continued
• How to demonstrate compliance
• Certification by an ISO Registrar
• Cost of compliance
• Readiness assessment and consultations necessary
• Separate ISO Registrar necessary
• 50K to 100K+ Every Triennial
Payment Card Industry
Data Security Standard – (PCI DSS)
• Created by credit card companies to protect
cardholder data
• Requirements
• 12 PCI DSS requirements
• Service dependent
• Why might a data center choose to be PCI certified?
• Have credit card merchants or PSPs for clients
• Client requirements
PCI DSS Continued
• How to demonstrate compliance
• Self assessment questionnaires (SAQ)
• PCI Report of Compliance (ROC)
• Listing on Credit Card Company’s Directory
• Cost of compliance
• Only QSAs Can Perform
• 15K to 100K+ Per Annum
LEED System
• LEED - Leadership in Energy and Environmental Design –
Designed by the US Green Building Council in 1998.
• Requirements
• Voluntary
• Energy efficiency evaluation
• Four categories (Certified, Silver, Gold, and Platinum)
• Why might a data center choose to be LEED certified?
• Lower operating costs and increased asset value
• Demonstrate energy efficiency to clients and prospects
• Qualify for tax rebates, zoning allowances and other incentives
LEED Continued
• How to demonstrate compliance
• Project must satisfy LEED prerequisites and earn a minimum of 40
points on a 110 point LEED rating scale
• Independent, third party verification that a company meets LEED
• Cost of compliance
• Implement LEED prerequisites to earn enough points to satisfy
desired level of LEED certification – cost varies by project
• Certifications fees vary by project size, the average cost is $2000
Service Organization Control
Audits - SOC 1, 2, 3
• SOC 1 / SSAE 16 – (f. SAS 70) – Statement on Standards for
Attestation Engagements
• Internal Controls over Financial Reporting (ICFR)
• SOC 2 and SOC 3
• Security, Availability, Processing Integrity, Confidentiality, or
Privacy
• Detailed vs High-Level
• Why might a data center choose to obtain a SOC report?
• Hosting General Ledger or ERP Systems
• User Auditors’ Requirement
SOC 1, 2, 3 Continued
• How to demonstrate compliance
• Internal Controls In Place
• Design Effectiveness
• Operating Effectiveness
• Cost of compliance
• Only CPA Firms with Specialists Can Perform
• 15K – $1M+ Per Annum
Ways to Demonstrate Compliance
• Internal Testing
• Independent Audits
• Various External Audits
Cost of Compliance
• Expensive
• Value Judgment
• How much is the customer or potential customer worth to
company?
• How much are lost or failed opportunities worth?
• Quality of Audit Firm
• Reports must be accepted by user organizations
• Get it right the first time
• Questions to ask…
Framework Overlap
• Many of the regulations and frameworks overlap
• How to demonstrate compliance
• One audit, multiple reports
Framework Overlap
HIPAA
PCI
FISMA
SOC 2
Information
Security Policy
X
X
X
X
Logical Access
X
X
X
X
Physical Access
X
X
X
X
Encryption
X
X
X
X
Employee Sanction
X
Risk Assessment
X
X
X
X
Antivirus
X
X
X
X
Logging
X
X
X
Framework Drilldown
• Risk management is a common theme within many
information security standards
• HIPAA - 164.308(a)(1)(ii)(A)
• FISMA - §3544(a)(b)(1)
• ISO 27001 – Clause 4.2.1
• SOC 2 – 3.1 within the Security, Availability,
Processing Integrity, and Confidentiality Trust
Services Principles
• PCI – 12.2.1
Sample Risk Assessment
Scale 1 to 5
2
1
1
1
1
1
1
1
2
2
1
1
2
1
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Safeguard
Availability
HUMAN
Explosion
Burglary/Extortion
Vandalism
Bomb Threat
Terrorism
Riots/Civil Disturbance
Work Stoppage
Data Entry
Improper Handling of Sensitive Data
Unauthorized Access to Data/Theft
Malicious Damage/Destruction of Software/Hardware
Unauthorized Physical Access
Unauthorized Modification of Software/Hardware
Virus/Worm/Malicious code
Impact
Integrity
Likelihood
Confidentiality
Threat Sources
X
X User awareness and physical access controls
User awareness and physical access controls
X Emergency operations procedures
User awareness and physical access controls
User awareness and physical access controls
Emergency operations procedures
Error Auditing
User awareness training, physical & technical access controls
X Physical & technical access controls, firewall, IDS
X Physical & technical access controls, firewall, IDS
X Physical access controls, user awareness, visitor sign-in procedures
X Access control & auditing procedures
X Physical & technical access controls, firewall, IDS, Workstation Security
Tips for Successfully Passing an
Audit
1. Have one or more established, positive, goals
2. Establish expectations with training
3. Evaluate your strengths, assess your weaknesses,
identify your exposures
4. Review prior audit results
5. Practice, practice, practice
Tips for Successfully Passing an
Audit – Cont.
6. Copy when you can
7. Be ready to respond as issues arise
8. Coaching staff
9. Document and train on processes
10. Have fun!
Thank You
Newel Linford and Robert Pierce
newel@linfordco.com
rob@linfordco.com
www.linfordco.com
linford&co llp
Related documents
LEED Presentation 2 from 2/14/13 Meeting
LEED Presentation 2 from 2/14/13 Meeting
Green Building
Green Building
Looking Green & Being Green Using Sustainable Construction
Looking Green & Being Green Using Sustainable Construction
ISO 27002 vs PCI DSS 3.0
ISO 27002 vs PCI DSS 3.0
Implementation of an Enterprise-Wide Risk Management Framework
Implementation of an Enterprise-Wide Risk Management Framework
Menzies Residence “Sage Lodge” 3807 N. Elkridge Trail, Eden, UT
Menzies Residence “Sage Lodge” 3807 N. Elkridge Trail, Eden, UT
Evolution of an Automated Internal Audit Management System
Evolution of an Automated Internal Audit Management System
Audit Poster - BSG Colonoscopy Audit
Audit Poster - BSG Colonoscopy Audit
Cubilis by Stardekk
Cubilis by Stardekk
LGFMA Presentation - Internal Audit Program Model
LGFMA Presentation - Internal Audit Program Model
FAQs - Research Computing
FAQs - Research Computing
Download
advertisement