Compliance: PCI, HIPAA, SAS70, etc' - PowerPoint PPT Presentation


PPT – Compliance: PCI, HIPAA, SAS70, etc' PowerPoint presentation | free to view - id: 1d3c40-ZWE2Y


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Compliance: PCI, HIPAA, SAS70, etc'


... network security and data protection along with State and ... procedures to employ when consumer reporting agencies send them notices of address discrepancy ... – PowerPoint PPT presentation

Number of Views:201
Avg rating:3.0/5.0
Slides: 43
Provided by: lauras71


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Compliance: PCI, HIPAA, SAS70, etc'

Compliance PCI, HIPAA, SAS70, etc.
Building an effective compliance program
Eric Wright Frank Dezort
m July 1, 2009
Your Presenters
  • Eric Wright - Shareholder
  • Eric has been involved with Information
    Technology with Schneider Downs for 26 years. He
    specializes in and oversees the design, setup,
    installation and implementation of accounting
    systems and a wide range of ERP software
    solutions for our clients. In addition, Eric has
    managed the IT component of our internal audit,
    IT compliance, and 404 engagements for some of
    this areas largest companies.
  • Frank Dezort Senior Manager
  • Frank serves as a senior manager in both the
    Technical Advisory Services and Internal Audit
    practices. Frank specializes in providing
    technology risk management, internal audit,
    Sarbanes-Oxley, internal control and compliance
    assessments, information security consulting and
    technology advisory services. Frank has over 24
    years of experience in the technology industry.

Schneider Downs Profile
  • Founded in 1956
  • Offices in Pittsburgh, Pennsylvania and Columbus,
  • Approximately 350 personnel and 29 Shareholders
  • The 46th-largest certified public accounting firm
    in the U.S. (AICPA Major Firms Division)
  • Fourth largest certified public accounting firm
    in Western Pennsylvania
  • Registered with the PCAOB
  • Founding member of IGAF Worldwide (1979)

Schneider Downs Profile
  • National firm credentials with regional firm
  • Significant SEC/PCAOB experience
  • Offer the breadth of services and professionals
    with the experience to meet registrants needs
  • Member of IGAF Worldwide, a national and
    international association of firms
  • Dedicated industry groups
  • Manufacturing
  • Construction/Real Estate
  • Transportation
  • Auto Dealers
  • Nonprofit
  • Broad base of clients
  • Private companies
  • Mid-cap public companies

Offering 75 Products and Services
Compliance 1 easy slide
Compliance Timeline
NCUA Mar, 1970
FFIEC Mar, 1979
SAS-70 Apr, 1992
CoBiT Apr, 1996
HIPAA Aug, 1996
FERPA Aug, 1974
COSO Jul, 1985
EU Data Protection Directive Oct, 1995
Compliance Timeline
201 CMR 17.00 Mass. Privacy Law Oct, 2008
CMMI Jan, 2002
FACTA Nov, 2003
TG-3 May, 2006
NSR 597.970 Jun, 2005
PCI Dec, 2004
FISMA Dec, 2002
NY SSN Law Sep, 2006
Basil II Jun, 2004
NERC CIP Aug, 2006
JSOX April, 2008
Nev SB 227 Nevada PCI Law Jan, 2010
ITILv3 May, 2007
SOX Jul, 2002
CA SB1386 Jul, 2003
ISO 27001 Oct, 2005
Full Steam Ahead
USS Compliance
  • US Congress has a number of pending bills which
    may impact the state of compliance, enforcement,
    strengthening the penalties for non-compliance.
  • Legislation is putting organizations on notice
    that gambling with compliance is about to get
    more risky and expensive
  • H.R. 1797 Dubbed the Compete Act of 2009 seeks
    to update SOX including portions containing
    provisions related to network security and data
  • Physician Payment Sunshine Act of 2009 New
    compliance burden on medical industry to monitor
    and disclose financial relationships between
    physicians and medical device and pharmaceutical
  • American Recovery and Reinvestment Act of 2009
    Title XIII Includes expanded enforcement and
    increased penalties for HIPAA compliance
  • State legislation on compliance initiatives being
    passed almost daily

New Electronic World
Public Network
ACH/Wire Transfers
  • Shopping
  • (Credit/Debit)

WHY is this Happening?
  • Change

Increased Risk
  • Reliance on IT Automation
  • Electronic Transactions

Increased Threats
  • Public Networks
  • Reliance on Third Parties
  • Data flowing beyond the walls
  • Successful Breaches
  • Global Presence

Increased Control Requirements
  • Professional Attackers
  • Attacks originate around the world
  • Knowledgeable Attackers
  • Automated controls
  • Data integrity
  • Reliance on electronic data
  • Unacceptable level of data losses

Why Increased Compliance?
  • Failure of organizations to police themselves and
    to uphold a reasonable standard for integrity and
    data security has led to federal and state
    compliance mandates.
  • Large number of data breaches and the massive
    size of the larger events (TJX, Heartland)
  • Changing of the guard in Washington brought
    renewed intensity for network security and data
    protection along with State and location
    government regulations.
  • Cyber Czar New White House Office of cyber
    security reports to the National Security Council
    and National Economic Council.

Why Increased Compliance?
  • Expansion to a global marketplace and global data
    sharing. Origin of threats has expanded to a
    world wide audience International laws lagging,
    International enforcement not defined, Foreign
    Business ethics questionable
  • For-Profit enterprises being developed to market
    and distribute/sell information obtained from
    theft of data and credentials credit card
    purchases, medical coverage, investment accounts
  • Changes in type of services offered and the way
    they are delivered

Why Increased Compliance?
  • National Security Council 60-Day Cyberspace
    Strategy Policy Review Report
  • The government, working with State and local
    partners, should identify procurement strategies
    that will incentivize the market to make more
    secure products and services available to the
  • In addition to cooperation with industry
    partnerships, the review also calls for the
    government to examine laws addressing
    cyber-security, with the White House partnering
    with Congress to ensure that there are adequate

Why Increased Compliance?
  • National Security Council 60-Day Cyberspace
    Strategy Policy Review Report
  • Additional incentive mechanisms that the
    government should explore include adjustments to
    liability considerations (reduced liability in
    exchange for improved security or increased
    liability for the consequences of poor security),
    indemnification, tax incentives, and new
    regulatory requirements and compliance mechanisms
  • Systemic loss of U.S. economic value - Industry
    estimates of losses from intellectual property to
    data theft in 2008 range as high as 1 trillion

Why Increased Compliance?
  • Banking Industry - Troubled Asset Relief Program
  • Banking regulators have said they intend to use
    the stress tests ? along with other safety and
    soundness measurement tools currently in place ?
    to gain a better understanding of a banks
    activities, financial condition and balance
    sheet, commitments and risk structure.
  • Financial institutions will face significant
    challenges as they measure and stress test their
    regulatory compliance and risk management
    programs. They will need to assess and adjust
    processes and controls to accommodate changes in
    regulatory oversight.
  • The best approach will be methodical and
    risk-based with a view toward sustaining
    compliance through changes in regulation and
    regulatory oversight.

Changes to Compliance
  • Payment Card Industry Lifecycle Process for
    Changes to Standard

Changes to Compliance
  • Federal Trade Commission Fair and Accurate Credit
    Transaction Act (FACTA) ID Theft Red Flag Rule
  • Originally applied to all financial institutions
    regulated by the Board of Governors of the
    Federal Reserve System (FRB), Federal Deposit
    Insurance Corporation (FDIC), National Credit
    Union Administration (NCUA), Office of the
    Comptroller of the Currency (OCC), Office of
    Thrift Supervision (OTS), and Federal Trade
    Commission (FTC).
  • Expanded to include FTC overseen Creditors, which
    include state-chartered credit unions, hospitals,
    utilities, mortgage brokers, auto dealers,
    Dentists, Doctors, Colleges, Universities

Changes to Compliance
  • Federal Trade Commission Fair and Accurate Credit
    Transaction Act (FACTA) ID Theft Red Flag Rule
  • Also provide guidance for users of consumer
    reports regarding reasonable policies and
    procedures to employ when consumer reporting
    agencies send them notices of address discrepancy
  • FTC delayed the enforcement date for the Identity
    Theft Red Flags Rule - this time an addition
    three months, to August 1, 2009 most covered
    entities unfamiliar with regulations
  • On August 1, we start our enforcement program and
    will be looking for high-risk entities that have
    done very little to bring themselves into
    compliance with this regulation. For those
    businesses that have in earnest worked to comply
    with the Red Flags, Betsy Broder Assistant
    Director at FTC says they'll not be focused upon
    for enforcement.

Changes to Compliance
  • American Recovery and Reinvestment Act (ARRA).
    The healthcare portion is known as the Health
    Information Technology for Economic and Clinical
    Health Act (HITECH)
  • Contains drastic changes to the Health Insurance
    Portability and Accountability Act (HIPAA). This
    new legislation has significant ramifications, in
    the following areas - enforcement, breach
    notification, implication for business associates
    and use of encryption.
  • HIPAA requires unusable, unreadable, or
    indecipherable to unauthorized individuals while
    in motion. However, healthcare organizations
    found to be distributing PHI via unsecure e-mail.
    Security breaches, even those without any
    discernible risk of harm, will be broadly
    publicized, often dictated by regulations, and
    can be financially catastrophic for non-compliant
    businesses, including a new tiered penalty
    structure ranging from 25,000 to 1.5 million.
  • Healthcare organizations and their business
    associates need to begin to address the new
    requirements in order to be compliant with the
    February deadline.

Changes to Compliance
  • Breaches Not Easy To Hide Breach of Personal
    Information Notification Act.
  • The unauthorized access and acquisition of
    computerized data that MATERIALLY compromises the
    security or confidentiality of personal
    information maintained by the entity as part of a
    database of personal information regarding
    multiple individuals and that causes or the
    entity reasonably believes has caused or will
    cause loss or injury to any resident of this
  • A sole proprietorship, partnership, corporation,
    association or other group, however organized and
    whether or not organized to operate at a profit,
    including a financial institution organized,
    chartered or holding a license or authorization
    certificate under the laws of this Commonwealth,
    any other state, the United States or any other
    country, or the parent or the subsidiary of a
    financial institution

Breach Disclosure Laws
Compliance Viewpoint
  • Compliance viewed as
  • Necessary evil
  • Projects rather than a culture of leading
  • A milestone rather than an approach
  • A checkbox rather than a strategy
  • Discreet steps versus a continuous process
  • Development of security programs specifically to
    pass a compliance test

Static Compliance Model
Compliant and done
  • Risk management should drive compliance
  • Risk and Security process that results in
    compliance by default
  • Compliant is not equal to Secure
  • Was Heartland Payment Systems PCI-DSS Compliant?
  • Was Hannaford Brothers PCI-DSS Compliant
  • Merrick Bank claims to have lost 16 million
    (Paid to Visa and MasterCard) as a result of a
    2005 breach of payment card processor CardSystems
    Solutions and is now seeking legal restitution
    from an IT company it hired to audit the
  • Compliance is a point in time

Continuous Compliance
Continuous Compliance Attributes
  • Compliance is a catalyst for improvement
  • Backing from Senior Management and BOD
  • Strategic alignment of risk management and
    control improvements included in all IT processes
  • Threats are viewed as real-time and continuous
  • Governance and risk management are viewed as
    leading practices

Key Steps to Success
  • Lay the Foundation
  • Less than one third of organizations conduct
    regular IT vulnerability and IT risk assessments
    these provide the foundation for new compliance,
    governance, or risk management initiatives. (What
    are your top 5 risks?)
  • Establish Consistent Policies
  • Less than half of organizations have established
    consistent policies for compliance and risk
    management industry frameworks such as ISO,
    ITIL, and COBIT provide reference and
    significantly accelerate the process.
  • Assign an Owner
  • Less than half of organizations have established
    an executive or team with primary ownership of IT
    compliance and risk initiatives.

Gaining Value from Compliance
  • Compliance becomes a culture rather than a
  • How will this initiative/decision/project effect
  • If it brings risks, are they quantifiable and
  • Will risk be mitigated by our current practices
    and controls or will we have to adopt more
    stringent ones?
  • Compliance is not driven by a mandate but
    contributes to a higher-level value proposition
  • Automation of controls and activities
  • Integrate into existing processes
  • Audits serve as a point-in-time validation rather
    than the reason

Optimization of Controls
  • Re-evaluate controls on a regular basis
  • Goal is to balance controls and risk
  • Challenge whether all controls are key
  • Is control necessary to achieve objective
  • Does residual risk increase if control removed
  • Is there compensating controls
  • Continue to assess the scope of the compliance
  • Limit to processes required by scope of
  • Limit to key controls within each process
  • Limit the systems and applications required to
    meet objectives

Optimization of Controls
  • Isolate the path of data through the network
  • Establish minimum access to all layers within
  • Operating system
  • Database
  • Network
  • Application
  • Segmentation of network through use of internal
    firewalls or switching technology
  • Obtain a detailed understanding from
    auditors/regulators on risks and scope of audit
    or compliance requirements
  • May not mean elimination or reduction of controls

Risk and Compliance Silos
Consolidation of Compliance
Control A
Control 1
Control B
Control 2
Control C
Control 3
Control D
Control 4
Compliance Overlap
Scope A
Control A
Control 1
Control B
Scope B
Control 2
Scope C
Control C
Control 3
Control D
Control 4
Continuous Auditing
  • Key Risk
  • Unauthorized business activities are not detected
    in a timely fashion
  • Potential Impact
  • Data theft
  • Fraud
  • Financial misstatement
  • Recommended Control Activities
  • Implement segregation of duties based on job
  • Identify key business application risks that can
    be monitored electronically (e.g. suspicious
    transactions based on thresholds)
  • Identify key system settings that should not be
    changed without authorization
  • Implement continuous monitoring software and/or
    reporting to alert management when suspicious or
    unauthorized activity takes place

Security Monitoring
  • Key Risks
  • Undetected compromise or attacks (attack
  • Failure to meet regulatory requirements (PCI,
  • Loss or disclosure of sensitive or critical
    information assets
  • Potential Impact
  • Loss of customers/clients (consumer confidence)
  • Decrease in value of organization (stock)
  • Lawsuits/fines (PCI-DSS, State, FTC)
  • Recommended Control Activities
  • Approach security as a process
  • Periodic vulnerability and penetration testing
    including wireless and application
  • Implement Intrusion Detection/Prevention
    monitoring (Managed Security Services)
  • Monitoring of security patches and alerts

Example - Lack of Monitoring
  • TJX Companies
  • Eight major U.S. retailers were allegedly hacked
    by members of an international gang with 45.7
    million payment-card records stolen. (Per SEC
  • Once inside the companies' networks, the alleged
    hackers installed "sniffer" programs that would
    capture card numbers, as well as password and
    account information, as the numbers were
    processed. According to a report in The Wall
    Street Journal in March 2007, the hackers left
    encrypted messages in the TJX systems to tell
    each other which files had been copied. Activity
    continued for 17 months.
  • TJX has said the price of the settlement deal for
    handling the breach would fall within its
    previous estimates of around 256 million.

Example - Lack of Monitoring
  • Heartland Payment Systems
  • Leading payment processing company was
    compromised by intruders that hacked into its
    computers that process 100 million payment card
    transactions per month for 175,000 merchants.
  • Intruders had access to Heartland's system for
    "longer than weeks" in late 2008 (USA Today
    Interview). Heartland was alerted to the breach
    by reports of suspicious transactions from Visa
    and MasterCard.
  • There were two elements to it, one of which was a
    keylogger that got through our firewall, Then
    subsequently it was able to propagate a sniffer
    onto some of the machines in our network. And
    those are what was actually grabbing the
    transactions as they floated over our network.

Data Privacy - Breaches
  • Source Privacy Rights Clearinghouse
  • http//
  • A listing of all reported data breaches involving
    private information in the US since 2005
  • Total number of breaches 600
  • 104 through 4 months - 2009
  • Total number or RECORDS stolen 245 million
  • Examples include public companies, private
    companies, government agencies,
    schools/universities, and not-for-profits
  • 70 of data breaches are off network devices

Progress Being Made - Breaches
  • Source Pittsburgh Post Gazette Tuesday June
    30, 2009
  • Most prolific computer hacker in U.S. history
    pleaded guilty
  • Max Ray Vision used encryption programs to
    disguise extensive hacking into financial
    institutions and data processing centers.
  • Caught with 1.8 Million stolen credit card
    accounts on his computer that resulted in a total
    amount of fraudulent purchases of 86.4 Million
  • Established CardersMarket online forum selling to

Data Privacy - Breach Examples
Data Privacy - Breach Examples
We found a file containing entire blueprints and
avionics package for Marine One, which is the
presidents helicopter.  What appears to be a
defense contractor in Bethesda, MD had a file
sharing program on one of their systems that also
contained highly sensitive blueprints for Marine
Bob Boback, CEO Tiversa
Found on a server hosted at an Iranian IP address