2018 01-25 Introduction to PCI and HIPAA Compliance

Thrive. Grow. Achieve.
Is it time for a Security
and Compliance
Assessment?
Nate Solloway
January 25, 2018

ATTENDEES WILL LEARN:
• Everyone has something to protect
• Compliance Definitions
• State, Federal, and Private Security and Compliance Requirements
• Considerations and Actions to Improve Security and Compliance
– Password Policies
– Mobile Device Management & BYOD
– Process and People Management
• Security tools
– Virus and Spam Management
– Unified Threat Management and Intrusion Detection
– Data Management
– Encryption
– Archiving and data back up
• How Cloud Computing Can Help You Achieve Security and Compliance Goals?
– Defense in Depth
• How Raffa Can Assist You?
HIPAA
GLBA
FISMA
PCI
SOX
FINRA
Notice of Security
Breach
State Laws
Is it time for a Security and Compliance Assessment? Page 2

AGENDA
THE ESSENTIALS OF PCI AND HIPAA COMPLIANCE
The Essentials of Teaching

NASBA ESSENTIALS
The Essentials of Teaching
COURSE UPDATE DATE: JANUARY 24, 2018
COURSE REVIEWED BY: SETH ZARNY
COURSE REVIEW DATE: JANUARY 24, 2018
NASBA FIELD OF STUDY: INFORMATION
TECHNOLOGY

EVERYONE HAS SOMETHING TO
PROTECT
• Intellectual Property
• Human Resources Information
• Your Financial Data
• Your Customer Databases
• Your Customer’s Data
• Marketing and Sales Data
It’s not Just About
compliance with
state and federal
regulations.
It’s about
protecting your
company, your
employees and
your customers
Page 5Is it time for a Security and Compliance Assessment?
Financial
Healthcare Legal
Professional Services

COMPLIANCE DEFINITIONS
Definitions are
generally accepted
by most states
However,
exceptions do
exist on a state by
state basis
Page 6
Personal Information: An individual’s first name or first initial and last name plus
one or more of the following data elements:
1. Social Security number,
2. Driver’s license number or state- issued ID card number
3. Account number, credit card number or debit card number combined with any
security code, access code, PIN or password needed to access an account and
generally applies to computerized data that includes personal information.
Personal Information shall not include publicly available information that is lawfully
made available to the general public from federal, state or local government
records, or widely distributed media. In addition, Personal Information shall not
include publicly available information that is lawfully made available to the general
public from federal, state, or local government records.
Breach of Security: The unlawful and unauthorized acquisition of personal
information that compromises the security, confidentiality, or integrity of personal
information.
DEFINITIONS
Is it Time for a Security and Compliance Assessment?

FEDERAL, STATE & PRIVATE
REQUIREMENTS
It is important to
understand that
these laws don’t
only apply to
health and
financial
institutions.
Page 7
HIPAA: Health Insurance Portability and Accountability Act, a US law designed to
provide privacy standards to protect patients' medical records and other health
information provided to health plans, doctors, hospitals and other health care providers.
Developed by the Department of Health and Human Services, these new standards
provide patients with access to their medical records and more control over how their
personal health information is used and disclosed. They represent a uniform, federal floor
of privacy protections for consumers across the country. State laws providing additional
protections to consumers are not affected by this new rule.
The Gramm-Leach-Bliley Act: (GLB Act or GLBA), is a federal law enacted to control
the ways that financial institutions deal with the private information of individuals. The Act
consists of three sections:
1. The Financial Privacy Rule, which regulates the collection and disclosure of private
financial information
2. The Safeguards Rule, which stipulates that financial institutions must implement
security programs to protect such information
3. The Pretexting provisions, which prohibit the practice of pretexting (accessing private
information using false pretenses).
The Act also requires financial institutions to give customers written privacy notices that
explain their information-sharing practices.

REQUIREMENTS
It is important to
understand that
these laws don’t
only apply to
health and
financial
institutions.
Page 8
HIPAA: Health Insurance Portability and Accountability Act, a US law designed to
provide privacy standards to protect patients' medical records and other health
information provided to health plans, doctors, hospitals and other health care providers.
Developed by the Department of Health and Human Services, these new standards
provide patients with access to their medical records and more control over how their
personal health information is used and disclosed. They represent a uniform, federal floor
of privacy protections for consumers across the country. State laws providing additional
protections to consumers are not affected by this new rule.
The Gramm-Leach-Bliley Act: (GLB Act or GLBA), is a federal law enacted to control
the ways that financial institutions deal with the private information of individuals. The Act
consists of three sections:
1. The Financial Privacy Rule, which regulates the collection and disclosure of private
financial information
2. The Safeguards Rule, which stipulates that financial institutions must implement
security programs to protect such information
3. The Pretexting provisions, which prohibit the practice of pretexting (accessing private
information using false pretenses).
The Act also requires financial institutions to give customers written privacy notices that
explain their information-sharing practices.

REQUIREMENTS
The Payment Card
Industry Council
established rules
governing how
credit card data
would be secured
Page 9
Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a
standard that all organizations, including online retailers, must follow when storing,
processing and transmitting their customer's credit card data.
The Data Security Standard (DSS) was developed and the standard is maintained by
The Payment Card Industry Security Standards Council (PCI SSC). To be PCI
complaint companies must use a firewall between wireless networks and their cardholder
data environment, use the latest security and authentication such as WPA/WPA2 and
also change default settings for wired privacy keys, and use a network intrusion detection
system.
The PCI DSS standard, as of September 2009 (DSS v 1.2), includes 12 requirements for
best security practices
PRIVATE REQUIREMENTS
Payment Card Industry (PCI) Data Security Standard (DSS)

REQUIREMENTS
State laws may
have different
definitions and
broader
requirements than
federal law
Page10
• Definition for “Personal Information” is Broader than the General Definition
• Trigger Notification byAccess
• Require a Risk of HarmAnalysis
• Require Notice to Attorney General or State Agency
• Require Notification Within a Specific Time Frame
• Permit a Private Cause ofAction
• Have an Encryption Safe Harbor
• The Statute is Triggered By a Breach of Security
in Electronic and/or Paper Records
TYPES OF VARIANCES IN STATE LAWS

SECURITY CONSIDERATIONS AND
ACTIONS
Strong password
policy is the first
line of defense
against a data
breach
Page
STRONG PASSWORD POLICIES
Risk: A poorly chosen password may result in unauthorized access and/or exploitation of
company resources. In 2013 Verizon stated that 90% of successful breaches started with a
weak or default password. The increasing strength of password cracking programs
significantly increases the risk associated with poor or weak passwords.
Benefit: Strong password policies help to reduce the risk of a breach. Policies should also
provide guidance to reduce the risk of human error breaches. Strong passwords should
meet these standards at a minimum:
• Lower case characters
• Upper case characters
• Numbers
• "Special characters"(@#$%^&*()_+|~-=`{}[]:";'<>/)
• Contain at least 12 but preferably 15 characters.

ACTIONS
If email or other
company data is
stored on mobile
devices they must
be managed.
Is it Time for a Security and Compliance Assessment? Page
MOBILE DEVICE MANAGEMENT
The solution allows for password management and the ability to wipe of all data if the
device if lost or stolen. Solutions exist for laptops, tablets and smart phones.
Risk: Users cannot be trusted to always do the right thing. Has the potential for conflict
between employees and employers.
Benefit: MDM solutions offer the ability to wipe lost or stolen assets to protect sensitive
information from falling into the wrong hands. One benefit of a clearly stated policy is a
reduction of possible remote wipe disagreements.

ACTIONS
A clear written
policy regarding
BYOD needs to be
in place and
acknowledged by
employees.
Is it Time for a Security and Compliance Assessment? Page13
MOBILE DEVICE MANAGEMENT – BRING YOUR OWN DEVICE (BYOD)
Risk: BYOD security becomes complicated since the devices are personally owned.
Focus should be to restrict what employees are allowed to have on the BYOD
devices.
Benefit: MDM solutions offer the ability to segment BYOD devices so that it is easy to
secure or delete company information off of personal devices, without affecting the user’s
personal data.
BYOD is becoming popular for companies as a way to reduce costs for mobile devices
and keep employees happy. Companies need to have clearly-defined BYOD policies that
employees need to acknowledge in writing. A clear policy must be created and
communicated to all.

ACTIONS
Security is as
much about
people and good
process and well
documented policy
as it is about your
IT infrastructure
Is it Time for a Security and Compliance Assessment? Page 14
PROCESS AND PEOPLE MANAGEMENT

ACTIONS
Security is as
much about
people and good
process and well
documented policy
as it is about your
IT infrastructure
PROCESS AND PEOPLE MANAGEMENT
• Establish a security and compliance
group within the company
• Put in place a clear set of company security
policies
• Build role-based access to applications
• Create management systems for admin
logins and passwords
• Eliminate shared logins/accounts
• Create and adhere to a stringent staff on
boarding off boarding processes & checklists

ACTIONS
Set your security
expectations on
day one with
security policy and
training.
• Set up your accounts in Active Directory and make sure all
• Cloud applications are SAML, ADFS, WS-Fed or O Auth
authenticated
• Use unique identifiers when creating new employee accounts
• Maintain a distribution list to announce new hires
• Run a system audit when employees change departments
• Set the security expectation during the on-boarding process
• Initial and on-going training
Good Security Practices Start on Day One

ACTIONS
Make sure you
have an off
boarding plan that
covers all aspects
of the employees
relationship with
the company
Adhere to a strict employee off-boarding checklist
• Plan for the “two-weeks notice”
• Maintain distribution list for terminations
• Direct the email account of a departing employee to
his/her manager
• Terminate all employee accounts
• Review the applications saved in your employee’s
single sign-on portal
• Make sure to collect all company assets: laptops,
phones, ID badges, software, etc.

SECURITY TOOLS
Security tools
include protection
against viruses,
spyware, and
malware for both
the network and
it’s endpoints.
EMAIL AV (Antivirus & Antispyware)
Scans incoming email for known malicious software, spam and phishing content.
Updates signatures on threats similar to traditional antimalware software.
Risk: Email is the primary entry point for virus and malware, protection here is crucial
to the stability of data integrity & usability.
Benefit: An ounce of prevention is worth a pound of cure - solutions that block hostile
emails before employees can open dangerous attachments is a smart business tool to
utilize. This is focused on the prevention of malware infections or ID theft.

SECURITY TOOLS
Security tools
include protection
against viruses,
spyware, and
malware for both
the network and
it’s endpoints.
SECURITY TOOLS
Antimalware/Antivirus/Anti spyware – Desktop & Server
Software that searches for, removes and prevents the installation of known malicious
software from desktops and laptops and servers.
Risk: Not having antimalware software installed and updated is a sign of negligent
business practices.
Benefit: A crucial layer of protection to keep data and networks secure.
Hosted based firewall
A host based firewall is designed to run on individual workstations and provide rules on
connecting to outside networks.
Risk: Roaming laptops do not have the protection of network firewalls and other
network based security controls.
Benefit: Provides protection for laptops when they are not connected the corporate
network.

SECURITY TOOLS
A basic firewall
Provides
absolutely no
threat detection.
Firewalls allow
and block traffic,
and cannot
respond to
evolving threats
ADVANCE FIREWALL + UTM (Unified Threat Management)
Primary network gateway defense solution for the business community. Solutions evolved
from the traditional firewall, becoming an all-inclusive security appliance that can perform
multiple functions. Combines network firewalling and any of the following: antivirus (AV),
gateway anti-spam, VPN, content filtering, load balancing, data leak prevention and on-
appliance reporting.
Risk: As malware becomes more advanced, not having the tools to identify or block
attacks can leave a business open for attack.
Benefit: Provides a cost-effective, yet comprehensive threat- vector protection. All-in-one
solution provides tighter security tool integration.

SECURITY TOOLS
A basic firewall
Provides
absolutely no
threat detection.
Firewalls allow
and block traffic,
and cannot
respond to
evolving threats
IPS/IDS (Intrusion Protection System/Intrusion Detection System)
Monitors networks for malicious activity; stops, blocks, and reports. Looks for patterns
and matches to known vulnerabilities (included in advanced firewall and UTM platforms)
Risk: As malware becomes more advanced, not having the tools to identify or block
attacks can leave a business open for attack.
Benefit: IPS/IDS solutions help prevent attacks from advanced threats that are able to
bypass traditional firewalls and antimalware solutions.

SECURITY TOOLS
Data files should
be encrypted
both at rest and
during transport.
The way data is
shared has to be
carefully
managed.
Work is an
activity not a
place.
DATA FILE ENCRYPTION
Data file encryption encrypts files and folders selected to be encrypted both on the fly and
at rest.
Risk: Lost or stolen assets are easy to get access to. Once an unauthorized party has
access to the system, all the data on the device can be accessed if it is not encrypted.
Benefit: Provides an additional layer of protection by preventing data from being
accessed by unauthorized parties.

SECURITY TOOLS
Policy based
encryption for
email ensures
that email
containing
sensitive
information are
protected.
EMAIL ENCRYPTION
Email encryption uses either public key or private key encryption to prevent the email
contents from being viewed by anyone except the intended recipients.
Risk: Users routinely send files to the wrong recipients and recipients sometimes
forward on files when they should not. Without encrypted email, one the email is sent,
there is no way to manage who can access it.
Benefit: Provides an additional layer of protection by preventing data from being
accessed by unauthorized parties.

SECURITY TOOLS
Compliant Email
archiving
provides
eDiscovery and
can save
companies time
and money
EMAIL ARCHIVING
The act of preserving and making searchable all email to/from an individual. Email
archiving solutions capture Email content directly from the email application or during the
transmission process.
Risk: Depending on the industry, your company may have a legal requirement to
maintain documents for a certain period of time.
Benefit: In regulated industries, this helps the organization comply with applicable
regulations. It also helps manage old, but possibly important emails that may need to be
accessed in the future.

SECURITY TOOLS
Effect data
backup will allow
a company to
continue to
operate from
anywhere in the
event of a
disaster
BACKUP DATA & RECOVERY
This involves the copying and archiving of computer information for the intent of
restoration. This process is also used to restore lost data following a disaster.
Risk: Without a proven ability to recover from a data loss incident, a company may not
be able to stay in business due to the disruption to its business operations by losing it
critical data and systems.
Benefit: A proper data backup and recovery solution will cover the information that a
company need to survive. This includes what is an acceptable recovery time and which
data is most crucial.

PREVENTION RATHER THAN CURE
Some of the best
strategies have
huge cost savings
over time
The costs are
nothing compared
to the cost of a
breach
Getting our of
scope is better
than maintaining
compliance
Avoid handling or Storing unnecessary data
Use End to End encryption in POS
Use Tokenization in Ecommerce
Don’t request data you don’t need
Have mature data retention AND DELETION processes and procedures
Have an organization certified to protect your data store or handle it
Hosting of HR and Payroll
Certified settlement provider sites for card settlement
SAAS providers for key systems
Manage your access policies to all stored data
Physical Media under lock and key (Paper AND servers)
User name and password complexity to internal and SAAS systems
Separate Guests / disallow Anonymous or alias access
Specifically secure Admin passwords
Manage your People
Provide training programs for data handlers
Disable access on exit
Monitor activity

HOW PAYMENT HANDLING AFFECTS
COMPLIANCE EFFORT (AND RISK) IN PCI
POS Systems
POS with End to
End Encryption
POS with Encryption
and Paper backup
Card Readers with
Dial up
Card Readers on
network
POS but Card is not
stored
POS reads and
may store number
You can reduce
your compliance
effort, Risk and
Costs by OVER
90% by eliminating
credit card
numbers from
your POS.
Encrypted end
point devices are
now commonly
available
Presentation Title / Page 27

ECOMMERCE AND CARD NOT PRESENT
Ecommerce is
inherently more risky.
The card number has
to get into a remote
system somehow.
Employees handling
cards risks distributing
card stored data
(paper, email) – You
may have an
approved gateway but
not get the benefit
Storing the card
number electronically
anywhere steps you
up to the highest level
of risk and cost of
compliance.
Card not Present
Approved and
hosted vendor Cart
and gateway
Bank Virtual
Terminal on Network
PC
Ecommerce but with
Payment Integration
Integrated
Ecommerce, Card
number Stored

THE CLOUD AS AN EFFECTIVE SECURITY
AND COMPLIANCE SOLUTION
A “layered
defense” or
defense in depth
is the best
practice for
security and
Compliance.
“a defense-in-depth strategy can
provide an effective approach to
conceptualize control implementation”
- FINRA Cybersecurity Report
“There is no silver bullet. Therefore, the
best security posture is achieved by
using multiple safeguards. Security
professionals refer to this as “layered
defense” or “defense-in-depth.”
The Cloud Solution

Top tier data
centers provide
certified
enterprise quality
service levels
CLOUD SERVICES – SECURE & RELIABLE
Top Tier Data Centers = Physical Security
Top Tier data centers are fully redundant and audited to meet SSAE 16 and SOC II Type
II standards. They have the following characteristics:
• Fully redundant systems including power, HVAC and Tier-1 ISPs
• Dedicated certified security staff
• Compliant with the PCI data center security components
• Closed-circuit TV monitoring
• Multi-level secure controlled access policies
• Provide enterprise quality service levels

Top tier service
providers
leverage data
centers to deliver
world class
service and
reliability
CLOUD SERVICES – SECURE & RELIABLE
Top Tier Service Providers Deliver Secure Reliable Networks
Top tier cloud service providers use best of breed industry infrastructure providers to build
out highly redundant and reliable networks to support the delivery of cloud services. The
infrastructure includes:
• Enterprise grade servers
• Full component redundancy
• Fully redundant storage
• Fully redundant multi-path switching
• 10 gigE Network connections
• Redundant, enterprise-class firewalls
• Multiple Intrusion Prevention Systems (IPS) employed (host and network)
• Centralized logging
• Event monitoring
• DDoS mitigation

Top tier service
providers
manage software
applications and
the relationship
of all service
providers.
They also
provide technical
support and a
single point of
contact for
companies using
the services.
CLOUD SERVICES – CONTINUALLY MANAGED
Top Tier Service Providers Maintain and Manage and Support Applications
Service Providers and Deliver Support for All Services
Top tier cloud service providers maintain and manage all services on a day to day basis.
• Management and patching of Email software
• Management of security software to latest versions signature files (host and network)
• Management of Networks software firewalls and IDS solutions.
• Platform and console management and upgrades and updates
• Management of relationships and service levels for all providers

THANK YOU!
Nate Solloway
E-mail: nsolloway@raffa.com
Q
A

2018 01-25 Introduction to PCI and HIPAA Compliance

More Related Content

What's hot (19)

Similar to 2018 01-25 Introduction to PCI and HIPAA Compliance (20)

More from Raffa Learning Community (20)

Recently uploaded (20)

2018 01-25 Introduction to PCI and HIPAA Compliance

Editor's Notes