
Building a Comprehensive Compliance Program


Presentation Transcript


  1. Building a Comprehensive Compliance Program
  Lisa McKee, CISA, PCIP, MSSL
  IIA District Conference, August 19-20, 2019

  2. Agenda
  • Why This is Important
  • What is Compliance and the ComPriSec Landscape
  • Developing a Holistic Compliance Program
  • Compliance Workflow
  • Compliance Risks
  • Compliance Best Practices

  3. Why This is Important?
  • https://www.google.com/amp/s/www.upguard.com/breaches/verizon-cloud-leak%3fhs_amp=true
  • https://www.cnet.com/news/cloud-database-removed-after-exposing-details-on-80-million-us-households/

  4. Privacy and Security Landscape
  Emerging U.S. Laws
  • 2019 - South Carolina Insurance Data Security Act
  • Washington Privacy Act
  • New York Right to Know Act
  • 2018 - California Consumer Privacy Act
  • Colorado Protections for Consumer Data Privacy Act
  • California Internet of Things Law
  • Ohio Cybersecurity Safe Harbor Law
  • Virginia Breach of Medical Information Notification
  • NY Cybersecurity Regulation
  • As of May 18, 2018, at least 36 states, D.C. and Puerto Rico had introduced or considered more than 265 bills or resolutions related to cybersecurity.
  • http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx
  Exploding International Laws
  • EU General Data Protection Regulation
  • Started motion for recent laws and regulations
  • Australian Data Protection Act 2018
  • EU Data Protection Act 2018
  • Vietnam Data Privacy
  • South African Data Protection Act
  • China Cybersecurity Regulation
  • French Data Protection Bill of 2018
  • Argentina Personal Data Transfer Restrictions Law 2018
  • Ghana Cyber Security Directive 2018
  • Canada Personal Information Protection and Electronic Documents Act

  5. Compliance vs. ComPriSec
  • Compliance + Privacy + Security = ComPriSec
  • The convergence of all three fields
  • Compliance - Conforming to a rule, such as a specification, policy, standard, law, regulation, etc.
  • Privacy - Ability to protect data in applications or computer systems.
  • Security - Providing confidentiality, integrity and availability of applications and computer systems.
  • Audit - Ensuring a person or entity is following the rules.

  6. Developing a Compliance Program
  • Define the scope
    • Corp IT/Data Centers/Call Centers
    • Corporate Offices
    • HR/Marketing
  • Include Corporate Compliance Responsibilities
    • PCI/Payment Card Brands
    • Data Privacy Laws
    • State Statutes
    • Cybersecurity Regulations
    • Healthcare
    • HR Laws
  • Inventory of compliance regulations, laws and standards
  • Based on Industry Standards
    • ASC X9
    • ANSI
    • ISO
    • NIST

  7. Define the Scope
  • People
    • Employees
    • Contractors
  • Processes
    • Applications
    • Special services
  • Technologies
    • Data center
    • Call center
    • Card production
  • Locations
    • Corporate offices
    • Mail facilities/processing plant, etc.
  • Cloud/outsourced/Vendors
  • Corp IT
  • HR
  • Marketing

  8. Compliance Across the Organization
  • Information Technology
    • Accessibility limitations
    • Database management
    • Asset inventory
    • Virtual machines
    • System availability
  • Information Security
    • IT systems
    • Building security
    • Remote users
    • Vendors
    • Third Parties
  • Legal and Compliance
    • Privacy practices
    • Ethics statements*
    • Whistleblowing*
    • Investigations*
    • Audit, risk, compliance (may be separate)
  • Other Stakeholders
    • Employees
    • Processors/Third Party Vendors
    • Consumers
    • Policymakers/Regulators
  • Human Resources
    • Compensation and benefits
    • Talent acquisition/hiring
    • Employee records
    • Training and development
    • Performance Management
    • Succession Planning
    • Social media
    • Remote employees/BYOD
  • Marketing/Business Development
    • Digital advertisement
    • Cookies/consent
    • Processing activities
  • Finance
    • Payroll
    • Securities and investments
    • Travel expense reimbursement
    • Accounts receivable
    • Accounts payable
  *May be done by HR or Legal

  9. Compliance Obligations
  • Include Corporate Compliance Responsibilities
    • PCI/Payment Card Brands
    • Data Privacy Laws
    • State Statutes
    • Cybersecurity Regulations
    • Healthcare
    • HR Laws

  10. Inventory of Compliance Regulations and Standards
  • Cybersecurity Laws
    • Chinese Cyber Security (Nov 2018)
    • New York Cybersecurity Regulation
    • Ohio cybersecurity law 2018
  • Data Breach Laws
    • Australia Data Breach Notification Law
    • Federal Information Security and Data Breach Notification Laws
    • Delaware Computer Security Breaches
    • Hawaii Security Breach of Personal Information
    • Indiana Disclosure of Security Breach
    • Iowa Breach of Security Notification
    • Kentucky Notification of Computer Security Breach
    • Louisiana Database Security Breach Notification Law
    • Massachusetts Security Breaches
    • Minnesota Breach of Security
    • Missouri Notice to Consumer for Breach of Security
    • Montana Computer Security Breach
    • New Hampshire Notice of Security Breach
    • New Jersey Disclosure of Breach of Security to Customers
    • New Mexico Data Breach Notification Act
    • North Dakota Notice of Security Breach for Personal Information
    • Pennsylvania Breach of Personal Information Notification Act
    • South Carolina Breach of Security of Business Data
    • Virginia Breach of Personal Information Notification
    • Washington Personal Information Breach Notification
    • West Virginia Breach of Security of Consumer Information
    • Wyoming Computer Security Breach Notice to Affected Persons
    • Guam Notification of Breach of Personal Information
    • Virgin Islands Disclosure of Breach of Security
  • Financial Laws
    • Consumer Financial Protection Act of 2010
    • Federal Reserve Bank (FRB)
    • Office of the Comptroller (OCC)
    • Truth in Lending Act (TILA)
  • Government
    • Federal Information Security Management Act (FISMA)
    • Internal Revenue Service (IRS)
  • Healthcare Laws and Regulations
    • Health Information Technology for Economic and Clinical Health Act (HITECH)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Health Information Trust Alliance (HITRUST)
    • Virginia Breach of Medical Information Notification
  • Insurance
    • South Carolina Department of Insurance Data Security Act 2018
  • International Data Privacy Laws
    • Argentina Personal Data Transfer Restrictions 2018
    • Armenia Data Protection Directive 2018
    • Asia-Pacific Data Protection Law
    • Australia Privacy Amendment Act 2017
    • Austrian Data Protection Act 2018
    • Bahrain Personal Data Protection Law 2018
    • Belgium data protection 2017
    • Brazil Data Protection Law
    • Brussels
    • Canada Personal Information Protection and Electronic Documents Act
    • Canada Privacy Act
    • Chile Data Protection Act
    • China
    • Colombia Data Protection Law (Jan 2017)
    • Denmark
    • Dubai International Financial Centre (DIFC)
    • European Union Privacy
    • EU Data Protection Act 2018
    • European Union General Data Protection Regulation (EU GDPR)
    • France
    • French Data Protection Bill of 2018
    • Finland
    • Germany
    • Greece
    • Hong Kong
    • India Personal Data Protection Bill (2018)
    • Indonesia
    • Ireland
    • Italy (Sept 2018)
    • Kenya
    • Latin American Data Protection Law
    • Law of the Republic of Armenia
    • Luxembourg
    • Malta
    • Mexico
    • Mozambique
    • Norway
    • Poland
    • Portugal
    • Privacy Shield EU-US
    • Privacy Shield Swiss-US
    • eIDAS PSD2
    • Qatar
    • Qatar Financial Centre
    • Russian Federation
    • Senegal
    • Serbia
    • Singapore
    • South African Data Protection Act of 2018
    • South Korea
    • Spain
    • Sweden
    • Switzerland
    • Taiwan
    • Thailand
    • Turkey
    • UK Bribery Act 2010 (UK BA)
    • UK Data Protection Act 2018
    • UK (England and Wales)
    • UK (Scotland)
    • UK Secure by Design
    • United Arab Emirates
    • Vietnam Data Privacy (Jan 2019)
  • Other
    • Export Administration Regulations (EAR)
    • Anti-Boycott Regulations (Part 760 of the EAR)
  • State Data Privacy Laws
    • Alabama Deceptive Trade Practices Act
    • Alaska Personal Information Protection Act
    • Alaska Unfair Trade Practices and Consumer Protection Act
    • Arkansas Deceptive Trade Practices Act
    • California Consumer Privacy Act
    • CalOPPA
    • California Preservation and Regulation of Competition
    • Colorado Consumer Protection Act (Sept 2018)
    • Delaware Online Privacy and Protection Act
    • Florida Security of Confidential Information
    • Georgia Identity Theft
    • Idaho Identity Theft
    • Illinois Personal Information Protection Act
    • Kansas Consumer Protection Act
    • Kansas Protection of Consumer Information
    • Kentucky Consumer Protection Act
    • Maine Notice of Risk to Personal Data
    • Maryland Personal Information Protection Act
    • Massachusetts Regulations of Business Practice and Consumer Protection Act
    • Massachusetts Standards for the Protection of Personal Information
    • Michigan Identity Theft Protection Act
    • Michigan Consumer Protection Act
    • Minnesota Prevention of Consumer Protection Fraud Act
    • Mississippi Consumer Protection Act
    • Montana Consumer Protection Act
    • Nebraska Consumer Protection Act
    • Nevada Security of Personal Information
    • North Carolina Identity Theft Protection Act
    • Oregon Consumer Identity Theft Protection Act
    • Rhode Island Identity Theft Protection Act of 2015
    • Rhode Island Safe Destruction of Documents Containing Personal Information
    • Tennessee Consumer Protection Act
    • Texas Personal Identity Information
    • Texas Identity Theft Enforcement and Protection Act
    • Utah Protection of Personal Information Act
    • Vermont Protection of Personal Information
    • Wisconsin Notice of Unauthorized Acquisition of Personal Information
    • Guam Social Security Number Confidentiality Act
    • Puerto Rico Citizen Information on Data Banks Security Act
  • US Corporate Laws and Regulations
    • Equal Employment Opportunity Commission (EEOC)
    • Americans with Disabilities Act (ADA)
    • Age Discrimination in Employment Act (ADEA)
    • Equal Pay Act (EPA)
    • Americans with Disabilities Act as amended (ADAAA)
    • Employee Retirement Income Security Act of 1974 (ERISA)
    • Occupational Safety and Health Administration (OSHA)
    • Sarbanes-Oxley Act (SOX)
    • SSAE-18
    • Title VII of the Civil Rights Act of 1964
    • US Department of Treasury Regulations
    • US Patriot Act of 2001
    • Whistleblower Protection Act of 1989
  • US Financial Laws and Regulations
    • Fair Credit Reporting Act (FCRA)
    • Federal Deposit Insurance Corporation (FDIC)
    • Federal Financial Institutions Examination Council (FFIEC)
    • Federal Reserve
    • Electronic Fund Transfers Act (EFTA)
    • Federal Trade Commission (FTC)
    • Fair and Accurate Credit Transactions Act (FACTA)
    • Fair Debt Collection Practices Act (FDCPA)
    • Financial Crimes Enforcement Network (FinCEN)
    • NACHA Rules
    • State Money Transmitter Licenses
    • U.S. Department of Treasury
    • Bank Secrecy Act (BSA)
    • US Securities Exchange Commission (SEC)
    • Anti-Corruption
    • Insider Trading
    • Regulation Fair Disclosure (FD)
    • Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank)
  • Payment Card Brands
    • American Express
    • Discover
    • Japanese Card Brand (JCB)
    • Mastercard
      • Merchant Compliance
    • Visa
      • Merchant Compliance
    • Payment Card Industry Security Standards Council (PCI SSC)
      • PCI Data Security Standards (PCI DSS)
      • Payment Application Data Security Standards (PA-DSS)
      • Point-to-Point Encryption (P2PE)
      • Personal Identification Number (PIN)
  • Standards
    • International Standards Organization 27001 and 27002 (ISO)
    • National Institute of Standards and Technology (NIST)
    • Open Web Application Security Project (OWASP)
    • Accredited Standards Committee X9 (ASC X9)
    • American National Standards Institute (ANSI)

  11. Based on Industry Standards
  • ASC X9 - creates standards that improve payments and protect financial information globally
  • ANSI - oversees the creation and use of guidelines directly impacting businesses in nearly every sector
  • ISO - international standard-setting body composed of representatives from various national standards organizations
  • NIST - ensures that you are keeping data and systems secure
  • COBIT - guides the governance and management of information systems for large organizations
  • SOX - introduced to combat corporate fraud

  12. Principles, Standards and Frameworks
  Choosing the best one for your organization (Compliance, Security, Privacy)
  • PCI Data Security Standards
  • COBIT 2019
  • COSO
  • HITRUST
  • NERC/CIP
  • NIST
  • ISO/IEC
  • SANS
  • CERT
  • ANSI
  • Information Security Manual
  • Fair Information Practices (FIPs)
  • Organization for Economic Co-operation and Development (OECD)
  • Generally Accepted Privacy Principles (GAPP)
  • Canadian Standards Association Privacy Code
  • Asia-Pacific Privacy Framework
  • Binding Corporate Rules (BCRs)
  • ETSI Standards
  • International Standards Organization (ISO)
  • X9
  • General Data Protection Regulation (GDPR)
  • ITIL (IT Infrastructure Library)
  • National Institute of Standards and Technology (NIST)
  • Sarbanes-Oxley Act (SOX)
  • Frameworks
    • COBIT 2019
    • Health Insurance Portability and Accountability Act (HIPAA)
    • SOX
    • ANSI
    • Federal Risk and Authorization Management Program (FedRAMP)

  13. Compliance Workflow
  • Who is responsible for identification, communication, etc. of compliance changes
  • New vs. updated compliance changes
  • All treated the same
  • Different teams have roles
  • Compliance bulletins
  • Requirements documents
  • Action items tracked
  • Reporting to management, board
  • Exception process for non-compliance

  14. Components of a Compliance Bulletin
  • Name of Law
  • Effective Date
  • Link to law or other key things
  • Key points
  • Internal/External impacts
    • Departments impacted
    • Products
    • Customers

  15. Sample Compliance Bulletin

  16. Compliance Risks
  • Compliance programs are not holistic
  • Program is not agile
  • Changes to compliance requirements are not identified and/or communicated
  • Lack of support from executive management

  17. Compliance Best Practices
  • Changes to compliance requirements are identified and communicated to all appropriate stakeholders
  • Stakeholders take necessary actions
  • Requirements to meet compliance are tracked, monitored and reported
  • There is an escalation process to address stakeholders who challenge the need to comply with given requirements
  • Support from the top down

  18. Questions

  19. Lisa McKee
  SecuriKee
  Dr.Lisa@SecuriKeeDr.com
  https://www.linkedin.com/in/lisammckee/