Managing Compliance for All Departments


1 Managing Compliance for All Departments
Building a Common Control Framework for everybody!
Michael D’Arezzo, CISSP, CISA, Director of Security Services

2 Agenda
What is a common control framework?
Where do I begin?
Where can I get help?

3 What is a common control framework?
A simplified set of security and risk controls
The lowest (or highest) “common denominator” across the rules and requirements you are subject to
A simpler way to communicate requirements to the organization
Example: NIST Cybersecurity Framework

4 Regulatory Compliance
FFIEC
HIPAA
PCI DSS
SOX 404
FERPA

5 Pull it together!
Shared controls across frameworks
Required policies
Quarterly requirements
Annual requirements
Easier to manage
Everyone on the same page!

6 Where to begin – Step 1: Breathe – this is a journey, not a destination!
Expect the process to take at least 3 to 6 months to finish
It will require constant updating
It will require interaction with many people

7 Where to begin – Step 2: Communicate to the entire organization that you are collecting requirements!
Use the subject matter experts around the organization
Look at previous years’ submitted documentation
Research websites for help

8 Higher Education Compliance Alliance Website

9 Where to begin – Step 3: Collect all regulatory requirements
Title IV / Title IX
FERPA
PCI DSS
HIPAA

10 Where to begin – Step 4: Find the common controls
Password controls
Vulnerability scanning / “testing” requirements
Documentation / policy requirements

11 Where to begin – Step 5: Lay out the controls into containers
Data classification requirements
Access controls
Asset management
Third-party risk

12 Where to begin – Step 6: Where is the overlap?
Are the password requirements similar, or is one framework more or less restrictive than another?
Are the reporting requirements the same for asset management?
Are the documented-policy requirements similar, or more or less restrictive?
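Steps 4 through 6 are a mechanical exercise once the requirements are captured in a uniform shape: group each framework’s requirement under a common control inside a container, take the most restrictive value, and record which frameworks had nothing to say about that control. The script below is an added example written for this page, not code from the presentation. The framework names are real, but every requirement value in SAMPLE is a constructed, hypothetical illustration and not a quotation of any standard; the function and field names are likewise this example’s own choices.

```python
"""Harmonize overlapping requirements from several compliance frameworks
into one common control per container (Steps 4 to 6 of the deck).

Added example for this page, not code from the presentation. Framework
names are real; every requirement value below is a CONSTRUCTED,
hypothetical illustration, not a quotation of any standard.
"""
from collections import defaultdict
from dataclasses import dataclass


# How values for a control are compared:
#   "max"      numeric, higher is stricter (e.g. minimum password length)
#   "min"      numeric, lower is stricter (e.g. maximum password age)
#   "all"      set of required items, the union is stricter (e.g. policies)
#   "required" boolean, True is stricter
@dataclass(frozen=True)
class Requirement:
    framework: str   # regulatory regime the requirement comes from
    container: str   # Step 5 bucket ("Access Controls", "Third Party Risk", ...)
    control: str     # common-control identifier shared across frameworks
    value: object    # int, bool or frozenset, depending on strictness
    strictness: str  # one of "max", "min", "all", "required"


# Constructed sample input (hypothetical values, for illustration only).
SAMPLE = [
    Requirement("PCI",   "Access Controls", "password_min_length",   7,  "max"),
    Requirement("FFIEC", "Access Controls", "password_min_length",   8,  "max"),
    Requirement("SOX",   "Access Controls", "password_min_length",   8,  "max"),
    Requirement("PCI",   "Access Controls", "password_max_age_days", 90, "min"),
    Requirement("FFIEC", "Access Controls", "password_max_age_days", 60, "min"),
    Requirement("PCI",   "Vulnerability Management", "scan_interval_days", 90,  "min"),
    Requirement("FFIEC", "Vulnerability Management", "scan_interval_days", 180, "min"),
    Requirement("HIPAA", "Documentation", "required_policies",
                frozenset({"incident_response", "contingency_plan"}), "all"),
    Requirement("PCI",   "Documentation", "required_policies",
                frozenset({"incident_response", "acceptable_use"}), "all"),
    Requirement("HIPAA", "Third Party Risk", "vendor_agreement_required", True, "required"),
]


def satisfies(value, req):
    """True if a candidate common-control value meets one framework's requirement."""
    if req.strictness == "max":
        return value >= req.value
    if req.strictness == "min":
        return value <= req.value
    if req.strictness == "all":
        return req.value <= value          # frozenset subset test
    if req.strictness == "required":
        return bool(value) or not req.value
    raise ValueError(f"unknown strictness {req.strictness!r}")


def strictest(group):
    """Most restrictive value across frameworks for one control.

    Refuses to merge when frameworks disagree on the direction of strictness,
    which is the deck's 'don't force controls together if they don't fit'.
    """
    kinds = {r.strictness for r in group}
    if len(kinds) != 1:
        raise ValueError(f"{group[0].control}: conflicting strictness {sorted(kinds)}")
    kind = kinds.pop()
    values = [r.value for r in group]
    if kind == "max":
        return max(values)
    if kind == "min":
        return min(values)
    if kind == "all":
        return frozenset().union(*values)
    if kind == "required":
        return any(values)
    raise ValueError(f"unknown strictness {kind!r}")


def harmonize(reqs):
    """Build the common control framework: container -> control -> decision.

    Each decision carries the harmonized value, the frameworks that drove it,
    and the frameworks with no requirement for that control (a coverage gap
    worth documenting, not a reason to drop the control).
    """
    frameworks = sorted({r.framework for r in reqs})
    grouped = defaultdict(list)
    for r in reqs:
        grouped[(r.container, r.control)].append(r)
    out = {}
    for (container, control), group in grouped.items():
        covered = {r.framework for r in group}
        out.setdefault(container, {})[control] = {
            "value": strictest(group),
            "sources": sorted(covered),
            "gaps": [f for f in frameworks if f not in covered],
        }
    return out


def assess(reqs, control, current_value):
    """Step 6 question: is our current setting stricter or looser than each regime?"""
    return {r.framework: satisfies(current_value, r) for r in reqs if r.control == control}


if __name__ == "__main__":
    for container, controls in harmonize(SAMPLE).items():
        print(container)
        for name, d in controls.items():
            print(f"  {name}: {d['value']!r} (from {', '.join(d['sources'])}; gaps: {d['gaps'] or 'none'})")
    print("password_min_length = 7 meets:", assess(SAMPLE, "password_min_length", 7))
```

Running it prints one line per common control with its harmonized value, the frameworks that set it, and the frameworks that are silent on it; the assess call shows the “more or less restrictive” comparison for one current setting. The deliberate ValueError in strictest is the safety valve for the deck’s last tip: if two regimes cannot agree on which direction is stricter, the control does not belong in the common set and should be tracked separately.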

13 PCI DSS Compliance (PCI DSS v3.x requirement headings)
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes (the change-detection mechanism is sub-requirement 11.5)
Requirement 12: Maintain a policy that addresses information security for all personnel

14 HIPAA Security Rule (45 CFR Part 164)
164.308(a)(1)(i) Security Management Process
164.308(a)(2) Assigned Security Responsibility
164.308(a)(3)(i) Workforce Security
164.308(a)(4)(i) Information Access Management
164.308(a)(5)(i) Security Awareness and Training
164.308(a)(6)(i) Security Incident Procedures
164.308(a)(7)(i) Contingency Plan
164.308(a)(8) Evaluation
164.308(b)(1) Business Associate Contracts and Other Arrangements
164.310(a)(2)(ii) Facility Security Plan
164.310(b) Workstation Use
164.310(c) Workstation Security
164.310(d)(1) Device and Media Controls
164.312(a)(1) Access Control
164.312(b) Audit Controls
164.312(c)(1) Integrity
164.312(d) Person or Entity Authentication
164.312(e)(1) Transmission Security

15 Common Control Framework
Sample control categories:
Awareness training
Access controls
Third-party risk
Secure transmission of data
Asset management

16 Common Control Calendar
Columns: Compliance Framework | Annual Audit | Q1 Deliverables | Q2 Deliverables | Q3 Deliverables | Q4 Deliverables
Higher Education Opportunity Act, Section 488: preparation of report
PCI DSS: SAQ C (annual); internal vulnerability scan; internal and external scan
HIPAA: Security Risk Assessment (SRA) (annual); selection of third-party audit; risk assessment; remediation
Title IV: peer review for Year 10
IRS: annual tax filing

17 Tips and Tricks
Don’t make the controls too open or too restrictive
Make sure the controls make sense to everyone
Don’t try to make controls fit together if they don’t
REVIEW AND UPDATE QUARTERLY!

18 Security Frameworks Available
COBIT – available through ISACA
NIST Cybersecurity Framework – free, already paid for by your tax dollars!
CIS (SANS) Critical Security Controls – free to review

19 Q & A

20 Schedule
Security Through Intel, or “Learning from other people’s mistakes”: Thursday 9:00 – 10:00 AM, Mike D’Arezzo
Building an Incident Response Plan: Thursday 4:15 – 5:15 PM, Don Murdoch
Penetration Testing for the Everyday Security Analyst: Friday 9:00 – 10:00 AM, Mike D’Arezzo
Portable NFAT Tools, Techniques, and System Build: 11:30 – 12:30, Don Murdoch

21 SLAIT Security Offerings
Governance Prevention Response Risk Assessment Policy and Procedure PCI Prep HIPAA Gap Analysis Audit Preparation Assistance Security Organization Review Security Checkup Managed Firewall and Endpoint Secure Infrastructure Design & Review vISO Program Awareness Training Assessment Vulnerability Scanning Penetration Testing Phishing Exercises ThreatRecon Pre-breach Preparation ThreatManage Breach Response Cyber Forensics Technology Partners

22 References
Ellen Ng, “Integrated IT Control Framework” (presentation)
Higher Education Compliance Alliance
NIST Cybersecurity Framework
COBIT (ISACA)
CIS Top 20 Critical Controls - controls.cfm

