Quality Programs for Regulatory Compliance
Roy Garris, IconATG Regulatory Compliance Practice Manager
Application Vulnerabilities Put Your Business At Risk
v Application Security Facts
– More than 41 million credit and debit card records from only 9 brand name stores were hacked between 2003 and 2008.
– More than 313,000 people filed complaints of identity theft to the FTC in 2008.
– Every lost record costs $138 USD to the organization that lost it.
v A significant share of breaches originate with the company’s own employees
– Up to 90% of public facing websites are vulnerable to attack
– 3 of the top 10 threats to enterprise security are insider related
– Insider driven fraud costs US
Data Breaches and Protected Information
v What is Protected Information?
– Anything defined as such by Industry Standard (HIPAA, PCI-DSS, GLBA, etc.) and Federal and State Law
– We have identified at least 1,400 separate state regulatory requirements for Protected Information (PI)
– We have identified 56+ data types defined as PI
v What is a data breach?
– All data breaches follow the same general approach
– Achieving any two of these steps constitutes a data breach
– Data breaches may be electronic or physical
– Data breaches in 2008: 63% involved physical access, 37% cyber-only
[Diagram: IconATG Regulatory Compliance Quality Program. Three elements: Master Regulatory Requirements (analyze and centralize regulatory compliance requirements from Federal, State, & Industry Regulations); Protected Information (trace and secure Protected Information (PI), protect against data breaches); Monitor Networks (monitor applications and servers). Cycle: Identify, Centralize & Secure, Reduce & Eliminate, Report.]
Key Elements of a Compliance Quality Program
v Prevent Data Breaches
– Protect against internet-based hacking
– Define and implement policies for physical and virtual access
v Qualify for Safe Harbor Provisions to reduce liability
– Identify and Secure Protected Information – Produce evidence of compliance
v Provide Accountability, Traceability and Auditability
– Ensure requirements are demonstrably tested
v Being Cost Effective
– Leverage Automation
The Who, What, When, Where, and Why of Compliance
v Accountability
– Focuses on “who”
– Who requested a change, who approved the change, and who made the change
v Traceability
– Focuses on what (Systems / Code) and why (Requirements)
– A connection from a compliance requirement to its realization in code
– Manages changing compliance requirements
v Auditability
– Focuses on when and where
– Producing the evidence to demonstrate that you did the job the way you were supposed to
– Addresses non-IT (operations) related compliance requirements
Compliance Accountability, Traceability, and Auditability
[Diagram: Accountability, Traceability and Auditability mapped across System 1 … System n. Elements shown: Compliance Policy, Compliance Requirements, System Requirements, Compliance Tests; Change Request, Code, Approval; Development and Operations; Server, User Interface, Database, Paper Forms, Tape Backup; Protected Information and the Protected Information Vault.]
Automation Features are Essential to a Cost-Effective Compliance Quality Program
v Repository
– I have organized my compliance requirements into a single repository
– I have created systems requirements for all applications based on the compliance requirements
v Workflow (Configuration and Change Management)
– Show what build is in production and trace changes to the developer and code
v QA / Test
– I have written test cases for all systems requirements and can trace the test cases back to the compliance requirements
– I have automated my test cases to regression test compliance
v Network and Application Monitoring
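The repository, workflow and QA/Test items above describe one chain of evidence: a compliance requirement is realized by a system requirement, which is exercised by a test case, whose automated result is the proof. The script below is an added example written for this page, not IconATG's tooling or Rational Quality Manager; the requirement identifiers (CR-n, SR-n, TC-n) and the four sample records are constructed. It builds the traceability matrix, classifies every compliance requirement by what evidence is still missing, and answers the "which systems are affected when this standard changes" question from the same data.

```python
"""Traceability matrix: compliance requirement -> system requirement -> test case.

All identifiers and records below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ComplianceRequirement:
    req_id: str      # constructed identifier, not a real clause number
    source: str      # regulation or standard it is taken from
    text: str


@dataclass(frozen=True)
class SystemRequirement:
    sys_id: str
    text: str
    satisfies: Tuple[str, ...]   # compliance requirement IDs this realizes


@dataclass(frozen=True)
class TestCase:
    test_id: str
    covers: str                  # system requirement ID
    automated: bool
    last_result: Optional[str]   # "pass", "fail", or None if never run


# Constructed sample repository (wording is illustrative only)
COMPLIANCE = [
    ComplianceRequirement("CR-1", "PCI-DSS", "Render stored card numbers unreadable"),
    ComplianceRequirement("CR-2", "State breach law", "Encrypt SSNs at rest and in transit"),
    ComplianceRequirement("CR-3", "HIPAA", "Log every access to protected health information"),
    ComplianceRequirement("CR-4", "Internal policy", "Scrub PI from debug logs before production"),
]
SYSTEMS = [
    SystemRequirement("SR-10", "Billing service keeps only the last four card digits", ("CR-1",)),
    SystemRequirement("SR-11", "HR database ssn column encrypted; TLS enforced", ("CR-2",)),
    SystemRequirement("SR-12", "Patient portal writes an audit row per record view", ("CR-3",)),
]
TESTS = [
    TestCase("TC-100", "SR-10", automated=True, last_result="pass"),
    TestCase("TC-101", "SR-11", automated=True, last_result="fail"),
    TestCase("TC-102", "SR-12", automated=False, last_result=None),
]


def build_matrix(compliance, systems, tests) -> Dict[str, dict]:
    """Link each compliance requirement to the system requirements that realize
    it and to the test cases that exercise those system requirements."""
    tests_by_sys: Dict[str, List[TestCase]] = {}
    for tc in tests:
        tests_by_sys.setdefault(tc.covers, []).append(tc)
    matrix = {}
    for cr in compliance:
        linked = [s for s in systems if cr.req_id in s.satisfies]
        matrix[cr.req_id] = {
            "source": cr.source,
            "systems": [s.sys_id for s in linked],
            "tests": [tc for s in linked for tc in tests_by_sys.get(s.sys_id, [])],
        }
    return matrix


def find_gaps(matrix) -> Dict[str, List[str]]:
    """Bucket every compliance requirement by the first missing piece of evidence."""
    gaps = {"no_system_requirement": [], "no_test": [], "failing": [],
            "not_automated": [], "evidenced": []}
    for req_id, row in matrix.items():
        if not row["systems"]:
            gaps["no_system_requirement"].append(req_id)   # untraced: no realization
        elif not row["tests"]:
            gaps["no_test"].append(req_id)                 # realized but untested
        elif any(tc.last_result == "fail" for tc in row["tests"]):
            gaps["failing"].append(req_id)                 # tested and currently failing
        elif not all(tc.automated for tc in row["tests"]):
            gaps["not_automated"].append(req_id)           # manual only: no regression evidence
        else:
            gaps["evidenced"].append(req_id)               # automated and passing
    return gaps


def impact_of_change(matrix, source: str) -> List[str]:
    """System requirements touched when a given regulation or standard changes."""
    return sorted({s for row in matrix.values() if row["source"] == source for s in row["systems"]})


def compliance_report(compliance=COMPLIANCE, systems=SYSTEMS, tests=TESTS) -> Dict[str, List[str]]:
    return find_gaps(build_matrix(compliance, systems, tests))


if __name__ == "__main__":
    for bucket, ids in compliance_report().items():
        print(f"{bucket:22s} {', '.join(ids) or '-'}")
```

The bucket order matters: a failing automated test is reported before "not automated", because a failing result is evidence of non-compliance today, whereas a manual-only test merely cannot prove compliance on demand.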
[Chart: Compliance Effort and Automation Levels. Vertical axis: Effort to Comply Per Business Workflow, 0% to 100%. Categories: Manual compliance, Compliance Repository, Automated Workflow, Lifecycle Compliance Tools. Labels: Identify; Reduce and Eliminate.]
Key Questions Your Compliance Quality Program Must Address
v How do you demonstrate your compliance?
– Can I prove which build I have in production?
– What are my policies about incidental copies of protected information?
– Are there "debug log files" in my production systems that may expose PI?
– Would I have to go on a "safari" through my data to find evidence of compliance?
v Do you know what data is protected by federal, state, and industry regulations?
– How many states protect SSN, tribal identification cards, DNA profiles, and zip codes?
– Which states have requirements that exceed PCI-DSS requirements for protecting card holder data?
– What is my exposure to a data breach at one of my third party vendors?
v What things are critical to know about my current regulatory compliance programs?
– Do they specifically address the fact that 63% of data breaches happen outside of IT?
– How do my business processes and IT processes manage changing compliance requirements?
– Can I trace from a change in legislation or compliance standard directly to my affected systems?
v Why is automation essential to manage cost?
– Can I afford the impact of purely manual compliance and assessment processes?
– Can I track PI through all of my systems and processes in the event of a data breach?
– What metrics and reports demonstrate compliance?
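Two of the questions above, whether production "debug log files" expose PI and whether PI can be tracked through systems without a "safari" through the data, come down to having a repeatable check. The script below is an added example written for this page, not part of IconATG's services or of AppScan; the five log lines are constructed and every card and SSN value in them is fabricated. It scans log text for two PI data types, uses the Luhn check so that arbitrary 13-19 digit references are not reported as card numbers, and produces a masked copy of the log that keeps entries correlatable without carrying the PI.

```python
"""Scan debug-style log lines for PI that should never reach production logs."""
import re
from typing import Dict, List

# Constructed sample log; every value below is fabricated for this example.
SAMPLE_LOG = """\
2009-03-02 10:15:01 DEBUG checkout: card=4111111111111111 exp=0912 amount=42.10
2009-03-02 10:15:02 INFO  checkout: order 5531 accepted
2009-03-02 10:16:40 DEBUG hr-import: row={"name":"J. Doe","ssn":"078-05-1120"}
2009-03-02 10:17:05 DEBUG billing: ref=1234567890123 retry=2
2009-03-02 10:18:00 ERROR hr-import: 999-99-9999 rejected as invalid SSN
"""

# SSN shape with structurally invalid areas (000, 666, 9xx), group 00 and
# serial 0000 excluded, which keeps obvious placeholders out of the findings.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digit runs, confirmed with the Luhn check below.
DIGIT_RUN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters most random digit runs out of the card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pi(line: str) -> List[Dict[str, str]]:
    """Return the PI values found in one line, tagged with their data type."""
    hits = [{"kind": "ssn", "value": m.group(0)} for m in SSN_RE.finditer(line)]
    hits += [{"kind": "card", "value": m.group(0)}
             for m in DIGIT_RUN_RE.finditer(line) if luhn_ok(m.group(0))]
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Walk a log, returning one finding per PI value with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for hit in find_pi(line):
            findings.append({"line": lineno, **hit})
    return findings


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing characters so the entry stays correlatable but is no longer PI."""
    return "*" * (len(value) - keep) + value[-keep:]


def redact_log(text: str) -> str:
    """Produce a copy of the log with every detected PI value masked."""
    out = []
    for line in text.splitlines():
        for hit in find_pi(line):
            line = line.replace(hit["value"], mask(hit["value"]))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {mask(str(f['value']))}")
```

On the sample, the checkout card number and the imported SSN are reported; the billing reference is a 13-digit run that fails Luhn and is left alone, and the 999-99-9999 placeholder is excluded by the SSN area rule. Pattern-based scanning only finds the data types it is taught, so the pattern list should be driven by the PI data types identified in the compliance repository rather than hand-picked.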
Next Steps to Improve Your Compliance Quality Program
v Contact IconATG for:
– Compliance Presentation to your Team – Schedule IconATG’s unique presentations live via webinar or in person for your team, and we will address your unique situation and answer specific questions regarding compliance best practices and tools.
– Free AppScan Demo – Schedule a 1.5-hour remote demo that highlights the power of AppScan and its value to Development, QA, Security and Compliance groups in helping protect against hackers and data breaches.
– Free PCI-DSS 1.2 Self Assessment Review – A senior IconATG consultant provides recommendations on your compliance requirements in a 1-hour phone discussion, with a focus on the PCI-DSS 1.2 self assessment (https://www.pcisecuritystandards.org/saq/index.shtml)
– Free Rational Quality Manager Proof of Technology (POT) – Attend or send your team to this one-day, hands-on event, which provides deep education on RQM and how its capabilities can be leveraged to support your QA and Test processes.