Society of Corporate Compliance and Ethics Regional Compliance & Ethics Conference December 4, 2015

Size: px

Start display at page:

Download "Society of Corporate Compliance and Ethics Regional Compliance & Ethics Conference December 4, 2015"

Sandra Young
5 years ago
Views:

business processes and their associated IT systems within a compliance framework Negotiating control identification and design with

1 Society of Corporate Compliance and Ethics Regional Compliance & Ethics Conference December 4, 2015 Agenda: About Resources Global Professionals (RGP), and Tim Eng About Air Liquide America, and Jeff Taylor Overview of Risk Assessing the regulatory risks related to business processes and their associated IT systems within a compliance framework Negotiating control identification and design with resistant business process owners and third party vendors that mitigate regulatory risks Company case study involving PCI DSS risk management. 2 1

About RGP: RGP or Resources Global Professionals helps corporate leaders execute initiatives that impact all parts of a global enterprise including finance and accounting, information management,

2 About RGP: RGP or Resources Global Professionals helps corporate leaders execute initiatives that impact all parts of a global enterprise including finance and accounting, information management, human capital, supply chain management, compliance, risk management, and internal audit. More than 3,000 consultants working in clients tied to our 75 offices around the world. Our consultants typically have years of experience. RGP serves 85 of the Fortune 100 companies. RGP retains 100% of the top 50 companies in America year after year. About Tim Eng: 25 years of industry and consulting experience related to finance, accounting, compliance, internal audit, risk management, and process improvement. Work experience includes: RGP Managing Consultant South Central Region, and National Resource Healthcare Valley Baptist Health System Vice President KPMG Director of Risk & Advisory Services Southwest Founded, grew, and sold a successful claims recovery company. xxx 3 About American Air Liquide: American Air Liquide offers industrial gases and related services to a variety of customers including those in large industry, industrial manufacturing, electronics and healthcare marketplaces. More than 5,000 U.S. employees 2,000+ miles of pipeline Americas headquarters in Houston, Texas More than 200 U.S. locations, including more than 140 industrial gas plants About Jeff Taylor: Career has spanned 30 years in IT and IT Audit, recipient of the 2009 IT GRC (Sox Institute) MVP Award for IT SOX control automated continuous monitoring program, passionate about making regulatory compliance Smarter, not Harder!. Work experience includes: Intel Corporation IT Operations Halliburton IT Audit Supervisor Cardtronics IT Audit Director bp America IT Audit Manager Air Liquide IT Information Compliance Manager 4 2

3 Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you. Theodore Roosevelt 5 What is Risk and how should it be handled? 6 3

Risk Defined As: Risk Appetite The total amount of exposure that an organization wishes to undertake in order to achieve the financial return or desired outcome based on that risk.

and high margins. 7 Risk Tolerance The amount of uncertainty an organization is willing to accept in total or within a business unit.

4 Risk Defined As: Risk Appetite The total amount of exposure that an organization wishes to undertake in order to achieve the financial return or desired outcome based on that risk. Example: A retail store has a low risk appetite for financial errors on customer credit card accounts, but a high risk appetite for identifying solid trend products with high sales and high margins. 7 Risk Tolerance The amount of uncertainty an organization is willing to accept in total or within a business unit. Example: A hospital ER will triage patients within 30 minutes of arriving in the ER, however, hospital management accepts that in 6% of all cases, a patient in need of non EMTALA assistance will receive care within 4 hours. 8 4

5 Risk Management The identification, assessment, and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of undesired outcomes related to such risks or to maximize the realization of opportunities that risk presents. Example: The compliance risk of signed physician contracts with a hospital will violate Stark is mitigated by an automated review of the terms and conditions against known Stark violation prone language, and a separate manual review by legal. 9 How do you identify risk in an organization? 1) Conduct a Risk Assessment or Risk Mapping exercise to identify risks in a particular process in a particular department whereby risks fall into some general categories such as: Compliance Financial Operational Strategic 2) Either expand the categories above or break them down into subcategories. This would depend on the particular organization you are working with. 10 5

3) Rank Risks Using Specific Criteria High Criminal or Civil penalties or loss of revenue Medium Reputational risks, or interruption of business Low Findings that don t result in Criminal or Civil

6 3) Rank Risks Using Specific Criteria High Criminal or Civil penalties or loss of revenue Medium Reputational risks, or interruption of business Low Findings that don t result in Criminal or Civil penalties but present opportunities for improvement 11 How do you mitigate risk in an organization? One typically mitigates risk by creating a control and testing the effectiveness of that control on a periodic basis: Each risk should have at least one control Controls can be preventive or detective, as well as manual or automated The ranking of risk should determine the strength of the control and the frequency of testing of the given control Due to variations in the regulatory and internal and external environments, risk and controls may change and should be updated accordingly The amount of Risk Tolerance may dictate which risks are indeed controlled or the extent to which they are controlled 12 6

Assessing the regulatory risks related to business processes and their associated IT systems within a compliance framework: 13 Assessing the regulatory risks related to business processes and their

7 Assessing the regulatory risks related to business processes and their associated IT systems within a compliance framework: 13 Assessing the regulatory risks related to business processes and their associated IT systems within a compliance framework: PCI DSS is a regulatory Requirement! The short answer is no. The long answer is that while it is not currently a federal law, there are state laws that are already in effect (and some that may go into effect) to force components of the PCI Data Security Standard (PCI DSS) into law. PCI compliance is still an evolving state, it is more likely that as time goes on, more and more states will classify credit card information as personal information and find punitive measures to make companies with negligent/nonexistent security accountable. The consequences of not being PCI compliant range from $5,000 to $500,000, which is levied by banks and credit card institutions. Banks may fine based on forensic research prompted by a potential breach. Credit card institutions may impose fines as a punishment for noncompliance. In addition, the risk to a companies reputation should a negative event occur is becoming significantly higher given the number of recent breach events. 14 7

8 The seven critical consequences of failing PCI compliance 1 : Consequence #1: Compensation Costs Trust needs to be rebuilt. You may have to reassure people with compensation in the form of free credit monitoring and/or identity theft insurance, such has been done by Michael s. It s free for your customers but it s not free for you. Consequence #2: Legal Action Hack victims are quick to file suit. Win or lose, legal action costs big time bucks. Some of you may recall, in 2007 TJX (the parent company for TJ MAXX, Marshalls, Home Goods, and Sierra Trading Post) paid in the ballpark of $40.9 million for a data breach that exposed more than 100 million cards to potential fraud. That was almost 7 years ago, and since then, data breaches have only gotten more complicated and costly. 1 Published in Forbes July The seven critical consequences of failing PCI compliance: Consequence #3: Bank Fines The good news: if customers credit cards are actually used to purchase stuff fraudulently, you don t have to foot that bill; the banks do the reimbursing. The bad news: the banks pass on those costs to you in the form of fines. Consequence #4: Federal Audits If you are a big enough player on the commercial field, the Federal Trade Commission, which has the task of monitoring organizations who have failed to comply with PCI and thereby affected large numbers of U.S. citizens, may want to audit you regularly from here on out. They also may decide to fine you themselves. And with federal audits come very strict requirements for compliance. 16 8

9 The seven critical consequences of failing PCI compliance: Consequence #5: Remediation Costs You re also going to have internal remediation costs: costs to investigate what happened, improve your security posture, fire and hire employees whatever it takes to fix your internal information security environment. Consequence #6: Lost Revenue Bad news travels fast. As soon as people know your data has been hacked, compromised, or otherwise messed with, your customers will be leaving trails of dust behind them in their effort to get far away from you. Target s profits dropped $440 million in the fiscal fourth quarter following their hack fiasco. You can see how the total costs of a data breach can easily reach into the millions. For big companies, the figure could top $1 billion over time. With consequences like these, you don t want to risk a PCI compliance failure. 17 The seven critical consequences of failing PCI compliance: Consequence #7: Damaged Reputation Google Neiman Marcus hack, you ll get over half a million results none of which enhance the store s general reputation and standing with their target market. Here are some of the choicer headlines Google returned: 1.1 Million Cards Compromised in Neiman Marcus Hack Neiman Marcus missed 60,000 alerts about card hack Neiman Marcus hack reportedly went undetected for months Damage on this scale can never be fixed, as such. At best, it can be ameliorated with countless hours of reputation management, marketing, and PR. The total costs of a data breach can easily reach into the millions. For big companies, the figure could top $1 billion over time. With consequences like these, you don t want to risk a PCI compliance failure. 18 9

10 Assessing the regulatory risks related to business processes and their associated IT systems within a compliance framework: Approach PCI DSS Compliance Risk Assessment: Management support and oversight Scoping Evaluate the business need for each location and flow of CHD Categorize systems (In/Out of scope of CHD environment?) Assess risk based off applicable Self Assessment Questionnaire (SAQ) Identification of compensating controls and mitigating factors Manage Risk Resolve, Transfer, Accept Complete applicable SAQ and Attestation of Compliance (AOC) Establish compliance ownership Monitor your business, perform periodic audits and reevaluate the control environment. 19 Management Support and Oversight: A critical component for any compliance related project is identifying Management support and key stakeholders. Establish budget and schedule. Scoping: Document the organization s business and data workflows for known and potential instances where cardholder data is stored, processed, or transmitted. After gaining a complete understanding of all people, process, and technologyrelated interactions with the cardholder data, identify and document all locations and flows of the cardholder data. Evaluate the Business need for each location and flow of CHD: If cardholder data is not needed, don t collect it, and securely delete what has been collected. If the cardholder data is required, consider migrating or consolidating it elsewhere in the CDE to reduce scope, improve control, and mitigate risk

11 Categorize Systems: (A big job get help!) Determine whether each system component is in the scope of assessment, and assign it a specific scoping subcategory Document the organization s business and data workflows for known and potential instances where cardholder data is stored, processed, or transmitted After gaining a complete understanding of all people, process, and technologyrelated interactions with the cardholder data, identify and document all locations and flows of the cardholder data. Note: The result of categorizing each system component helps identify the relevant risks to the CDE. Completing this step can be used in support of PCI DSS requirement (i.e., perform an annual risk assessment that identifies threats and vulnerabilities) 21 Assess risk based off applicable Self Assessment Questionnaire (SAQ): Multiple SAQ s exist, each dependent upon your defined environment SAQ D is a good starting point to conduct risk assessment Let s review the different SAQ s More complicated than it appears

12 Assess risk based off applicable Self Assessment Questionnaire (SAQ): SAQ A: Card not present merchants (e commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated thirdparty service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. Not applicable to face to face channels. SAQ A EP: E commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. Applicable only to e commerce channels. For e commerce merchants who outsource their transactionprocessing functions to PCI DSS compliant third party service providers, where the merchant website controls how the cardholder data is redirected to the third party service provider. To be eligible for this SAQ, the merchant must not store, process, or transmit cardholder data on any of their systems or premises. 23 Assess risk based off applicable Self Assessment Questionnaire (SAQ): SAQ B: Merchants using only: Imprint machines with no electronic cardholder data storage; and/or Standalone, dial out terminals with no electronic cardholder data storage. (Not applicable to e commerce channels. ) SAQ B IP: Merchants using only standalone, PTS approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e commerce channels. For merchants who process cardholder data only via standalone, PTS approved point of interaction (POI) devices that have an IP connection to their payment processor, and do not electronically store cardholder data. To be eligible for this SAQ, the merchant must be using payment terminals that are currently listed on the PTS List of Approved POI Devices. Note that the Secure Card Reader (SCR) class of POI devices does not meet the criteria for SAQ B IP, and thus merchant using SCRs are not eligible for this SAQ. SAQ B IP is not applicable to e commerce channels

13 Assess risk based off applicable Self Assessment Questionnaire (SAQ): SAQ C VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet based virtual terminal solution that is provided and hosted by a PCI DSS validated third party service provider. No electronic cardholder data storage. Not applicable to e commerce channels. SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e commerce channels. SAQ P2PE HW: P2PE HW Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC listed P2PE solution, with no electronic cardholder data storage. Not applicable to e commerce channels. SAQ D: (Merchants and Service Providers) All merchants not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ. 25 Identification of compensating controls and mitigating factors: If you have known deficiencies, the documentation of compensating controls is required as part of the completion of the SAQ. (Compensating Controls Worksheet). Complete applicable SAQ and Attestation of Compliance (AOC): Dependent upon your Merchant Type, you may simply need to complete and retain on file vs. providing on an annual basis to your bank/providers. Establish Compliance ownership: Management of a compliance program such as PCI requires both dedicated and shared resources If shared resources are unavailable, budget accordingly for support personnel 26 13

14 Negotiating control identification and design with resistant business process owners and third party vendors that mitigate regulatory risks: Manage Risk Resolve, Transfer, Accept: For identified gaps, classify them and determine if you can: Resolve Risk: Remediation may be simple. (i.e., Requirement 12: Maintain a policy that addresses information security for all personnel.) Transfer Risk: Service providers may take accountability of controls for some PCI requirements (i.e., Oracle has a PCI Compliance service.) Accept Risk: Ensure management understands the potential for exposure and document your compensating controls. 27 Monitor your business, perform periodic audits and reevaluate the control environment: Business changes rapidly, and dependent upon those changes determines when you should conduct a periodic reevaluation of the control environment. You may find that due to a recent acquisition or change in business model that you have additional controls that need to be evaluated for design and operational effectiveness

Company case study involving PCI risk management: 29 Company case

Output produced the following deliverables: PCI compliance risk

readiness/upgradable cashier terminals list Strategic/action plan

15 Company case study involving PCI risk management: 29 Company case study involving PCI risk management. Output produced the following deliverables: PCI compliance risk assessment worksheets Payment processing data flow maps EMV readiness/upgradable cashier terminals list Strategic/action plan Executive presentation Draft Self Assessment Questionnaire (SAQ) Draft Attestation of Compliance (AoC) 30 15

PCI 101: Transaction Volumes and Validation Requirements. By Chip Ross January 4, 2019

PCI 101: Transaction Volumes and Validation Requirements By Chip Ross January 4, 2019 Regarding PCI compliance, all entities that store, process or transmit cardholder data are subject to the requirements