Case Study Three

You have been asked by a Board member to update your security and compliance strategy to include PCI, HIPAA, NIST 800-53 and your risk management framework.

As you bring your security and compliance strategy for Maxistar together, you should now have three tools at your disposal: the PCI DSS, NIST 800-53 and the HIPAA regulations. You know that you need to complete all three of these activities in addition to establishing and maintaining an effective risk management framework. You are approached by one of the Board members, Geraldine Murray, who asks you a very simple question: How are you going to accomplish completing these tools and establishing a risk framework without massively increasing the number of personnel needed to accomplish the task? She would like to see your plans by April 8th.

You did some preliminary work on establishing a security strategy for the company (Case Study One). In your research on that topic, you found that most people incorporated into their programs a risk analysis of the company as well as the NIST 800-53 and NIST 800-53A toolsets to establish an in-depth approach to securing the company against known risks. However, you did not include the PCI and HIPAA issues that impact the company in your detailed analysis. As you looked at Maxistar, you found that its operation accepts payment card transactions to pay for its medical devices, both in the stores and through Internet sales. Your analysis of the company's acceptance of payment cards indicates that Maxistar must complete Self-Assessment Questionnaire (SAQ) D. In addition, since the company collects and stores the electronic protected health information of its customers, it is also subject to the HIPAA Security Rule regulations.

So, how do you effectively bring all three tools to bear for the company as well as your risk management framework? You could solve the problem by tackling each of these tasks one by one.
You decide which of the security or compliance standards or regulations causes you the greatest amount of pain, apply 100% of your efforts towards reaching compliance with that standard or regulation, then move to the next item. However, since these are all large efforts, you won't be compliant with all of them before the end of this fiscal year, and possibly the next. That's not acceptable to the Board. You could also split your staff into smaller units and have each one of them take one of the standards or regulations and work on it until you reach compliance. However, that imposes a huge work burden on the entire staff, who also have to keep up with their normal, daily activities.

Again, through your research on how the provisions of NIST 800-53 and the PCI DSS are intertwined (Case Study Two), you began to see that there is a similarity between the two standards that allows you to take the provisions of one of the tools and map them to the various elements of the other tool. In fact, you took several of the provisions of the PCI DSS and rewrote them in the format of the security controls of NIST 800-53A.

One of your staff members informed you that she had found a resource on the Internet that cross-maps the provisions of PCI, HIPAA and NIST 800-53. She told you that it was called a Common Authorities Mapping. It maps to a few other standards as well, but these are the three that you are most interested in. Before she could give you the URL, she was called out of town to assist with her daughter's wedding, but she indicated that when she returned in two weeks, she would discuss this with you. Unfortunately, you don't have two weeks to wait, so you need to find the Common Authorities Mapping and lay out your strategy.
Once you find the mapping, develop a strategy to incorporate the knowledge you now have on security and compliance programs into an overall strategy that takes into account the use of the PCI DSS, the HIPAA regulations and NIST 800-53. Submit that strategy to me by the last day of class (there is no grace period on submitting this case study).

SUGGESTIONS:

1. Since this is a 250-point problem, I will expect to see a lot of thought put into the strategy document, not a regurgitation of my slides and lectures. You need to look at this problem as if you are actually presenting it to one of your Board members.

2. If you have never presented to a Board member, I would suggest this approach:
   o Develop your strategy as an in-depth written document that thoroughly vets your thoughts and ideas comprising the strategy. This should be very systematic, laying out the problems through your risk analysis, describing in depth how your risk management framework will mitigate the risks, and finally, how you will effectively use the PCI DSS, HIPAA and NIST 800-53 to bring the company into compliance with those standards and regulations.
   o Develop a PowerPoint or Keynote presentation that explains your strategy and approach in 8-10 slides maximum.

3. As an Annex to your strategy document, take five elements from the Common Authorities spreadsheet that are the same among the three standards and develop a NIST 800-53A security and compliance control, as you did in Case Study Two. This should illustrate how the results from one test could be applied across all of the standards, since each of the standards has that particular security element in common among its controls.

HINT: Download the Common Authorities Mappings spreadsheet and open it in a separate tab or window.
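The consolidation idea behind Suggestion 3 (assess a shared security element once, then credit the result to every standard that requires it) is easy to prototype. The script below is an added example written for this page; it is not part of the case study, the course, or the real Common Authorities Mapping. The mapping rows, element names, and the `MappingRow`, `AssessmentResult`, `common_elements`, `apply_result` and `effort_savings` names are all constructed for illustration, so the real spreadsheet must still be located and used for the assignment.

```python
"""Added example: reuse one assessment result across PCI DSS, HIPAA and
NIST 800-53 using a cross-framework control mapping.

The SAMPLE_MAPPING rows are constructed for illustration only; they are not
the contents of the Common Authorities Mapping spreadsheet.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FRAMEWORKS = ("PCI DSS", "HIPAA", "NIST 800-53")


@dataclass
class MappingRow:
    """One security element and its citation in each framework.
    None means the framework has no equivalent requirement for it."""
    element: str
    citations: Dict[str, Optional[str]]


# Constructed sample mapping (illustrative, not authoritative).
SAMPLE_MAPPING: List[MappingRow] = [
    MappingRow("Unique user identification",
               {"PCI DSS": "Req 8.1.1", "HIPAA": "164.312(a)(2)(i)", "NIST 800-53": "IA-2"}),
    MappingRow("Audit logging of access to sensitive data",
               {"PCI DSS": "Req 10.2", "HIPAA": "164.312(b)", "NIST 800-53": "AU-2"}),
    MappingRow("Account provisioning and removal",
               {"PCI DSS": "Req 8.1.3", "HIPAA": "164.308(a)(3)(ii)(C)", "NIST 800-53": "AC-2"}),
    MappingRow("Data backup",
               {"PCI DSS": None, "HIPAA": "164.308(a)(7)(ii)(A)", "NIST 800-53": "CP-9"}),
    MappingRow("Cardholder data masking on display",
               {"PCI DSS": "Req 3.3", "HIPAA": None, "NIST 800-53": None}),
]


@dataclass
class AssessmentResult:
    """Outcome of one NIST 800-53A style assessment of a security element."""
    element: str
    method: str      # "examine", "interview" or "test"
    passed: bool
    evidence: str    # pointer to the artifact reviewed or test record


def common_elements(rows: List[MappingRow],
                    frameworks: Tuple[str, ...] = FRAMEWORKS) -> List[str]:
    """Elements that every listed framework maps to: candidates for the Annex."""
    return [r.element for r in rows
            if all(r.citations.get(f) for f in frameworks)]


def apply_result(result: AssessmentResult,
                 rows: List[MappingRow]) -> Dict[str, Dict[str, str]]:
    """Fan one assessment result out to each framework citation for its element.
    Returns {framework: {"citation": ..., "status": "satisfied" | "finding"}}."""
    row = next(r for r in rows if r.element == result.element)
    status = "satisfied" if result.passed else "finding"
    return {fw: {"citation": cite, "status": status}
            for fw, cite in row.citations.items() if cite}


def effort_savings(rows: List[MappingRow],
                   frameworks: Tuple[str, ...] = FRAMEWORKS) -> Tuple[int, int]:
    """(assessments if each framework is tested separately,
        assessments if each shared element is tested once)."""
    separate = sum(1 for r in rows for f in frameworks if r.citations.get(f))
    consolidated = sum(1 for r in rows if any(r.citations.get(f) for f in frameworks))
    return separate, consolidated


if __name__ == "__main__":
    print("Elements common to all three standards:")
    for name in common_elements(SAMPLE_MAPPING):
        print("  -", name)
    # A single test of the audit-logging element, credited to all three standards.
    outcome = AssessmentResult("Audit logging of access to sensitive data",
                               "test", True, "constructed evidence: log review 2024-Q1")
    for fw, rec in apply_result(outcome, SAMPLE_MAPPING).items():
        print(f"{fw:12} {rec['citation']:24} {rec['status']}")
    sep, con = effort_savings(SAMPLE_MAPPING)
    print(f"Assessments needed: {sep} separately vs. {con} consolidated")
```

Running it lists the three shared elements, shows one audit-logging test satisfying a PCI DSS requirement, a HIPAA Security Rule citation and a NIST 800-53 control at the same time, and reports 12 separate assessments collapsing to 5. The count is the answer to the Board member's staffing question in miniature: the headcount argument rests on testing each shared element once and letting the mapping distribute the evidence.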