© ControlCase. All Rights Reserved.
DATA PRIVACY &
RESILIENCE IN FOCUS
What NIS2, DORA, and GDPR Mean for You
YOUR IT COMPLIANCE PARTNER
GO BEYOND THE CHECKLIST
WEBINAR
Agenda
1. About ControlCase
2. The Three Pillars of Cybersecurity
3. Mapping Pillars to Regulatory Landscape
4. ControlCase’s Role in Triple Compliance
5. Q&A
Sections: About ControlCase | About the Landscape | About the Services | Open Forum
HOST
Chad Leedy
Director, Strategic Accounts
PRESENTER
Ashish Kirtikar
President, ControlCase Europe
ControlCase
Snapshot
ControlCase Overview
Provider of Compliance as a Service (CaaS): a subscription-based offering bundling proprietary GRC software and managed services.

Best-in-Class Compliance Platform
- ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements
- Proprietary software, including appliance and SaaS solutions, that enables CaaS (GRC and Data Discovery)
- Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform
- One Audit™ enables our clientele to Assess Once, Comply to Many
- Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains
- Serving over 1,000 customers
- Global footprint with offices in the U.S., LATAM, Europe, India, Canada, and UAE
- Leverages an offshore delivery infrastructure for competitive advantage
- IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom

Global Vision & Solutions Enhancement: Founded in 2004 | Headquartered in Fairfax, VA | Offices in U.S., Canada, India | 250+ Employees
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified:
- Demonstrate compliance more efficiently and cost effectively (cost certainty)
- Offload much of the compliance burden to a trusted compliance partner
- Improve efficiencies by doing more with fewer resources, and gain compliance peace of mind
1,000+ clients | 10,000+ IT security certifications | 275+ security experts
ControlCase Snapshot – Solution
Partnership Approach: Compliance HUB™ + Continuous Compliance Services & IT Certification Services = Certification and Continuous Compliance Services
Certification Services
One Audit
Assess Once. Comply to Many.
The 3 Pillars of
Cybersecurity
3 Pillars of Cyber Security
In today's rapidly evolving digital landscape, cybersecurity is built on three fundamental pillars that work in harmony to protect our digital society: Security | Privacy | Resilience
These three interconnected pillars form the foundation of our approach to cyber protection across Europe and the UK, and they are embedded throughout the major regulatory frameworks we'll explore today.

Security: protecting digital assets from threats
- Technical safeguards
- Organizational measures
- Continuous monitoring
- Incident detection, prevention & response

Privacy: ensures individuals maintain control over personal data
- Data protection by design
- Individual rights
- Consent mechanisms

Resilience: ensures systems can withstand, adapt to, and recover from disruptions
- Business continuity planning
- Redundancy & backup
- Crisis management

All three are interconnected: security enables privacy, privacy drives security, and resilience tests both.
Mapping the Pillars
to the Regulatory
Landscape
Mapping to Regulatory & Compliance Landscape
In today’s regulatory landscape, the three most prominent regulations that exercise these three pillars and their interlinkage are:

Regulation | Primary Focus | Secondary Focus
GDPR       | Privacy       | Security, Accountability
NIS2       | Security      | Resilience, Governance
DORA       | Resilience    | Security, Risk Management
GDPR – Foundation of Privacy
What is GDPR?
The General Data Protection Regulation (GDPR) is among the most stringent privacy and security laws in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU.
Key GDPR Requirements in 2025
Technical and Organizational Measures: You are required to handle data securely by implementing "appropriate technical and organizational measures" (Article 32). Technical measures range from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption.
Data Breach Notification: If you suffer a personal data breach, you must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects without undue delay (Article 34). Failing to notify can attract penalties.
2025 GDPR Developments
EU Simplification Efforts: On March 13, 2025, the Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, confirmed that the Commission is considering simplifying the GDPR with a view to reducing the burden on smaller businesses.
AI and GDPR Integration: The European Data Protection Board (EDPB) identified "the interest in self-determination and retaining control over one's own personal data" as chief among the individuals' interests that must be taken into account and balanced, both when personal data is gathered for the development of AI models and with regard to personal data processed once the model is deployed.
NIS2 – Framework for Security
What is NIS2?
The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It also calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement.
Implementation Status: Member States had until 17 October 2024 to transpose the NIS2 Directive into national law.
Expanded Scope: NIS2 expands the number of covered sectors from 7 under NIS1 to a total of 18 (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II) to protect more vital areas of society. Compared to NIS1, NIS2 dramatically increases the requirements for enforcing cybersecurity.
Management Accountability
A key aspect of NIS2 (Article 20) is that management bodies of in-scope entities are accountable for the cybersecurity framework: they must approve the risk management measures taken, oversee their implementation, and can be held liable if the entity fails to comply with NIS2.
UK Considerations Post-Brexit
The UK is not directly bound by NIS2. The UK's NIS Regulations continue to apply post-Brexit and take a similar sector-based approach; in the US, the voluntary NIST Cybersecurity Framework plays a comparable role.
Key Timeline and Requirements
DORA – Resilience for Financial Organizations
What is DORA?
The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. It entered into force on 16 January 2023 and has applied since 17 January 2025. It ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.
Key DORA Requirements
ICT Risk Management Framework: Develop and maintain a comprehensive ICT risk management framework capable of identifying, monitoring, preventing and mitigating ICT-related risks, with regular reviews and internal audits.
Incident Reporting: Establish processes to detect, classify, respond to, and report major ICT-related incidents (and, where applicable, major operational or security payment-related incidents) to the relevant competent authorities; significant cyber threats may be reported on a voluntary basis.
Digital Operational Resilience Testing: Put in place a robust digital operational resilience testing program that includes a range of assessments and tools, including threat-led penetration testing ("TLPT") at least every three years for financial entities identified by their competent authority.
Critical Third-Party Providers (CTPPs)
Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025.
UK Impact
Direct Impact on UK Businesses: UK financial entities and ICT service providers operating in the EU will need to comply with DORA's requirements. For financial entities (FEs), this includes the need for robust ICT risk management frameworks, incident reporting mechanisms, and digital operational resilience testing.
Supply Chain Implications: One of the more nuanced obligations placed on FEs by DORA is to monitor their ICT service supply chains. In principle this involves scrutiny not only of their immediate providers but also of rank 2, 3, 4 etc. subcontractors where such a subcontractor "materially underpins" the ICT service being used.
Industries needing this Triple Compliance
- Financial institutions in critical infrastructure (e.g. banks, insurance companies, financial market infrastructure)
- Critical service providers to financial sectors (e.g. cloud providers, core banking providers, data center operators)
- Payment infrastructure companies (e.g. payment networks, payment switch providers, large payment service providers)
ControlCase in the
Triple Compliance
ControlCase Solution – One Audit
Assess Once. Comply to Many.

Sample One Audit evidence requests, each mapped to a ControlCase Integrated Standard control and to the frameworks it satisfies (one X per framework it covers, in the order PCI DSS 3.2.1 / ISO 27001 / HIPAA / SOC 2):

No. | Topic | Question | ControlCase Integrated Standard | PCI DSS 3.2.1 / ISO 27001 / HIPAA / SOC 2
4 | Scoping | Provide your asset list, a list of the software, databases, data storage locations, sample sets and other related data elements. | CC4 | X X X X
28 | Data Encryption at Rest | Provide the following for all filesystems, databases and any backup media: (a) details on the method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage; (b) evidence (screenshots or settings) showing covered information is protected, and for the encryption method, evidence of its associated key management; (c) a documented description of the cryptographic architecture that includes: 1. details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date; 2. the function of each key used in the cryptographic architecture; 3. an inventory of any HSMs and other secure cryptographic devices (SCDs) used for key management (to be provided in the inventory as part of Q4). | CC37 | X X X X
44 | Logical Access | Provide the organizational access control policy. | CC63 | X X X X
50 | Logical Access | For all assets identified in the sample, provide evidence of logical access account and password features to include: | CC69 | X X X X
67 | Logging and Monitoring | For the sample, provide the audit log policy settings. | CC95 | X X X
77 | Security Testing | Provide external penetration test reports for network and application layer. | CC115 | X X X
Compliance Evidence Overlap
With PCI evidence 100% complete, the status of the other frameworks based on question overlap:

Regulation | Complete (questions) | No Evidence Uploaded (questions)
PCI        | 100%                 | none
SOC 2      | 49.1% (84)           | 50.9% (87)
ISO 27001  | 67% (77)             | 33% (38)
HIPAA      | 76.1% (54)           | 23.9% (17)
Compliance & Certification Time Savings*
Using another auditor: 1,600 hrs evidence collection + 600 hrs certification support = 2,200 hrs total time spent on compliance & certification
Partnering with ControlCase: 350 hrs evidence collection + 600 hrs certification support = 950 hrs total time spent on compliance & certification
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC 2, HIPAA).
Three Key Areas of Focus
CONTROLCASE SOLUTION
CONTINUOUS
An effective compliance program for
cyber security must provide a stream
of continuous, accurate information
about posture.
AUTOMATED
Continuous compliance requires an
automated platform that collects and
processes data in as close to real-time as
can be achieved.
INTEGRATED
The best compliance programs are
integrated into the systems being
measured, versus built as after-the-
fact overlays.
Summary – Why ControlCase
“They provide excellent service, expertise and technology. And the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
— Dir. of Compliance, SaaS company
Q&A – Open Forum
Thank You
for the opportunity to
participate in your
compliance program.
www.controlcase.com
(US) + 1 703.483.6383
(INDIA) + 91.22.62210800
contact@controlcase.com

Data Protection & Resilience in Focus.pdf
