PCI DSS Compliance
If your organization processes credit card data, the Payment Card Industry (PCI) Data Security Standard (DSS) has a number of requirements that SimpleRisk can help you with. In fact, our open source SimpleRisk Core product can be downloaded for free and can be used to check each of the following requirements off your list:
- Requirements 1.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.8, and 11.6: Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
- Requirement 2.4: Maintain an inventory of system components that are in scope for PCI DSS.
- Requirement 8.4: Develop, implement, and communicate authentication policies and procedures to all users.
- Requirement 12.1: Establish, publish, maintain, and disseminate a security policy; review the security policy at least annually and update when the environment changes.
- Requirement 12.2: Implement a risk assessment process that is performed at least annually and upon significant changes to the environment that identifies critical assets, threats, and vulnerabilities, and results in a formal assessment.
Getting started with SimpleRisk is incredibly easy! You can download SimpleRisk from our website and install it on your own servers or we offer a free 30 day trial of our SimpleRisk Hosted solution Once you have your SimpleRisk instance up and running, we highly recommend registering your SimpleRisk instance. This is a requirement if you decide you need any of our paid-for SimpleRisk Extras, but it also gives you access to our free Upgrade Extra, which provides a one-click backup and upgrade solution, as well as our free ComplianceForge SCF Extra, which incorporates the Secure Controls Framework directly into SimpleRisk. You can register and download these by going to the Configure -> Register & Upgrade page in your SimpleRisk instance. Once downloaded, select Configure -> Extras, and click on "No" in the Enabled column of the ComplianceForge SCF Extra. Click to "Activate" the Extra and you should see a list of all of the frameworks that have been mapped into the Secure Controls Framework:
As you can see in the screenshot, there are four different framework mappings in the Secure Controls Framework for HIPAA depending on your practice size. Find your appropriate HIPAA standard in the list and then click the ">" button to move it to the Enabled list. Now, click on the "Governance" menu in SimpleRisk and you will see your selected framework in the list of active frameworks:
Click on the "Controls" tab and select your framework name from the "Control Framework" dropdown list. Currently, there are controls in the Secure Controls Framework that have been mapped directly to USHIPAA, 81 controls mapped to HIPAA - HICP Small Practice, 133 controls mapped to HIPAA HICP Medium Practice, and 227 controls mapped to HIPAA - HICP Large Practice.
Now, several of the HIPAA requirements are centered around ensuring that your policies and procedures are documented, in use, and known to all parties. SimpleRisk handles this through the "Document Program" menu under "Governance". Here you can define all of your Policies, Guidelines, Standards, and Procedures. You can tie each one back to the frameworks and controls that you've defined in Governance and set review dates. SimpleRisk can even track versions of these documents as they change. Of course, the HIPAA requirement is to ensure that all of your users have access to these documents, so go to Configure -> Role Management in your SimpleRisk instance and create a new role with the "Allow Access to Governance Menu" checked. Under Configure -> Settings, you can set this as your Default Role. You could even use our Custom Authentication Extra to integrate SimpleRisk with your Single Sign-On provider through SAML so that user accounts will be automatically provisioned with this default role upon login. How simple is that?
Because there will always be exceptions to your defined policies, SimpleRisk can even be used to track exceptions, justifications, approvers, and approval dates. To assist with automating all of this, with our Email Notification Extra, you have the ability to receive messages notifying you of when these exceptions are due for a re-review.
Lastly, HIPAA specifically requires the creation of a formal risk assessment and management process. Based on the NIST 800-30 framework for risk management, it has always been at the core of what SimpleRisk has to offer. Click on the "Risk Management" menu in SimpleRisk and you'll see the capability to Submit a Risk, Plan a Mitigation, and Perform a Review Not sure how to get started with your risk assessment Click on the "Assessments" menu at the top and then select the "HIPAA (April 2016)" assessment from the list.
This questionnaire will walk you through each of the HIPAA requirements, one-by-one, and your answers will be used to create pending risks, which can be added into SimpleRisk with the click of a button!
With our Import-Export Extra, you even have the ability to suck in lists of assets and vulnerabilities from tools such as Rapid7 Nexpose and Tenable.io. Those assets can be tagged to reflect their association with "PCI" and you can set an asset valuation to help move the needle on your risk assessment practices from qualitative to quantitative scoring and then leverage our Risks and Assets report to get at the Maximum Quantitative Loss value for a risk:
As you've seen, our free and open source SimpleRisk Core product can be used to handle a ton of the HIPAA requirements around documenting your policies and procedures, maintaining an inventory of assets, and managing your risks. Those spreadsheets left behind by the auditors typically get filed away on a network share somewhere and seldom get looked at. Wouldn't you rather be using a system where you can manage and interact with your risks as part of an ongoing process? No credit card is required for you to get started today with a free trial or schedule a demo with us to learn more!