Multiple Compliance and Multiple Certifications
(PCI DSS, ISO 27001, BITS FISAP, HIPAA, HITRUST, FISMA NIST 800-53, SOC1, SOC2, EI3PA)
The One Audit service provides the ability for organizations to perform a single audit and certify/comply to multiple regulations including but not limited to PCI DSS, ISO 27001, BITS FISAP, HIPAA, HITRUST, FISMA NIST 800-53 and EI3PA
The solution blends enterprise software solutions, hosted solutions, and managed services to streamline the creation, mapping and updating of internal and external controls, thus empowering IT, Security, and Compliance Managers to COLLECT EVIDENCE AND RISK CONTROLS ONCE AND MAP ACROSS MULTIPLE REGULATIONS!
- Streamlined GRC enabled methodology vs army of expensive auditors
- Simplify multiple regulatory mandates
- Reduce audit preparation and execution time
- Curb compliance costs
- Tried and tested audit methodology
Features of One Audit include:
Single and Centralized Repository for all GRC Information
- Store all your documents, evidences, processes related to compliance in one place and get access to it from anywhere and at any time.
Dashboards and flexible reporting for snapshot views of compliance efforts and progress
- No management system is complete without the ability of having “user customizable” dashboards with colorful charts and graphs. Our dashboard allows you to select predefined charts and graphs or define your own.
Centralize Vendor Compliance Data
- Helps you keep track of Vendors and keep all their risk (and other) related data in one repository.
Schedule Audits for multiple regulations
- Scheduling is easy and automated through periodic reminders built into the ControlCase Audit Manager. You can setup the audit calendar in ControlCase Audit Manager and assign various tasks to be performed at specific and recurring intervals.
How is it accomplished?
It is accomplished through thorough regulatory mapping within the ControlCase GRC platform which enables us to ask audit questions once and report against multiple standards.
Question Number Question PCI DSS ISO 27001 SOC2 SOC1 HIPAA NIST 800-53 63 Provide policy addressing below items
- Defining access needs and privilege assignments for each role.
- Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities.
- Assignment of access based on individual personnel’s job classification and function
- Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.
7.1 9.1.1, 9.2.3, 9.4.1 S3.2, S3.4, C3.8, C3.10, PI3.2, PI3.5, PI3.6, P8.2.2 Physical security 164.308(a)(3), 164.308(a)(4), 164.312(a)(1) AC-1, AC-6 64 Provide PCI scope Application, server, network devices and database user access (permission) list with business justification for each user – (No need to include the consumer user list for applications)
Also provide supporting system screenshot showing the current added users
Security Posture QA:
- Ensure all applications, OS and DB are in scope of evidence
- Ensure for each that there are no generic ids being used. This would include looking at user lists and also logs to ensure no users logging in using generic ids
7.1.1 9.2.1, 9.4.1 S3.2, S3.4, C3.8,PI3.2, PI3.5, P8.2.2 Information and communication 164.308(a)(3), 164.308(a)(4), 164.312(a)(1), 164.312(a)(2)(i), 164.312(d) AC-1, AC-2, AC-3, AC-14