Cloud Security Concerns And What Can I Do About It?
FishNet Security White Paper

By Jason Hicks, Senior Consultant, Governance, Risk & Compliance (CISSP, HISP, CICP)

Cloud computing promises to provide many advantages over the traditional application delivery model currently in use at most organizations. Cloud computing can offer service elasticity, or the ability to rapidly expand and contract available processing capacity. Cloud computing can also make it possible to reduce your yearly outlay for IT hardware and data center-related expenses. Cloud computing provides rapid application deployment and a streamlined development process.

To use an analogy, sunshine in most parts of the country is often followed by rain. While cloud computing promises many advantages, it also comes with its own unique challenges. Your data can be located in a variety of places and geographies. Providers may be reluctant to provide you with sufficient data on their security posture to properly assess the risk of utilizing their services. It's possible to find yourself in a situation where an incident has occurred and your staff doesn't have access to the infrastructure necessary to conduct an investigation. You could find your data commingled with the data of others on shared hardware.

Rest assured, it's not all doom and gloom ahead. I'm going to focus on some of the security challenges and opportunities posed by the adoption of cloud-based services and applications.

The Challenges

There are significant choices in how an organization deploys cloud-based services. There are multiple architecture choices, for example: Internal Private Cloud, Hosted Private Cloud, Public Cloud and, of course, a Hybrid option. How does one choose the appropriate deployment model? What about the cost? And what impact will the model we choose have on my organization's security posture?

Another challenge is resources. Most information security organizations are stretched thin as it is, and that's without the added work of assessing the security risks associated with cloud security. Some feel as if outsourcing certain business operations is a way to outsource risk. This is a dangerous approach, and could not be further from the truth. Sharing sensitive information with third parties does not exclude your organization from the standard obligations associated with data protection. In fact, the sharing of sensitive information with outside organizations increases your risk profile and obligations. Claiming a lack of resources will not provide a defensible position in the face of a data breach or other information security-related incident.

Your organization has probably spent a significant amount of time debating what applications and services can move to the Cloud and what provider you're thinking of using. You may already be using cloud-based services or applications such as salesforce.com. As the resident security expert, or as we like to say in healthcare, the "jailable entity", you're probably concerned about how all this shared computing infrastructure is going to affect your security posture. If you're like me, you have probably rained on the parade of quite a few excited application development managers thinking they could save a fortune by moving something filled with sensitive data to the ubiquitous Cloud. I can't count on both hands the number of times I've told folks they can have all the Cloud they want as long as it's in one of our data centers. And yes, that means some applications will not be deemed cloud-approved, at least outside of your Internal Private Cloud.

Alas, times are changing, and the Cloud does pose significant advantages for the right candidate applications. By employing a well-thought-out Cloud Architecture and Cloud Governance model, your organization can take advantage of what cloud computing has to offer while maintaining an acceptable level of security.

What to do

This is a multifaceted challenge that must be addressed systematically and holistically.

Step 1: Assess your current applications to determine what could benefit from a cloud-based delivery model

An assessment of your current applications should be conducted to determine their criticality to business operations and the sensitivity level of the data they store and process. I recommend breaking them into three groups:

1. Applications that process low security data
2. Applications that process medium security data
3. Applications that process high security data

Once you have an idea of the data sensitivity level of each of your applications, you should also pay attention to identifying applications that need to be rolled out rapidly or that face extremes in processing load.

Step 2: Ensure there is a corporate Cloud Strategy and Governance Model in place before rolling out your cloud applications

Before your organization makes the leap into cloud-provided applications, it's important to lay the proper groundwork. Just as Rome wasn't built in a day, a well-designed and managed cloud computing infrastructure requires preparation and planning. Two important documents should be created before your organization starts to deploy cloud-based applications:

Cloud Strategy: This document will lay out your organization's official approach to cloud-based applications. It should lay out specific criteria to determine what applications or infrastructure will be provided from the Cloud. It's important that this document is approved at a sufficient level of management to ensure that it will be adhered to. It should also include the proposed architecture your organization will be utilizing. This could include building your own Internal Private Cloud, utilizing existing Public/Private Cloud providers or a hybrid approach. Laying the ground rules ahead of time will spare you a significant number of headaches during the qualification and deployment phases.

Cloud Governance Model: This document lays out the specific security requirements that are necessary in the various stages of your cloud application rollout. It is important to determine the criteria for selecting the classification level of data sensitivity that triggers an application being assigned to the Private Cloud or Internal Private Cloud, or to no cloud, if such a designation is made. Equally important is codifying the security due diligence requirements for selecting a cloud service provider. This should include an initial assessment and ongoing assessment activities. This document should also establish any service-level agreement requirements or security/performance metrics that will be monitored. Finally, this document should lay out the contractual clauses and legal review process that would be expected before a cloud service provider can be utilized. Enforcing consistent security standards is essential to protecting your sensitive data, corporate reputation and intellectual property.

Step 3: Assess the security posture of your proposed cloud service providers

At this point you're ready to apply the security due diligence standards you established in your Cloud Governance Framework to your proposed or existing cloud service providers. Ideally, this would involve reviewing the last assessment if they are ISO certified. I recommend developing your own questionnaire that a cloud service provider would be required to fill out before being approved for use, and then again at some predetermined interval such as annually. The Cloud Security Alliance framework would be a good place to pull your controls from. Another would be the Shared Assessments SIG. This gives you a consistent way of measuring the security posture of your cloud service providers.

If your contractual agreement allows for more invasive testing, a penetration test of their infrastructure would be another ideal due diligence measure. Often you may find yourself contractually prohibited from performing any in-depth testing. I highly recommend you attempt to get contractual language included that allows for invasive testing. You have your best chance of getting this language inserted before any contracts have been signed. It would also be extremely beneficial if your contract allowed for application penetration testing of your deployed applications.

It's equally important to consider the physical security posture of your proposed or existing cloud service providers. Your questionnaire should also probe their physical security posture. This should focus on the security of their facilities, their disaster recovery and business continuity capabilities and their methods of media disposal/reuse. If you have special concerns, e.g., you are a healthcare provider or another highly regulated entity, you should include those specific controls in your questionnaire and assessment activities.

Step 4: Establish your contractual relationships and service level agreements

Once you've narrowed your list of cloud service providers based on your security assessment activities, it's time to get down to the fine print. While most people's eyes glaze over during the contract negotiation phase, it's a good time to put on your junior lawyer hat. The choices made during this phase can have a profound impact on your organization's satisfaction with cloud-delivered applications. In addition to all of the standard things your attorneys are to be looking for, you want to pay special attention to the following items:

- Nondisclosure of your sensitive information
- Destruction of your information upon contract termination
- Ability to conduct an onsite assessment
- The ability to terminate your contract in the event the provider suffers a breach
- Either the ability for your incident response/forensic investigation resources to be granted access to the cloud service provider's equipment in the event of an incident or investigation, or the cloud service provider needs to have qualified personnel on hand and agree to make them available to conduct incident response activities, forensic investigations and legal holds. This includes access to the logs created by its network devices, servers and other associated equipment.
- The amount of access to the provider's infrastructure and staff you will receive for security assurance activities. This includes whether they will fill out questionnaires and whether they will share sensitive information like diagrams, policies and procedures. This should also entail the amount of testing you will be permitted to undertake. From a testing standpoint, the ideal language would give you the ability to conduct infrastructure and application penetration testing. In practice this will likely be a point of contention between your organization and the cloud service provider. You should insist at the bare minimum that the cloud service provider deliver the results of their own penetration testing activities. You should expect these activities to be undertaken at least annually, if not more frequently. A provider that refuses to conduct or share the results of its own penetration testing, along with prohibiting you from conducting penetration testing, should be excluded from selection.
- How your data will be stored, backed up and disposed of is another important aspect of your contract negotiations. At a minimum you're going to want to ensure that any data you consider sensitive is not commingled with any other customer's data. You should also insist that any backup copies of your data are encrypted. This will ensure that if they are transferred off-site for storage they won't be intercepted by any third parties. How devices that contain your data are disposed of or reused is also important. You want to ensure that any media that contain your data in an unencrypted format are destroyed or degaussed at the provider site before being discarded or returned as a warranty replacement. You should also insist that storage devices containing your data are either securely wiped, assuming the data was stored in an unencrypted format, or, if your data was stored in encrypted format, that the provider erase the encryption key and reinitialize the storage.
- Any special agreements you require to be executed as part of the deal. For example, if you're a healthcare provider and you're planning on storing patient data in a location provided by your cloud service provider, the provider will need to sign a HIPAA business associate agreement as a condition of getting your business.

Finally, it's important to capture any service-level agreements you desire to have in place. This is also the time to be capturing any metrics you would like to be provided with in order to quantify the performance of your cloud-provided services.

Step 5: Deploy your shiny new cloud-based applications/services

Now that you've established your Cloud Architecture and Cloud Governance models, assessed the security posture of your service provider and braved the contract negotiation process, you're ready for the fun part: rolling out your applications. Depending on the delivery model you've selected, this can involve a lot of interconnected steps and people, which is beyond the scope of this white paper. By laying the groundwork above, you should be spared from any major security surprises during this phase. This will allow your IT applications staff to stay focused on the application deployment and not on last-minute security issues.

Step 6: Perform in-depth infrastructure and application security testing

Now that you have deployed your shiny new applications, you want to make sure your new delivery method has not introduced any security vulnerabilities. The activities in this phase will depend on the provider you selected and the contract provisions you were able to negotiate. You should aim to complete as many of the following as possible:

- Conducting comprehensive application quality assurance testing to ensure expected functionality is delivered
- Load testing to determine if your new delivery platform can scale to meet your projected demand
- Infrastructure and application penetration testing to determine whether any vulnerabilities exist in your newly deployed application or service
- Ideally, testing the disaster recovery procedure for this application or service. This is not always feasible, and if you're unable to complete this at the time, it should be included in your annual disaster recovery testing
- Attempting to obtain whatever metrics you have negotiated and ensuring the cloud service provider is able to deliver those metrics in the method you agreed

Step 7: Review your metrics and optimize your application delivery

At this point you're ready to kick back, relax and watch your new system perform. Now it's time to ensure that your policies and procedures are updated to reflect your new cloud service delivery method. This is also the time to start reviewing your metrics as specified in your Cloud Governance model. By reviewing your metrics and other application performance data, you will be well-positioned to continue enhancing your newly deployed application to ensure optimal performance. It's also important to continue your recurring security due diligence activities, whether annually as I recommended or at another interval you feel is sufficient.

Conclusion

Cloud-based services can be a transformative business enabler. Cloud-based services can also be an information security nightmare if not managed correctly. While I can't possibly cover every facet of this growing area in this paper, I hope I have provided you with enough information to get the wheels in your head turning. Cloud-based services are the future, and they're inevitable for a decent subset of your applications and services. It's important for the security team members to continue to be seen as business enablers and not as roadblocks. Equally important, take a risk-based approach to your adoption of cloud computing and ensure that your sensitive information is properly protected. By taking a well-thought-out and balanced approach to cloud computing, you should be able to strike a comfortable posture for your organization. With this paper, we hope to provide you and your organization with enough information to get you thinking about your cloud security posture and what you can do about it. By following the steps outlined above, you'll be well on your way to rolling out cloud-based services and still sleeping at night.

About FishNet Security

FishNet Security, the No. 1 provider of information security solutions that combine technology, services, support and training, enables clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. FishNet Security is committed to information security excellence and has a track record of delivering quality solutions to more than 5,000 clients nationwide.
Choosing an Effective Managed Security Services Partner An Allstream / Dell SecureWorks White Paper 2 Managed Security and Consulting services can deliver strong value to your security program. A Managed
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationIT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.
IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT
More informationCloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org
Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security
More informationChecklist for a Watertight Cloud Computing Contract
Checklist for a Watertight Cloud Computing Contract Companies of all industries are recognizing the need and benefit of moving some if not all of their IT infrastructure to a Cloud whether public or private.
More informationHow to Protect Intellectual Property While Offshore Outsourcing?
WHITE PAPER [Type text] How to Protect Intellectual Property While Offshore Outsourcing? In an era of increasing data theft, it is important for organizations to ensure that the Intellectual Property related
More informationKeep Your Data Secure in the Cloud Using encryption to ensure your online data is protected from compromise
Protection as a Priority TM Keep Your Data Secure in the Cloud to ensure your online data is protected from compromise Abstract The headlines have been dominated lately with massive data breaches exposing
More informationBackup & Disaster Recovery
Backup & Disaster Recovery Backup & Disaster Recovery You already know that a security breach could cost you loss of critical data, your customers, your reputation, and even your business but do you know
More informationWHITE PAPER. 10 Things Every Law Firm Should Know About Improving IT Performance: A Practice Director s Guide
WHITE PAPER 10 Things Every Law Firm Should Know About Improving IT Performance: A Practice Director s Guide To remain successful and experience growth, you must focus on improving your firm s IT performance
More informationITIL v3 Process Cheat Sheets
CEB Infrastructure Leadership Council ITIL v3 Process Cheat Sheets 2014 CEB. All rights reserved. IEC8051414SYN 1 ITIL v3 Process Cheat Sheets The ITIL v3 process cheat sheets include a definition, description
More informationThe Next Generation of Security Leaders
The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationbest practice guide The Three Pillars of a Secure Hybrid Cloud Environment
best practice guide The Three Pillars of a Secure Hybrid Cloud Environment best practice guide The Three Pillars of a Secure Hybrid Cloud Environment Introduction How sound risk management, transparency
More informationCloud Security Certification
Cloud Security Certification January 21, 2015 1 Agenda 1. What problem are we solving? 2. Definitions (Attestation vs Certification) 3. Cloud Security Responsibilities and Risk Exposure 4. Who is responsible
More informationRule 30(b)(6) Depositions in Electronic Discovery. Discovering What There Is to Discover
: Discovering What There Is to Discover One of the challenges in electronic discovery is identifying the various sources of electronically stored information (ESI) that could potentially be relevant to
More informationWhy cloud backup? Top 10 reasons
Why cloud backup? Top 10 reasons HP Autonomy solutions Table of contents 3 Achieve disaster recovery with secure offsite cloud backup 4 Free yourself from manual and complex tape backup tasks 4 Get predictable
More informationCloud Computing Security Considerations
Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction
More informationCloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
More informationFinally, An Easy Way To Never Have To Deal with Computer Problems Again!
Finally, An Easy Way To Never Have To Deal with Computer Problems Again! Finally, An Easy Way To Keep Your Computers Running Faster, Cleaner, And Problem Free Without The Expense Of A Full-Time IT Staff
More informationINFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire
Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology
More informationHow To Choose A Cloud Computing Solution
WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.
More informationBest Practices in Healthcare IT Disaster Recovery Planning
BUSINESS WHITE PAPER Best Practices in Healthcare IT Disaster Recovery Planning Assessing your options for leveraging the cloud to enhance compliance, improve recovery objectives, and reduce capital expenditures
More informationLegal Issues in the Cloud: A Case Study. Jason Epstein
Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types
More informationHow To Protect Your Cloud Data From Being Hacked
1 Once touted in some circles as the centerpiece of future IT strategy, the cloud is undergoing a huge reality check that has dampened some of the enthusiasm. Costly disasters, random outages, and even
More informationPrivacy and Security Guidance Cloud Computing in the MUSH Sector
dentons.com Privacy and Security Guidance Cloud Computing in the MUSH Sector Operational Privacy Risks and Opportunities in Cloud Computing: A Focus on Municipalities, Universities, School Boards, and
More informationSecuring and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer What is Cloud Computing A model for enabling convenient, on-demand network access to a shared pool of configurable
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationThe Advantages of Cloud Contact Center Software
White Paper Cloud Contact Center Software The Advantages of Cloud Contact Center Software A Five9 White Paper, September 2011 In the contact center business, change is constant. New client? Great. New
More informationBusiness Continuity Requires the Best Cloud Storage Options
Requires the Best Cloud Storage Options www.gr e xo.co m Requires the Best Cloud Storage Options Only about 38% of small to medium sized businesses have an IT business continuity plan in place. If you
More informationDiagram Cloud Computing
Diagram Cloud Computing Cloud Computing Diagram 1: Traditional Network Combined with a Single Cloud Computing Application In the above Cloud Computing Diagram, the company has decided to no longer own,
More informationAskAvanade: Answering the Burning Questions around Cloud Computing
AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationTERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO
TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) Consultant - Enterprise Systems & Applications 1. Reporting Function. The Applications Consultant reports directly to the CIO 2. Qualification and Experience
More informationHOW TO PREPARE FOR A PCI DSS AUDIT
Ebook HOW TO PREPARE FOR A PCI DSS AUDIT 8 TOP COMPLIANCE TIPS FROM QSAS 2015 SecurityMetrics HOW TO PREPARE FOR A PCI DSS AUDIT 8 TOP COMPLIANCE TIPS FROM QSAS INTRODUCTION Payment Card Industry Data
More informationDisaster recovery: Resilient cloud-based disaster recovery
Disaster recovery: Resilient cloud-based disaster recovery Disaster recovery and business continuity applications in the cloud offer the benefits of speed, cost efficiency and availability, eliminating
More informationR345, Information Technology Resource Security 1
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
More informationThe Elephant in the Room: What s the Buzz Around Cloud Computing?
The Elephant in the Room: What s the Buzz Around Cloud Computing? Warren W. Stippich, Jr. Partner and National Governance, Risk and Compliance Solution Leader Business Advisory Services Grant Thornton
More informationInsights into Cloud Computing
This article was originally published in the November 2010 issue of the Intellectual Property & Technology Law Journal. ARTICLE Insights into Cloud Computing The basic point of cloud computing is to avoid
More informationFLEXIBILITY AGILITY AVAILABILITY BOLSTER YOUR BANK S I.T.
CDW FINANCIAL SERVICES WE GET IT BOLSTER YOUR BANK S I.T. FLEXIBILITY of financial institutions are planning to outsource the same or additional IT services in the next 12 to 18 months.* AGILITY AVAILABILITY
More informationSTATE OF NEW JERSEY Security Controls Assessment Checklist
STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response
More informationSECURITY IN THE HYBRID CLOUD:
SECURITY IN THE HYBRID CLOUD: Putting Rumors to Rest FROM VIRTUALIZATION TO GROWTH OF THE PUBLIC CLOUD IDC predicts that public cloud computing services will grow to a $72.9 billion market in 2015, up
More informationTHE WINDSTREAM HOSTED SOLUTIONS ADVANTAGE. smart solutions. personalized service.
THE WINDSTREAM HOSTED SOLUTIONS ADVANTAGE smart solutions. personalized service. Helping the most important business succeed. Yours. SSAE-16. HIPAA. SOX. GLBA. PCI DSS. Where some see acronyms, you see
More informationBackup vs. Business Continuity: Using RTO to Better Plan for Your Business
Backup vs. Business Continuity: Using RTO to Better Plan for Your Business Executive Summary SMBs in general don t have the same IT budgets and staffs as larger enterprises. Yet just like larger organizations
More informationCLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013
CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street
More information