OUTSOURCING IT FUNCTIONS IN TIMES OF INCREASED REGULATION AND SECURITY CONCERNS
2016 In-House Counsel Conference
INTRODUCTION

Presenters:
- Barbara Murphy Melby, Partner, Morgan Lewis
- Megan Gatto, Senior Counsel, Independence Blue Cross
- Michael L. Pillion, Partner, Morgan Lewis
Discussion Topics
- The changing IT landscape
- Enterprise risk management: central oversight of data/operational exposure, liability and practical concerns
- Compliance update: traditional and industry-specific regulations, and how allocation of responsibility may be negotiated
- Security controls and compliance
- Security risks in cloud deals
- Security breach and allocation of risk
- Third-party vendor management
- Environment oversight
- Wrap-up
THE CHANGING LANDSCAPE

The Changing Landscape
- Cloud
- Data Analytics
- Automation
- IT Services
- Internet of Things
- Mobility
- Business Unit Procurement
Kosbit: Top 5 IT Outsourcing Trends for 2016
- #1: The Internet of Things refers to machine-to-machine communication, centered on the use of data-gathering sensors. According to McKinsey, this will be an industry that is worth $11 trillion in
  Outsourced IT services will play a vital role in the development of advanced devices that can support IoT.
- #2: Big Data and Analytics: many rely on the services that can be provided by IT outsourcing companies because of cost-effectiveness and expertise. The price point of investing in big data analytics is just too high for some enterprises, which is why it is expected that many of them will resort to outsourcing in the coming years to take advantage of big data without being too resource-intensive.
- #4: Cloud Computing: According to Markets and Markets, before the end of 2015, cloud computing is an industry that will be worth as much as $121 billion. Those who do not yet embrace the premise of cloud computing can lag behind the competition, not only because of automation, but also because it is cost efficient compared to manual processes.
- #5: Digital Transformation: As many enterprises continue to discover automated, scalable, and affordable solutions, outsourcing becomes less attractive. As a result, the challenge in 2016 is for providers of outsourced IT services to rethink how they can create value and mitigate risks to continue being a viable option.
Leading to
- New definitions of IT outsourcing
  - Business solutions enabled by technology, and using business data
- Increased business demand for such solutions
  - Keeping up with the competition
  - Enhancing the employee and user experience
  - Speed to adoption
Coupled with (or maybe because of)
- Heightened sensitivity to data breaches and security controls at the highest levels
- Increased regulatory requirements and guidance
  - Outsourcing (by industry)
  - Data protection
Risk and Legal Response
- Stay cool and regain control (easier said than done)
  - What are the solutions?
  - Who are the vendors?
  - Who is contracting with the vendors?
- Rethink risks and controls (big picture)
  - Where are the assets?
  - Where is the data?
  - What are the business-critical services?
- Immediate and long-term risk mitigation
ENTERPRISE RISK MANAGEMENT; COMPLIANCE UPDATE
Presented by Megan Gatto

ENTERPRISE RISK MANAGEMENT
Central oversight of data/operational exposure: liability and practical concerns
Practical concerns
- Overall reliance on cloud or other vendors for day-to-day operation
- Evaluating worst-case scenarios for service disruption/data loss
- Diligence regarding disaster recovery/business continuity plans
- Are contractual remedies effective?
- Mitigating practical consequences of nonperformance
Liability exposure
- Contributing factors:
  - Nature of data: personal information/PHI, sensitive business information, other information
  - Volume and age of data: not all old data is obsolete; adherence to record-retention policies
  - Location of data: larger vendors may also be larger targets
Liability exposure
- Aggregate liability exposure
  - Data on own systems, processed by own employees
  - Outsourced functions: vendors are liable for breach of their data security obligations, not for any data breach
  - Unlimited vendor liability for breach of data security obligations can be difficult, although not impossible, to achieve
- How to manage?
  - Negotiate as best you can
  - Keep your data breach response plan up to date as vendors are added
  - Cyber insurance (requires attention to detail)
COMPLIANCE UPDATE
Traditional and industry-specific regulations, and how allocation of responsibility may be negotiated

What are "Laws" in your contract?
- Traditional definition: some combination of laws, rules, orders, and binding restrictions of federal, state, or local governmental authorities
- What about nongovernmental entities, such as industry associations or issuers of licenses, that nevertheless have some control over the customer?
  - Healthcare example: BCBSA
Responsibility for Compliance
- Traditional allocation of responsibility is often: Vendor retains full responsibility for compliance with Laws applicable to the services, other than Customer Laws
- Definition of Customer Laws is negotiable, but often includes Laws that are specifically applicable to Customer's industry, as opposed to Vendor's customers generally
- Monitoring responsibility is negotiable as to whether Customer must proactively direct Vendor regarding Customer Laws, or whether Vendor must comply with Customer Laws, subject to Vendor's right to request specific instruction
- Financial responsibility: Vendor will comply with Customer Laws (or Customer's directives), but at Customer's expense

Variations on Compliance
- When might a Vendor take responsibility for industry-specific Customer Laws?
- What if a Vendor refuses to commit to comply with industry-specific Customer Laws?
SECURITY CONTROLS & COMPLIANCE; SECURITY BREACHES AND ALLOCATION OF RISK
Presented by Michael L. Pillion

Security Controls & Compliance; Security Breaches & Allocation of Risk: Outline
- Security Risks in Cloud Deals
- Security Controls and Compliance
  - Data Security Requirements
  - Vendor's Data Security Offering
  - Security Standards, Certifications, and Audit
  - DR/BCP Plans
  - Data Delivery and Deletion at Termination
- Data Security Breaches
  - Vendor's Response Plan
  - Steps to Take After a Breach
  - Allocation of Risk in the Contract
Security Risks in Cloud Deals
- Loss of Control
- Gaps in Policies and Responsibilities
- Compliance and Legal Risks
- Data Protection: release, loss, and unavailability
- Data Isolation Failures
- Handling of Security Incidents: detection, reporting, management, and resolution
- Insecure or Incomplete Data Deletion at Termination
- Visibility and Audit

Data Security Requirements
- Higher level of security for certain data?
  - Legal requirements
  - Requirements of Customer policies
  - Industry-specific requirements
- Keep at Customer?
Vendor's Data Security Offering
- Vendors are typically not willing to offer a customized data security approach
- Customers must conduct a gap analysis of Vendor's data security policies vs. Customer's policies, laws, and industry requirements
- Due diligence and selection of Vendor is more important than the contract
  - Location of servers, both primary and backup
  - Subcontractors/subprocessors
  - What security certifications does Vendor maintain?

Vendor's Data Security Offering
- Physical security, commensurate with data sensitivity
- Logical/system security, to avoid compromise of confidentiality through commingling
  - How data is segregated (logical segregation)
- Access by authorized personnel only
- Regular monitoring of intrusion detection system and reporting
- Encryption (e.g., for transfers outside firewalls)
- Use of mobile devices and storage (e.g., laptops, tablets, USB drives, backup tapes), including whether use is permitted
- Enhanced standards for Personal Information, including PHI
- Employee privacy and security training
Security Standards, Certifications & Audit
- Information Systems Security: ISO Series
  - The ISO standard that provides requirements for an information security management system
  - The ISO standard that provides guidelines for information security standards and practices, including the selection, implementation, and management of controls
  - The ISO standard that gives guidance on security controls applicable to the provision and use of cloud services
  - The ISO standard that establishes control objectives, controls, and guidelines for implementing measures to protect PI in the public cloud environment
- Audit to and certification to ISO Services Standards
Security Standards, Certifications & Audit: SSAE 16/ISAE 3402 Audit Standards
- Service Organization Control (SOC) 1: conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16; an audit of internal controls over financial reporting
  - SOC 1, Type I: opinion on the suitability of the design of the service organization's controls to achieve the related control objectives, as of a specified date
  - SOC 1, Type II: same as a Type I report, with the addition of an opinion on the operating effectiveness of the controls to achieve the related control objectives throughout a specified period

Security Standards, Certifications & Audit: AT101 Audit Standards
- SOC 2: designed for audits of service providers; an audit of the security, availability, and processing integrity of a service provider's system, the confidentiality of the information that the system processes or maintains, and the privacy of personal information that the service provider collects, uses, retains, discloses, and disposes of
  - SOC 2, Type I
  - SOC 2, Type II
- Customer Audits
Disaster Recovery/Business Continuity Plans
- Outages, and the resulting data loss or inability to access data, are just as big a risk as security breach risks
- Data Recovery Sites
- Definition of Outage and Disaster
- Data Recovery Time and Recovery Point SLAs
- Downtime Credits
- Responsibilities of Customer Under Vendor DR/BCP Plan
- Coordination with Customer's DR/BCP Plan
- Testing and Reporting

Data Delivery and Deletion at Termination
- Delivery of Data to Customer
  - Allocation of Responsibilities Between Customer and Vendor
  - Format of Data
  - No Deletion by Vendor After Only Passage of Time
- Deletion of Data by Vendor
  - Complete and Secure
  - Compliance with Data Destruction Laws
  - Deletion Certificate
Data Security Breach Response Plan
- Addressing, among other things:
  - Notice to Customer
  - Response: contain the breach
  - Investigation: how, what data, who has it
  - Remediation
  - Notices required by laws/policies/contracts
  - Credit monitoring required by laws/policies/contracts
  - Other requirements under laws/policies/contracts
  - Responsibility for costs and fines under laws/policies/contracts
- Changes by Vendor: Customer consent required? Notice to Customer required?
- Is Vendor's data security breach response plan consistent with Customer's? (Each must have one!)
Security Breaches: Remediation Steps
Customer's position is that if the breach involves Customer Data under Vendor's control and Vendor was in breach of its data security obligations:
- Vendor must either undertake, or bear Customer's costs of undertaking, the remediation steps that are required by law or a regulatory authority, or that are required by the contract or Customer policies (such as notices to affected individuals, credit monitoring, operation of call centers).
- Vendor is responsible for fines, penalties, etc., imposed on Customer as a result of the breach.
- The parties may agree upon additional steps that are reasonable in light of the particular breach.
- A liability cap (discussed later) may apply to Vendor's responsibility for these costs.

Security Breaches: Remediation Steps
- What if the breach involves Customer Data under Vendor's control and Vendor was not in breach of its data security obligations?
  - Customer to bear the cost of notifying affected individuals, etc., as described on the previous slide?
  - Vendor still must cooperate with the investigation and take corrective actions as described on the previous slide.
Contractual Allocation of Risk for Data Security Breaches
- Major Areas of Damages Exposure
  - Investigating Breaches
  - Remediating Systems
  - Restoring or Re-creating Data
  - Data Breach Notifications and Remediation with Respect to the Individual and Regulators
  - Third-Party Claims by the Individual and Regulators (indemnity?)

Limitations on Liability
- Direct Damage Cap
- Disclaimer of Indirect and Consequential Damages
- Exceptions to the Limitations on Liability
  - Breach of Confidentiality Obligations (may depend on whether clearly separate from Data Security Obligations)
  - Breach of Compliance with Laws Obligations

Limitations on Liability
- Exceptions to the Limitations on Liability: Breach of Data Security Obligations
  - If Vendor was in breach of its obligations, as opposed to strict liability
  - May depend on the type of data (e.g., is there a lot of PI or PHI?)
  - May depend on the encryption or other solution requirements
  - Maybe differentiate by type of damage:
    - Investigating Breaches
    - Remediating Systems
    - Restoring or Re-creating Data
    - Data Breach Notifications and Remediation Requirements with Respect to the Individual and Regulators
Secondary Cap for Data Security Issues?
- Separate from, or on top of, the basic Direct Damages Cap?
- Cover both direct claims and indemnification claims?
- Direct damages only, or indirect damages as well?
- What about consequential damages?

Agreeing That Certain Damages Are Recoverable as Direct
- Contract states that certain damages will be recoverable within the Direct Damage Cap as if they were Direct Damages:
  - Costs of complying with data breach laws
  - Costs of data remediation
  - Indemnified losses
  - Governmental fines
THIRD-PARTY VENDOR MANAGEMENT AND ENVIRONMENT OVERSIGHT

Vendor Management
- Good vendor management is critical to maintaining security control and regulatory compliance, and ultimately to mitigating risk
- Traditional vendor management models:
  - Pre-engagement reviews
  - Contract requirements
  - Ongoing governance
Vendor Management
- First: what is the scope?
  - Criticality of service
  - System and/or data access
  - Data storage
- Pre-engagement reviews
  - Financial viability
  - Experience
  - Customer history
  - Industry reputation
  - Insurance
  - Security controls (questionnaire/assessment)
  - Business continuity

Vendor Management
- Contract requirements
  - Location of systems and data
  - Remote access
  - Personnel screening and training
  - Use of third parties
  - Compliance with policies
  - Security controls and compliance
  - Data and systems rights
  - Liability
  - Insurance
  - Audit rights
  - Termination rights
  - Business continuity

Vendor Management
- Ongoing governance and oversight
  - Regular reviews
  - Reviews of changes: personnel, sites, security
Applying the traditional model to new solutions
- Identify the business solutions with data and security impacts (not just IT)
- Still need diligence, contract requirements, and ongoing governance
- Location of, and access to, systems and data will remain key
- Maybe a different approach on whose policies and controls apply
  - Consider using industry standards
- Need to move fast (or potentially lose out on the review)

Remodel the Contracting Approach
- "Our way or the highway": I like it, but it doesn't always work in leveraged solutions
- Think about what you need and how to reach a similar (acceptable) outcome
  - Policies
  - Compliance
  - Security
  - Control
  - Liability
- Create a checklist or amendment with key minimum contract requirements, to avoid the battle over "whose paper"
For example:

"Customer Data" means all text, files, data, output, programs, files, information or material (a) of or submitted by or relating to any of the Customer Entities or any of their users, customers, vendors, personnel or third parties and/or (b) generated, obtained, developed, processed or produced by, as a result of or in connection with the services under the Agreement or the use of the services, software or systems by any of the Customer Entities or any of their users, customers, vendors, personnel or third parties that are provided or made available under the Agreement. As between the Parties, Customer retains all intellectual property and other rights in Customer Data. Customer Data will be considered confidential information of Customer. Customer will have access to and the ability to download any Customer Data stored or controlled by Provider or residing in the hosting environment of Provider or any Provider agents at all times in an encrypted format easily accessible by Customer. Customer will have the right to remove or require Provider to remove Customer Data from the systems of Provider or any Provider agents. Provider will not destroy or purge any Customer Data without Customer's consent and the opportunity to have the Customer Data returned to Customer.

And another:

Unless Customer provides prior written consent, all services under the Agreement must be performed in, and all Customer Data must be hosted and stored by Provider in and processed and accessed by Provider from, the United States or the jurisdiction indicated on the applicable order from where the services were requested by Customer or from where the data first originated or was submitted by Customer (the "Permitted Jurisdiction").

Last one:

Provider acknowledges and agrees that Customer may engage third parties to assist with the administration and execution of Customer's IT program. Accordingly, third party providers (including their personnel and agents), wherever located, of any of the Customer Entities ("Third Party Providers") will have the right to access and use, as directed by Customer, the services and products provided or made available under the Agreement. For the purposes of users authorized to access and use the services and products under the Agreement, authorized users include any of the Customer Entities and their respective employees, contractors, consultants, agents and Third Party Providers unless otherwise directed by Customer. As Customer's agents, Third Party Providers may, as specified by Customer, (a) be the main point of contact regarding the support services; (b) administer support services provided by Provider under the Agreement with Provider; and (c) review, audit and provide remittance on invoices relating to the Agreement.
Alternatives
- Does it mean that you need:
  - More upfront review?
  - A different approach to liability?
  - Other ways to mitigate risk? Insurance, alternate solutions, termination

Environment Oversight: Piecing it all together

Environment Oversight
- Identify key internal organization(s): Security, IT, Facilities, Business Units
- Asset Management
- Training
- Continuous Monitoring
- Security Controls Assessment and Testing
- Policies and Procedures
- Reporting

Environment Management
- Asset inventories
- Data mappings
CIS Critical Security Controls
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols, and Services
- CSC 10: Data Recovery Capability
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
- CSC 16: Account Monitoring and Control
- CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
- CSC 18: Application Software Security
- CSC 19: Incident Response and Management
- CSC 20: Penetration Tests and Red Team Exercises
From "Implementing the Critical Security Controls in the Cloud" (Jon Mark Allen, jm@allensonthe.net), p. 4:

"The Critical Security Controls are a prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements." (Center for Internet Security, 2015, p. 6)

These controls assume that an organization has management control over the infrastructure of the environment, a condition that is no longer true once cloud resources enter the picture. But those resources can still be protected even with a move to the cloud. The gaps created by this new model can be accounted for by implementing the proper security controls. "The security architect must understand how cloud networks are abstracted from traditional hardware and, therefore, how those networks differ in the way they work versus an on-premise data center." (Mogull, 2015, p. 4)

Good news (continued from "Implementing the Critical Security Controls in the Cloud", p. 4)

Control 1 - Inventory of Authorized and Unauthorized Devices: This control is made significantly simpler in a cloud environment. Since customers are charged based on cloud resource utilization, the full list of devices will be shown at any given time (as well as device history) in the AWS console, even if the OS build didn't include the other management frameworks (e.g., Microsoft's SCCM) that are normally necessary to manage and keep track of assets. Amazon CloudTrail can also be utilized to log those changes to a dedicated S3 storage bucket for review and analysis as needed.
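As an added example of the CSC 1 oversight the quoted paper describes (this is not code from the deck or from the paper), the script below replays EC2 launch and terminate events of the kind CloudTrail writes to an S3 bucket and reconciles the resulting device set against an authorized inventory. The CloudTrail records, instance IDs, IAM ARNs, inventory and approved-launcher list are all constructed for illustration, and the record shape is trimmed to the fields the check needs.

```python
"""Reconcile an authorized-device inventory (CIS CSC 1) against EC2 lifecycle
events in the JSON shape Amazon CloudTrail delivers to S3.

Added example, not part of the slide deck or the SANS paper it quotes. All
records, IDs and ARNs below are constructed; only the fields used here
(eventName, eventTime, userIdentity.arn, responseElements.instancesSet) are kept.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: a CloudTrail log file is a JSON object with a "Records" list.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-pipeline"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
    {"eventTime": "2016-03-01T11:30:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-jdoe"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"},
                                                     {"instanceId": "i-0bbb333"}]}}},
    {"eventTime": "2016-03-01T12:00:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-pipeline"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
    # Read-only call: carries no instancesSet and must not change the device set.
    {"eventTime": "2016-03-01T12:05:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}},
]})

# Constructed authorized inventory: instance ID -> owning business unit.
AUTHORIZED_INVENTORY = {"i-0aaa111": "claims-platform", "i-0ccc444": "data-warehouse"}
# Constructed list of identities permitted to create devices.
APPROVED_LAUNCHERS = {"arn:aws:iam::111122223333:user/build-pipeline"}


@dataclass
class ReconciliationReport:
    running: dict = field(default_factory=dict)             # instanceId -> launching identity
    unauthorized_devices: list = field(default_factory=list)  # running, but not in inventory
    unapproved_launches: list = field(default_factory=list)   # (time, identity, instanceId)
    inventory_not_running: list = field(default_factory=list)  # inventoried, but not running


def _instance_ids(record):
    """Instance IDs named in a RunInstances/TerminateInstances response, else []."""
    items = ((record.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
    return [item["instanceId"] for item in items]


def reconcile(cloudtrail_json, inventory, approved_launchers):
    """Replay launch/terminate events in time order and compare the resulting
    device set with the authorized inventory."""
    records = sorted(json.loads(cloudtrail_json)["Records"], key=lambda r: r["eventTime"])
    report = ReconciliationReport()
    for rec in records:
        actor = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        if rec["eventName"] == "RunInstances":
            for iid in _instance_ids(rec):
                report.running[iid] = actor
                if actor not in approved_launchers:
                    report.unapproved_launches.append((rec["eventTime"], actor, iid))
        elif rec["eventName"] == "TerminateInstances":
            for iid in _instance_ids(rec):
                report.running.pop(iid, None)
    report.unauthorized_devices = sorted(i for i in report.running if i not in inventory)
    report.inventory_not_running = sorted(i for i in inventory if i not in report.running)
    return report


if __name__ == "__main__":
    rep = reconcile(SAMPLE_CLOUDTRAIL, AUTHORIZED_INVENTORY, APPROVED_LAUNCHERS)
    print("running but not in inventory:", rep.unauthorized_devices)
    print("launched by non-approved identities:", rep.unapproved_launches)
    print("inventoried but not running:", rep.inventory_not_running)
```

The three result lists map to the slide's "asset inventories" point: the first two are the unauthorized devices CSC 1 asks you to find, the third is inventory drift to clean up.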
Final thoughts
- No control without:
  - good data on the environment
  - good data on the data
  - business acceptance (and adoption) of controls and processes

THANK YOU!
Presenter Profile: Barbara Murphy Melby, Partner, Morgan Lewis
Barbara Melby has been active in the outsourcing and commercial transaction legal market for the last 20 years. As leader of the firm's outsourcing and strategic commercial transactions practice, and one of the leaders of its privacy and cybersecurity practice, she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions. She also advises businesses on privacy and security issues that arise in transactions involving sensitive data and technologies.

Presenter Profile: Michael L. Pillion, Partner, Morgan Lewis
Michael L. Pillion brings more than 25 years of experience navigating high-stakes transactions to his outsourcing, technology, and commercial transactions practice. He has a diverse client base that spans the health insurance, life sciences, energy, financial services, and real estate industries. He counsels clients in structuring, negotiating, realigning, and terminating information technology (IT) outsourcing and business process outsourcing (BPO) transactions, technology transactions including software as a service (SaaS) and cloud deals, complex commercial transactions including joint ventures, and real estate leasing deals.

Presenter Profile: Megan Gatto, Senior Counsel, Independence Blue Cross
Megan Gatto serves as Senior Counsel in the legal department at Independence Blue Cross. She focuses on commercial agreements such as services and consulting arrangements, outsourcing transactions, technology-related agreements such as licensing, cloud, and as-a-service solutions, and strategic partnerships.
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More information08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview
Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationManaging Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify
More informationCloud Computing Contracts Top Issues for Healthcare Providers
Cloud Computing Contracts Top Issues for Healthcare Providers North Carolina Bar Association Health Law Section Annual Meeting NC Bar Center Cary, North Carolina April 23, 2015 Presenters Kathryn Brucks,
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationThe Difference Between Disaster Recovery and Business Continuance
The Difference Between Disaster Recovery and Business Continuance In high school geometry we learned that a square is a rectangle, but a rectangle is not a square. The same analogy applies to business
More informationVendor Management. Outsourcing Technology Services
Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring
More informationCLOUD SERVICES FOR EMS
CLOUD SERVICES FOR EMS Greg Biegen EMS Software Director Cloud Operations and Security September 12-14, 2016 Agenda EMS Cloud Services Definitions Hosted Service Managed Services Governance Service Delivery
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)
More informationCloud computing Alessandro Galtieri Pavel Klimov Severin Loeffler
Cloud computing Alessandro Galtieri, Senior Lawyer, Colt Technology Services, London, UK Pavel Klimov, General Counsel EMEA, Unisys, London, UK Severin Loeffler, Assistant General Counsel, Central Eastern
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationOUTSOURCING INVOLVING SHARED COMPUTING SERVICES (INCLUDING CLOUD) 6 July 2015
OUTSOURCING INVOLVING SHARED COMPUTING SERVICES (INCLUDING CLOUD) 6 July 2015 Disclaimer and Copyright While APRA endeavours to ensure the quality of this publication, it does not accept any responsibility
More informationThings You Need to Know About Cloud Backup
Things You Need to Know About Cloud Backup Over the last decade, cloud backup, recovery and restore (BURR) options have emerged as a secure, cost-effective and reliable method of safeguarding the increasing
More informationHow Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015
How Microsoft is taking Privacy by Design to Work Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015 Agenda Introducing the New Microsoft Microsoft privacy principle Protecting privacy
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationWhat You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility
Your Guide to Cost, Security, and Flexibility What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility 10 common questions answered Over the last decade, cloud backup, recovery
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationINFORMATION SECURITY California Maritime Academy
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
More informationTHE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS
THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationConsiderations for firms thinking of using third-party technology (off-the-shelf) banking solutions
Financial Conduct Authority Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions Introduction 1. A firm has many choices when designing its operating model
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationTechnology Risk Management
1 Monetary Authority of Singapore Technology Risk Guidelines & Notices New Requirements for Financial Services Industry Mark Ames Director, Seminar Program ISACA Singapore 2 MAS Supervisory Framework Impact
More informationCloud Computing Contracts. October 11, 2012
Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best
More informationSecuring The Cloud With Confidence. Opinion Piece
Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationInformation security due diligence
web applications and websites W A T S O N H A L L Watson Hall Ltd London 020 7183 3710 Edinburgh 0131 510 2001 info@watsonhall.com www.watsonhall.com Identifying information security risk for web applications
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationHow To Protect Your Data From Being Hacked
Data Security and the Cloud TABLE OF CONTENTS DATA SECURITY AND THE CLOUD EXECUTIVE SUMMARY PAGE 3 CHAPTER 1 CHAPTER 2 CHAPTER 3 CHAPTER 4 CHAPTER 5 PAGE 4 PAGE 5 PAGE 6 PAGE 8 PAGE 9 DATA SECURITY: HOW
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationAnypoint Platform Cloud Security and Compliance. Whitepaper
Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More informationA COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE
A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE Contents How to Buy Cloud-to-Cloud Backup...................... 4 Wait What is Cloud-to-Cloud Backup?.....................
More informationThe Keys to the Cloud: The Essentials of Cloud Contracting
The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb
More informationCloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs
Cloud Computing In a Post Snowden World Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs Guy Wiggins Director of Practice Management Kelley Drye & Warren
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationService Schedule for CLOUD SERVICES
Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this
More informationWhat you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered
What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered Over the last decade, cloud backup, recovery and restore (BURR) options have emerged
More informationSecurity Controls in Service Management
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Security
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More information{Moving to the cloud}
{Moving to the cloud} plantemoran.com doesn t mean outsourcing your security controls. Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization. You don t have
More informationRMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles
RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS aims to provide the most secure, the most private, and
More informationCloud Security and Managing Use Risks
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
More informationHIPAA in the Cloud How to Effectively Collaborate with Cloud Providers
How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationPatient Privacy and Security. Presented by, Jeffery Daigrepont
Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health
More informationeguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life
Executive s Guide to Windows Server 2003 End of Life Facts About Windows Server 2003 Introduction On July 14, 2015 Microsoft will end support for Windows Sever 2003 and Windows Server 2003 R2. Like Windows
More informationOverview of Topics Covered
How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA
More informationCloud Computing: Risks and Auditing
IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationReview of the Tax and License Collection and Distribution System
Review of the Tax and License Collection and Distribution System May 4, 2012 Report No. 12-09 Evan A. Lukic, CPA County Auditor Table of Contents Topic Page Executive Summary... 3 Scope, Objectives and
More informationManaged Services. Business Intelligence Solutions
Managed Services Business Intelligence Solutions Business Intelligence Solutions provides an array of strategic technology services for life science companies and healthcare providers. Our Managed Services
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationGUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
More informationSecuring the Microsoft Cloud
Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from
More information