Securing the Cloud Infrastructure

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Securing the Cloud Infrastructure"

Transcription

1 EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy brief discusses the challenges of providing a trustworthy environment for cloud services, reviews Microsoft s risk-based information security and privacy controls, and describes the compliance framework we follow to ensure our cloud infrastructure meets our commitments and help customers meet their compliance needs.

2 Cloud Security Challenges Cloud computing offers both challenges and opportunities for IT organizations looking to harness the favorable economics and operational flexibility of an online services model. The growing interdependence of public and private services, complex global compliance requirements, and sophistication of threats requires that the hosting environment employ robust policies and processes to protect sensitive information and enable persistent regulatory compliance. For more than 15 years, Microsoft has been addressing the following online service delivery challenges: Growing Interdependence Organizations and their customers will become more interdependent on each other through use of the cloud. With these new dependencies come mutual expectations that platform services and hosted applications be secure and available. Microsoft provides a trustworthy infrastructure, a base upon which public and private sector entities and their partners can build a trustworthy experience for their users. Microsoft actively works with these groups and the development community at large to encourage adoption of security-centric risk management processes. Complex global compliance requirements Regulatory, statutory, and industry compliance is a highly complex area because worldwide each country maintains their own laws that can govern the provisioning and use of online environments. Microsoft must be able to comply with a myriad of regulatory obligations because it has data centers in a number of countries and offers online services to a global customer base. In addition, many industries impose their own unique requirements. Microsoft has implemented a compliance framework to efficiently manage its various compliance obligations without creating undue burden on the business. More dynamic hosting environment Keeping pace with growth and anticipating future needs is essential to running an effective security program. The latest wave of change has already begun with the rapid move to virtualization and a growing adoption of Microsoft s Software-plus-Services strategy, which combines the power and capabilities of computers, mobile devices, online services, and enterprise software. The advent of cloud platforms enables custom applications to be developed by third parties and hosted in the Microsoft cloud. Microsoft maintains strong internal partnerships among security, product, and service delivery teams to provide a trustworthy Microsoft cloud environment while these changes occur. Growing sophistication of threats While pranksters still seek attention through a variety of techniques including domain squatting and man-in-the-middle attacks, more sophisticated malicious attempts aimed at obtaining identities or blocking access to sensitive business data have emerged, along with a more organized underground market for stolen information. Microsoft works closely with law enforcement, industry partners and peers, and research groups to understand and respond to this evolving threat landscape. Additionally, the Microsoft Security Development Lifecycle introduces security and privacy early and throughout the development process. Risk Management Process In addition to the information security management system we have in place, we follow an annual risk management process that looks at evolving risks in the environment and across the industry. We maintain a dedicated team that works through potential risks, calculates the potential disruption, and determines Microsoft s exposure. The risk management team evaluates the effectiveness of controls in place by: Identifying threats and vulnerabilities to the environment Calculating risk Reporting risks across the Microsoft cloud environment Addressing risks based on impact assessment and the associated business case Testing remediation effectiveness and residual risk Managing risks on an ongoing basis This process allows us to focus our efforts on the high-value targets, and then apply appropriate protections to defend our customers and ourselves. Organizations and their customers will become more interdependent on each other through use of the cloud. 2

3 Defense in Depth Defense in depth is a best practice across the industry, and it s an approach we take across our online services and infrastructure. Applying controls at multiple layers involves employing protection mechanisms, developing risk mitigation strategies, and being capable of responding to attacks when they occur. Using multiple security measures of varying strength depending on the sensitivity of the protected asset results in improved capacity to prevent breaches or to lessen the impact of a security incident. When we deploy a service to our datacenters, we assess and address every part of the software stack from the physical controls to prevent unauthorized access to equipment, to encrypting data moving over the network, to locking down the host servers and keeping malware protection up-to-date, to ensuring applications themselves have appropriate safeguards in place. Maintaining a rich set of controls and defense in depth strategy ensures that if any one area should fail, there are compensating protections in other areas that retain security and privacy at all times. figure 1: Defense-in-depth Security at our Foundation Application security is a key element in Microsoft s approach to securing its cloud computing environment. The rigorous security practices employed by development teams at Microsoft were formalized into a process called the Security Development Lifecycle (SDL) in The SDL process is development methodology agnostic and is fully integrated with the application development lifecycle from design to response. Various phases of the SDL process emphasize education and training, and also mandate that specific activities and processes be applied as appropriate to each phase of software development. Starting with the requirements phase, the SDL process includes a number of specific activities that need to be considered for the development of applications to be hosted in the Microsoft cloud in mind. One of the key steps is threat modeling and attack surface analysis, where we assess of the potential threats that could come in, what aspects of the service are exposed and proceed to minimize the attack surface by restricting services or eliminating functions that are unnecessary. The later stages then ensure that the controls are fully tested to mitigate the potential threats, so customers can have confidence in the final service release. Security Incident Response An important part of Microsoft s security capabilities includes our support and response processes. The Security Incident Management (SIM) team responds to these issues when they occur, operating around the clock. The SIM processes are aligned with ISO/IEC and NIST SP There are six phases to the SIM incident response process: Preparation SIM staff undergo ongoing training in order to be ready to respond when a security incident occurs. Identification Looking for the cause of an incident, whether intentional or not, often means tracking the issue through multiple layers of the Microsoft cloud computing environment. SIM collaborates with members from other internal Microsoft teams to diagnose the origin of a given security incident. Containment Once the cause of the incident has been found, SIM works with all necessary teams to contain the incident. How containment occurs depends on the business impact of the incident. Mitigation SIM coordinates with relevant product and service delivery teams to reduce risk of incident recurrence. Recovery Continuing to work with other groups as needed, SIM assists in the service recovery process. PHYSICAL NETWORK IDENTITY AND ACCESS MANAGEMENT HOST SECURITY APPLICATION DATA 3

4 Lessons learned After resolution of the security incident, SIM convenes a joint meeting with all involved personnel to evaluate what happened and to record lessons learned during the incident response process. A second area of response is interacting with law enforcement agencies. The Global Criminal Compliance (GCC) program is involved in setting policy and providing training on Microsoft s response process. GCC also responds to valid legal requests for information. GCC has legal agents available in many countries to validate and, if necessary, translate the request. One reason that GCC is considered a best response program by many international authorities is that GCC provides a law enforcement portal that offers guidance in multiple languages to authenticated law enforcement personnel about how to submit a legal request to Microsoft. Comprehensive Compliance Framework The Microsoft online services environment must meet numerous governmentmandated and industry-specific security requirements in addition to Microsoft s own business-driven specifications. As Microsoft online businesses continue to grow and change and new online services are introduced into the Microsoft cloud, additional requirements are expected that could include regional and country-specific data security standards. The Operational Compliance team works across operation, product, and service delivery teams and with internal and external auditors to ensure Microsoft is in compliance with relevant standards and regulatory obligations. One of the successes of having implemented this program is that Microsoft s cloud infrastructure has achieved SAS70 70 type I and Type II attestations, ISO/IEC 27001:2005 certification, and FISMA NIST SP revision 3 standard. Figure 4 (on the last page) lists out Microsoft s cloud infrastructure key certifications and attestations as of December The compliance framework includes a compliance process based on the ISO approach of plan-do-check-act. On a regular basis, Microsoft monitors the change in statutory and regulatory demands and adjusts our compliance framework and audit schedule accordingly. Though Microsoft s infrastructure has received industry certifications and attestations, customers are ultimately responsible to ensure their own compliance with applicable policies, practices, and regulations. Microsoft does not claim to be responsible for providing these certifications or to comply/not comply with these certifications on behalf of the customer, but does provide guidance to assist customers in meeting their own compliance requirements. As Microsoft online businesses continue to grow and change and new online services are introduced into our cloud, additional requirements are expected that could include regional and country-specific data security standards. figure 2: Microsoft s Security Development Lifecycle TRAINING REQUIREMENTS DESIGN IMPLEMENTATION VERIFICATION RELEASE RESPONSE + Core Training + Analyze security and privacy risk + Define quality gates + Threat modeling + Attack surface analysis + Specify tools + Enforce banned functions + Static Analysis + Dynamic/Fuzz testing + Verify threat models/ attack surface + Response plan + Final security review + Release archive + Response execution 4

5 Figure 3: Microsoft datacenter control framework 01. General information 02. Informational security 03. Organization of information security 04. Asset management 05. Human resources security 06. Physical and environmental security 07. Communications and operations management 08. Access control 09. Information systems aquisition, development and maintenance 10. Information security incident management 11. Business continuity management 12. Risk management 13. Compliance 14. Privacy DOMAINS STRUCTURE Domain Sub-domain Control objective Associated standard (external compliance requirement) Sample control activity Sample testing activity Control Framework Customers evaluating Microsoft s cloud services often ask how our compliance framework is actually structured. We have a series of domains that are informed by the ISA/IEC 27001:2005 standard along with specific industry obligations, such as the payment card industry data security standard and the FISMA NIST SP revision 3 standard. The control framework structure depends upon how we map those domains to the specific activities that go with them. For example, we take each of those domains, identify control activities and control owners of those activities, and provide specific evidence to demonstrate that we re meeting those activities and control domain objectives. This structure and process allows thirdparty auditors to follow a clean map from control domains down to activities and evidence. In addition, this framework allows us to take each requirement and communicate how we meet specific obligations back to customer and internal teams. For example, we can take the controlled domain and controlled activity structure and focus on specific healthcare obligations for customers in that industry. Alternatively, we can take a specific control objective, such as training and awareness, and map it back to a specific need an example here would be the requirement for training under ISO/IEC 27001:2005 and Sarbanes-Oxley. Security and Privacy Considerations for Selecting Online Services Providers Microsoft s stringent security, privacy and compliance controls helps ensure customers can have confidence and trust in the online services we provide. As customers evaluate options for online services, it is important that the ability of a service provider to ensure a protected, trusted environment be included in the selection criteria. The following checklist can help in assessing the security, privacy and compliance capabilities of a potential service provider: Require that the provider has attained third-party certifications and audits, such as ISO/IEC 27001:2005 Consider the ability of vendors to accommodate changing security and compliance requirements Understand the specific regional and industry compliance obligations that must be met Ensure a clear understanding of security and compliance roles and responsibilities for delivered services Ensure data and services can be brought back in-house if necessary Require transparency in security policies and operations 5

6 Microsoft is confident we offer a trusted cloud environment that will help public and private organizations take advantage of the flexibility and economics of the online services model, while maintaining the robust security and privacy their business demands. For more information on Microsoft s secure cloud infrastructure, please visit Figure 4: microsoft datacenter Certifications and Attestations, december 2010 ISO SAS 70 Type II HIPAA/HITECH Various State, Federal, and International Privacy Laws (95/46/EC aka EU Data Protection Directive; California SB1386; etc.) PCI Data Security Standard FISMA Certification & Accreditation 2010 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and customers to fully embrace and benefit from cloud services. We are committed

More information

Securing Microsoft s Cloud Infrastructure

Securing Microsoft s Cloud Infrastructure Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for

More information

Securing Microsoft s Cloud Infrastructure

Securing Microsoft s Cloud Infrastructure Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for

More information

Hans Bos Microsoft Nederland. hans.bos@microsoft.com

Hans Bos Microsoft Nederland. hans.bos@microsoft.com Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products? Privacy Transparency What does privacy at Microsoft mean? Are you using my data to build advertising products? Where is my data? Who has access to my data? Compliance What certifications and capabilities

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

Trust. The essential ingredient for innovation. Thomas Langkabel National Technology Officer Microsoft Germany

Trust. The essential ingredient for innovation. Thomas Langkabel National Technology Officer Microsoft Germany Trust The essential ingredient for innovation Thomas Langkabel National Technology Officer Microsoft Germany How do we understand innovation? Innovation is the conversion of knowledge and ideas into new

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program do not have budgeted disaster 38% recovery plans do not use standardized data 37% classification do not have a plan for responding to 29% security breaches 23% have adequate policies and practices for

More information

Operational security for online services overview

Operational security for online services overview Operational security for online services overview Microsoft Trustworthy Computing October 21, 2013 Trustworthy Computing Operational security for online services overview Legal disclaimer This document

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

SAP Product and Cloud Security Strategy

SAP Product and Cloud Security Strategy SAP Products and Solutions SAP Product and Cloud Security Strategy Table of Contents 2 SAP s Commitment to Security 3 Secure Product Development at SAP 5 SAP s Approach to Secure Cloud Offerings SAP s

More information

Compliance, Audits and Fire Drills: In the Way of Real Security?

Compliance, Audits and Fire Drills: In the Way of Real Security? Compliance, Audits and Fire Drills: In the Way of Real Security? Mark Estberg and John Howie Microsoft Corporation Session ID: SP01-203 Session Classification: Intermediate Introduction Microsoft s Global

More information

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS aims to provide the most secure, the most private, and

More information

Addressing Cloud Computing Security Considerations

Addressing Cloud Computing Security Considerations Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

The Education Fellowship Finance Centralisation IT Security Strategy

The Education Fellowship Finance Centralisation IT Security Strategy The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and

More information

Cloud security architecture

Cloud security architecture ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide

More information

Microsoft s cybersecurity commitment

Microsoft s cybersecurity commitment Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade

More information

GoodData Corporation Security White Paper

GoodData Corporation Security White Paper GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share

More information

Mobile Security Checklist. An Easy, Achievable Plan for Security and Compliance

Mobile Security Checklist. An Easy, Achievable Plan for Security and Compliance Mobile Security Checklist An Easy, Achievable Plan for Security and Compliance Introduction Are mobile devices the weak link in your security defenses? Today, organizations are pouring millions of dollars

More information

Microsoft Azure. White Paper Security, Privacy, and Compliance in

Microsoft Azure. White Paper Security, Privacy, and Compliance in White Paper Security, Privacy, and Compliance in Security, Privacy, and Compliance in Executive Summary The adoption of cloud services worldwide continues to accelerate, yet many organizations are wary

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider

More information

Securing the Microsoft Cloud Infrastructure. Reto Häni Chief Security Officer Microsoft Western Europe MEET SWISS INFOSEC! 24.06.

Securing the Microsoft Cloud Infrastructure. Reto Häni Chief Security Officer Microsoft Western Europe MEET SWISS INFOSEC! 24.06. Securing the Microsoft Cloud Infrastructure Reto Häni Chief Security Officer Microsoft Western Europe MEET SWISS INFOSEC! 24.06.2015 1 Certification & Security Reliance Microsoft s cloud environment Application

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Cisco Security Services

Cisco Security Services Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

Cloud Computing Security Considerations

Cloud Computing Security Considerations Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Fly. Wealth and Retirement IT Hosting

Fly. Wealth and Retirement IT Hosting Fly. Wealth and Retirement IT Hosting 02 SunGard Hedge 360 SunGard Wealth and Retirement IT Hosting SunGard IT Hosting 01 241bn The global cloud computing market will reach $241 billion in 2020. Achieve

More information

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better

More information

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting

More information

Well-Documented Controls Reduce Risk and Support Compliance Initiatives

Well-Documented Controls Reduce Risk and Support Compliance Initiatives White Paper Risks Associated with Missing Documentation for Health Care Providers Well-Documented Controls Reduce Risk and Support Compliance Initiatives www.solutionary.com (866) 333-2133 Many Health

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Executive Overview Within the legal sector, IT system security and compliance have changed dramatically

More information

Amazon Web Services: Risk and Compliance May 2011

Amazon Web Services: Risk and Compliance May 2011 Amazon Web Services: Risk and Compliance May 2011 (Please consult http://aws.amazon.com/security for the latest version of this paper) 1 This document intends to provide information to assist AWS customers

More information

Windows Least Privilege Management and Beyond

Windows Least Privilege Management and Beyond CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has

More information

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009 Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

Cloud e-mail services: Security, Compliance and Privacy. Nasos Kladakis Solutions Specialist Microsoft Hellas

Cloud e-mail services: Security, Compliance and Privacy. Nasos Kladakis Solutions Specialist Microsoft Hellas Cloud e-mail services: Security, Compliance and Privacy Nasos Kladakis Solutions Specialist Microsoft Hellas Risk Management Program Overview Information Security Policy Security Privacy & Regulatory Service

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Microsoft Services Premier Support. Security Services Catalogue

Microsoft Services Premier Support. Security Services Catalogue Microsoft Services Premier Support Security Services Catalogue 2014 Microsoft Services Microsoft Services helps you get the most out of your Microsoft Information Technology (IT) investment with integrated

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief RSA Encryption and Key Management Suite The threat of experiencing a data breach has never been greater. According to the Identity Theft Resource Center, since the beginning of 2008, the personal information

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements

Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements isl Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements DataGuardZ White Paper Forti5 BNP Paribas [Pick the date] What is the history behind FFIEC compliance?

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Real-Time Security for Active Directory

Real-Time Security for Active Directory Real-Time Security for Active Directory Contents The Need to Monitor and Control Change... 3 Reducing Risk and Standardizing Controls... 3 Integrating Change Monitoring... 4 Policy Compliance... 4 The

More information

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle

More information

Security Overview. BlackBerry Corporate Infrastructure

Security Overview. BlackBerry Corporate Infrastructure Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security

More information

Achieving Regulatory Compliance through Security Information Management

Achieving Regulatory Compliance through Security Information Management www.netforensics.com NETFORENSICS WHITE PAPER Achieving Regulatory Compliance through Security Information Management Contents Executive Summary The Compliance Challenge Common Requirements of Regulations

More information

The Next Generation of Security Leaders

The Next Generation of Security Leaders The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions

More information

Enterprise Risk Management taking on new dimensions

Enterprise Risk Management taking on new dimensions Enterprise Risk Management taking on new dimensions October 2006 The practice of Enterprise Risk Management (ERM) is becoming more critical and complex every day. There is a growing need for organizations

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

Business Communications for Healthcare

Business Communications for Healthcare Business Communications for Healthcare Today, many powerful business communication challenges face everyone in the healthcare chain including clinics, hospitals, insurance providers and any other organization

More information

Get Confidence in Mission Security with IV&V Information Assurance

Get Confidence in Mission Security with IV&V Information Assurance Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving

More information

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction

More information

kamai Technologies Inc. Commonly Accepted Security Practices and Recommendations (CASPR)

kamai Technologies Inc. Commonly Accepted Security Practices and Recommendations (CASPR) kamai Technologies Inc. Commonly Accepted Security Practices and Recommendations (CASPR) June 2015 Table of Contents CASPR... 2 FIPS 140-2: Security Requirements For Cryptographic Modules... 2 Federal

More information

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B2490021-2015.

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B2490021-2015. ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B2490021-2015. This addendum is applicable to each purchase order that is subject to the State of Maryland s contract number 060B2490021-2015.

More information

Cloud Operations Excellence & Reliability

Cloud Operations Excellence & Reliability Cloud Operations Excellence & Reliability Cloud Operations Excellence & Reliability Page 1 Cloud Operations Excellence & Reliability Microsoft has invested over $15 billion in building a highly scalable,

More information

Ensuring Cloud Security Using Cloud Control Matrix

Ensuring Cloud Security Using Cloud Control Matrix International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance Evolving Threats and Attacks: A Cloud Service Provider s viewpoint John Howie Senior Director Online Services Security and Compliance Introduction Microsoft s Cloud Infrastructure Evolution of Threats

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Richard Gadsden Information Security Office Office of the CIO Information Services

Richard Gadsden Information Security Office Office of the CIO Information Services Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO Information Services Sharon Knowles Information Assurance Compliance MUSC Medical Center

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

PII Compliance Guidelines

PII Compliance Guidelines Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last

More information