A Vendor s Journey to SaaS & the Cloud
|
|
- Bethanie Cameron
- 8 years ago
- Views:
Transcription
1 A Vendor s Journey to SaaS & the Cloud
2 Mark Sherry Partner Marval North America ITIL Expert ISO Consultant MBA, MA, BComm 25+ ITIL implementations Trained Service Managers Globally 10 Years in Industry Actively involved in five independent businesses 1
3 Spollock April 27,
4 Cloud Computing Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). Wikipedia
5 Hosted Environments IaaS PaaS SaaS Infrastructure as a Service offers computers (physical and virtual) in the cloud, e.g., servers, load balancers, network, storage Platform as a Service offers operating system, databases, web servers, and development capabilities Software as a Service offers applications in the cloud along with the corresponding infrastructure 4
6 SaaS Variations Offers application in the cloud vendor performs upgrades only customer administers the product Offers application in the cloud vendor performs upgrades, and administers the product on the client's behalf 5
7 Advantages of SaaS Potential costs savings for vendor can be one application to maintain and upgrade (only multi-tenant) Potentially shorter time to deploy depends on application Less up-front capital costs Risk mitigation Easier scalability Operational budget verses capital budget Allows small- and medium-size businesses to use applications that traditionally were too expensive to acquire independently 6
8 Disadvantages SaaS Long term costs Data Security questions and confidentiality concerns Dependence on network and internet speed Business needs driven by technology trends versus real business needs Not all applications are available in a SaaS model Integration challenges with other client applications Increased upgrade risk, as many clients may be upgraded at the same time. Client's may be forced to upgrade on vendor s schedule. 7
9 Multitenancy Usually defined as a single instance of software supporting multiple customers. Each customer can perform the administrative functions of the software for their organization. 8
10 Types of Data Centres 9
11 Types of Data Centres Tier 1 = Non-redundant capacity components (single uplink and servers). Guaranteeing % availability. Tier 2 = Tier 1 + Redundant capacity components. Tier 2: Guaranteeing % availability. Tier 3 = Tier 1 + Tier 2 + Dual-powered equipment and multiple uplinks. Tier 3: Guaranteeing % availability. Tier 4 = Tier 1 + Tier 2 + Tier 3 + all components are fully faulttolerant including uplinks, storage, chillers, HVAC systems, servers etc. Everything is dual-powered. Tier 4: Guaranteeing % availability *nixcraft
12 Security 11
13 Security Certifications In practice, two ISO standards are usually used together: ISO27001 Objective: "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Process approach: "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA, Plan-Do-Check-Act model, to structure the processes, and reflects the principles set out in the OCEG guidelines. ISO/IEC Provides additional information and implementation advice on the controls. The domains covered by ISO include: Security policy Asset management Human resources security Physical and environmental security Communications and operations management Access control Organization of information security Information systems acquisition, development and maintenance Information security incident management Business continuity management Regulatory compliance 12
14 Security Certifications SAS 70 American Institute of Certified Public Accountants (AICPA) Widely recognized: it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over IT and related processes. SSAE 16 American Institute of Certified Public Accountants (AICPA) Effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations. Service Organization Control (SOC) 1 - related to the effectiveness of controls at a service organization that impact their clients internal controls over financial reporting. SOC 2 & 3 - related to information privacy, security, confidentiality, availability and processing integrity. CICS 5970 Developed by the Canadian Institute of Chartered Accountants (CICA) in 2004, the audit largely adopted its guidelines from an already established American equivalent (SAS 70). In practice, most SaaS host providers with customers in Canada and the United States acquire both US and Canadian Certifications 13
15 Security Certifications Payment Card Industry (PCI) Data Security Standard Defined by a Council to increase controls around cardholder data to reduce credit card fraud via its exposure Validation of compliance: Done by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes. Internet-based merchants must undergo a quarterly vulnerability scan performed by an approved scanning vendor. Though some PCI Compliance Level 1 internet-based merchants may be able to perform annual self-assessments (with the permission of their processor and card brand), the vast majority of internet-based merchants will be held to these PCI Compliance expectations. 14
16 Security Certifications Payment Card Industry (PCI) Data Security Standard Merchants fall under four categories of PCI compliance, depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. All merchants that process credit cards whether small or large must be PCI compliant. PCI Compliance Levels are based on several criterion. 15
17 Security Certifications All merchants that process credit cards whether small or large must be PCI compliant. PCI Compliance Levels are based on several criterion: PCI Compliance Level 1 over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region PCI Compliance Level 2 1 million to 6 million Visa transactions annually (all channels) PCI Compliance Level 3 20,000 to 1 million Visa e-commerce transactions annually PCI Compliance Level 4 less than 20,000 Visa e-commerce transactions annually and all processing up to 1 million Visa transactions annually 16
18 Data Security Issues Where is the database located Canada, US or other country? What countries would your data flow through, and can you control it? What are the consequences if the vendor uses or sells your data? Is the data centre backed up at a remote location? Where is that location? 17
19 Data Security Issues There is a cost to using the SaaS service provider's security facilities. However orders of magnitude can actually reduce security costs for small organizations while adding otherwise unattainable security features. Few of us can afford a vault at our home office that rivals a bank vault. Many organizations believe that their critical data must remain in-house. Security is simply another feature or service that can be provided by the SaaS supplier. Very elaborate monitoring and services can be purchased or basic services can be acquired. Your choice. Effective network security requires a firewall / IPS / IDS mechanism that is usually very expensive and specialized. Data centers can protect hundreds of servers making this technology more affordable, even for relatively small organizations who have not the time or the manpower to monitor it. 18
20 Data Security Issues China-based hackers broke into the computer systems of at least three federal departments, seven Bay Street law firms, and two multinational corporations all involved in the ultimately unsuccessful corporate takeover of Saskatchewan s Potash Corporation. s on Jan. 31 indicated the Finance Department and Treasury Board were both being slammed with severe cyber attacks, including significant volumes of sensitive government data being stolen by computers in China. CBC News Feb 22,
21 Privacy 20
22 Privacy Issues What are the privacy laws of the data centre? Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them. 21
23 Privacy Laws and SaaS Providers Electronic Communications Privacy Act Applies to any transfer of signals, images, sounds, data, or intelligence of any nature transmitted in whole or in part by any means that affects interstate or foreign commerce. Stored Communications Act Addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs). USA Patriot Act The act significantly reduced restrictions in law enforcement agencies' gathering of intelligence within the United States; expanded the Secretary of the Treasury s authority to regulate financial transactions, particularly those involving foreign individuals and entities. 22
24 WhatsApp WhatsApp allows users worldwide to use their phones to text message friends over the internet without incurring SMS text messaging charges. The popular mobile messaging app WhatsApp breaches Canadian and Dutch privacy laws by forcing many of its users to grant access to their entire address book in order to use it, Canada's privacy watchdog has found in a joint investigation with Dutch authorities. It is currently the third-most popular paid app in the itunes store, where it sells for 99 cents, and surpassed 100 million downloads on Google Play in November. CBC News Jan 28,
25 Backups and Recovery Options Things to consider: What needs to be backed up (files, database, etc.)? How much storage space is needed? How quickly the application needs to be available (immediately, hours, etc.)? Most Common Options: Virtual Machine snapshots Entire server can roll-back to the point of time (4 hours, 1 day, etc.) of the snapshot. Does not avoid downtime or protect data changed after the snapshot is restored. Full Backup Specific files and databases are backed up at a specific time. Requires downtime to restore the server and data loss will occur without replay. Cluster or Replica Fail Over Application and database are replicated real time (cluster) or with an offset of no more than five minutes (replica) to a secondary server Negligible downtime or data loss. 24
26 Vendor Options SaaS off site SaaS on site Minimum term contracts Conditions to limit price increases What is included in SaaS modules, support, upgrades, administration Support hours 25
27 Licensing Implications Named or Concurrent licenses or both Option to convert SaaS to On Premise Option to convert On Premise to SaaS What type of licensing is available? 26
28 Integration with Other Products Many SaaS offerings provide: The ability to integrate with the customer Corporate apps or services which are installed on a server somewhere on the customer s network on a server or cluster of servers which may be in-house, at another outsourced Data Centre, or at another SaaS provider. Information should be communicated between apps encrypted and using a very secure approach. Commonly available services integrate SaaS apps with Corporate apps such as: Active Directory or other Directory information Creation or update of accounts and contacts Asset discovery and management Creation or update of Configuration Items (CIs) Network monitoring events Creation of requests based on network events Other service management or event apps 27
29 Service Level Agreement Uptime Penalties Response times Maintenance schedules (do they follow your change management process) Adding an SaaS environment will add one or more third party suppliers to the service chain In the absence of true certification the SLA-enabled contract is still the best way to ensure vendors deliver the features they promise. 28
30 Flexibility and SaaS Some SaaS hosting organizations may impose certain standards that may limit flexibility. However, the orders of magnitude created by SaaS environments often afford more flexibility as a result of multitenancy. In order to survive, it is essential that SaaS hosting services provide a great deal of flexibility to its customers. Such is not always the case in an in-house monopoly environment. Organizations using most common industry infrastructures, services and products will likely have the most flexibility in SaaS environments. SaaS products and concepts are based on volume sales. It only makes sense that SaaS vendors will cater to the needs of the most common. 29
31 Cloud Perception 30
32 Long Term Cost / Benefit of SaaS A Pay as You Go service may start out relatively inexpensive until usage grows. "Break even" points and volume agreements should be considered before signing up. The environments for SaaS apps is usually more advanced and robust than all but the biggest of in-house environments. If your organization is small but requires environmental sophistication and robustness in Service Management, the ROI on an SaaS application may prove very attractive. Do the math. Produce a 5-year ROI for SaaS vs. other options, as you should for any technology plan. 31
33 SaaS and Service Delivery 32
34 Legal Considerations Underpinning Contract should be in place. Contract needs to be managed. SLA should be part of the contract. Need to manage KPIs to ensure vendor is managing according to contract. Supplier Management process should be in place. Insurance. 33
35 Will SaaS Improve Service Delivery? No, it is just a technology Pick what technology fits your needs Most vendors offer both options SaaS and in-house Need to work with a vendor that understands and can deliver on your service management goals When selecting a new tool, focus on Service Management requirements to deliver outstanding service first, and then the technology remember a fool with a shiny new tool is still a fool! 34
36 Questions 35
37 The End
PCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationAn article on PCI Compliance for the Not-For-Profit Sector
Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationHow To Protect Visa Account Information
Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer
More informationPAI Secure Program Guide
PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More informationPCI Compliance Just the Facts. Rick Dakin President Rick.dakin@CoalfireSystems.com 303.554.6333 ext. 7001
PCI Compliance Just the Facts Rick Dakin President Rick.dakin@CoalfireSystems.com 303.554.6333 ext. 7001 Agenda Regulatory Landscape Scary Bedtime Stories What went wrong? PCI Compliance Process o What
More informationHow To Be A Successful Compliance Officer
: A Pragmatic Approach to SOC2 and PCI compliance The Cadence Group is a professional services firm specializing in financial and IT compliance and risk management services. Our value proposition includes:
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationHOW SECURE IS YOUR PAYMENT CARD DATA?
HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationTable of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.
FME Cloud Security Table of Contents FME Cloud Architecture Overview Secure Operations I. Backup II. Data Governance and Privacy III. Destruction of Data IV. Incident Reporting V. Development VI. Customer
More informationHow Secure is Your Payment Card Data?
How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has
More informationPCI DSS. CollectorSolutions, Incorporated
PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted
More information1 America Square, London 30 th May 2012. Cloud Computing: What Are My Options?
1 America Square, London 30 th May 2012 Cloud Computing: What Are My Options? Agenda Introductions and Your Challenges The Cloud @ Frontier Technology Infrastructure as a Service Cloud for Business Continuity
More informationWhite Paper September 2013 By Peer1 and CompliancePoint www.peer1.com. PCI DSS Compliance Clarity Out of Complexity
White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com PCI DSS Compliance Clarity Out of Complexity Table of Contents Introduction 1 Businesses are losing customer data 1 Customers are learning
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card
More informationMobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant
Seccuris is Canada s premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk. We are agile, innovative, flexible, and
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationA Compliance Overview for the Payment Card Industry (PCI)
A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This
More informationKeeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?
Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011 Agenda Introductions Cloud computing overview Risks and audit strategies
More informationGETTING THE MOST FROM THE CLOUD. A White Paper presented by
GETTING THE MOST FROM THE CLOUD A White Paper presented by Why Move to the Cloud? CLOUD COMPUTING the latest evolution of IT services delivery is a scenario under which common business applications are
More informationWhy Migrate to the Cloud. ABSS Solutions, Inc. 2014
Why Migrate to the Cloud ABSS Solutions, Inc. 2014 ASI Cloud Services Information Systems Basics Cloud Fundamentals Cloud Options Why Move to the Cloud Our Service Providers Our Process Information System
More informationPayment Card Industry Data Security Standard (PCI DSS) v1.2
Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview
More informationHosting Services VITA Contract VA-120416-AISN (Statewide contract available to any public entity in the Commonwealth)
Hosting Services VITA Contract VA-120416-AISN (Statewide contract available to any public entity in the Commonwealth) March 2014 Premier Provider of egov Services to the Commonwealth of Virginia Virginia
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationYour Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
More informationPCI Compliance: Protection Against Data Breaches
Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)
More informationEnterprise level security, the Huddle way.
Enterprise level security, the Huddle way. Security whitepaper TABLE OF CONTENTS 5 Huddle s promise Hosting environment Network infrastructure Multiple levels of security Physical security System & network
More informationThe State of Security and Compliance for E- Commerce and Retail
The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against
More informationCONTENT OUTLINE. Background... 3 Cloud Security... 3. Instance Isolation:... 4. SecureGRC Application Security... 5
Page 2 Disclaimer THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF THE LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET
More informationTREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
More informationCloud Assurance: Ensuring Security and Compliance for your IT Environment
Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware
More informationCloud Computing demystified! ISACA-IIA Joint Meeting Dec 9, 2014 By: Juman Doleh-Alomary Office of Internal Audit jdoleh@wayne.edu
Cloud Computing demystified! ISACA-IIA Joint Meeting Dec 9, 2014 By: Juman Doleh-Alomary Office of Internal Audit jdoleh@wayne.edu 2 If cloud computing is so simple, then what s the big deal? What is the
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More informationPCI DSS COMPLIANCE DATA
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationIT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER
July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment
More informationIntroduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.
Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of
More informationwhite paper Using Cloud for Data Storage and Backup By Aaron Goldberg Principal Analyst, Content4IT
white paper Using Cloud for Data Storage and Backup By Aaron Goldberg Principal Analyst, Content4IT (Former analyst with Ziff Davis Enterprise and IDC) Executive Overview Industry research shows the amount
More informationJosiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationHOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS
HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security
More informationThe Software-as-a Service (SaaS) Delivery Stack
The Software-as-a Service (SaaS) Delivery Stack A Framework for Delivering Successful SaaS Applications October 2010 2010 Online Tech, Inc. Page 1 of 12 www.onlinetech.com Audience Executives, founders,
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationCloud models and compliance requirements which is right for you?
Cloud models and compliance requirements which is right for you? Bill Franklin, Director, Coalfire Stephanie Tayengco, VP of Technical Operations, Logicworks March 17, 2015 Speaker Introduction Bill Franklin,
More informationImportant Info for Youth Sports Associations
Important Info for Youth Sports Associations What the Heck is PCI DSS and Why Should I Care? Joe Posey Terrapin Financial Services Your Club is an ecommerce Business You accept online registration over
More informationThe Elephant in the Room: What s the Buzz Around Cloud Computing?
The Elephant in the Room: What s the Buzz Around Cloud Computing? Warren W. Stippich, Jr. Partner and National Governance, Risk and Compliance Solution Leader Business Advisory Services Grant Thornton
More informationPlatform as a Service and PCI www.engineyard.com
Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More informationUnderstanding Financial Cloud Services
Understanding Financial Cloud Services A Complete Guide for Hedge Funds About RFA RFA (Richard Fleischman & Associates) has been a Financial Cloud and trusted technology partner to our financial services
More informationTenzing Security Services and Best Practices
Tenzing Security Services and Best Practices OVERVIEW Security is about managing risks and threats to your environment. The most basic security protection is achieved by pro-actively monitoring and intercepting
More informationData Protection Act 1998. Guidance on the use of cloud computing
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
More informationCredit Card Processing, Point of Sale, ecommerce
Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits
More informationpenelope athena software SOFTWARE AS A SERVICE INFORMATION PACKAGE case management software
penelope case management software SOFTWARE AS A SERVICE INFORMATION PACKAGE athena software "I've worked with major corporations and universities and I am really impressed with Athena's hosted server and
More informationNCR CLOUD SERVICES OVERVIEW. An NCR Brochure
NCR CLOUD SERVICES OVERVIEW An NCR Brochure Are you looking for a partner to provide unparalleled security, uptime and performance for your core applications? You have chosen to host your applications
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationIBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation
IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationPCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS
PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS David Clevenger November 2015 Summary Payment Card Industry (PCI) is an accreditation body that
More informationTime to Value: Successful Cloud Software Implementation
Time to Value: Successful Cloud Software Implementation Cloud & Data Security 2015 Client Conference About the Presenter Scott Schimberg, CPA, CMA Partner, Consulting, Armanino Scott became a Certified
More informationOrchestrating the New Paradigm Cloud Assurance
Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationCLOUD COMPUTING for Construction Accounting BY BRIAN J. THOMAS
CLOUD COMPUTING for Construction Accounting BY BRIAN J. THOMAS Copyright 2012 by the Construction Financial Management Association. All rights reserved. This article first appeared in CFMA Building Profits.
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationPayment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions
PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data
More informationTENDER NOTICE No. UGVCL/SP/III/608/GPRS Modem Page 1 of 6. TECHNICAL SPECIFICATION OF GPRS based MODEM PART 4
TENDER NOTICE No. UGVCL/SP/III/608/GPRS Modem Page 1 of 6 TECHNICAL SPECIFICATION OF GPRS based MODEM PART 4 Cloud services (Data Centre) and related Functional requirement Cloud services as a Control
More informationSecurity Information & Policies
Security Information & Policies 01 Table of Contents OVERVIEW CHAPTER 1 : CHAPTER 2: CHAPTER 3: CHAPTER 4: CHAPTER 5: CHAPTER 6: CHAPTER 7: CHAPTER 8: CHAPTER 9: CHAPTER 10: CHAPTER 11: CHAPTER 12: CHAPTER
More informationHIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers
How to Effectively Collaborate with Cloud Providers Speaker Bio Chad Kissinger Chad Kissinger Founder OnRamp Chad Kissinger is the Founder of OnRamp, an industry leading high security and hybrid hosting
More informationLegal Issues in the Cloud: A Case Study. Jason Epstein
Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types
More informationWith Eversync s cloud data tiering, the customer can tier data protection as follows:
APPLICATION NOTE: CLOUD DATA TIERING Eversync has developed a hybrid model for cloud-based data protection in which all of the elements of data protection are tiered between an on-premise appliance (software
More information1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education
PCI in Higher Education Walter Conway, QSA 403 Labs, LLC Walt Conway PCI consultant, blogger, trainer, speaker, author Former Visa VP Help schools become PCI compliant Represent Higher Education at PCI
More informationPCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
More informationCloud Computing An Auditor s Perspective
Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationProtecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh
Protecting Your Customers' Card Data Presented By: Oliver Pinson-Roxburgh Agenda Trustwave Overview PCI Scope Compromise Statistics PCI Makes Business Sense Registration Process TrustKeeper Features Support
More informationCloud Computing for SCADA
Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry
More informationSRG Security Services Technology Report Cloud Computing and Drop Box April 2013
SRG Security Services Technology Report Cloud Computing and Drop Box April 2013 1 Cloud Computing In the Industry Introduction to Cloud Computing The term cloud computing is simply the use of computing
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationOverview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin
Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationPROVIDING IT SOLUTIONS FOR THE HEALTHCARE INDUSTRY
PROVIDING IT SOLUTIONS FOR THE HEALTHCARE INDUSTRY The healthcare industry is facing unprecedented challenges as it evolves. New legislation and advances in technology are leading to obstacles and opportunities
More informationA PCI Journey with Wichita State University
A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know
More informationAnd Take a Step on the IG Career Path
How to Develop a PCI Compliance Program And Take a Step on the IG Career Path Andrew Altepeter Any organization that processes customer payment cards must comply with the Payment Card Industry s Data Security
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationCREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
More informationAccepting Payment Cards and ecommerce Payments
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
More informationPCI Solution for Retail: Addressing Compliance and Security Best Practices
PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment
More informationFranchise Data Compromise Trends and Cardholder. December, 2010
Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationSecurityMetrics Introduction to PCI Compliance
SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples
More informationRecent Developments in PCI DSS. PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2
Recent Developments in PCI DSS PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2 1 2009 Breach Investigation Who did it? 74% external parties 20% insiders 32% implicated business partners
More informationPCI DATA SECURITY STANDARD OVERVIEW
PCI DATA SECURITY STANDARD OVERVIEW According to Visa, All members, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard. In order to be PCI compliant,
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More information