Security Officer s Checklist in a Sourcing Deal

Size: px
Start display at page:

Download "Security Officer s Checklist in a Sourcing Deal"

Transcription

1 Security Officer s Checklist in a Sourcing Deal Guide Share Europe Ostend, May 9th 2014 Johan Van Mengsel IBM Distinguished IT Specialist IBM Client

2 Abstract Sourcing deals creates opportunities and challenges. What does it mean for a security officer : are special checklists required or can this be handled as business as usual? This presentation will focus on the areas of attention for a security officer for securing sourcing deals. 2 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

3 Security Management Risk Management CRO The Chief Risk Officer looks at the organization s overall risk profile and where they are most vulnerable to unexpected loss. CFO The Chief Financial Officer must ensure that necessary controls are in place to have accurate financial statements. CISO The Chief Information Security Officer must ensure that the IT Infrastructure supports the overall business drivers of the organization. The CISO must minimize the risk of the IT environment and assess and communicate the impact of this environment on the overall organization from a Governance, Risk and Compliance perspective 3 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

4 Risk Management Likelihood Almost Certain Likely Moderate Unlikely Rare Impact Insignificant Minor Moderate Major Catastrophic Risk Rating Low Medium High Critical 4 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

5 5 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

6 The economics of IT and risk and reputation Security Officer Checklist in a Sourcing deal Johan Van Mengsel

7 The economics of IT and risk and reputation Security Officer Checklist in a Sourcing deal Johan Van Mengsel

8 The economics of IT and risk and reputation Security Officer Checklist in a Sourcing deal Johan Van Mengsel

9 9 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

10 Factors that influence the cost of data breach Source: 2014 Cost of Data Breach Study: United States Ponemon Benchmark research sponsored by IBM 10 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

11 Impact of factors on the per capita cost of data breach Source: 2014 Cost of Data Breach Study: United States Benchmark research sponsored by IBM 11 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

12 Risk Management Third Party Likelihood Almost Certain Likely Moderate Unlikely Rare Impact Insignificant Minor Moderate Major Catastrophic Risk Rating Low Medium High Critical 12 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

13 Cloud Security: Simple Example Today s Data Center Tomorrow s Public Cloud??? We Have Control It s located at X. It s stored in server s Y, Z. We have backups in place. Our admins control access. Our uptime is sufficient. The auditors are happy. Our security team is engaged.??? Who Has Control? Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our security team engage? 13 Security Officer Checklist in a Sourcing deal Johan Van Mengsel 13

14 Risks introduced by cloud computing Restrictions imposed by industry regulations over the use of clouds for some applications Challenges with an increase in potential unauthorized exposure when migrating workloads to a shared network and compute infrastructure Data Security Where the information is located and stored, who has access rights, how access is monitored & managed, including resiliency Less Control Control needed to manage firewall and security settings for applications and runtime environments in the cloud Security Management Concerns with high availability and loss of service should outages occur Compliance Reliability Private Clouds Risks across private, public and hybrid cloud delivery models Public Clouds 14 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

15 1 5 Customer Requirements for Cloud Security 16 Cross Industry Customers Analyzed 6 Telcos 3 CSIs 1 Government 1 Bank 1 Manufacturing 1 SMB 2 IBM Results of the analysis of existing customer requirements for Cloud Security World-Wide Representation NE IOT SW IOT MEA North America IOT ANZ Identity and access management 21 Intrusion prevention and response 37 Patch management 7 Data Sources Formal RFPs Project Architect Interviews Data Management 12 Virtualization Security 12 Governance, risk & compliance Security Officer Checklist in a Sourcing deal Johan Van Mengsel

16 Cloud Deployment/Delivery and Security Depending on an organization's readiness to adopt cloud, there are a wide array of deployment and delivery options More Embedded Security SaaS Software as a Service BPaaS Business Process as a Service PaaS Platform as a Service IaaS Infrastructure as a Service Less Embedded Security 16 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

17 Different cloud deployment models also change the way we think about security Private cloud On or off premises cloud infrastructure operated solely for an organization and managed by the organization or a third party Hybrid IT Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability Public cloud Available to the general public or a large industry group and owned by an organization selling cloud services. Changes in Security and Privacy Customer responsibility for infrastructure More customization of security controls Good visibility into day-to-day operations Easy to access to logs and policies Applications and data remain inside the firewall Provider responsibility for infrastructure Less customization of security controls No visibility into day-to-day operations Difficult to access to logs and policies Applications and data are publically exposed 17 Security Officer Checklist in a Sourcing deal Johan Van Mengsel 17

18 Coordinating information security is BOTH the responsibility of the provider and the consumer Who is responsible for security at the level? Datacenter Infrastructure Middleware Application Process Industry-specific Processes Employee Benefits Mgmt. Business Travel Procurement Business Process-as-a-Service Provider Consumer Collaboration CRM/ERP/HR Financials Industry Applications Application-as-a-Service Provider Consumer Middleware Web 2.0 Application Runtime Java Runtime Database Development Tooling Platform-as-a-Service Provider Consumer Data Center Servers Networking Storage Fabric Shared virtualized, dynamic provisioning Infrastructure-as-a-Service Provider Consumer 18 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

19 What is multi-tenancy, and what are the security IMPLICATIONS? Example: Database Multi-tenancy 19 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

20 ISO / IEC 27002:2005 provides an information security management framework ISO / IEC 27002:2005 covers 11 security management topics or Clauses. Each Clause is divided into categories with security objectives and sets of security controls to meet those objectives. Controls should be selected based on: assessment of risk business principles and objectives; legal, regulatory, and contractual obligations. Information Security Incident Management Business Continuity Management Organizational Information Security Asset Management Security Policy Human Resources Security System Access Control Compliance Communications and Operations Management Physical and Environmental Security Information Systems Acquisition, Development, and Maintenance 20 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

21 Clause 5 : Security Policy Objective: Communicates management commitment and information security requirements across the organization. 21 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

22 Clause 6: Organization of Information Security Objective: Resources must be allocated and assigned roles and responsibilities for security processes. Organizational Information Security Security organization crossing boundaries to Sourcing Partner: o o Dedicated counter-party typically for larger sourcing deals Security expertise in sourcing team 22 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

23 Clause 7: Asset Management Objective: Accountability must be assigned to ensure decisions take into account the value of data and requirements for confidentiality, integrity, and availability. Asset Management Third party follows established procedures for handling information identified by the customer as classified. Matching asset classification to third party If all handled as Top Secret Too costly Attention deluted Protect the crown jewls Implement more stringent requirements for protecting and handling classified information based on custom security controls (i.e. specific controls for handling personal information) 23 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

24 Clause 8: Human Resources Security Objective: Personnel processes should ensure security responsibilities are addressed during recruitment, in third party contracts, in training programs, and in disciplinary processes. Human Resources Security Background checks? NDA : individual or corporate level Security awareness training? 24 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

25 Clause 9: Physical and Environmental Security Objective: Provide a secure environment for people, equipment, and information and to deter damage to assets or the bypassing of logical security controls. Physical and Environmental Security Where is third party located Office space Data center Restricted areas 25 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

26 Clause 10: Communications and Operations Management Objective: Provide sound network and systems management practices in order to reduce the risk of negligent or deliberate system misuse. Communications and Operations Management Most sourcing deal will require some connectivity Inwards Outwards 26 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

27 Clause 11: Access Control Objective: Access control processes provide protection for information and resources, and help ensure accountability. System Access Control User Access Management : o o o Creation/change/revocation Revalidation Privileged user administration Access for own users + sourcing partner 27 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

28 Clause 12: Information Systems Acquisition, Development and Maintenance Objective: Security requirements must be identified and appropriate security controls are built into systems and applications. Information Systems Acquisition, Development, and Maintenance Building new systems to security build specifications. Security patching Management of cryptographic controls 28 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

29 Encryption in the Cloud Approximate 50% of companies have sensitive and confidential information stored in the Cloud. Source: 2013 Encryption in the Cloud van Thales e-security and The Ponemon Institute 4275 business and IT-managers involved in study But not always with Encryption : Encryption at rest : 39% for SaaS and 26% for IaaS- and PaaS-consumers Encryption before send to the cloud: 44% SaaS and 40% IaaS and PaaS consumers Whom controls the crypto keys : 34% consumers 29% shared between consumers and producers 18% third party 17% producers 29 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

30 Clause 13: Information Security Incident Management Objective: Information security events and weaknesses must be reported quickly and corrective should be taken. Information Security Incident Management Whom are you gonna call? Will they call you? o o Establishment of security incident reporting procedures Initial security incident evaluation services 30 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

31 Clause 14: Business Continuity Management Objective: Ensure that an organization is prepared to continue critical business functions in the event of a disaster. Business Continuity Management Must be in-line with own BCM o o o o Continuity impact analysis and Continuity plan development Disaster Recovery planning services in support of a Continuity plan Disaster Recovery testing services Disaster Recovery execution 31 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

32 Clause 15: Compliance Compliance Objective: Ensure that an organization s security policy is enforced and that security controls are working as expected. Need to know relevant compliancy requirements: System security checks o o o PCI Basel SoX Regularly checking: o o System security checks on a sample of systems for compliance with password policy, anti-virus protection and logging requirements Security audits 32 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

33 Summary Sourcing definitely warrants the Security Officer attention Get your own act together first David versus Goliath Compliancy versus Security Trick question: what about sourcing security? 33 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

34 Any Questions?????????????? 34 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

35 35 Security Officer Checklist in a Sourcing deal Johan Van Mengsel

Healthcare: La sicurezza nel Cloud October 18, 2011. 2011 IBM Corporation

Healthcare: La sicurezza nel Cloud October 18, 2011. 2011 IBM Corporation Healthcare: La sicurezza nel Cloud October 18, 2011 Cloud Computing Tests The Limits Of Security Operations And Infrastructure Security and Privacy Domains People and Identity Data and Information Application

More information

Cloud computing is a new consumption and delivery model. Yesterday Today

Cloud computing is a new consumption and delivery model. Yesterday Today IBM Cloud Security Strategy Securing the Cloud Johan Van Mengsel, CISSP Open Group Distinguished IT Specialist IBM Global Technology Services 2010 IBM Corporation Todays Challenges 85% idle 70 per $1 1.5x

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation Securing the Cloud with IBM Security Systems 1 2012 2012 IBM IBM Corporation Corporation IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns

More information

Security and Cloud Computing

Security and Cloud Computing Security and Cloud Computing Martin Borrett, Lead Security Architect NE Europe, WW Service Management Tiger Team IBM Software Optimising the World s Infrastructure 27th May - London Agenda Brief Introduction

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

Ragy Magdy Regional Channel Manager MEA IBM Security Systems

Ragy Magdy Regional Channel Manager MEA IBM Security Systems Ragy Magdy Regional Channel Manager MEA IBM Security Systems 1 Started my career in Security in 2003 by Joining ISS 2005 was named the ISS Regional Manager for the Middle East 2006 ISS was acquired by

More information

Cloud Security: The Grand Challenge

Cloud Security: The Grand Challenge Dr. Paul Ashley IBM Software Group pashley@au1.ibm.com Cloud Security: The Grand Challenge Outline Cloud computing: the pros, the cons, the blind spots Security in the cloud - what are the risks now and

More information

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer What is Cloud Computing A model for enabling convenient, on-demand network access to a shared pool of configurable

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation Cloud Security Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs peterjopling 2011 IBM Corporation Cloud computing impacts the implementation of security in fundamentally new ways

More information

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture 2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

Cloud Computing: The atmospheric jeopardy. Unique Approach Unique Solutions. Salmon Ltd 2014 Commercial in Confidence Page 1 of 5

Cloud Computing: The atmospheric jeopardy. Unique Approach Unique Solutions. Salmon Ltd 2014 Commercial in Confidence Page 1 of 5 Cloud Computing: The atmospheric jeopardy Unique Approach Unique Solutions Salmon Ltd 2014 Commercial in Confidence Page 1 of 5 Background Cloud computing has its place in company computing strategies,

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Cloud Security - Risiken und Chancen Dr. Matthias Schunter, MBA IBM Research Zürich, schunter@acm.org http://www.schunter.org/

Cloud Security - Risiken und Chancen Dr. Matthias Schunter, MBA IBM Research Zürich, schunter@acm.org http://www.schunter.org/ Dr. Matthias Schunter, MBA IBM Research Zürich, schunter@acm.org http://www.schunter.org/ Simple Questions Today s Data Center Tomorrow s Public Cloud??? We Have Control It s located at X. It s stored

More information

IT Audit in the Cloud

IT Audit in the Cloud IT Audit in the Cloud Pavlina Ivanova, CISM ISACA-Sofia Chapter Content: o 1. Introduction o 2. Cloud Computing o 3. IT Audit in the Cloud o 4. Residual Risks o Used Resources o Questions 1. ISACA Trust

More information

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales SMS Systems Management Specialists Cloud Computing Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales Cloud Computing The SMS Model: Cloud computing is a model for enabling ubiquitous, convenient,

More information

Cloud Security 2011. Prof. Dr. Michael Waidner Fraunhofer SIT CASED. Fraunhofer SIT. Fraunhofer-Gesellschaft 2011

Cloud Security 2011. Prof. Dr. Michael Waidner Fraunhofer SIT CASED. Fraunhofer SIT. Fraunhofer-Gesellschaft 2011 Fraunhofer-Gesellschaft 2011 Cloud Security 2011 Prof. Dr. Michael Waidner Fraunhofer SIT CASED 1 Fraunhofer SIT Security and Privacy»made in Darmstadt«Center for Advanced Security Research Darmstadt 170

More information

Validating Enterprise Systems: A Practical Guide

Validating Enterprise Systems: A Practical Guide Table of Contents Validating Enterprise Systems: A Practical Guide Foreword 1 Introduction The Need for Guidance on Compliant Enterprise Systems What is an Enterprise System The Need to Validate Enterprise

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Cloud Computing Why, what, how?

Cloud Computing Why, what, how? IBM Nederland B.V. Cloud Computing Why, what, how? Ronald Zoutendijk, zoutendi@nl.ibm.com Johan Arts, johan.arts@nl.ibm.com 1 Why Cloud Computing? Complexiteit Agenda 1 Why Cloud Computing? 2 What is Cloud

More information

Enterprise Governance and Planning

Enterprise Governance and Planning GEORGIA TECHNOLOGY AUTHORITY Title: Enterprise Operational Environment PSG Number: SO-10-003.02 Topical Area: Operations / Performance and Capacity Document Type: Standard Pages: 5 Issue Date: July 15,

More information

Library Systems Security: On Premises & Off Premises

Library Systems Security: On Premises & Off Premises Library Systems Security: On Premises & Off Premises Guoying (Grace) Liu University of Windsor Leddy Library Huoxin (Michael) Zheng Castlebreck Inc. CLA 2015 Annual Conference, Ottawa, June 5, 2015 Information

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC RE Think Invent IT & Business IBM SmartCloud Security Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC 2014 IBM Corporation Some Business Questions Is Your Company is Secure

More information

Cloud Data Security and the Insider Threat

Cloud Data Security and the Insider Threat Cloud Data Security and the Insider Threat Sol Cates CSO @solcates scates@vormetric.com Copyright 2014 Vormetric, Inc. All rights reserved. A bit about me InfoSec for ~ 18 years Currently have 4 jobs Infrastructure

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant Ellucian Cloud Services Joe Street Cloud Services, Sr. Solution Consultant Confidentiality Statement The information contained herein is considered proprietary and highly confidential by Ellucian Managed

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

Fundamental Concepts and Models

Fundamental Concepts and Models Fundamental Concepts and Models 1 1. Roles and Boundaries Could provider The organization that provides the cloud based IT resources Cloud consumer An organization (or a human) that has a formal contract

More information

Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations

Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations Topics What is SaaS? How does SaaS differ from managed hosting? Advantages of SaaS

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter Cloud Security considerations for business adoption Ricci IEONG CSA-HK&M Chapter What is Cloud Computing? Slide 2 What is Cloud Computing? My Cloud @ Internet Pogoplug What is Cloud Computing? Compute

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

Security and Cloud Computing

Security and Cloud Computing Martin Borrett, Lead Security Architect, Europe, IBM 9 th December 2010 Outline Brief Introduction to Cloud Computing Security: Grand Challenge for the Adoption of Cloud Computing IBM and Cloud Security

More information

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model

More information

Cloud Computing Security Issues

Cloud Computing Security Issues Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security, marchany@vt.edu Something Old, Something New New: Cloud describes the use of a collection of services, applications,

More information

Cloud Computing. Jean-Claude DISPENSA IBM Distinguished Engineer

Cloud Computing. Jean-Claude DISPENSA IBM Distinguished Engineer Cloud Computing Jean-Claude DISPENSA IBM Distinguished Engineer Best Student Recognition Event July 6-8, 2011 EMEA IBM Innovation Center La Gaude, France Business needs are growing - IT costs are increasing

More information

Cloud Computing in Banking

Cloud Computing in Banking Financial Services the way we see it Cloud Computing in Banking What banks need to know when considering a move to the cloud Contents 1 Overview 3 2 Why Cloud Computing for Banks? 4 2.1 Cost Savings and

More information

Cloud Computing: Risks and Auditing

Cloud Computing: Risks and Auditing IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG

More information

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Computing; What is it, How long has it been here, and Where is it going? Cloud Computing; What is it, How long has it been here, and Where is it going? David Losacco, CPA, CIA, CISA Principal January 10, 2013 Agenda The Cloud WHAT IS THE CLOUD? How long has it been here? Where

More information

Four Top Emagined Security Services

Four Top Emagined Security Services Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Cloud Courses Description

Cloud Courses Description Courses Description 101: Fundamental Computing and Architecture Computing Concepts and Models. Data center architecture. Fundamental Architecture. Virtualization Basics. platforms: IaaS, PaaS, SaaS. deployment

More information

Report on Hong Kong SME Cloud Adoption and Security Readiness Survey

Report on Hong Kong SME Cloud Adoption and Security Readiness Survey Report on Hong Kong SME Cloud Adoption and Security Readiness Survey Collaborated by Internet Society Hong Kong and Cloud Security Alliance (HK & Macau Chapter) Sponsored by Microsoft Hong Kong Jointly

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

LEGAL ISSUES IN CLOUD COMPUTING

LEGAL ISSUES IN CLOUD COMPUTING LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing

More information

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing. Bringing the Cloud into Focus Cloud Computing Bringing the Cloud into Focus November 2011 Introduction Ken Cochrane CEO, IT/NET Partner, KPGM Performance and Technology National co-leader IT Advisory Services KPMG Andrew Brewin Vice

More information

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto Cloud Computing: What needs to Be Validated and Qualified Ivan Soto Learning Objectives At the end of this session we will have covered: Technical Overview of the Cloud Risk Factors Cloud Security & Data

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Security Threat Risk Assessment: the final key piece of the PIA puzzle Security Threat Risk Assessment: the final key piece of the PIA puzzle Curtis Kore, Information Security Analyst Angela Swan, Director, Information Security Agenda Introduction Current issues The value

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

CLOUD SECURITY: THE GRAND CHALLENGE

CLOUD SECURITY: THE GRAND CHALLENGE Government Ware: GovWare Singapore September 29, 2010 CLOUD SECURITY: THE GRAND CHALLENGE Glen Gooding Asia Pacific Security Leader IBM Corporation ggooding@au1.ibm.com Rest safe: Google saves the day

More information

Computer Security Lecture 13

Computer Security Lecture 13 Computer Security Lecture 13 Risk Analysis Erland Jonsson (based on material from Lawrie Brown) Department of Computer Science and Engineering Chalmers University of Technology Sweden Security Management

More information

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro

More information

6 Cloud computing overview

6 Cloud computing overview 6 Cloud computing overview 6.1 General ISO/IEC 17788:2014 (E) Cloud Computing Overview Page 1 of 6 Cloud computing is a paradigm for enabling network access to a scalable and elastic pool of shareable

More information

Cloud Security for Federal Agencies

Cloud Security for Federal Agencies Experience the commitment ISSUE BRIEF Rev. April 2014 Cloud Security for Federal Agencies This paper helps federal agency executives evaluate security and privacy features when choosing a cloud service

More information

Addressing Cloud Computing Security Considerations

Addressing Cloud Computing Security Considerations Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

Cisco Cloud Assessments. Justin Tang

Cisco Cloud Assessments. Justin Tang Cisco Cloud Assessments Justin Tang Cisco Landscape Evolution of Cloud Assessments Performing Cloud Assessments Challenges 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Definition:

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy

More information

Capacity Management for Cloud Computing

Capacity Management for Cloud Computing Capacity Management for Cloud Computing Chris Molloy Distinguished Engineer Member, IBM Academy of Technology October 2009 1 Is a cloud like touching an elephant? 2 Gartner defines cloud computing as a

More information

Security and Privacy in Cloud Computing

Security and Privacy in Cloud Computing Security and Privacy in Cloud Computing - Study Report Sai Lakshmi General Manager Enterprise Security Solutions 2 Agenda Background & Objective Current Scenario & Future of Cloud Computing Challenges

More information

Release 1. ICAICT814A Develop cloud computing strategies for a business

Release 1. ICAICT814A Develop cloud computing strategies for a business Release 1 ICAICT814A Develop cloud computing strategies for a business ICAICT814A Develop cloud computing strategies for a business Modification History Release Release 1 Comments This version first released

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions

More information

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc. Public Clouds Krishnan Subramanian Analyst & Researcher Krishworld.com A whitepaper sponsored by Trend Micro Inc. Introduction Public clouds are the latest evolution of computing, offering tremendous value

More information

Cloud computing White paper November 2009. IBM Point of View: Security and Cloud Computing

Cloud computing White paper November 2009. IBM Point of View: Security and Cloud Computing White paper November 2009 IBM Point of View: Security and Cloud Computing Page 2 Table of Contents Introduction... 3 Address cloud security the grand challenge... 4 Evaluate different models of cloud computing...

More information

Security and Privacy Aspects in Cloud Computing

Security and Privacy Aspects in Cloud Computing Frank Hebestreit, CISA, CIPP/IT IBM Security Services, IBM Global Technology Services frank.hebestreit@de.ibm.com Security and Privacy Aspects in Cloud Computing 17.11.2010 Outline Brief Introduction to

More information

Buyer s Guide. Buyer s Guide to Secure Cloud. thebunker.net Phone: 01304 814800 Fax: 01304 814899 info@thebunker.net

Buyer s Guide. Buyer s Guide to Secure Cloud. thebunker.net Phone: 01304 814800 Fax: 01304 814899 info@thebunker.net Buyer s Guide to Secure Cloud Buyer s Guide to Secure Cloud An executive guide to outsourcing IT infrastructure and data storage using Private Cloud as the foundation. Executives derive much confidence

More information

Cloud and Regulations: A match made in heaven, or the worst blind date ever?

Cloud and Regulations: A match made in heaven, or the worst blind date ever? Cloud and Regulations: A match made in heaven, or the worst blind date ever? Vinod S Chavan Director Industry Cloud Solutions, IBM Cloud October 28, 2015 Customers are faced with challenge of balancing

More information

Dynamic Security for the Hybrid Cloud

Dynamic Security for the Hybrid Cloud Dynamic Security for the Hybrid Cloud Marc van Zadelhoff, VP Strategy, Marketing and Product Management, IBM Security Nataraj Nagaratnam, Distinguished Engineer and CTO Security Solutions, IBM Security

More information

Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009

Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009 Legal Issues Associated with Cloud Computing Laurin H. Mills May 13, 2009 What Is Cloud Computing? The cloud is a metaphor for the Internet Leverages the connectivity of the Internet to optimize the utility

More information

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - 45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART

More information

Cloud Vendor Evaluation

Cloud Vendor Evaluation Cloud Vendor Evaluation Checklist Life Sciences in the Cloud Cloud Vendor Evaluation Checklist What to evaluate when choosing a cloud vendor in Life Sciences Cloud computing is radically changing business

More information

The Next Generation of Security Leaders

The Next Generation of Security Leaders The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish

More information

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C. Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.

More information

Cloud Computing. What is Cloud Computing?

Cloud Computing. What is Cloud Computing? Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited

More information

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data

More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information