HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
A Review List

This paper was put together with security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment.

Dr. Lenny Michael Bonnes
Dr.l.Mike.Bonnes@gmail.com
Contents

Security Focus for critical areas within a cloud deployment
  Determine Risk tolerance
  Evaluate Assets
  Map the asset to potential cloud deployment model
Domains
Security Content Automation Protocol
Information security controls associated to implementation
  Access control
  Information access restriction
  Cryptographic key management
  Capacity
  System environment
  Data storage
  Information Backup
  Event Logging
  Management of technical vulnerabilities
  Security requirements analysis and specification
  Responsibilities and procedures
  Assessment of and decision on information security events
  Forensics: Collection of evidence
    Businesses should:
    Interfaces and APIs: forensic information will be provided through:
Compliance
  Regulation of cryptographic controls
  Compliance with security policies and standards
  Technical Compliance Review
  Demarcation of responsibility
Protection of Virtual Environment
  Cooperation of configurations between virtual and physical network
  Information security incident management
Information security risk related to cloud computing
  Threats to business unit
Security Focus for critical areas within a cloud deployment

This paper is put together to help businesses focus on critical areas when moving to a cloud deployment.

Determine Risk tolerance

Identify the assets for the cloud deployment:
1. Data
2. Applications/functions/processes

Determine whether you are moving information into the cloud, or transactions/processing (partial functions). Determine whether data and applications need to reside in the same location, or whether only parts of functions can move to the cloud.

Evaluate Assets

How sensitive is the data? How important is the application/function/process? For each asset, think of these questions:
- How would we be harmed if the asset became widely public and widely distributed?
- How would we be harmed if an employee of our cloud provider accessed the asset?
- How would we be harmed if the application or function were manipulated by an outsider?
- How would we be harmed if the process or function failed to provide expected results?
- How would we be harmed if the asset were unavailable for a period of time?
These questions are directed towards the confidentiality, integrity and availability requirements for the asset.

Map the asset to potential cloud deployment model

Determine the deployment model from the following options:
- Public
- Private, internal/on premises
- Private, external (dedicated or shared infrastructure)
- Hybrid
Have in mind the architecture where function components and data will reside. Map out the data flow before deciding.
Domains

Governance and Enterprise risk management: the ability of the business to govern and measure enterprise risk introduced by a cloud deployment, i.e., legal precedence for agreement breaches, and your client's ability to adequately assess the risk of a cloud provider. Where does the responsibility reside to protect sensitive data access points when both business and provider are at fault?

Legal issues, contracts and electronic discovery: review contracts to ensure that SLAs, MLAs or BAAs have not restricted the use of a cloud deployment.

Compliance and Audit: maintain an audit trail and prove compliance when utilizing a cloud deployment.

Managing Data: managing data in the cloud means the identification and control of data and all compensating controls to deal with loss of physical control. Who is responsible for data confidentiality, integrity and availability?

Portability and interoperability: determine the ability to move data/services from one provider to another, or to bring them back in house.

Traditional Security practices, business continuity and disaster recovery: how does the move to the cloud affect the operational processes and procedures currently used to implement security, business continuity and disaster recovery?

Security Content Automation Protocol

Assessing Information security risks in cloud services

Risk assessment should be run periodically but may also be performed following the manifestation or observation of a vulnerability or new threat. The following considerations apply when assessing security risk:
- Information security controls disclosed by a cloud service provider can be limited or abstracted in order to minimize the provider's own risks.
- Disclosures by the cloud provider on its vulnerabilities can also increase risk to the business unit.

When defining the information security policy for the use of cloud computing, the following issues have been taken into account:
a) Information stored in the cloud computing environment that is subject to access controls
b) Assets maintained in the cloud, i.e., application programs
c) Processes run on the cloud service
d) Administrators who will have privileges
Information security controls associated to implementation

- A clear division of information security responsibilities between the business and the service provider should be defined and documented.
- Segregation of duties and access rights should be determined.
- Policy written for the use of cloud services.
- Standards and procedures for the use of cloud services.
- Risk determined for each cloud service.
- System and network environment risks with the use of cloud services.

Asset management
- Inventory of assets in relation to use in a cloud environment.
- Confirmation of support for asset management in the cloud environment.
- Policy developed for the end of the contract with the cloud provider and the return of assets.

Access control

Businesses should include the following regarding control on the use of cloud services in the policy on the use of network services:
A. Access control for each service (user credentials).
B. Access control preventing network access from designated sites (IP address or URL).
C. Identified procedures for the issuance and re-issuance of passwords.

Information access restriction

Businesses should restrict access to cloud service (admin rights) functions and customer information maintained by the cloud service provider. Businesses should put in a request to the cloud service provider for the restrictions that are in place for the cloud service and cloud service customer information.

Businesses should restrict and tightly control the use of utility programs running in the cloud environment that might be capable of overriding system and application controls. Business units should request:
- Specifications of utility programs that might be capable of overriding system and application controls.
- Functional specifications to restrict and control utility programs.

Business units should request the following information on procedures used to manage keys related to the cloud service.
Cryptographic key management

- Businesses should confirm that the cryptographic functionality provided on the cloud service is adequate with respect to the policy on the use of cryptographic controls.
- Specifications of the key management system, including the procedure for each process of the key life cycle, i.e., generating, changing, updating, storing, retiring, retrieving, retaining and destroying.
- Businesses should not permit the cloud service provider to store and manage encryption keys on behalf of the business for the protection of any data that is owned or managed by the business unit. Businesses should employ a separate and distinct service to store and manage keys.
- Businesses should request information about the physical security perimeter to confirm that the specification satisfies the regulatory requirements.

Capacity

Businesses should confirm that communication to the business includes:
- Changes to the system
- Planned date and time of system changes
- Announcement of system change start and completion
Businesses should confirm that the capacity is sufficient to deliver the product.

System environment

Data storage

Capacity of the network and network equipment, including the virtual network environment, i.e., bandwidth and maximum number of network sessions, and the following:
- Agreed or expected system performance
- Lead time to obtain additional capacity or system performance
- Maximum capacity and system performance
- Redundancy and diversity of systems
- Redundancy and diversity of access networks
- Statistics on system resource usage
- Statistics in a given time period
- Maximum system resource usage
FYI: the total volume of logical capacity can never exceed the total volume of the physical capacity.
Information Backup

1. Businesses should define a back-up policy and develop procedures with the following considerations.
2. Backup and restoration functions should be performed as part of the cloud service.
3. Backup and restoration functions should be developed by the business unit.
4. Backups should be encrypted according to HIPAA/HITECH/ISO demands.
5. Backup and restoration functions should be performed as part of the cloud service.
6. Local and/or offsite storage of backups should be documented.
7. Businesses should establish a retention period.

Event Logging

Businesses should request specifications from the cloud service provider in order to develop procedures for monitoring usage of the cloud services:
A. Types of usage records
B. Retention period of usage records

Management of technical vulnerabilities

Businesses should understand the technical vulnerability management of the cloud service. Businesses should request the following information from the cloud service provider to understand technical vulnerability management:
- Process of identification of technical vulnerabilities
- Policy to respond to technical vulnerabilities
- Request and agree upon criteria for a system feature to be considered vulnerable
Businesses should request from the cloud provider information on the functional specifications for dividing the networks into separate network domains, to segregate the networks of the cloud service.

Security requirements analysis and specification

Businesses should specify the security requirements for the cloud service. Businesses should analyze and evaluate the alignment of the implemented controls in the cloud environment. Businesses should include cloud-specific risks along with the organization's general information security risks. Businesses should be aware that visibility of controls, of achieved levels of information security and of information security risks tends to be limited when using cloud services.
Responsibilities and procedures

Businesses should verify the distribution process for information about severe information security incidents by the cloud provider. Businesses should notify the cloud provider in the event of an incident or breach.

Assessment of and decision on information security events

Businesses should verify the definition of information regarding severe information security incidents provided by the cloud provider. Businesses should review the incident management framework.

Forensics: Collection of evidence

Businesses should:
- Identify information that can serve as evidence that resides within a cloud service or within the cloud provider environment associated with the cloud service.
- Establish procedures by which the information can be collected and acquired from the cloud service or the related environment.
- Ensure that information which can serve as evidence is preserved within the cloud service and related provider environment. (This should be covered in the cloud service agreement.)
Information made available should come from: VM networks, SIEM, offline VMs, IPS and other sources.

Interfaces and APIs: forensic information will be provided through:
1. Protection measures against collateral damage during a forensic investigation on shared resources (if available)
2. Protection of sensitive information from other tenants during a forensic investigation on shared resources like RAM or network (if available)
3. Competence of available personnel supporting forensic investigations
4. Provider awareness of local laws
5. Procedures and measures to strictly isolate customer-related evidence data (if available)
Compliance

Identification of applicable legislation and contractual requirements

Businesses should identify domestic and foreign legal, regulatory and contractual requirements depending on the purpose of the cloud service. Businesses should identify privacy and protection requirements for personally identifiable information.

Regulation of cryptographic controls

Businesses should request that the cloud service provider affirm that the cryptographic technology used is not in conflict with export regulations in the countries or regions where such cryptography is provided.

Compliance with security policies and standards

Business service providers need to ensure that there are procedures in place to ensure compliance with the security terms contained in the service agreements (SLAs, MLAs, BAAs).

Technical Compliance Review

Businesses should confirm that the information related to technical compliance checking provided by the cloud service provider will satisfy their technical compliance requirements. When the cloud provider does not satisfy the cloud service customer's technical compliance policy, businesses should reconsider the use of the cloud service.

Demarcation of responsibility

Businesses should identify and manage the support contact and the customer contact of the cloud service provider. Businesses should review the proposed demarcation of information security responsibilities and confirm whether they can accept the responsibilities of both parties in the contract.
Protection of Virtual Environment

Businesses should identify the controls put in place by the cloud service provider to ensure that the business's instance cannot be accessed from another cloud service customer or by unauthorized users, so that segregation of virtual environments is ensured. This segregation should be strictly preserved regardless of physical configurations or physical migration of virtual assets. Businesses should request that an operation log be kept and stored by the cloud service provider to clarify the boundary of responsibility.

Cooperation of configurations between virtual and physical network

Businesses should request a configuration manual based on the virtualized security policy.

Information security incident management

Businesses should verify the distribution process for information about severe information security incidents by the cloud service provider, and should be able to acquire that information accurately and quickly. Businesses should notify the cloud service provider, and obtain the information needed to avoid being affected by the incident, once the business has confirmed that an incident occurred in the cloud-computing environment.
Information security risk related to cloud computing

Threats to business unit

1. Loss of governance: in public cloud deployments, customers cede control to the cloud provider over a number of issues that may affect security, while the service level agreements may not offer a commitment to provide sufficient security.
2. Responsibility ambiguity: ambiguity exists between the business and the cloud provider on who must control security. Most cloud providers supply a division of responsibilities, and because of this split between the customer and the provider, gaps may exist in the environment and should be fully vetted.
3. Isolation failure: in a shared-resource cloud deployment, with the multi-tenancy characteristics of cloud computing, a higher than normal risk exists regarding the coverage of data usage.
4. Vendor lock-in: this security dependency lies within the proprietary services of any one particular cloud service provider, which could lead to the cloud service customer being tied to that provider. Services that do not support portability of applications and data to other providers increase the risk of data and service unavailability.
5. Compliance and legal risks: investment in achieving certification or compliance may be put at risk by migration to cloud computing if the cloud service provider cannot provide evidence of its own compliance with relevant requirements, or if the cloud provider does not permit audit by the business unit. It is the responsibility of the business to be clear about the division of security responsibilities between the customer and the provider, and to ensure that the business unit's responsibilities are handled appropriately when using cloud services.
6. Handling of security incidents: the detection, reporting and subsequent management of security breaches is a concern for the business unit, which relies on the cloud provider to handle breach matters.
7. Management interface vulnerability: customer management interfaces of a public cloud provider.
8. Data protection: cloud computing poses several data protection risks for cloud customers. The major point to consider is exposure or release of sensitive data, but the risks also include loss or unavailability of data. In most cases it will be a challenge to check the data handling practices of the cloud provider.
9. Malicious behavior of insiders: damage caused by malicious actions from within the cloud provider can be substantial, given the access and authorizations such insiders may have. This is of course increased within a cloud computing environment. This kind of activity could occur with or without the knowledge of the business unit.
10. Business failure of the provider: in disaster recovery, if the cloud provider fails to recover from a disaster, this could render data and applications unavailable to the business unit.
11. Service unavailability: as we know, a host of factors, from equipment or software failures in the provider's data center to failure of communication between the business's systems and those of the cloud provider, can cause service unavailability.
12. Migration and integration failures: migrating to cloud services may involve moving data and applications from the customer environment to the provider environment with associated configuration changes (i.e., network addressing). Migration of part of the business unit's infrastructure to a cloud service provider may require substantial changes in the infrastructure design. The same issues follow with the migration of applications and data.
13. Evolutionary risks: the business should be aware that a cloud service provider that has passed the security assessment during the acquisition phase might have new vulnerabilities introduced during its lifetime due to changes in software components.
14. Cross-border issues: the business should be aware that the location of the service provider might prevent it from meeting regulatory requirements due to cross-border issues.
15. Insecure or incomplete data deletion: requests to delete cloud resources, when a customer terminates the use of a cloud service with a provider, may not result in complete deletion. It is important that the business be aware of where all data rests and how it is disposed of; it is quite possible that cloud provider hardware will retain data that had been deleted, and artifacts remain.
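The key-custody rule in the Cryptographic key management section (keys held in a separate and distinct service, never stored and managed by the provider), the encrypted-backup requirement under Information Backup, and risk 15 above (incomplete deletion) are all served by one construction: envelope encryption with the key-encryption key held outside the provider. The Go program below is an added illustration written for this review, not code from the original paper or from any provider; the names KeyService, Backup, EncryptBackup and DecryptBackup are hypothetical, and the in-memory key store stands in for a real HSM or key-management service under the business's control.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is a hypothetical in-memory stand-in for the separate,
// business-controlled key store the checklist requires (an HSM or KMS outside
// the provider's control in practice). It never releases a key-encryption key
// (KEK); callers may only ask it to wrap and unwrap data keys.
type KeyService struct{ keks map[string][]byte }

func NewKeyService() *KeyService { return &KeyService{keks: map[string][]byte{}} }

// Generate and Destroy are the "generating" and "destroying" steps of the key
// life cycle. Once a KEK is destroyed, every data key wrapped under it, and so
// every backup, is unrecoverable however many ciphertext copies the provider keeps.
func (ks *KeyService) Generate(id string) { ks.keks[id] = randBytes(32) } // AES-256
func (ks *KeyService) Destroy(id string)  { delete(ks.keks, id) }

// Wrap encrypts a data key under the named KEK; Unwrap reverses it.
func (ks *KeyService) Wrap(id string, dek []byte) ([]byte, error) {
	kek, ok := ks.keks[id]
	if !ok {
		return nil, fmt.Errorf("kek %q unknown or destroyed", id)
	}
	return seal(kek, dek), nil
}

func (ks *KeyService) Unwrap(id string, wrapped []byte) ([]byte, error) {
	kek, ok := ks.keks[id]
	if !ok {
		return nil, fmt.Errorf("kek %q unknown or destroyed", id)
	}
	return open(kek, wrapped)
}

// randBytes panics if the CSPRNG fails; there is no safe way to continue.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds AES-GCM; the constructors fail only on a bad key size, which
// cannot happen with the 32-byte keys generated here.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal/open: AES-256-GCM with a random nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil) // fails on any tampering
}

// Backup is all the provider ever receives: ciphertext, the wrapped data key
// and the ID of the KEK that wrapped it. None of it decrypts without KeyService.
type Backup struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptBackup uses a fresh data key per backup (envelope encryption) and
// wraps it under the named KEK; the plaintext data key never leaves this call.
func EncryptBackup(ks *KeyService, kekID string, plaintext []byte) (*Backup, error) {
	dek := randBytes(32)
	wrapped, err := ks.Wrap(kekID, dek)
	if err != nil {
		return nil, err
	}
	return &Backup{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext)}, nil
}

// DecryptBackup is the restore path: the service unwraps, the caller decrypts.
func DecryptBackup(ks *KeyService, b *Backup) ([]byte, error) {
	dek, err := ks.Unwrap(b.KEKID, b.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, b.Ciphertext)
}
```

The "changing" step of the life cycle is a re-wrap: unwrap the data key under the old KEK, wrap it under the new one, update the backup's KEKID, then destroy the old KEK; the bulk ciphertext at the provider is never touched. Destroying the last KEK is what makes risk 15 tractable: whatever copies of the ciphertext the provider's hardware retains after a deletion request, none of them can be read, and GCM's authentication tag means a tampered copy fails to open rather than restoring silently corrupted data.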
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationOverview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin
Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationSummary of CIP Version 5 Standards
Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationKey Management Best Practices
White Paper Key Management Best Practices Data encryption is a fundamental component of strategies to address security threats and satisfy regulatory mandates. While encryption is not in itself difficult
More informationA Strategic Approach to Enterprise Key Management
Ingrian - Enterprise Key Management. A Strategic Approach to Enterprise Key Management Executive Summary: In response to security threats and regulatory mandates, enterprises have adopted a range of encryption
More informationINFORMATION SECURITY PROCEDURES
INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures
More informationCAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING?
CAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING? Ameer Pichan School of Electrical Engineering & Computing Curtin University, Australia What is it? Similar to other services net r
More information08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview
Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationSTATE OF NEW JERSEY Security Controls Assessment Checklist
STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response
More informationData Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture
Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture 2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction
More informationWhitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption
Whitepaper What You Need to Know About Infrastructure as a Service (IaaS) Encryption What You Need to Know about IaaS Encryption What You Need to Know About IaaS Encryption Executive Summary In this paper,
More informationPurpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.
Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationLEGAL ISSUES IN CLOUD COMPUTING
LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationWhat Cloud computing means in real life
ITU TRCSL Symposium on Cloud Computing Session 2: Cloud Computing Foundation and Requirements What Cloud computing means in real life Saman Perera Senior General Manager Information Systems Mobitel (Pvt)
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationIT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.
IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT
More informationIBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation
IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing
More informationCLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013
CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationOverview. What are operational policies? Development, adoption, implementation
Practical Geospatial Policies: Resolving Operational Issues to Optimize Your SDI Ed Kennedy Hickling Arthurs Low Corporation and Cynthia Mitchell and Simon Riopel Division, Natural Resources Canada Overview
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationStrategies for assessing cloud security
IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary
More informationInformation Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationEnterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions.
Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH White Paper February 2010 www.alvandsolutions.com Overview Today s increasing security threats and regulatory
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationVirtual Private Cloud. Service Level Agreement. Terms and Abbreviations
Virtual Private Cloud. Service Level Agreement Terms and Abbreviations Customer's Control Panel the web page intended for managing the Services rendered by the Executor, retaining the Customer's actual
More informationService Definition Document
Service Definition Document QinetiQ Secure Cloud Protective Monitoring Service (AWARE) QinetiQ Secure Cloud Protective Monitoring Service (DETER) Secure Multi-Tenant Protective Monitoring Service (AWARE)
More informationSRA International Managed Information Systems Internal Audit Report
SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationWhite Paper: Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements
White Paper: Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements The benefits of QRadar for protective monitoring of government systems as required by the UK Government Connect
More informationExternal Supplier Control Requirements
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
More informationAddressing Cloud Computing Security Considerations
Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft
More informationCyberSource Payment Security. with PCI DSS Tokenization Guidelines
CyberSource Payment Security Compliance The PCI Security Standards Council has published guidelines on tokenization, providing all merchants who store, process, or transmit cardholder data with guidance
More informationIT Audit in the Cloud
IT Audit in the Cloud Pavlina Ivanova, CISM ISACA-Sofia Chapter Content: o 1. Introduction o 2. Cloud Computing o 3. IT Audit in the Cloud o 4. Residual Risks o Used Resources o Questions 1. ISACA Trust
More informationSecurity from a customer s perspective. Halogen s approach to security
September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving
More information