Accountability Model for Cloud Governance
|
|
|
- Clarissa Anthony
- 10 years ago
- Views:
Transcription
1 Accountability Model for Cloud Governance Massimo Felici, Hewlett-Packard Laboratories CSP Forum 2014, Athens, May 2014
2 Overview Problem of Data Governance Data Governance in the Cloud Accountability Definitions Conceptual Definition of Accountability Definition of Accountability for Data Stewardship in the Cloud Accountability Model Accountability Attributes, Practices and Mechanisms Accountability Governance Accountability Framework Accountability Context Accountability Governance
3 Problem of Data Governance Different regulatory regimes Complex governance environment Lack of trust in the cloud Transfer of data into the cloud Lack of governance and transparency
4 Conceptual Definition of Accountability Defining Accountability Applicable across different domains and capturing a shared multidisciplinary understanding within the project Concerned about governance Conceptual Definition of Accountability Accountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly. Responsibly and proactively (explaining, justifying, remedying) delivery of actions Compliance with respect to internal and external criteria defined by stakeholders
5 Defining Accountability Contextualising accountability for data governance in cloud ecosystems personal and/or confidential data Definition of Accountability for Data Stewardship in the Cloud Accountability for an organisation consists of accepting responsibility for the stewardship of personal and/or confidential data with which it is entrusted in a cloud environment, for processing, storing, sharing, deleting and otherwise using the data according to contractual and legal requirements from the time it is collected until when the data are destroyed (including onward transfer to and from third parties). It involves committing to legal and ethical obligations, policies, procedures and mechanisms, explaining and demonstrating ethical implementation to internal and external stakeholders and remedying any failure to act properly. Deploying different mechanisms Ethical aspects of accountability
6 From accountability to being accountable Accountability Model Operationalise the accountability definitions Capture different abstraction levels of accountability Identify attributes contributing towards accountability Characterise accountable organisations Identify elements of accountability practices Enable accountability practices
7 Accountability Model Accountability Definitions Observability Verifiability Attributability Transparency Responsibility Liability Remediability Defining governance Ensuring governance Demonstrating governance Holding to account Different mechanisms supporting accountability
8 Accountability Framework Preventive investigating and mitigating risk in order to form policies and determine appropriate mechanisms to put in place; putting in place appropriate policies, procedures and technical mechanisms) Detective monitoring and identifying policy violation; putting in place detection and traceability measures Corrective managing incidents and providing notifications and redress Supporting accountability at different stages Supporting cloud actors Co-designing: Responsible and ethical corporate governance, Innovative regulatory frameworks, and Supporting technologies
9 Accountability Context Obligations, responsibilities and liabilities of actors Regulatory Regimes Trustworthy Account Clarification of Requirements Accountability Transparency Stakeholders Requirements Cloud Ecosystems Help with meeting Obligations
10 Accountability Governance Claims Emerging Trustworthiness Deciding to Trust Questioning Evidence Supported by arguments Providing Evidence
11 Accountability Highlights Addressing data governance in the cloud Accountability Definitions Accountability Model Accountability Framework Accountability Governance
12 Thank You.
The problem of cloud data governance
The problem of cloud data governance Vasilis Tountopoulos, Athens Technology Center S.A. (ATC) CSP EU Forum 2014 - Thursday, 22 nd May, 2014 Focus on data protection in the cloud Why data governance in
FSPFCC04(SQA Unit Code-F88P 04) Ensure you comply with regulations in your financial services environment
Ensure you comply with regulations in your financial services Overview This Standard is about working within the regulatory of the financial services industry. Most organisations within financial services
Accountability in Cloud Computing An Introduction to the Issues, Approaches, and Tools
Accountability in Cloud Computing An Introduction to the Issues, Approaches, and Tools Nick Papanikolaou, Cloud and Security Lab, HP Labs Europe [email protected] With special thanks to Nick Wainwright and Siani
(a) the kind of data and the harm that could result if any of those things should occur;
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
The Legal Pitfalls of Failing to Develop Secure Cloud Services
SESSION ID: CSV-R03 The Legal Pitfalls of Failing to Develop Secure Cloud Services Cristin Goodwin Senior Attorney, Trustworthy Computing & Regulatory Affairs Microsoft Corporation Edward McNicholas Global
Article 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
Cloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
The New Zealand Human Services Quality Framework - ISO9002:2008 to 2012
HUMAN SERVICES QUALITY FRAMEWORK STANDARDS - POLICIES DOCUMENT Q:/1 DATE REVEIWED: REFERENCE: GOVERNANCE AND August 2014 MANAGEMENT POLICY AUTHORISATION: STANDARD REFERENCE: NEXT REVIEW DATE: Management
Business Associate Agreement
Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,
PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES
PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES Cyber Attacks: How prepared are you? With barely a day passing without a reported breach of corporate information security, the threat to financial
Ethical Trading Initiative Management Benchmarks
Ethical Trading Initiative Management Benchmarks The Management Benchmarks are the means by which ETI (a) sets out its expectations of members and (b) measures members progress in applying the ETI Base
Job Description. Radiography Services Manager
Job Description Radiography Services Manager Professionally accountable to: Head of Nursing and Clinical Services Key working relationships: Key reporting relationships: All Radiographers, Consultant Radiologists,
A Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
Information Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations
The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations Jeffrey D. Scott Jeffrey D. Scott, Legal Professional Corporation Practice Advisors
Overview TECHIS60241. Carry out risk assessment and management activities
Overview Information in all its forms is a vital component of the digital environment in which we live and work. The protection of information in its physical form is well understood but the protection
Data Integrity & Technical Ethics
ACCUTEST LABORATORIES Data Integrity & Technical Ethics January 2012 What is Data Integrity? Data that has been produced to the ethical standards of the industry, which is traceable and defensible. What
LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
FSPAMFPI06 Complete reports for mortgage and/or financial planning clients
Complete reports for mortgage and/or financial planning clients Overview You must be able to accurately complete reports of a complex nature, and take a proactive approach to the preparation of valuations
Memorandum of Understanding between the Office of the Independent Adjudicator (OIA) and the General Medical Council (GMC)
Memorandum of Understanding between the Office of the Independent Adjudicator (OIA) and the General Medical Council (GMC) Purpose and basis of the memorandum of understanding This Memorandum of Understanding
Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions
Committee on Payment and Settlement Systems Board of the International Organization of Securities Commissions Consultative report Principles for financial market infrastructures: Assessment methodology
REGULATIONS OF THE COMPLIANCE UNIT OF IBERDROLA GENERACIÓN ESPAÑA, S.A.U. 16/12/14
REGULATIONS OF THE COMPLIANCE UNIT OF IBERDROLA GENERACIÓN ESPAÑA, S.A.U. 16/12/14 ÍNDICE TITLE I. NATURE, PURPOSE AND AMENDMENT 3 Artículo 1. Nature and purpose 3 Artículo 2. Amendment 3 TITLE II. COMPLIANCE
The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).
Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of
Cloud Computing. Introduction
Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between
Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini
Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last
Model Based Engineering and Its Integration with Safety Assurance Cases for Medical Device Software
Model Based Engineering and Its Integration with Safety Assurance Cases for Medical Device Software Yi Zhang Ph.D., Paul Jones Office of Science and Engineering Laboratories Center for Devices and Radiological
BUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 200 ( Effective Date ), and entered into by and between, whose address is ( Business Associate ) and THE
Requirements Evolution of an Avionics Safety-Critical Industrial Case Study Predictive Changes Risk/Cost Analyses
of an Avionics Safety-Critical Industrial Case Study Predictive Changes Risk/Cost Analyses Massimo Felici, Stuart Anderson Abstract. Recent research in requirements engineering has identified two strong
Information Security Management System (ISMS) Policy
Information Security Management System (ISMS) Policy April 2015 Version 1.0 Version History Version Date Detail Author 0.1 18/02/2015 First draft Andy Turton 0.2 20/02/2015 Updated following feedback from
BUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Addendum is made part of the agreement between Boston Medical Center ("Covered Entity ) and ( Business Associate"), dated [the Underlying Agreement ]. In connection with
Information Security Governance:
Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens
Application of King III Corporate Governance Principles
APPLICATION of KING III CORPORATE GOVERNANCE PRINCIPLES 2013 Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have
BUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address
Board of Directors Meeting 12/04/2010. Operational Risk Management Charter
Board of Directors Meeting 12/04/2010 Document approved Operational Risk Management Charter Table of contents A. INTRODUCTION...3 I. Background...3 II. Purpose and Scope...3 III. Definitions...3 B. GOVERNANCE...4
Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules
Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with
Cloud Computing Security Considerations
Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction
Helping to protect your business and your customers in the event of a data breach
Helping to protect your business and your customers in the event of a data breach Equifax Data Breach Assistance helps you respond more quickly and effectively, limiting the reputational damage to your
Privacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
NORTHERN IRELAND FIRE & RESCUE SERVICE JOB DESCRIPTION
MAIN PURPOSE OF JOB NORTHERN IRELAND FIRE & RESCUE SERVICE JOB DESCRIPTION IT PROJECT AND SECURITY MANAGER (GRADE PO2) INFORMATION TECHNOLOGY DEPARTMENT JOB REF: N45/11/06 SALARY: 27,492.00 TO 29,859.00
Application of King III Corporate Governance Principles
Application of Corporate Governance Principles Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have been applied
Acquia Comments on EU Recommendations for Data Processing in the Cloud
Acquia Comments on EU Recommendations for Data Processing in the Cloud Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing
Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services
Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...
I S O I E C 2 7 0 0 2 2 0 1 3 I N F O R M A T I O N S E C U R I T Y A U D I T T O O L
7.1 EMPHASIZE SECURITY PRIOR TO EMPLOYMENT 7.1.1 VERIFY THE BACKGROUNDS OF ALL NEW PERSONNEL Do you check the backgrounds of all candidates for employment? Do you make sure that background verifications
REGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
CFABAI132 Inform and facilitate organisational decision-making
Overview This standard is about informing and facilitating organisational decision-making. It includes presenting information and advice to decision-makers, recording and communicating decisions made by
The PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
National Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
Part E: Contract management
Overview Part A: Strategic assessment Part B1: Business case developing the business case Part B2: Business case procurement options Part B3: Business case funding and financing options Part C: Project
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected
WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance
WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance Complying With HIPAA The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act of
MANAGEMENT STANDARD CLOSURE PLANNING
AngloGold Ashanti Limited \ Reg. No.1944/017354/06 76 Jeppe Street \ Newtown \ 2001 \ PO Box 62117 \ Marshalltown \ 2107 \ South Africa Tel +27 (0)11 637 6000 \ Fax +27 (0)11 637 6624 \ Website: www.anglogoldashanti.com
Enabling the re-use of research data: organising stakeholders and infrastructure in the Netherlands
Enabling the re-use of research data: organising stakeholders and infrastructure in the Netherlands Ingrid Dillo, deputy director DANS RECODE conference, Athens 15-01-2015 Challenges in sharing data Technical
Best Practices at Research Level
PReparing Industry to Privacy-by-design by supporting its Application in REsearch Best Practices at Research Level Hisain Elshaafi Telecommunications Software and Systems Group (TSSG) Waterford Institute
How To Assess A Critical Service Provider
Committee on Payments and Market Infrastructures Board of the International Organization of Securities Commissions Principles for financial market infrastructures: Assessment methodology for the oversight
Consultation on Monitoring of Employees at Work ~ The Way Forward Presentation by Raymond Tang Privacy Commissioner for Personal Data Hong Kong SAR Privacy Issues Forum 28 March 2003 Wellington, New Zealand
Cloud security architecture
ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide
Practical and ethical considerations on the use of cloud computing in accounting
Practical and ethical considerations on the use of cloud computing in accounting ABSTRACT Katherine Kinkela Iona College Cloud Computing promises cost cutting efficiencies to businesses and specifically
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy
D:C-3.1 Requirements for cloud interoperability
Deliverable Number: D33.1 Work Package: WP 33 Version: Final Deliverable Lead Organisation: CSA Dissemination Level: PU Contractual Date of Delivery (release): 30 th September, 2013 Date of Delivery: 5
Information Security and Governance in ERP Implementation (JD Edwards)
Information Security and Governance in ERP Implementation (JD Edwards) Table of Contents Information Security... 2 Information Security in ERP Environment... 3 J D Edwards Security and Governance Features...
REGULATIONS FOR COMPLIANCE OFFICERS
PenCom REGULATIONS FOR COMPLIANCE OFFICERS RR/P&R/09/03 www.pencom.gov.ng About this Guidelines The Regulations for Compliance Officers is divided into four (4) sections. Section one is the introduction
IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
IT Professional Standards Information Security Discipline Sub-discipline 605 Information Security Testing and Information Assurance Methodologies December 2012 Draft Version 0.6 DOCUMENT REVIEW Document
CCSAPAB2 Develop and agree objectives for archaeological projects
Develop and agree objectives for archaeological projects Overview This standard is relevant to archaeologists responsible for the development of projects on behalf of clients and the agreement of contracts
This form may not be modified without prior approval from the Department of Justice.
This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate
Procurement Capability Standards
IPAA PROFESSIONAL CAPABILITIES PROJECT Procurement Capability Standards Definition Professional Role Procurement is the process of acquiring goods and/or services. It can include: identifying a procurement
COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES
COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: [email protected] Website:
Accountability: Data Governance for the Evolving Digital Marketplace 1
Accountability: Data Governance for the Evolving Digital Marketplace 1 1 For the past three years, the Centre for Information Policy Leadership at Hunton & Williams LLP has served as secretariat for the
HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions
HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,
Compliance Policy ALCO recommended standard
1. PURPOSE In accordance with CSSF Circular 2004/155, the board of directors of [NAME OF COMPANY] (hereafter the Company ) has adopted the following Compliance Policy. The Company s Compliance function
Role of contracts in Cloud Computing an Overview. Kevin McGillivray Doctoral Candidate (NRCCL)
Role of contracts in Cloud Computing an Overview Kevin McGillivray Doctoral Candidate (NRCCL) Barriers/Challenges to Cloud Transparency Compliance Legal Shared infrastructure Subcontractors (and their
By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels.
Getting a Clean Bill of Health for Privacy in Your Mobile App By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels. I. Introduction to the legal regime and risks As the marketplace floods
Privacy in the Cloud A Microsoft Perspective
A Microsoft Perspective November 2010 The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION
BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.
Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices
Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices Ann Cavoukian, Ph.D. Information & Privacy Commissioner, Ontario, Canada Purpose: This document
All about Threat Central
All about Threat Central Ted Ross & Nadav Cohen #HPProtect Forward-looking statements This is a rolling (up to three year) Roadmap and is subject to change without notice. This document contains forward
Business Associate Agreement (BAA) Guidance
Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity