Managing cloud services risk throughout a supplier lifecycle relationship
By Mark Becker, Senior security consultant, BT, and Bryan Fite, Security portfolio manager, BT
Introduction

Cloud services have proliferated. New, virtual services and repositioned hosted services deliver the agility and pay-for-use objectives cloud proponents expect. Project teams and organizational units have found the cloud to be a highly responsive option to immediate needs.

While the cloud as a service delivery model has made substantive advances in the past two years, companion risk and governance models have not matured at a similar rate. Risk Management and Information Security teams should be concerned. Who has the responsibility to provide a sustainable management and governance infrastructure that minimizes business risk? Who will assure that compliance, privacy and long-term service continuity controls are adequate? Who will guarantee that the level of trust extended to a service provider is warranted?

In an ideal world, the tactics used to engage a Cloud Services Provider (CSP) would be commensurate with the level of risk to which the enterprise is exposed. The tactics to establish whether the CSP is worthy of trust, the scope of technical control to mitigate threats, and the quality management governance model would be dictated by a simple-to-use and easily understood risk management framework.
Today, the focus is on the service outcome

BT provides network consulting services for which the cloud is often a delivery option. We have noticed that many cloud programs are directed at a specific problem that can be solved by a widget or service provided by a CSP. The good news is that if the widget fits, the result is generally of high quality. The bad news is that, far too often, there is very little:

1) Oversight of the CSP relationship,
2) Data protection,
3) Operational and business continuity assurance, and / or
4) Integrated change management.

While not as egregious as buying a Rolex watch from a New York street vendor, there are similarities: the watch does tell the time, for a while anyway; the credentials of the supplier are assumed adequate; and the purchase comes with no warranty. Urgency, responsiveness and the short-term nature of the vendor relationship are the justification for risk management shortcuts.

Reality check: CSP selection is risky business

The more sensitive the data and / or the more critical the process, the more important supplier selection tactics and trust management become to the success of the relationship and the value it provides. A successful relationship will be grounded in a shared understanding of accountabilities and expectations. The choice will not be solely whether someone else can provide a service within desired cost and time parameters. Rather, the choice will confirm that they will do it with the same care you provide when doing it yourself. As the relationship develops from prospect to partner, risk mitigation must change from assessment to in-life control. The focal point must change from "me" to "we".

Figure 1 looks at the various stages of a provider relationship lifecycle. At each point, a share of the activity should include risk management activities.

Define use case must declare the relative risk, in terms of data sensitivity and process criticality, of what the service is to support.

Qualify CSP must build trust based on a verification that the service provider provides adequate security controls for the use case, the business benefits, and the cost of entry.

Define service should summarize the human and security controls aligned with use case risk, document the technical and process integration with the CSP, and provide the quality control framework to manage the in-life operation.

Contract for service must include the terms under which the use case and service are managed to contain risk, including SLAs, roles/responsibilities, and terms that could be invoked upon service failure such as information disclosure and service interruption.

Manage in-life service includes the required level of joint management and control.

Terminate service is the unavoidable but mutually agreed end of the relationship.

Figure 1: Cloud Services Relationship Lifecycle (stages: Define use case, Qualify CSP, Define service, Contract for service, Manage in-life service, Terminate service)
Fill a need, not buy a service

The crux of the relationship is the use case for which a service is to be provided. A use case describes the business operation, process and data flow, technical services, support requirements, and its risk management requirements in terms of data sensitivity and process criticality. The use case is the risk filter for the development of the relationship. The greater the risk, the more judicious the CSP selection, the more complete the service description, the more protective the contract, and the more rigorous in-life management becomes. Figure 2 offers instances of triggered / materialized risk in the context of sensitivity and criticality. Data and process examples by risk level (low, medium, high) are found in Figure 3.

Each enterprise should standardize how data and processes are to be categorized with respect to risk. The standard should be grounded on the impact on the enterprise rather than the impact on a team or project. At one extreme, it is tempting to claim that "my data does not require protection", or that "my process is the most important work the business does". It would benefit all organizational units and project teams if the Risk Management group defined the risk levels associated with data categories and process criticality to assure alignment with corporate confidentiality and business continuity objectives.
Figure 2: Triggered Risks (matrix of data sensitivity against process criticality, each rated H / M / L). Data sensitivity risks shown: privacy regulation violation, lost strategic advantage, fines for OID leakage, eroded competitiveness, brand damage, regulatory compliance fines, adverse impact on image / reputation. Process criticality risks shown: reproduction cost, recovery cost, lost revenue / sales, eroded customer confidence, recovery from mission critical outage, lost market share.

Figure 3: Data and Process Examples (by risk level L / M / H). Data examples: external personally identifiable data, strategic planning content, stock-price-affecting content, audit findings, need-to-know content (business plans, passwords, system logs, legal), customer data / transactions, employee information, publicly available content, unrestricted internal content (intranet, briefings, policies). Use case / process examples: training, storage, conferencing, public sites, web presence for commerce, virtual data center, hosted security, hosted processes (call center, BPOS), disaster recovery, core ERP systems.

CSP qualification is an exercise in trust management

CSP qualification is the starting point for building trust. Clearly, mission-critical transaction processing or the "secret sauce" that is your marketplace differentiation requires a different level of trust and assurance than does a conferencing service. The greater the processing dependence on the CSP and / or the privacy of the data the CSP retains, the greater the potential risk and the more substantial the level of required due diligence. Ultimately, a qualified CSP implies that you trust the supplier will provide a level of protection and quality of service no worse than you demand of yourself, given the data sensitivity and process criticality.

The scope of due diligence should include:

Data privacy, access control and leakage prevention.
Perimeter controls, including access link and intrusion prevention.
Desktop controls to preclude malicious code introduction.
Isolation from other clients to assure processing performance and data confidentiality.
Hypervisor standards and virtual image protection.
Log collection, management and analysis.
Physical and environmental controls.
System development practices.
Service design clarifies the operational control baseline

The service must be designed and implemented in a manner that can be sustained. The focal point is a service design that is as complete as the use case demands. When the data sensitivity and/or process criticality require, the service design should have agreed descriptions of all of the services and controls required to assure quality and mitigate threats. With a depth appropriate for the use case risk, the service design should address:

Technical integration for seamless and secure communications.
Process integration, including declared handoffs between entities.
Security requirements and controls that in combination harden the environment.
Operational quality controls such as monitoring.
ITSM integration for service catalogues, technology introduction, change management and incident management.
Human resource requirements and controls such as selection/vetting, duty separation, social engineering prevention and personal responsibility programs, and training.
In-life management practices.
Service activation and termination processes.
Contracting sets the relationship tone

Just as fences make good neighbours, contracts make good partners. While the service design describes how the integrated operations are to behave, the contract confirms responsibility should operational stability be lost. As the level of risk increases, so do the scope and the specificity of the contract. The contract may include:

SLAs and associated reporting for each service.
Quality/audit/legal/regulatory expectations for data confidentiality/privacy, regulatory reporting, audit, and system compliance with regulatory requirements.
Specific terms, and potentially monetary recovery, for contract failures such as recurring SLA breaches, confidentiality/non-disclosure, reputational loss, Intellectual Property, and limitation of liability/indemnity.
Applicability of terms to federated CSPs.
Delineation of client and CSP roles/responsibilities, such as service changes and steady state monitoring/administration.
Joint management/governance requirements.
Escrow agreement for critical software.

In-life management keeps the focus on quality (and ensures accountability)

Once the service becomes operational, it is tempting to fall back to a business-as-usual mindset. However, data sensitivity and/or process criticality may demand a high degree of on-going vigilance to sustain long-term quality, and even moderate-risk use cases demand that in-life governance controls be compatible and shared. The greater the risk and/or the longer the term of the relationship, the more proactive managerial oversight must become, including:

Policy alignment.
Joint governance and oversight teams that meet regularly.
Integrated emergency response and forensic services.
Joint quality programs underpinned with robust dashboard/reporting, a rigorous risk-based self-assessment process, and a coordinated improvement program.
Joint audit/remediation controls based upon shared control points and their metrics, aligned with SLAs.
Joint DR/BCP and capacity management.
Future, scaled CSP relationships

If we are to manage our CSP relationships more effectively, we need an assessment framework that responds to use case risk. The framework will guide a relationship management plan defined by the CSP Relationship Lifecycle. Figure 4 is such a framework. The data sensitivity and process criticality define a cell in the model which is the starting point for the analysis of the level of trust, control and governance the relationship demands.

Figure 4: Risk-based CSP relationship requirements (matrix of data sensitivity against process criticality; requirements placed in the cells include: in-house backup copy, internal governance, CSP restoration process, contractual SLA / terms, due diligence for SDLC, joint restoration process, CSP quality reporting, monetary recovery for contract failure, integrated security, due diligence for data privacy / leak, contract extends to federated CSPs, due diligence for security / risk / regulatory, due diligence for HR / admin access, due diligence for federated CSPs, ITSM integration, comprehensive service design, joint governance / change control, due diligence for ops / DR / BCP / physical / IDP tools, VM / hypervisor, joint DP / DCP, joint CSIP, joint audit)

Application of this framework is a two-step process:

1. Define the cell represented by the data sensitivity and process criticality of the use case.
2. Include all cells within the shadow of the use case cell. The shadow of a use case covers all cells to the right and below the use case cell. See Figure 5 for some examples.

The framework has advantages for both project teams and Risk Management. Multiple suppliers can be introduced to the organization based upon need, provider capabilities and consistent enterprise requirements. The development of each CSP relationship will assess and manage risk to an appropriate level based upon the data and process characteristics of the use case. Relationships will emerge in the context of a lifecycle, not a specific and immediate project need. The effort to create a relationship will be scaled to the impact on the enterprise. Organizational units and project teams will be freed to quickly engage niche CSPs whenever the data and process represent low risk to the enterprise.

Figure 5: Framework applicability given use case (the use case cell plus its shadow: the cells with the same or lower data sensitivity and the same or lower process risk)
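To make the two-step application concrete, here is an added Python illustration that is not part of the BT paper. The shadow rule (same or lower data sensitivity and same or lower process criticality) is the paper's; the placement of Figure 4's requirement labels into cells is a constructed assumption for the example, because the figure does not survive as a readable matrix, and the gap-analysis step is an addition.

```python
"""Worked example of the two-step framework application (Figures 4 and 5).

Added illustration, not code from the paper. The cell placement below is a
constructed assumption; the shadow rule is the one the paper states.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Risk levels in ascending order; list position is the rank used by the shadow rule.
LEVELS: List[str] = ["L", "M", "H"]
Cell = Tuple[str, str]  # (data sensitivity, process criticality)

# ASSUMPTION: an illustrative placement of Figure 4's requirement labels into
# the nine cells. The paper's exact placement is not recoverable from the text.
FRAMEWORK: Dict[Cell, FrozenSet[str]] = {
    ("L", "L"): frozenset({"Internal governance", "In-house backup copy"}),
    ("L", "M"): frozenset({"CSP restoration process"}),
    ("L", "H"): frozenset({"Joint restoration process"}),
    ("M", "L"): frozenset({"Due diligence for data privacy / leak"}),
    ("M", "M"): frozenset({"Contractual SLA / terms", "CSP quality reporting"}),
    ("M", "H"): frozenset({"Joint governance / change control"}),
    ("H", "L"): frozenset({"Due diligence for security / risk / regulatory"}),
    ("H", "M"): frozenset({"Due diligence for federated CSPs",
                           "Contract extends to federated CSPs"}),
    ("H", "H"): frozenset({"Joint audit", "Joint CSIP"}),
}


def _rank(level: str) -> int:
    """Map a level letter to its rank; reject anything outside L / M / H."""
    if level not in LEVELS:
        raise ValueError(f"unknown risk level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def shadow(sensitivity: str, criticality: str) -> List[Cell]:
    """Step 2 of the framework: the use case cell plus every cell with the same
    or lower data sensitivity AND the same or lower process criticality."""
    s_rank, c_rank = _rank(sensitivity), _rank(criticality)
    return [
        (s, c)
        for s in LEVELS if LEVELS.index(s) <= s_rank
        for c in LEVELS if LEVELS.index(c) <= c_rank
    ]


def requirements_for(sensitivity: str, criticality: str,
                     framework: Dict[Cell, FrozenSet[str]] = FRAMEWORK) -> Set[str]:
    """Union of the requirements in the use case cell and all cells in its shadow.
    Because the shadow is monotone, a higher-risk cell always demands a superset
    of what a lower-risk cell demands."""
    required: Set[str] = set()
    for cell in shadow(sensitivity, criticality):
        required |= framework.get(cell, frozenset())
    return required


def gap_analysis(sensitivity: str, criticality: str, in_place: Set[str],
                 framework: Dict[Cell, FrozenSet[str]] = FRAMEWORK) -> Set[str]:
    """Requirements the use case demands that the relationship does not yet meet.
    (Added step, not from the paper: compares the shadow union with what exists.)"""
    return requirements_for(sensitivity, criticality, framework) - set(in_place)


if __name__ == "__main__":
    # Constructed use case: customer transaction data (M) processed by a
    # mission-critical hosted process (H), where the relationship so far has
    # only internal controls and a basic contract in place.
    have = {"Internal governance", "In-house backup copy", "Contractual SLA / terms"}
    for req in sorted(gap_analysis("M", "H", have)):
        print("missing:", req)
```

Swap FRAMEWORK for the enterprise's own cell contents to turn this into the standardized risk filter the paper recommends the Risk Management group define.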
Extending the framework to common cloud services

The range of cloud services is on the rise. It would be especially useful if service categorization could be linked to risk. Two categorizations may be helpful:

Delivery model: the type of service available on a pay-for-use basis.
Infrastructure as a Service (IaaS): Computing power, storage, and networking infrastructure.
Platform as a Service (PaaS): Runtime environment for client-provided compiled application code.
Software as a Service (SaaS): Entire application available on demand.

Deployment model: will other clients share the same service? Namely:
Public cloud: clients are intermingled.
Virtual private cloud: client-specific resources are provided within a public cloud.
Hybrid cloud: on-premise private cloud selectively interacts with publicly available cloud services.

Each combination of delivery model and service-sharing fits a typical risk profile. Figure 6 organizes cloud services based upon risk exposure. For a given use case and its risk level, a generic service structure emerges.

Figure 6: Common CSP services aligned with risk (matrix of data sensitivity against process criticality; each cell names a deployment model (public cloud, hybrid cloud, virtual private cloud) with the delivery models (IaaS, PaaS, SaaS) that fit that risk level)

Based upon Figure 6:

The degree to which services are shared shifts from public services to client-specific and ultimately client-controlled infrastructures as risk increases.
Low-risk use case scenarios focus on speed and agility (that is, public clouds), while higher-risk scenarios focus on privacy and control.
The role of SaaS decreases in high-risk use cases, retaining more of the critical capabilities in house.

Figure 6 is intended to be a guideline. Enterprises that intend to leverage many cloud services would be well served to develop a similar model. In the process, the relative completeness of the risk assessment at each stage in the CSP relationship lifecycle can be clarified.
Conclusion

Cloud services are here to stay. How quickly they should be adopted is a risk management issue. The intensity of the risk assessment varies with the data sensitivity and/or process criticality of the use case being supported with a cloud service. The CSP relationship lifecycle implies a management plan to adopt CSP services. Risk mitigation activities should be scaled to balance business objectives and cloud service benefits. It would be in the best interest of cloud-friendly enterprises to put a framework in place such that project teams and organizational units understand what they must do to capitalize on available cloud services and manage risk at the same time. Ideally, the framework would embed tactics that address the level of trust, control and governance the risk scenario demands.
Offices worldwide

The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc's respective standard conditions of contract. Nothing in this publication forms any part of any contract. British Telecommunications plc 2013. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No:
Buyer s Guide to Secure Cloud Buyer s Guide to Secure Cloud An executive guide to outsourcing IT infrastructure and data storage using Private Cloud as the foundation. Executives derive much confidence
More informationCloud Computing for SCADA
Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry
More informationFive Tactics to Hybrid Cloud Success
March 2016 Five Tactics to Kick Start Your Table of Contents High-Performance IT Environments Drive Revenue and Agility 3 What is Hybrid Cloud? 4 Five Keys for Hybrid Cloud Success: 1. Start with a Business
More informationSecurity Officer s Checklist in a Sourcing Deal
Security Officer s Checklist in a Sourcing Deal Guide Share Europe Ostend, May 9th 2014 Johan Van Mengsel IBM Distinguished IT Specialist IBM Client Abstract Sourcing deals creates opportunities and challenges.
More informationSecuring The Cloud With Confidence. Opinion Piece
Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery
More informationBuying Guide for Cloud Services
BUYING GUIDE Buying Guide for Cloud Services Getting Started Welcome to the CompTIA Buying Guide for Cloud Services. If you are like most executives, buying technology often entails elements of excitement,
More informationDispelling the vapor around Cloud Security
Dispelling the vapor around Cloud Security The final barrier to adopting cloud computing is security of their data and applications in the cloud. The last barrier to cloud adoption This White Paper examines
More informationWritten Testimony. Mark Kneidinger. Director, Federal Network Resilience. Office of Cybersecurity and Communications
Written Testimony of Mark Kneidinger Director, Federal Network Resilience Office of Cybersecurity and Communications U.S. Department of Homeland Security Before the U.S. House of Representatives Committee
More informationCloud Computing and Disaster Recovery
Understanding the Cloud Environment Cloud Environment = Internet-based data access & exchange + Internet-based access to low cost computing & applications Cloud Computing and Disaster Recovery April 2013
More informationThe silver lining: Getting value and mitigating risk in cloud computing
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
More informationCloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation
Cloud Security Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs peterjopling 2011 IBM Corporation Cloud computing impacts the implementation of security in fundamentally new ways
More informationA Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey
A Comparison of IT Governance & Control Frameworks in Cloud Computing Jack D. Becker ITDS Department, UNT & Elana Bailey ITDS Department, UNT MS in IS AMCIS 2014 August, 2014 Savannah, GA Presentation
More informationThe Changing IT Risk Landscape Understanding and managing existing and emerging risks
The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015
More informationRoles within ITIL V3. Contents
Roles within ITIL V3 Roles are employed in order to define responsibilities. In particular, they are used to assign Process Owners to the various ITIL V3 processes, and to illustrate responsibilities for
More informationALIGNING BUSINESS STRATEGY TO CLOUD APPLICATIONS
ALIGNING BUSINESS STRATEGY TO CLOUD APPLICATIONS AGENDA Introductions Business challenges Cloud answers Organization adoption Migration to Cloud Governance, risk and compliance Panel discussion Summary
More informationHybrid Cloud Computing
Dr. Marcel Schlatter, IBM Distinguished Engineer, Delivery Technology & Engineering, GTS 10 November 2010 Hybrid Computing Why is it becoming popular, Patterns, Trends, Impact Hybrid Definition and Scope
More informationSecuring Oracle E-Business Suite in the Cloud
Securing Oracle E-Business Suite in the Cloud November 18, 2015 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation Agenda The
More informationCISM Certified Information Security Manager
CISM Certified Information Security Manager Firebrand Custom Designed Courseware Chapter 4 Information Security Incident Management Exam Relevance Ensure that the CISM candidate Establish an effective
More informationICANWK616A Manage security, privacy and compliance of cloud service deployment
ICANWK616A Manage security, privacy and compliance of cloud service deployment Release 1 ICANWK616A Manage security, privacy and compliance of cloud service deployment Modification History Release Release
More informationwww.pwc.co.uk Cyber security Building confidence in your digital future
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in
More informationAuditing Software as a Service (SaaS): Balancing Security with Performance
Auditing Software as a Service (SaaS): Balancing Security with Performance Goals for Today Defining SaaS (Software as a Service) and its importance Identify your company's process for managing SaaS solutions
More informationShaping the Cloud for the Healthcare Industry
Shaping the Cloud for the Healthcare Industry Louis Caschera Chief Information Officer CareTech Solutions www.caretech.com > 877.700.8324 Information technology (IT) is used by healthcare providers as
More informationTips For Buying Cloud Infrastructure
27 Tips For Buying Cloud Infrastructure A Comprehensive list of questions to ask yourself when reviewing potential cloud providers By Christopher Wilson @chrisleewilson Table of Contents Intro: Evaluating
More informationTHOUGHT LEADERSHIP. Journey to Cloud 9. Navigating a path to secure cloud computing. Alastair Broom Solutions Director, Integralis
Journey to Cloud 9 Navigating a path to secure cloud computing Alastair Broom Solutions Director, Integralis March 2012 Navigating a path to secure cloud computing 2 Living on Cloud 9 Cloud computing represents
More informationITIL Event Management in the Cloud
ITIL Event Management in the Cloud An AWS Cloud Adoption Framework Addendum July 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational
More informationEAaaS Cloud Security Best Practices
EAaaS Cloud Security Best Practices A Technical White Paper by Sennovate Inc Jan 2013 EAaaS Cloud Security Best Practices Page 1 Introduction: Cloud security is an ever evolving subject that is difficult
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationITIL Essentials Study Guide
ITIL Essentials Study Guide Introduction Service Support Functions: Service Desk Incident Management Problem Management Change Management Configuration Management Release Management Service Delivery Functions:
More informationVALUE PROPOSITION FOR SERVICE PROVIDERS. Helping Service Providers accelerate adoption of the cloud
VALUE PROPOSITION FOR SERVICE PROVIDERS Helping Service Providers accelerate adoption of the cloud Partnership with Service Providers Enabling Your Cloud Services in Complex Environments Today s challenge
More informationITIL Asset and Configuration Management in the Cloud. January 2016
ITIL Asset and Configuration Management in the Cloud January 2016 2016, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only.
More informationLCS Quick Start Service
BT s Quick Start service is a set of engagements that will enable you to deploy Microsoft Office Live Communications Server 2005 (LCS) into your network, providing an enterprise-grade, real-time communication
More informationITIL AS A FRAMEWORK FOR MANAGEMENT OF CLOUD SERVICES
ITIL AS A FRAMEWORK FOR MANAGEMENT OF CLOUD SERVICES Soňa Karkošková 1, George Feuerlicht 2 1 Faculty of Information Technology, University of Economics, Prague, W. Churchill Sqr. 4, 130 67 Prague 3, Czech
More informationCloud Computing Safe Harbor or Wild West?
IT Best Practices Series Cloud Computing Safe Harbor or Wild West? With IT expenditures coming under increasing scrutiny, the cloud is being sold as an oasis of practical solutions. It s true that many
More informationGETTING THE MOST FROM THE CLOUD. A White Paper presented by
GETTING THE MOST FROM THE CLOUD A White Paper presented by Why Move to the Cloud? CLOUD COMPUTING the latest evolution of IT services delivery is a scenario under which common business applications are
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationLeveraging the Private Cloud for Competitive Advantage
Leveraging the Private Cloud for Competitive Advantage Introduction While it is universally accepted that organisations will leverage cloud solutions to service their IT needs, there is a lack of clarity
More information6 Cloud strategy formation. 6.1 Towards cloud solutions
6 Cloud strategy formation 6.1 Towards cloud solutions Based on the comprehensive set of information, collected and analysed during the strategic analysis process, the next step in cloud strategy formation
More informationBT Unified Trading communication. The Future Delivered
BT Unified Trading communication The Future Delivered BT Unified Trading With BT Unified Trading, BT has set the benchmark for the next decade by bringing to market a powerful, cost-effective, software-based
More informationITIL Asset and Configuration. Management in the Cloud
ITIL Asset and Configuration Management in the Cloud An AWS Cloud Adoption Framework Addendum September 2015 A Joint Whitepaper with Minjar Cloud Solutions 2015, Amazon Web Services, Inc. or its affiliates.
More information