Cloud Security Benchmark: Top 10 Cloud Service Providers
Appendices A to E
CloudeAssurance, January 5, 2015
Table of Contents

Copyright and Disclaimer
Appendix A: Introduction
Appendix B: Methodology & Scoring Guidelines
Appendix C: Cloud Security Benchmark
Appendix D: Glossary
Appendix E: References
Contact
Copyright and Disclaimer

© 2015 CloudeAssurance. All rights reserved. You may download this study, store or display it on your computer, view, print, and also point to the CloudeAssurance website. However, (a) this document may ONLY be used solely for personal, informational, and non-commercial use; (b) the document may not be altered or changed in any way from its published form; (c) the document may not be redistributed without the expressed written permission of CloudeAssurance; and (d) the trademark, copyright or any other relevant notices may not be removed at any time. Please see section (b) above. As permitted by the Fair Use provisions of the United States Copyright Act, you may quote segments of the document, but only if due diligence is adhered to by attributing appropriate citations and attributions to CloudeAssurance Cloud Security Benchmark: Top 10 Cloud Service Providers (Q4, 2014).

NO WARRANTY. CloudeAssurance makes this document available AS-IS, and makes no warranty as to its accuracy or use. The information contained in this document may include inaccuracies or typographical errors, and may not reflect the most current developments, and CloudeAssurance does not represent, warrant or guarantee that it is complete, accurate, or up-to-date, nor does CloudeAssurance offer any certification or guarantee with respect to any opinions expressed herein or any references provided. Changing circumstances may change the accuracy of the content herein. Opinions presented in this document reflect judgment at the time of publication and are subject to change. Any use of the information contained in this document is at the risk of the user. CloudeAssurance assumes no responsibility for errors, omissions, or damages resulting from the use of or reliance on the information herein. CloudeAssurance reserves the right to make changes at any time without prior notice.
Appendix A: Introduction

This document contains a glossary of definitions that provides insight into the key terms and concepts used within the CloudeAssurance independent study entitled Cloud Security Benchmark: Top 10 Cloud Service Providers, as well as a detailed look at the scoring methodology used for the study. It aims to give the reader a clear and concise understanding of the acronyms, expressions, and language used throughout the study, and a comprehensive understanding of the scoring and assessment methodology applied.

Cloud computing is a growing industry that was projected to reach $148.8 billion globally by the end of 2014 (source: Gartner, Q4 2012). The technology has introduced the world to near-limitless resources, unrivaled scalability, and large cost savings in information technology infrastructure and capital expenses for an enterprise. With cloud adoption rates climbing internationally, there can be little doubt that the cloud represents one of the most innovative and efficient service models yet developed. Streamlined processes and broad accessibility explain the growing focus on this business model, and why a seemingly endless number of cloud service providers (CSPs) continue to emerge, offering everything from simple storage space and processing power to platform and application development and release capabilities. The cloud is transforming how business is done. Yet while it offers numerous advantages for both the public and private sectors, it also brings the responsibility of adequately securing the massive amounts of data processed, stored and provisioned within it every day.

Information security and assurance are mission critical to organizations and cloud customers, because issues surrounding the exchange of information and the handling of data affect every enterprise as it attempts to provide services and achieve its business goals. The cloud provides a powerful and efficient way to advance those goals, but it also opens the door to increased security threats, risks and exposure. Most importantly, because it is a new service model, there is a general lack of experience in securing data within the cloud environment. The efortresses Security Breaches Matrix indicates that cloud-related security breaches are on the rise and have become an unsettling reality. Major incidents such as the recent Apple iCloud, Code Spaces and eBay hacks reveal a clear shift in attacks towards companies providing cloud services and operating within the cloud environment. Additional breaches such as the Target Corporation hack reveal an increasing trend in attacks not only on organizations but on their supply chains as well. With the rising prevalence of CSPs and their cloud service offerings, and the unique threat landscape the cloud presents, it is critical that the risks associated with storing and processing data in the cloud be adequately managed by the CSPs entrusted with that data.

The CloudeAssurance platform and the AlertApp! mobile application were created to bridge the critical security gaps that exist within the cloud industry and to provide the guidance and resources needed to identify, remediate and validate the security of the cloud. The platform enables cloud assurance, vendor assurance and consumer assurance alike: it is a standards-based, all-encompassing solution capable of addressing not just cloud security concerns but any information security standard or framework, including updated standards such as PCI DSS 3.0, ISO/IEC 27001:2013 and the NIST Cybersecurity Framework 1.0.
Appendix B: Methodology & Scoring Guidelines

Company profiles, referred to as Assessment Profiles, were created within CloudeAssurance using publicly available information about each cloud service provider (CSP) included in the study. Each CSP voluntarily submitted self-assessment documents to the Cloud Security Alliance (CSA) STAR Registry to show the transparency of its cloud security posture and control maturity; this information served as the primary source material for a given security assessment. The CSA GRC Stack, the standard used for these self-assessments, was imported into the CloudeAssurance platform and used in the scoring process to provide an apples-to-apples comparison. Note that while the entries listed within the CSA STAR Registry form the study sample, not all entries are used, as not all entries include self-assessment information for the CSP.

Within an assessment, a CSP's responses to questions within each of the eleven domains of this framework were analyzed and given a YES, NO, Partial, or N/A answer. We also assigned an accompanying maturity level to each response using the CMMI model of maturity, a proven maturity model used by many industries to measure process maturity on a scale of 1 to 5.

It is important to understand that while some CSPs provided detailed and thorough self-assessment information, others were overly vague or provided only YES or NO answers, with no control evidence or descriptions to accompany such responses. As a result, researchers needed a uniform scoring system to reflect the differences in how CSPs approached their self-assessment documents. Since the purpose of this study is to provide an objective, systematic and fair representation of each CSP's cloud security, assessors agreed that criteria needed to be established that could be applied to all assessments across the board.
The result was a simple yet effective set of guidelines. If a CSP has achieved ISO certification, any YES response is assigned a maturity level of 3, denoting a Defined process on the CMMI scale. If the CSP does not hold ISO certification, any YES response is assigned a score of 2 instead, regardless of the level of detail provided with the response. Partial responses are universally scored 2, and all NO responses are assigned a score of 1 on the CMMI maturity scale to denote a process or control in an Initial maturity state.

N/A responses are handled as follows. If a control comprises multiple questions or control areas, for instance three questions requiring three separate answers, and the provider has given two YES responses and one N/A, then the overall response is marked as YES with either a 3 or a 2 score according to the criteria above. Essentially, N/A responses are subtracted from the other responses when determining a maturity score for that control, and the remainder determines the final score. Note, however, that an abundance of N/A responses does negatively impact a CSP's rating score; this serves as a check that prevents CSPs from excluding a large number of relevant controls to artificially boost their score.

Table 1.1 below summarizes the scoring criteria used by assessors across all CAIQ responses for any given CSP. A CSP's provisional score is capped at a maximum of 600 unless an independent CAAP validation assessment is performed by an assessor qualified through the HISPI CAAP (Cloud Assurance Assessor Program), which confirms the effective implementation and maturity of controls. Without an independent on-site CAAP Validation Assessment, the exact levels of compliance and maturity cannot be validated, which is why capping each CSP's controls at the Defined maturity level (CMMI level 3, the expected maturity level for a CSP with ISO certification) is appropriate for this study. When a CSP does undertake CAAP Validation, however, the validated score can rise above 600 and can be included in the Top 10 CSP study with the CSP's permission.

Table 1.1: Scoring Guidelines

CAIQ Response    Score                                  Maturity Level
Yes              3 with ISO certification, 2 without    Managed / Defined
No               1                                      Initial
Partial          2                                      Managed
N/A              None                                   N/A
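As an added illustration of the scoring rules above (example code written for this page, not part of the CloudeAssurance platform), the following Python applies Table 1.1 and the N/A-subtraction rule to one CSP's CAIQ answers at the control level. The control names and answers are constructed. Two points are assumptions, because the guidelines do not state them: a control whose remaining answers mix Yes and No, or contain a Partial, is treated as Partial; and the share of N/A answers is reported rather than turned into a numeric penalty. The platform's proprietary aggregation into a 600-point provisional score is not reproduced.

```python
"""Control-level maturity scoring per the CloudeAssurance guidelines (Table 1.1).

Added example: not the platform's own code.  The platform's aggregation into
a 600-point provisional score is proprietary and is not reproduced here.
"""
from typing import Dict, List, Optional, Tuple

# The four CAIQ responses the guidelines recognise.
YES, NO, PARTIAL, NA = "YES", "NO", "PARTIAL", "N/A"

# CMMI level names for the scores the guidelines assign.
CMMI_LEVEL = {1: "Initial", 2: "Managed", 3: "Defined"}


def normalise(answer: str) -> str:
    """Map a free-form spreadsheet cell ('yes', 'Y', 'n/a', 'partial') onto
    one of the four recognised responses; anything else is rejected rather
    than silently scored."""
    a = answer.strip().upper()
    if a in ("YES", "Y"):
        return YES
    if a in ("NO", "N"):
        return NO
    if a in ("PARTIAL", "P"):
        return PARTIAL
    if a in ("N/A", "NA", "NOT APPLICABLE"):
        return NA
    raise ValueError(f"unrecognised CAIQ response: {answer!r}")


def score_control(answers: List[str], iso_certified: bool) -> Tuple[str, Optional[int]]:
    """Return (overall response, CMMI score) for one control that may span
    several CAIQ questions.

    Rules from the guidelines: N/A answers are subtracted first and the
    remainder decides the result; YES scores 3 (Defined) with ISO
    certification and 2 (Managed) without; Partial scores 2; NO scores 1
    (Initial); a control answered only N/A receives no score.
    ASSUMPTION (the guidelines do not cover this case): a remainder that
    mixes YES and NO, or contains a Partial, is treated as Partial.
    """
    remaining = [a for a in (normalise(x) for x in answers) if a != NA]
    if not remaining:
        return NA, None
    if all(a == YES for a in remaining):
        return YES, 3 if iso_certified else 2
    if all(a == NO for a in remaining):
        return NO, 1
    return PARTIAL, 2


def summarise_csp(controls: Dict[str, List[str]], iso_certified: bool) -> dict:
    """Score every control for one CSP and report what an assessor looks at:
    the per-control result, the mean maturity over scored controls, and the
    share of questions answered N/A.  The guidelines say a large N/A share
    weighs against the CSP but give no weighting, so it is reported here and
    not converted into a penalty (assumption)."""
    per_control = {cid: score_control(ans, iso_certified) for cid, ans in controls.items()}
    scored = [s for _, s in per_control.values() if s is not None]
    all_answers = [normalise(a) for ans in controls.values() for a in ans]
    na_share = sum(a == NA for a in all_answers) / len(all_answers) if all_answers else 0.0
    return {
        "controls": per_control,
        "mean_maturity": round(sum(scored) / len(scored), 2) if scored else None,
        "na_share": round(na_share, 2),
    }


# Constructed sample: four hypothetical controls, not a real CSP's STAR entry.
SAMPLE_CAIQ = {
    "Control A": ["Yes", "Yes", "N/A"],   # two YES plus one N/A -> overall YES
    "Control B": ["Partial"],
    "Control C": ["No"],
    "Control D": ["N/A", "N/A"],          # nothing left after N/A subtraction
}

if __name__ == "__main__":
    for iso in (True, False):
        result = summarise_csp(SAMPLE_CAIQ, iso)
        print(f"ISO certified: {iso}")
        for cid, (resp, score) in result["controls"].items():
            level = CMMI_LEVEL[score] if score is not None else "N/A"
            print(f"  {cid}: {resp:<7} score={score} ({level})")
        print(f"  mean maturity={result['mean_maturity']}  N/A share={result['na_share']}")
```

Running the sample with and without ISO certification shows the one difference the guidelines make: Control A moves from Defined (3) to Managed (2), while Partial and NO answers score the same either way, and Control D drops out of the mean entirely but still raises the N/A share an assessor would question.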
Appendix C: Cloud Security Benchmark

The study was initially performed over a period of three months in the final quarter of 2012, and has been carried out and updated quarterly since that time. This update and release covers Q4 2014, and involved the analysis and evaluation of 87 CSPs using their publicly available self-assessment documents from the CSA STAR Registry. It also used publicly available information relating to each CSP's ISO certification scope. The independent assessment approach ensures impartiality and objectivity throughout the study.

Each CSP's self-assessment information was gathered and entered into the CloudeAssurance platform. Revisions and alterations to the CAIQ response documents create the need to check regularly for information updates, as any changes or re-submittals can drastically alter the assessment scores. For example, while Firehost did not initially make the Top 10 list in Q4 2012, they achieved ISO certification in early Q and demonstrated continuous improvement in the process, resulting in the CSP making the Top 10 list in Q. Dates when assessments were last updated are documented within CloudeAssurance and kept current to establish consistency. The scoring guidelines are applied universally to all assessments and regularly checked for both completeness and accuracy. As a result of these measures, the provisional scores for these CSPs reflect the objectivity and neutrality with which CloudeAssurance carries out all assessments.

The goals of this benchmarking effort are to identify and create a Top 10 list of CSPs, to observe the general cloud security posture of numerous CSPs, to identify control weaknesses, and to establish a sense of the focus and overall emphasis that CSPs place on information security concerns and the maturity of their cloud services. The inclusion of additional CSPs is expected each quarter, and will provide further insight into the cloud security posture of CSPs, enhancing the benchmark data available to cloud customers.
Appendix D: Glossary

AlertApp!
Powered by CloudeAssurance and the Top 10 Cloud Service Providers independent study, AlertApp! is a mobile application that allows cloud consumers to monitor the safety and security of their data in the cloud. Users can track in real time the cloud security ratings, security breaches, lawsuits and major outages affecting the cloud services they use, and act accordingly.

Assessment
The systematic process of analyzing a cloud service provider's (CSP) overall cloud security posture using its own submitted self-assessments performed against the Cloud Security Alliance CAIQ and Cloud Controls Matrix. The assessment data, which is publicly available information, is analyzed, assessed and entered into the CloudeAssurance platform for centralized and automated scoring, tracking, trending and benchmark reporting.

Assessor
The individual performing the assessment of a CSP's cloud security environment using the CSP's self-assessment information analyzed within the CloudeAssurance platform.

Capability Maturity Model Integration (CMMI)
A widely used and proven model of process maturity developed at Carnegie Mellon University that identifies the maturity level of various processes and controls on a scale of 1 to 5:
1. Initial: processes unpredictable, poorly controlled and REACTIVE.
2. Managed: processes characterized for PROJECTS and often MANAGEABLE.
3. Defined: processes characterized for the ORGANIZATION and PROACTIVE.
4. Quantitatively Managed: processes QUANTITATIVELY measured and controlled.
5. Optimizing: focus on CONTINUOUS PROCESS improvement.

Cloud Controls Matrix (CCM)
The Cloud Controls Matrix v1.1, v3.0 and v3.0.1 are the cloud security frameworks developed by the Cloud Security Alliance (CSA) that are leveraged for the study.

Cloud Service Provider (CSP)
A company offering cloud services whose cloud service is the focus of this study.

CloudeAssurance Platform
The industry's first risk-intelligent rating and continuous monitoring system providing assurance regarding a cloud service provider's cloud security, governance, risk and compliance, using a 10-year proven algorithm developed by efortresses, Inc. Customers and end users can see which cloud providers have the best cloud assurance score and history, validated criteria that provide a dependable measure of cloud trust. The platform enables the safe and secure adoption of cloud computing, and includes gap identification, reporting and automated assessment capabilities.

CloudeAssurance Rating Score
The CloudeAssurance Rating Score is based on an integrated controls framework consisting of the CSA CAIQ, CSA CCM, the HISPI Top 20 Security Breaches Mitigating Controls and CMMI. The framework used for this rating system also includes ISO 27001, COBIT, PCI DSS, HIPAA, NIST SP and FedRAMP. The score represents a CSP's overall security assessment and control adequacy, similar to a credit-worthiness score, and is calculated within the CloudeAssurance platform using a 10-year, field-proven scoring algorithm. This proprietary algorithm combines compliance and process maturity to gauge the true security of a cloud service provider, and represents the overall security posture of the CSP's cloud environment.

Consensus Assessments Initiative Questionnaire (CAIQ)
An extensive questionnaire developed by the Cloud Security Alliance that documents, and makes transparent, the security controls that exist across an organization's cloud infrastructure and service model (IaaS, PaaS, SaaS). The CAIQ directly complements the CSA's CCM and is the primary source of information used in the assessment process for this study. A CSP's response to the questionnaire is voluntarily submitted and is publicly available in the CSA STAR Registry.

HISPI
The Holistic Information Security Practitioner Institute (HISPI) is an independent certification organization that consists of numerous industry experts, including Chief Information Security Officers (CISOs), Information Security Officers (ISOs), Directors of Information Security, Security Analysts and Security Engineers, among other industry professionals. HISPI bridges the alignment gaps between technology and business goals with a holistic approach to information security, and is the oversight body of the Cloud Assurance Assessor Program (CAAP). The HISPI CAAP provides assurance of the qualifications of those purporting to have the necessary skills as independent Cloud Assessors.

HISPI Top 20 Mitigating Controls
The top 20 critical or mitigating security controls deemed necessary for an organization to prevent information security breaches. Developed by HISPI, these controls are derived from real-world security breach information and research (the efortresses security breach matrices) and cover people, processes and technology. They are updated annually within the platform and factor heavily into the CloudeAssurance rating and scoring algorithm, allowing CloudeAssurance to stay current and adaptive to the cloud's evolving threat landscape.
Appendix E: References

CloudeAssurance Platform
CMMI
COBIT
CSA STAR Registry
efortresses Security Breaches Matrix (Breaches-Matrix.htm)
FedRAMP
Gartner Cloud Computing Services
HIPAA
HISPI Top 20 Security Breaches Mitigating Controls
HISPI Qualified CAAP Assessor
ISO/IEC 27001:
ISO/IEC 27001:
PCI-DSS
NIST Cybersecurity Framework

Contact

Please send all feedback, inquiries and requests to
More informationRegulatory Compliance Management for Energy and Utilities
Regulatory Compliance Management for Energy and Utilities The Energy and Utility (E&U) sector is transforming as enterprises are looking for ways to replace aging infrastructure and create clean, sustainable
More informationWrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors
1 Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors Scott Woodison Executive Director, Compliance and Enterprise Risk Office of Internal Audit and Compliance
More informationOptimizing Network Vulnerability
SOLUTION BRIEF Adding Real-World Exposure Awareness to Vulnerability and Risk Management Optimizing Network Vulnerability Management Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965
More informationHow To Buy Nitro Security
McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security
More informationLeveraging Network and Vulnerability metrics Using RedSeal
SOLUTION BRIEF Transforming IT Security Management Via Outcome-Oriented Metrics Leveraging Network and Vulnerability metrics Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationAHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS
AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationwww.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14
www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the
More informationSecure360. Measuring the Maturity of your Information Security Program Impossible? Presented by: Mark Carney, VP of Strategic Services
Secure360 Measuring the Maturity of your Information Security Program Impossible? Presented by: Mark Carney, VP of Strategic Services Question about Life HOW DO YOU KNOW IF YOU ARE GETTING THE MOST OUT
More informationImproving Network Security Change Management Using RedSeal
SOLUTION BRIEF Mapping the Impact of Change on Today s Network Security Infrastructure Improving Network Security Change Management Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom
More informationGlobal Efforts to Secure Cloud Computing
April 2012 Global Efforts to Secure Cloud Computing Jim Reavis Executive Director Cloud: ushering in IT Spring Technology consumerization and its offspring Cloud: Compute as a utility Smart Mobility: Compute
More informationStrategies for assessing cloud security
IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary
More informationIT Insights. Managing Third Party Technology Risk
IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationWhat Is A Security Program? How Do I Build A Successful Program?
What Is A Security Program? How Do I Build A Successful Program? White Paper A Security Program is like building a house, the standards provide you with a list of parts needed to build the house and a
More informationImprove Information Governance Through Clarity and Collaboration
SAP Brief SAP s for Information Management SAP Information Steward and SAP PowerDesigner Objectives Improve Information Governance Through Clarity and Collaboration Collaborative approach to 360-degree
More informationCyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
More informationBIOS Steven Penn, Senior Director CSF Development And Educa9on Programs Bryan Cline, PhD Senior Advisor
1 CSF Roadmap 2015 BIOS Steven Penn, Senior Director CSF Development And Educa9on Programs Steve Penn is an experienced security professional with 15+ years of informa;on security experience. He currently
More informationMeasure Your Data and Achieve Information Governance Excellence
SAP Brief SAP s for Enterprise Information Management SAP Information Steward Objectives Measure Your Data and Achieve Information Governance Excellence A single solution for managing enterprise data quality
More informationCloud Computing in a GxP Environment: The Promise, the Reality and the Path to Clarity
Reprinted from PHARMACEUTICAL ENGINEERING THE OFFICIAL TECHNICAL MAGAZINE OF ISPE JANUARY/FEBRUARY 2014, VOL 34, NO 1 Copyright ISPE 2014 www.pharmaceuticalengineering.org information systems in a GxP
More informationDeploying Cloud Security Standards The MTCS Experience
Deploying Cloud Security Standards The MTCS Experience Presented to ASEAN CSA Summit 2015 Tao Yao Sing Assistant Director, National Cloud Computing Office 12 June 2015 Background Cloud security is always
More informationHow To Protect Your Cloud From Attack
SESSION ID: CDS-R03 Security Lessons Learned: Enterprise Adoption of Cloud Computing Jim Reavis Chief Executive Officer Cloud Security Alliance @cloudsa Agenda What we are going to cover The current &
More informationTime Is Not On Our Side!
An audit sets the baseline. Restricting The next steps Authenticating help prevent, Tracking detect, and User Access? respond. It is rare for a few days to pass without news of a security breach affecting
More informationMU Security & Privacy Risk Assessments: What It Is & How to Approach It
MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Advisor, Health Information Trust Alliance 2011-2014 HITRUST LLC, Frisco,
More informationCybersecurity Strategic Consulting
Home Overview Challenges Global Resource Growth Impacting Industries Why Capgemini Capgemini & Sogeti Cybersecurity Strategic Consulting Enabling business ambitions, resilience and cost efficiency with
More informationAchieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations
Achieving Control: The Four Critical Success Factors of Change Management Technology Concepts & Business Considerations T e c h n i c a l W H I T E P A P E R Table of Contents Executive Summary...........................................................
More informationSCALABLE SYSTEMS LIFE SCIENCE & HEALTHCARE PRACTICES
SCALABLE SYSTEMS LIFE SCIENCE & HEALTHCARE PRACTICES Improve Your DNA Data, Numbers & Analytics IntelliPayer Scalable Systems IntelliPayer solution is a next generation healthcare payer solution framework
More informationCybersecurity@RTD Program Overview and 2015 Outlook
Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration
More information2014 HIMSS Analytics Cloud Survey
2014 HIMSS Analytics Cloud Survey June 2014 2 Introduction Cloud services have been touted as a viable approach to reduce operating expenses for healthcare organizations. Yet, engage in any conversation
More informationVulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War
Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent
More informationSelecting a Cloud Service Provider (CSP)
Selecting a Cloud Service Provider (CSP) Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials Principal, ncontrol, LLC Adjunct Professor President, Cloud Security
More informationCA Business Service Insight
DATA SHEET CA Business Service Insight With CA Business Service Insight, you can know what services are being used within your business, improve service performance while helping to reduce operating costs,
More informationPCI DSS READINESS AND RESPONSE
PCI DSS READINESS AND RESPONSE EMC Consulting Services offers a lifecycle approach to holistic, proactive PCI program management ESSENTIALS Partner with EMC Consulting for your PCI program management and
More informationPASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013
2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
More informationPatient Relationship Management
Solution in Detail Healthcare Executive Summary Contact Us Patient Relationship Management 2013 2014 SAP AG or an SAP affiliate company. Attract and Delight the Empowered Patient Engaged Consumers Information
More informationThe Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: ESG data indicates that many enterprise organizations
More informationBRIDGE. the gaps between IT, cloud service providers, and the business. IT service management for the cloud. Business white paper
BRIDGE the gaps between IT, cloud service providers, and the business. IT service management for the cloud Business white paper Executive summary Today, with more and more cloud services materializing,
More informationDATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1
DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1 Continuously Assess, Monitor, & Secure Your Information Supply Chain and Data Center Data Sheet: Security Management Is your organization able
More informationUP L13: Leveraging the full protection of SEP 12.1.x
UP L13: Leveraging the full protection of SEP 12.1.x Martial RICHARD Principal Field Enablement Manager Endpoint Security UP L13 1 Threat landscape (ISTR Vol.18 April 2013) http://www.symantec.com/threatreport/
More informationWHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath
WHITE PAPER Leveraging GRC for PCI DSS Compliance By: Chris Goodwin, Co-founder and CTO, LockPath The Payment Card Industry Data Security Standard ( PCI DSS ) is set forth by a consortium of payment card
More informationImplementing the U.S. Cybersecurity Framework at Intel A Case Study
SESSION ID: STR-W01 Implementing the U.S. Cybersecurity Framework at Intel A Case Study Tim Casey Senior Strategic Risk Analyst Intel Information Security @timcaseycyber How would you represent your entire
More informationPCI DSS Top 10 Reports March 2011
PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,
More informationCyber Security Risks for Banking Institutions.
Cyber Security Risks for Banking Institutions. September 8, 2014 1 Administrative CPE regulations require that online participants take part in online questions Must respond to a minimum of four questions
More informationReport on Hong Kong SME Cloud Adoption and Security Readiness Survey
Report on Hong Kong SME Cloud Adoption and Security Readiness Survey Collaborated by Internet Society Hong Kong and Cloud Security Alliance (HK & Macau Chapter) Sponsored by Microsoft Hong Kong Jointly
More informationIncident Management & Forensics Working Group. Charter
Incident Management & Forensics Working Group Charter February 2013 2013 Cloud Security Alliance All Rights Reserved All rights reserved. You may download, store, display on your computer, view, print,
More information{Moving to the cloud}
{Moving to the cloud} plantemoran.com doesn t mean outsourcing your security controls. Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization. You don t have
More information