Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Transcription

1 Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society of Corporate Compliance & Ethics 2015 Compliance & Ethics Institute Top 10 Tips 1. Suit up & Get in the Game 2. It Takes a Village Make Friends 3. Know the Nomenclature 4. Understand the Data Document & Know How It Flows 5. There is No Such Thing as a Free Lunch Does Risk Go up as Price / Cost Goes Down? Program Cost 2 Top 10 Tips 6. Leverage Your 3 rd Party / Vendor Risk Management Program 7. Have a Contract Your Contract 8. Have a Tool Kit Use the Tools 9. Try to Get to Yes. Sometimes You Just Have to Say No! 10. It s Never Over! 3 1

2 Top 10 Tips But Wait There s More! 11. International / Cross Border Adds another Twist 4 What s this have to do with me as a Compliance Officer? This isn t just a Privacy issue But it s that too HIPAA, PCI, GLBA, Mass 201 CMR 17:00, Personally Identifiable Information (PII) and other data that crosses borders e.g. HR 5 What s this have to do with me as a Compliance Officer? Your data in the cloud might be: Regulated ITAR, Export Controls, Federal Government Contractor, Medical Records, Important / critical to your business Customer Lists, Confidential Materials, M&A, Financial Forecasts, Engineering Notebooks, 6 2

3 What s this have to do with me as a Compliance Officer? Subject to other restrictions Contractual & other commitments Part of my Corporate Records Management Program Records Retention & Timely Destruction Wanted in Discovery Other? 7 What s this have to do with me as a Compliance Officer? If you are going to have an effective compliance program, you have to make sure that Cloud computing is considered in the program You know something about cloud computing You know who s doing it in your company You know where it s done In your company In the Cloud 8 You can t do this alone Business Unit Procurement Compliance Privacy InfoSec Internal Audit It Takes a Village IT Contracts Physical Security Legal HR Others? Each Cloud Service Provider might require a different mix of functions & skills 9 3

4 What is Cloud Computing? Your data is on someone else s computer / server In general, it s just another 3 rd Party / Vendor Risk Management problem 10 Useful Documents NIST Cloud Computing FFIEC Cloud Computing Guidance _ _external_cloud_computing_ _public_statement.pdf 11 A Useful Book Cloud Computing: Concepts, Technology & Architecture by: Thomas Erl, Zaigham Mahood, and Ricardo Puttini Prentice Hall This book is pretty clear. It is written at a low college level and covers the basic concepts and concerns in cloud computing. It is a good handbook for non wicked technical compliance professionals to allow them to understand cloud computing and effectively communicate about it with a broad audience from IT staff, to business unit leaders, to contract lawyers. Here's the link to Amazon Computing Concepts Technology Architecture/dp/ /ref=sr_1_1?ie=UTF8&qid= &sr= 8 1&keywords=Cloud+Computing%3A+Concepts%2C+Technology+%26+Arc hitecture 12 4

5 What is Cloud Computing? NIST Special Publication Deployment Models Private Cloud Community Cloud Public Cloud Hybrid Cloud 13 What is Cloud Computing? NIST Special Publication (Continued) Essential Characteristics On demand self service Broad network access Resource pooling Rapid elasticity Measured service 14 What is Cloud Computing? NIST Special Publication (Continued) Service Models Software as a Service SaaS Platform as a Service PaaS Infrastructure as a Service IaaS 15 5

6 Cloud Computing Providers Let s name a few Dropbox Salesforce.com AWS Google icloud How many do you think that your workforce / company is using? 16 Understand the Data Document It & Know How It Flows If you don t know what you have, you don t know what to get from your cloud service provider Assessment Contract Audits International Legal holds 17 Identify the Data that the Cloud Service Provider will have, and what they will do with it Start with the Business Unit Detailed description Part of the Procurement Process Why this cloud provider, at this time, and not another? Part of the 3 rd Party / Vendor Risk Management Process Have the RFP include your requirements for compliant use 18 6

7 Data Flows Document where the data comes from, how it gets to the cloud provider, what the provider will do with in, other places it might go from the cloud provider (4 th Party), what the 4 th Party will do with it, Data Flow Tools Automated? Other 19 Off shore Risks Which law / regulation applies Workforce limitations Background checks, Privacy Rights, ediscovery Cross border transfer restrictions 20 International / Cross Border U.S to other Countries From European Union Watch this Space! Adequate Countries Model Contracts Binding Corporate Rules Safe Harbor U.S. only General Data Protection Regulation ( GDPR ) Discovery, Investigations, Sensitive Data From Other Countries Case by Case 21 7

8 Why Businesses Use Cloud Computing Low cost Fast set up / deployment Comes with the desired product Can t get internal IT to do it No CAPEX All the cool kids are doing it 22 Risk You increase your risk when you send your data outside of your company No matter where the data goes, it s still your risk 23 Risk Analogy Buying a Car Low to high risk 1. A new car from a reliable brand and a reputable brand dealer High price, high quality 2. A certified used car from a reliable brand and a reputable brand dealer Slightly lower price, high quality 3. A late model used car from a reputable brand and an independent dealer Lower price, so so quality 4. An older model used car from a less than reputable brand from a corner car lot Wicked low price, wicked low quality 24 8

9 Keys to Success A good 3 rd Party / Vendor Risk Management Program If you let someone rush this process, you will increase your risk Sources Shared Assessments: OCC: html FED: 9a1.pdf Cloud Security Alliance: Others? 25 Requirements What is the cloud service provider doing with my Information & Data? Confidentiality Integrity Availability Do they have appropriate / adequate Controls & Processes? Organizational & Administrative Physical Technical 26 Key Risk & Compliance Inflection Points 1. Pre Request for Proposal (RFP) 2. RFP 3. Pre acquisition Assessment 4. Initial Contract 5. Auditing / Monitoring / Periodic Assessment 6. Changes Laws / Regulations / Guidance / Standards Nature of their business Scope of your business 27 9

10 RFP Identify a sample of their customers HIPAA Covered Financial Services PCI DSS Federal Government Mass. 201 CMR 17:00 International These customers all have contractual and data protection requirements that you can use in your negotiations and contract Get and follow up on customer recommendations 28 Assessments & Remediation Have an Assessment Tool & Use It Shared Assessments SIG HC3 HIPAA Cloud Assessment Cloud Security Alliance Develop your own Massachusetts 201 CMR 17:00 HIPAA Security Rule PCI DSS 3 rd Party Others? 29 Assessments & Remediation Risk Rate Cloud Service Provider Driven by Detailed Description and Data Flows Tailor Assessment Accordingly Involve Business Unit, but Keep Separate Know Your Must Haves In Contract, Provide for Periodic Reassessment Remediation / Termination 30 10

11 Cloud Services Contract Have one Consult your lawyer! OCC & FED Guidance HIPAA: coveredentities/contractprov.html You don t know what to get from your cloud service provider if you don t know what you have Data Flows! Get everything that you need in the first round it s hard to impossible to get more after you sign your first contract 31 Key Components Nature & Scope of Services Cost Performance Measurements / Benchmarks / SLAs Assessment, Monitoring, and Audit Rights Remediation of Adverse Findings Compliance with Applicable Laws, Regulations, Standards, 32 Key Components Ownership & Licensing Business Resumption & Contingency Plans Limits on Liability / Indemnification Dispute Resolution Default & Termination Customer Complaints 33 11

12 Key Components Subcontracting Foreign Based Third Parties Breaches Encryption Confidentiality, Privacy, Data Protection, & Security Integrity of Data 34 Key Components Access, Disclosure, & Uses of Data Obtaining and Maintaining Certifications Background Checks OFAC, OIG, Sanctions Compliance Changes in Laws, Regulations, Standards, Scope, Certifications 35 Considerations Conforms with applicable laws, regulations, guidance, and standards Meets my commitments to my customers, employees, and others Do you have a CAP (Corrective Action Program) or other obligation? Make sure that your cloud service provider can meet these obligations 36 12

13 Considerations Something bad happens to my data Confidentiality Notice Availability Service Level Agreements Integrity 37 Considerations Something bad happens to the cloud provider Business resilience Disaster Recovery / Business Continuity Who owns the data? Make sure it s you How do I get to the data and use it? Software escrow Data escrow 38 Considerations You want to change providers How do you get your data back / transfer it? In what format? How long does it take? How much does it cost? How will the provider assist you? What about data they can t return / destroy / is embedded in back ups, / is still on the spinning disk,? 39 13

14 Encryption A good business practice Required Massachusetts 201 CMR 17:00 HIPAA Kind of required A safe harbor HIPAA Various states 40 Breaches HIPAA Financial Institutions Various States Off shore varies Contractual obligation 41 Specific Certifications SOC 2 ISO PCI DSS Certifications Shared Assessments AUP Safe Harbor Others? Good because they went to the time, trouble, & cost to get them 42 14

15 Certifications Limited But still good Might not cover all the processes and controls Cover a period or point in time that has already passed Keep current and in force 43 Notice of Changes in Service Scope Geography Mergers Regulatory Action Policies, Controls, & Processes 44 Reassessing, Auditing, & Monitoring This is not an exact science Get these rights in your contract Your contract and assessment drive the key items Your risk rating drives Frequency Technique Scope 45 15

16 Reassessing, Auditing, & Monitoring Reassess periodically Auditing Have a protocol It costs money a team has to go on site Your own team 3 rd party 46 Reassessing, Auditing, & Monitoring Monitoring Determine reports, certifications, and the like to receive Limited on site visits Limited desk reviews Read the newspapers, trade press, Remediate findings 47 Tool Kit 1. Charm 2. Knowledge 3. Detailed Description 4. Data Flows 5. 3 rd Party / Vendor Risk Management Program 6. Assessment 7. Contract 8. Audit & Monitoring 9. Metrics 10. Fiber 11. Others? 48 16

17 Questions? & Thank you! Web Hull Privacy, Data Protection, & Compliance Advisor 49 17