GRC Stack Research Sponsorship




Overview

Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to the necessary supporting data. Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of GRC requirements. The Cloud Security Alliance is leading the charge in addressing these challenges within our GRC Stack research portfolio. This brochure outlines the GRC Stack research we will be undertaking in the next year and describes the unique opportunity for a limited number of companies to sponsor this research and become CSA GRC Stack Research Partners.

About the Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit, vendor-neutral organization with a mission to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. CSA has grown tremendously since we publicly launched in April 2009, and we continue to set the pace as the industry leader in research and best practices for developing the trusted cloud ecosystem.

- 35,000 members worldwide, in over 60 chapters
- Not-for-profit organization registered as a 501(c)6 corporation with the US Internal Revenue Service
- Developed the first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (April 2009, updated December 2010 and October 2011)
- First and only user certification for cloud security, the CCSK (Certificate of Cloud Security Knowledge, September 2010)
- Tools for managing Governance, Risk and Compliance in the cloud (GRC Stack)
- Registry of cloud provider security practices, the CSA STAR (Security, Trust & Assurance Registry, Q4 2011)
- Industry-leading security practices, education and tools developed by 20 working groups
- Selection of a CSA venue by the US White House to announce the US Federal Cloud Strategy in 2011
- Leadership in developing new security standards addressing cloud computing
- Trusted advisor to governments and Global 2000 firms around the world

Copyright 2012 Cloud Security Alliance

The CSA Portfolio

CSA quickly captured industry thought leadership by being the first mover in several areas, due to our philosophy of agility, community and meritocracy. Cloud computing can be seen as a generational shift towards creating a global compute utility, even if it will create several different global and local clouds. Cloud's dynamism, and the critical decisions being made by the public and private sector today with a long tail of impact, have created a growing sense of urgency within CSA to continue our aggressive production of critical research, education and tools. Our research includes fundamental projects needed to define and implement trust within the future of information technology, which includes cloud computing, mobile and big data.

GRC Stack Initiatives

The Cloud Security Alliance GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry-established best practices, standards and critical compliance requirements.

CloudAudit

The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments, and allows authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.

Cloud Controls Matrix (CCM)

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The Cloud Controls Matrix provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Cloud Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST, and it will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Consensus Assessments Initiative Questionnaire (CAIQ)

The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort is by design integrated with, and will support, other projects from our research partners.

The initial deliverable of this project is the Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire is available in spreadsheet format and provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of yes-or-no control assertion questions which can then be tailored to suit each unique cloud customer's evidentiary requirements.

Cloud Trust Protocol (CTP)

The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as cloud users or cloud service owners) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, and nothing else. This is a classic application of the definition of digital trust. Assured of such evidence, cloud consumers become liberated to bring more sensitive and valuable business functions to the cloud, and reap even larger payoffs. With the CTP, cloud consumers are provided a way to find out important pieces of information concerning the compliance, security, privacy, integrity, and operational security history of service elements being performed in the cloud.

Security, Trust and Assurance Registry (STAR)

The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. It is a simple but powerful idea: cloud providers post self-assessments of their cloud services, CSA makes these assessments publicly available, and cloud consumers can use this data to make informed purchasing decisions.

GRC Stack 2012 Research Projects

The Cloud Security Alliance GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry-established best practices, standards and critical compliance requirements.

GRC Stack Implementation Pilots and Use Case Documentation

The need for greater industry transparency and a better understanding of governance, risk and compliance issues within cloud environments is the single greatest consideration stalling full-scale adoption of cloud computing. There exists tremendous industry interest in CSA's GRC Stack set of research projects as the foundation for assurance, attestation and certification of cloud providers. The key to accelerating adoption of the CSA GRC Stack, and consequently increasing adoption of cloud computing in general, is the completion and documentation of strategic pilot projects that clearly articulate the benefits of the GRC Stack and also explain how to implement the GRC Stack successfully.
The GRC Stack pilot project will consist of the participation of a cloud provider, an enterprise-class customer and CSA experts to implement the four GRC Stack research projects within a customer-provider environment:

- Use of CAIQ and CCM tools to demonstrate alignment with the CSA controls framework for both provider and customer.
- Updating of CCM 2.0 for new mappings, control objectives and a database structure.
- Use of CloudAudit and CTP tools to enable GRC automation and continuous controls monitoring within the pilot environment.
- Documentation of lessons learned and three unique use cases of the GRC Stack that represent geographical and industry diversity.
- Documentation of ROI achieved within assurance and compliance due to the project.
- Creation of an implementation guide for use by both customers and cloud providers.

The GRC Stack pilots and use case documentation will have whitepaper deliverables in Q3 2012, Q4 2012, Q1 2013 and Q2 2012.

Open Certification Framework

The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance's industry-leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. The CSA Open Certification Framework is based upon the control objectives and continuous monitoring structure as defined within the CSA GRC (Governance, Risk and Compliance) Stack research projects. The CSA Open Certification Framework will support several tiers, recognizing the varying assurance requirements and maturity levels of providers and consumers. These will range from the CSA Security, Trust and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored.

The CSA Open Certification Framework provides:

- A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector cloud usage.
- Explicit guidance for providers on how to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM).
- A "recognition scheme" that would allow us to support ISO, AICPA and potentially others that incorporate CSA IP inside of their certifications.

The timeline for OCF is as follows:

- LEVEL 1 is currently available through STAR
- The Open Certification Framework will be available in Q1 2013
- The Auditor Certification scheme will be available in Q1 2013
- The LEVEL 2 Third Party Assessment certification for providers will be available in Q2 2013
- The LEVEL 3 Continuous Monitoring is planned for 2014-2015

GRC Stack 2012 Research Benefits

Sponsored Research Listing: Sponsor will be permanently listed as a charter sponsor with logo and URL link at the initiative website and related areas, such as printed collateral.

Press activity: Sponsor will be included in press release activity related to key project milestones, including the opportunity to provide supporting quotes for the project.

Whitepaper & GRC Stack Download Information: Sponsor will receive a monthly list of individuals opting in when downloading the individual whitepapers or GRC Stack modules.

Blogging, Twitter & Webcasts: Sponsor will participate in communications related to the project, including CSA-funded webcasts, project blogs and use of the CSA corporate Twitter account.

Project Observer Status: Sponsor will be allowed the opportunity to monitor the project and will be provided regular updates from the project leadership. Sponsor will also be allowed the opportunity to interview customer participants.

Branded Deliverables: Whitepapers, presentations and related project deliverables will include an acknowledgement of the sponsor and will include the sponsor logo. Sponsor will also be allowed to incorporate project deliverables into the sponsor's own whitepapers and related collateral with appropriate acknowledgements to CSA.

Events: The Research Initiative will be highlighted in CSA events, providing exposure for sponsors of the initiative.

Signing Up

Please contact Jim Reavis at jreavis@cloudsecurityalliance.org for more information, pricing and terms for this Research Sponsorship.