Policy Outsourcing and Cloud Based File Sharing

Policy Outsourcing and Cloud Based File Sharing Version 3.1

TABLE OF CONTENTS

Outsourcing Policy ... 2
Outsourcing Management Standard ... 2
  Overview ... 2
  Standard ... 2
Outsourcing Policy ... 3
  Policy Statement ... 3
  Goal ... 3
Approval Standard ... 4
  Overview ... 4
  Standard ... 4
Responsibilities ... 9
Appendix ... 11
  Outsource Security Policy Compliance Agreement Form ... 12
  Audit Program Guide ... 13
  Audit Scope ... 15
What's News ... 17

Outsourcing Cloud Based File Sharing Management Standard

Overview

Outsourcing and Cloud Based File Sharing do not remove the enterprise's requirement to manage the process or the data. Even a comprehensive outsourcing and cloud based file sharing arrangement requires Service Level Agreement (SLA) monitoring and redefinition, as well as strategic management and other retained functions.

Standard

Service Level Agreements (SLA)

The SLA is the central instrument for managing an outsourced function. The Information Technology Contract Management Group (ITCMG) will track SLA fulfillment and enforce the contract terms if an SLA is not met. ITCMG must also take an active role in defining and redefining SLAs in order to take into account changes in the operating environment. [1]

Responsibility

The efficient assignment of End-User complaints to the appropriate entity is critical to maintaining high service levels. IT will ensure that the Help Desk staff is trained in order to identify whether a problem lies with IT or a particular vendor. In a multi-vendor environment this task becomes even more critical, if one is to avoid a constant reassignment of the problem. In the case of file sharing, the Help Desk staff should be able to manage and diagnose issues associated with this technology. At the same time they should be versed in reviewing logs and diagnostics of the vendors who provide the service.

[1] The web site http://www.e-janco.com has a tool kit and sample metrics that can be used for this.

Security, Disaster Recovery, Business Continuity, Records Retention and Compliance

ENTERPRISE maintains the primary responsibility for all the data and processes that are outsourced and placed on the cloud via a file sharing process. It is for this reason that this policy needs to be followed. All of the other supporting infrastructure policies need to be followed as well. This includes but is not limited to the following:

- Outsourcing Policy
- Disaster recovery and business continuity
- Security compliance and management
- Compliance management
- Backup and backup retention
- Internet, email, social networking, mobile device, electronic communication and records retention
- Mobile device access and use
- Physical and virtual server security
- Records management, retention, and destruction
- Sensitive information
- Social networking
- Telecommuting
- Text messaging
- Travel and off-site meetings

Policy Statement

The enterprise will consider the outsourcing and Cloud Based File Sharing of parts of its Information Technology (IT) function if such an arrangement could provide savings and true added value. These decisions will not be made without a formal base case analysis that demonstrates the cost-effectiveness of the outsourcing and cloud based file sharing solution. Outsourcing and cloud based file sharing contracts will be finite and will hold the Vendor to a Service Level Agreement (SLA). SLAs will contain clear penalties associated with failure to meet minimum service levels.

Goal

The goal of outsourcing and cloud based file sharing is to seek areas in which a vendor's convenience and economies of scale are able to streamline IT's operations, add value, and allow the enterprise to concentrate its efforts on core competencies.

Cloud Based File Sharing

With the increased use of mobile devices, cloud based file sharing becomes a form of outsourcing. With that, some specific rules need to be followed. Here are four key security considerations as you explore cloud based file sharing:

Encryption - All cloud based services selected need to encrypt data while it travels through the Internet and sits in their data centers. They also have to have vital security systems to keep hackers out and be audited by third parties to confirm they're up to snuff. Because tablets and smartphones are easily lost, stolen or accessed by an unauthorized person, check the steps a service has taken to protect data temporarily stored, or "cached," on employees' devices. For example, some services encrypt cached files on mobile devices, and others let you remotely wipe their apps from missing devices, along with all log-in information and cached files.

User authentication - The enterprise needs control over user accounts so that ex-employees no longer have access to company information. Look for a service that lets an administrator manage accounts and define which users can read, edit and delete which files and folders. Also, look for such security features as the ability to set passwords for individual files and to wipe cached data on mobile devices if someone repeatedly fails to enter the right password.

Audit trails - The selected service needs to keep detailed logs of which employees downloaded, uploaded and shared which files with whom and when. The information provides better visibility into the company's operations. And if there is a security breach, it can help in the discovery process.

Subpoena protection - Documents stored with a cloud provider can be subpoenaed by the government and other parties, and may be turned over without your consent.

Risk Assessment

Management shall nominate a suitable owner for each business function/process outsourced. The owner, with help from the local Information Risk Management Team, shall assess the risks before the function/process is outsourced, using ENTERPRISE's standard risk assessment processes. In relation to outsourcing, specifically, the risk assessment shall take due account of the:

- Nature of logical and physical access to ENTERPRISE information assets and facilities required by the outsourcer to fulfill the contract;
- Sensitivity, volume and value of any information assets involved;
- Commercial risks such as the possibility of the outsourcer's business failing completely, or of them failing to meet agreed service levels, or providing services to ENTERPRISE's competitors where this might create conflicts of interest; and
- Security and commercial controls known to be currently employed by ENTERPRISE and/or by the outsourcer.

The result of the risk assessment shall be presented to management for approval prior to signing the outsourcing contract. Management shall decide if ENTERPRISE will benefit overall by outsourcing the function to the outsourcer, taking into account both the commercial and information security aspects. If the risks involved are high and the commercial benefits are marginal (e.g. if the controls necessary to manage the risks are too costly), the function shall not be outsourced.

What's News

Version 3.1
- Added cloud based file sharing to the outsourcing policy
- Updated to meet latest compliance requirements
- Added references to Cloud based file sharing services

Version 3.0
- Added electronic form for Outsourcing Security Policy Compliance
- Updated to meet all mandated compliance requirements

Version 2.2
- Updated policy to comply with ISO 27001 Security Requirements
- Security Audit Program updated

Version 2.1
- Updated to Office 2007 CSS Style Sheet

Version 2.0
- Converted to Janco standard policy format
- Added Outsourcing Secure Information Policy Agreement Form
- Audit Program added
- Office 2007 version added