Risks to cloud Computing Control



Similar documents
Cloud Computing Questions to Ask

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Cloud Computing: Legal Risks and Best Practices

for Kimberly F. Benoit Deputy Assistant Inspector General for Information Technology and Data Analysis

Cloud Computing Contract Clauses

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Security Program

Draft Information Technology Policy

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Considerations for Outsourcing Records Storage to the Cloud

HIPAA Security Alert

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

Program Overview. CDP is a registered certification designed and administered by Identity Management Institute (IMI).

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative

What s New with HIPAA? Policy and Enforcement Update

Wright State University Information Security

Standard: Information Security Incident Management

Why You Should Consider Cloud- Based Archiving. A whitepaper by The Radicati Group, Inc.

All can damage or destroy your company s computers along with the data and applications you rely on to run your business.

BUSINESS ASSOCIATE AGREEMENT

TRENDS AND DEVELOPMENTS IN INFORMATION GOVERNANCE AND RECORDS MANAGEMENT. Key Concepts Defined. Key Concepts Defined 4/30/2015

VMware vcloud Air HIPAA Matrix

OCC 98-3 OCC BULLETIN

HIPAA Security Rule Compliance

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460.

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

White Paper on Financial Institution Vendor Management

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Village of Hastings-on-Hudson Electronic Policy. Internal and External Policies and Procedures

Qatar University Information Security Policies Handbook November 2013

1. Contact Information. 2. System Information. Privacy Impact Assessment (PIA)

ELECTRONIC INFORMATION SECURITY A.R.

Information Security Policy

Louisiana State University System

Top Ten Technology Risks Facing Colleges and Universities

Adopting Cloud Computing with a RISK Mitigation Strategy

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Office of Inspector General

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

FMCS SECURE HOSTING GUIDE

The ReHabilitation Center Buffalo Street. Olean. NY

CTR System Report FISMA

Management of Cloud Computing Contracts and Environment

Virginia Commonwealth University School of Medicine Information Security Standard

9/11 Heroes Stamp Act of 2001 File System

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA BUSINESS ASSOCIATE AGREEMENT

PBGC Information Security Policy

Understanding changes to the Trust Services Principles for SOC 2 reporting

a GAO GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Information Resources Security Guidelines

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Security and Managed Services

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Arizona Health Information Exchange Marketplace. Requirements and Specifications Health Information Service Provider (HISP)

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

On Premise Vs Cloud: Selection Approach & Implementation Strategies

M E M O R A N D U M. Definitions

COMPLIANCE ALERT 10-12

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

HIPAA Security COMPLIANCE Checklist For Employers

Benefits and risks of cloud computing

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Keep Your Data Secure in the Cloud Using encryption to ensure your online data is protected from compromise

HIPAA Compliance and the Protection of Patient Health Information

Information Security Program Management Standard

Transcription:

/s/

In the attached report, Audit of USAID's Contracts for Cloud Computing Services, we concluded that USAID's contract clauses did not address the following control areas (Tab!): Data Security Application Security Compliance and Audit Asset Availability Maintenance Intellectual Property Incident Response Legal and Electronic Discovery Termination and Tran.~tion Portability and Interoperability As a result of not addressing the aforementioned control areas in the contract clauses, USAID is potentially at risk of not securing its data and assets. Moreover, this affects the confidentiality, integrity, and availability ofusaid's information. As a proactive measure, OIG is providing additional risk factors fur your consideration and to assist USAID in implementing a solution that is secure, reliable and cost-effective (Tab 2). While OIG recognizes that cloud computing is a relatively new technology and that the related risks and best practices for controls are still emerging, we believe USAID should pro,ide assurance that all significant risks have been thoroughly considered and that all possible steps have been taken to mitigate those risks and comply with all applicable policies, standards, and regulations. Ifyou have any questions or wish to discuss this document further, I would be happy to meet with you. Attachments: Tab I: Tab2: Audit ofusajd' s Contracts for Cloud Computing Services Potential Risk Associated with Cloud Computing at U.S. Agency for International Development 2

The U.S. Agency for International Development Office of Inspector General (OIG) is withholding from public release Tab 1, Audit of USAID s Contracts for Cloud Computing Services. This report contains sensitive but unclassified (SBU) information, the disclosure of which would risk the integrity of agency information systems. This audit report, number A-000-12-004-P, was issued April 12, 2012 by OIG Office of Audit s Information Technology Audits Division. OIG publicly disclosed the report s issuance in its Semiannual Report to the Congress, April 1 September 30, 2012, which contained the following information from the audit report: OIG conducted this audit to determine whether USAID s contracts for cloud computing services included best practices and controls. OIG found that, of the 11 best practices and control areas selected for review, only one was included in its entirety in both contracts. OIG made seven recommendations to improve the Agency s contracting practices and controls for cloud computing services, and management decisions have been made on all of them. 1 1 Semiannual Report to the Congress, April 1 September 30, 2012, p. 50; http://oig.usaid.gov/sites/default/files/other-reports/sarc0912_0.pdf

Tab 2 - POTENTIAL MSKASSOCIATED wmt CLOUD COMPUTING AT U.S. AGENCY FOR INTERNATIONAL DEVELOflMENT DescrtatJon Rlsb 1. Pm Secyrltv provides protection of agencies' Data stored on cloud provider's servers may be physically located anywhere In the world and may not be data and Information. protected by U.S. laws. Fo~n governments or terrorists coo Id access, modify or disclose USAID sensitive data Data may be unencrypted when In tran.slt or stored on vendot's servers, wtilch Increases the risk that USAID's data could be exposed to unauthorized use and released without proper auttiorlzatlons. Response to security incidents may be untimely and require long periods of time to bring the systems back onllne and re-secure after outages. Access to backup data may not be limited to authorized persons and vendors' access or use of USAID's data may not be prohibited. Sensitive and restricted law enforcement data could be distributed to unauthoriied persons. 2. Aaptlgtlgn 5ecurttv provides protection of Application software that Is running In the doud could be at risk of unauthorized access, data leakage, and USAID's systems such as Phoenix and Gl.AAS, which is based on the risk and maanitude of harm or unauthorized access or modification of the information in the system. system unavailablhty. 3. Aplt AyaH11b!Htv 11Ves agencies ttie ability to Without disaster recovery and business continuity plans In place, USAID's business processes may be Impaired continue their business operations and meets If access is unavailable. their needs when the doud provider implements Incompatible hardware and software upgrades could result In costly solutions and Iona response time to new software and hardware for compatibility, address system outages and disruption of business operations. software updates, hardware refresh, and Untimely and uncoordinated software updates and hardware refresh could slgniflcantly Impact agency's maintenance. operations. Unavailablllty of law enforcement Information/data may not meet judicial and congressional demands. (Instant availability of usable, unoorrupted, untainted data Is a business necessity.) 4. Mon1tortn1 l!ui Illllilll!'ll Flaw Rf l!lll are used Real time monitoring may be difficult or may incur additional chaf'ies because USAID will no longer own the by aaencles to monitor and trade network traffic network. and data. Usually, monitoring tools and/or Aa:eu to network lop, archived data, or other Information may not be permitted. specialized software are placed on systems to Obtaining data for electronic discovery and lltiptlon could be Umited and delayed. monitor data traffic or search for documents Inexpensive alternatives to search the networt to obtain requested data may not exist stored In electronic format. Acceu to law enforcement information to build a case and take administrative or other action may be difficult to obtain or unavailable, which will result In Insurmountable challenges for IG and Office of Securlty trying to investigate or discipline employees who are misusing or committing crimes using government resources. Evidence requirlna chain-of-custody may not be protected or dlfflajft to maintain -

s. 6. 7. Description Regulatorv Compliance is imposed by various statues and regulations, including the Privacy Act, the Freedom of Information Security Management Act (FISMA}, the Federal Records Act, the Trade Secret Act and the Rehabilitation Act. Services obtained through cloud providers must be compatible with these requirements before committing to the provider's services. Portabilitv and lnteropera~ilitv provides the agency with the ability to transfer and share data with other cloud providers and others Termination & Transition ensures that agency data is properly protected, conveyed, and destroyed at the end of the cloud contract. POTENTIAL RISK ASSOCIATED WrTH CLOUD COMPUTING AT U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT Risks Non-compliance with federal regulations can be detrimental to USAID's operations and reputation. Obtaining timely responses to USAID's or public request to access Freedom ofinformation Act information may not be permitted. Protection of non-public information such as trade secrets, procurements, and pre-decisional policy information may not be adequate. Physical security for responses to discovery and other informational disclosure requests may not be adequate. Compliance with Section 508 ofthe U.S. Workforce Rehabilitation Act of 1973 that requires USAID's electronic and information technology to be accessible by people with disabilities may not be obtained. Compliance with Privacy Act may not be obtained. Without identifying a backup cloud provider or backup plan and a means to allow data to be sharable between cloud providers, USAID could be at risk of not being able to process data and information. Transfers to another cloud computing provider or if the provider goes out ofbusiness may be expensive. The transfer may require USAID to reformat its data and applications, and transfer them to a new provider, which could be a potentially complex and expensive process. To bring the services provided by cloud computing vendor back in-house may not be easy or inexpensive. Data may continue to reside on vendor's servers after the contract is terminated. Timing of termination and transition could be disruptive to USAID's operations. Ownership ofdata may not have been clearly defined and USAIO may have to pay to obtain its data. Source: CGIE IT Committee, Cloud Computing Contracting Concerns

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information