Auditing IT Contracts From Afar: Ensuring Compliance
Michael Carr, JD, CISSP, CIPP
Director, Enterprise IT Architecture & Chief Information Security Officer
University of Kentucky
June 2015

Disclaimer
The content, discussion, or materials presented are for informational purposes only and not for the purpose of providing legal advice. While I am a lawyer, I am not your lawyer. The use of and access to this information or material does not create an attorney-client relationship between Michael Carr and you. You should contact your attorney or your Office of General Counsel to obtain advice with respect to getting legal advice or addressing any particular legal issue or problem. The opinions expressed during this presentation are the opinions of the author and do not reflect the opinions or advice of the SCCE, the University of Kentucky, the Commonwealth of Kentucky or any of their respective affiliates.

Agenda
- Learn more about the growing strategy of moving IT systems and services off campus and to 3rd-party vendors
- Review some of the more important security- and privacy-related provisions in these contracts
- Learn how to remotely audit these provisions to ensure compliance without breaking your travel budget
Agenda
   (the why)
2. Contract Provisions (the what)
3. The Long Arm of the Law (the how)

?
[Figure: labels Time Share, Cloud, Mainframe, Internet, Client Server]
Does it really matter where Waldo is?
Enough computing resources must be available to satisfy peak demands, even if the peak demands are not sustained.
[Chart: monthly demand, Jan through Dec, against provisioned capacity]
This creates a surplus (i.e., waste) for the majority of the time.
[Chart: monthly demand, Jan through Dec; legend: unused capacity, needed capacity]
Now imagine...
- Being able to acquire and use the exact computing resources and storage you need, only when you need it, for as long as you need it
- And only paying for what you need

That is the gist of Cloud Computing
A model for enabling ubiquitous, convenient, on-demand (elastic) network access to a shared pool of configurable, pay-for-use computing resources
Think intelligent outsourcing

There are 3 primary cloud service models:
1. IaaS: Infrastructure as a Service
2. PaaS: Platform as a Service
3. SaaS: Software as a Service
IaaS: Infrastructure As A Service
- Computers & storage (hardware) are leased on an as-needed basis and supported/maintained by the cloud service provider
- The customer is responsible for supporting & maintaining the operating system, application and database software

PaaS: Platform As A Service
- Computers & storage (hardware) are leased on an as-needed basis and supported/maintained by the cloud service provider
- The cloud service provider also supports & maintains the operating system and database software
- The customer installs, supports & maintains the application software on the leased platform

SaaS: Software As A Service
- The cloud service provider supports & maintains the computing hardware, the operating system software, the application software and the database software
- The customer pays for a license to use the application software
  (When more than one customer uses the same application, the service provider cordons off one from the other)
Security & Privacy Responsibilities Will Vary Too

Outsourcing is nothing new
But it's different enough to make things interesting
Many systems are now virtual (as opposed to physical)

Instead of...
a) One medium-size computer system
b) Running one operating system (e.g., Windows)
c) Under which numerous computer applications are running

Imagine...
a) One fairly-large computer system
b) Running numerous operating systems simultaneously
c) With each operating system having numerous computer applications running under it
d) And each system having access to the exact same memory & storage as every other system...
Think...
a) Multiple apartment tenants
b) With access to the exact same garage and store room that you may have used earlier today
c) But when they were using them, your stuff was moved elsewhere.

Suddenly, your concerns are heightened about...
a) Unauthorized Access
b) HIPAA, FERPA, Export Controls, FISMA Compliance, etc.
c) Data Ownership, Research Integrity, Records Retention
d) Physical Access, Loss of Control, Quality of Service
And the need for the institution to audit these contracts, ensure compliance and do so with limited resources

2. Contract Provisions
"If it's in the cloud, get it on paper" (Methuselah)

In general...
1. Don't cede control.
2. Don't assume.
3. Don't trust. Verify.
2. Contract Provisions
"If it's in the cloud, get it on paper" (Methuselah)
Biggest challenge may be getting in front of the procurement process
To ensure compliance with laws, regulations, standards, etc.

2. Contract Provisions
1. You don't get what you deserve...
Negotiate hard on
- Service Level Agreements
- Notice, Action & Information Rights, Roles & Responsibilities
- Liability & Indemnification

2. Contract Provisions
Negotiate hard on
- Physical location & choice of law
- Certifications (ISO 27001, PCI DSS, etc.)
- Access to audit reports
- Exit strategies & H/W end-of-life
2. Contract Provisions
Try to negotiate hard on
- Internal controls (more on this in a bit)
- Syslog access
- Software & data escrow

2. Contract Provisions
Internal Controls focus:
- Ensure isolation of applications & data in shared, multi-tenant environments
- Ensure protection of assets from unauthorized access by provider's staff and/or subcontractors
We need to start thinking like external auditors

2. Contract Provisions
Negotiate with Purchasing...
- Require vendors to explain how they will show/prove compliance with the contract
- Require vendors to do so periodically (annually?)
- Fight like &$^! for the contract to have teeth
3. The Long Arm of the Law
How do we ensure compliance?
- when services are elsewhere
- and when it's technical

3. The Long Arm of the Law
Quick recap
- Audit: Are they doing what they said they would do?
- Compliance: If they do what they said they will do, will we be complying with the regulation?
- here & now vs. horizon scanning

3. The Long Arm of the Law
Aside from physical safeguards, on-site visits may not tell you much
Pretend you're from Missouri
3. The Long Arm of the Law
Certifications don't always tell the whole story
- remember: Target was deemed PCI-compliant
- Phished credentials will be considered as authorized
Get copies of vendors' Pen Test results
- Does the contract require it?
Get copies of vendors' incidents
- Does the contract require it?

3. The Long Arm of the Law
Receive copies of firewall and IDS logs
- Tricky: data may not be segregated (your systems vs. uber)
- IT Security should be able to integrate into its SIEM (security incident/event mgmt system) and then report on anomalous behavior
Step thru the HHS Audit Program (HIPAA)
- Covers Security, Privacy & Breach Notification Rules

3. The Long Arm of the Law
- Major vendors' BAAs won't include these
- Major vendors (currently) won't negotiate
- As customers, we need to start demanding
- Increased competition is our friend
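The slide above makes two practical points about vendor-supplied firewall and IDS logs: the export may mix your tenant's records with other customers' (or the provider's own), and once the feed is in your SIEM you want it to report anomalous behavior, including use of credentials that look "authorized". The script below is an added example, not from this presentation or the University of Kentucky; it assumes a syslog-like key=value export with a `tenant` field (tenant id `uky`), provider staff accounts named `vendor-*`, and an agreed 07:00-19:00 UTC window for provider staff activity. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

OUR_TENANT = "uky"        # assumed tenant identifier in the provider's export
BUSINESS_HOURS = (7, 19)  # assumed contract window for provider staff activity (UTC)

# Constructed sample of a provider's multi-tenant firewall/IDS export.
# Real provider formats differ; this one is syslog-like: timestamp host key=value ...
SAMPLE_LOGS = """\
2015-06-02T02:14:07Z fw01 tenant=uky action=ACCEPT src=203.0.113.7 dst=10.10.5.21 dport=22 user=vendor-ops
2015-06-02T09:30:12Z fw01 tenant=acme action=ACCEPT src=198.51.100.4 dst=10.20.1.9 dport=443 user=-
2015-06-02T09:31:40Z ids01 tenant=uky sig="SSH brute force" src=203.0.113.7 dst=10.10.5.21 severity=high
2015-06-02T10:02:55Z fw01 tenant=uky action=DENY src=192.0.2.55 dst=10.10.5.21 dport=3389 user=-
2015-06-02T10:05:01Z fw01 tenant=uky action=ACCEPT src=192.0.2.55 dst=10.10.5.21 dport=3389 user=jdoe
2015-06-02T10:05:30Z fw01 tenant=uky action=ACCEPT src=198.51.100.9 dst=10.10.5.21 dport=3389 user=jdoe
2015-06-02T11:00:00Z fw01 tenant=acme action=ACCEPT src=198.51.100.4 dst=10.20.1.9 dport=22 user=vendor-ops
"""

# key=value pairs; values may be double-quoted when they contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one export line into a dict (None if it does not match the assumed format)."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        return None
    ts, host, rest = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": when, "host": host}
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec


def segregate(export_text, tenant=OUR_TENANT):
    """Keep only our tenant's records and count how many belonged to someone else.

    A non-zero foreign count is itself an audit finding: the provider is shipping
    other customers' traffic records to us, so it is probably shipping ours to them.
    """
    ours, foreign = [], 0
    for line in export_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("tenant") == tenant:
            ours.append(rec)
        else:
            foreign += 1
    return ours, foreign


def find_anomalies(records, business_hours=BUSINESS_HOURS):
    """Apply three simple SIEM-style rules and return (rule, subject, detail) tuples."""
    findings = []
    sources_by_user = defaultdict(set)
    for r in records:
        user = r.get("user", "-")
        hour = r["ts"].hour
        # Rule 1: provider staff account touching our systems outside the agreed window
        if user.startswith("vendor-") and not (business_hours[0] <= hour < business_hours[1]):
            findings.append(("off_hours_provider_access", user, r["src"]))
        # Rule 2: IDS escalations the provider should have reported to us
        if r.get("severity") == "high":
            findings.append(("ids_high_severity", r.get("sig", "?"), r["src"]))
        # Rule 3 bookkeeping: which source addresses each accepted credential was used from
        if r.get("action") == "ACCEPT" and user != "-":
            sources_by_user[user].add(r["src"])
    # Rule 3: one "authorized" credential accepted from several sources in the same export
    for user, srcs in sorted(sources_by_user.items()):
        if len(srcs) > 1:
            findings.append(("credential_used_from_multiple_sources", user, ",".join(sorted(srcs))))
    return findings


if __name__ == "__main__":
    ours, foreign = segregate(SAMPLE_LOGS)
    print(f"{len(ours)} records for tenant {OUR_TENANT}; {foreign} foreign records dropped")
    for rule, subject, detail in find_anomalies(ours):
        print(f"{rule}: {subject} ({detail})")
```

Each rule is a stand-in for what the contract should let you check: the off-hours rule needs the vendor's staff accounts to be distinguishable in the log, the IDS rule needs the provider's alerts in the feed at all, and the multiple-source rule is one way to surface a phished-but-valid credential that the provider's own controls would treat as authorized.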
Recap
   (the why)
2. Contract Provisions (the what)
3. The Long Arm of the Law (the how)
Hate to say it, but it all comes down to those &$^! lawyers!

Recap
And then there are Gibbs' Rules (from NCIS)...
#3 Don't believe what you're told. Double check.
#8 Never take anything for granted.
#13 Never, ever involve lawyers.

Auditing IT Contracts From Afar
Additional Discussion?
Thank You