5/29/2015 - Auditing IT Contracts From Afar




Auditing IT Contracts From Afar: Ensuring Compliance
Michael Carr, JD, CISSP, CIPP
Director, Enterprise IT Architecture & Chief Information Security Officer, University of Kentucky
June 2015

Disclaimer
The content, discussion, or materials presented are for informational purposes only and not for the purpose of providing legal advice. While I am a lawyer, I am not your lawyer. The use of and access to this information or material does not create an attorney-client relationship between Michael Carr and you. You should contact your attorney or your Office of General Counsel to obtain legal advice with respect to any particular legal issue or problem. The opinions expressed during this presentation are the opinions of the author and do not reflect the opinions or advice of the SCCE, the University of Kentucky, the Commonwealth of Kentucky or any of their respective affiliates.

Agenda
- Learn more about the growing strategy of moving IT systems and services off campus and to 3rd-party vendors
- Review some of the more important security- and privacy-related provisions in these contracts
- Learn how to remotely audit these provisions to ensure compliance without breaking your travel budget

Agenda
(the "why")
2. Contract Provisions (the "what")
3. The Long Arm of the Law (the "how")

Time Share - Cloud - Mainframe - Internet - Client Server
Does it really matter where Waldo is?

Enough computing resources must be available to satisfy peak demands, even if the peak demands are not sustained.
[Chart: monthly demand, Jan through Dec, showing needed capacity vs. unused capacity]
This creates a surplus (i.e., waste) for the majority of the time.

Now imagine...
- Being able to acquire and use the exact computing resources and storage you need, only when you need it, for as long as you need it
- And only paying for what you need
That is the gist of Cloud Computing: a model for enabling ubiquitous, convenient, on-demand (elastic) network access to a shared pool of configurable, pay-for-use computing resources. Think intelligent outsourcing.

There are 3 primary cloud service models:
1. IaaS: Infrastructure as a Service
2. PaaS: Platform as a Service
3. SaaS: Software as a Service

IaaS: Infrastructure As A Service
- Computers & storage (hardware) are leased on an as-needed basis and supported/maintained by the cloud service provider
- The customer is responsible for supporting & maintaining the operating system, application and database software

PaaS: Platform As A Service
- Computers & storage (hardware) are leased on an as-needed basis and supported/maintained by the cloud service provider
- The cloud service provider also supports & maintains the operating system and database software
- The customer installs, supports & maintains the application software on the leased platform

SaaS: Software As A Service
- The cloud service provider supports & maintains the computing hardware, the operating system software, the application software and the database software
- The customer pays for a license to use the application software
- (When more than one customer uses the same application, the service provider cordons off one from the other)

Security & Privacy Responsibilities Will Vary Too
Outsourcing is nothing new

But it's different enough to make things interesting
Many systems are now virtual (as opposed to physical).
Instead of...
a) One medium-size computer system
b) Running one operating system (e.g., Windows)
c) Under which numerous computer applications are running
Imagine...
a) One fairly large computer system
b) Running numerous operating systems simultaneously
c) With each operating system having numerous computer applications running under it
d) And each system having access to the exact same memory & storage as every other system...

Think...
a) Multiple apartment tenants
b) With access to the exact same garage and store room that you may have used earlier today
c) But when they were using them, your stuff was moved elsewhere.

Suddenly, your concerns are heightened about...
a) Unauthorized Access
b) HIPAA, FERPA, Export Controls, FISMA Compliance, etc.
c) Data Ownership, Research Integrity, Records Retention
d) Physical Access, Loss of Control, Quality of Service
And the need for the institution to audit these contracts, ensure compliance and do so with limited resources

2. Contract Provisions
"If it's in the cloud, get it on paper" - Methuselah
In general...
1. Don't cede control.
2. Don't assume.
3. Don't trust. Verify.

2. Contract Provisions
"If it's in the cloud, get it on paper" - Methuselah
The biggest challenge may be getting in front of the procurement process, to ensure compliance with laws, regulations, standards, etc.

2. Contract Provisions
1. You don't get what you deserve...
Negotiate hard on:
- Service Level Agreements
- Notice, Action & Information Rights, Roles & Responsibilities
- Liability & Indemnification

2. Contract Provisions
Negotiate hard on:
- Physical location & choice of law
- Certifications (ISO 27001, PCI DSS, etc.)
- Access to audit reports
- Exit strategies & H/W end-of-life

2. Contract Provisions
Try to negotiate hard on:
- Internal controls (more on this in a bit)
- Syslog access
- Software & data escrow

2. Contract Provisions
Internal Controls focus:
- Ensure isolation of applications & data in shared, multi-tenant environments
- Ensure protection of assets from unauthorized access by the provider's staff and/or subcontractors
We need to start thinking like external auditors.

2. Contract Provisions
Negotiate with Purchasing...
- Require vendors to explain how they will show/prove compliance with the contract
- Require vendors to do so periodically (annually?)
- Fight like &$^! for the contract to have teeth

3. The Long Arm of the Law
How do we ensure compliance when services are elsewhere and when it's technical?

3. The Long Arm of the Law
Quick recap:
- Audit: Are they doing what they said they would do?
- Compliance: If they do what they said they will do, will we be complying with the regulation?
- "Here & now" vs. horizon scanning

3. The Long Arm of the Law
Aside from physical safeguards, on-site visits may not tell you much.
Pretend you're from Missouri.

3. The Long Arm of the Law
Certifications don't always tell the whole story (remember: Target was deemed PCI-compliant).
Phished credentials will be considered as authorized.
- Get copies of vendors' Pen Test results. Does the contract require it?
- Get copies of vendors' incident reports. Does the contract require it?

3. The Long Arm of the Law
- Receive copies of firewall and IDS logs
  Tricky: data may not be segregated (your systems vs. "uber")
  IT Security should be able to integrate these into its SIEM (security incident/event mgmt system) and then report on anomalous behavior
- Step thru the HHS Audit Program (HIPAA)
  Covers the Security, Privacy & Breach Notification Rules

3. The Long Arm of the Law
- Major vendors' BAAs won't include these
- Major vendors (currently) won't negotiate
- As customers, we need to start demanding
- Increased competition is our friend
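The log-ingestion point above, as an added example that is not part of the presentation: a small Python script that first separates our tenant's events out of a provider's shared firewall log (the "data may not be segregated" problem) before anything reaches the SIEM, then flags two kinds of anomalous behavior in what remains. The key=value log format, the sample lines and the tenant address block are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of a provider's shared firewall log (not from the slides):
# one log that mixes our tenant's traffic with other tenants' traffic.
SAMPLE_LOG = """\
2015-06-01T10:00:01Z action=deny src=203.0.113.7 dst=10.10.1.5 dport=22
2015-06-01T10:00:02Z action=deny src=203.0.113.7 dst=10.10.1.5 dport=22
2015-06-01T10:00:03Z action=deny src=203.0.113.7 dst=10.10.1.5 dport=22
2015-06-01T10:00:04Z action=allow src=198.51.100.9 dst=10.10.1.8 dport=443
2015-06-01T10:00:05Z action=deny src=203.0.113.7 dst=10.20.1.5 dport=22
2015-06-01T10:00:06Z action=allow src=192.0.2.44 dst=10.10.1.5 dport=3389
"""

# Assumed placeholder: the address block the provider allocated to our tenant.
OUR_TENANT = ipaddress.ip_network("10.10.0.0/16")

LINE_RE = re.compile(r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(log_text):
    """Parse key=value firewall lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def our_events(events, tenant=OUR_TENANT):
    """Keep only events destined for our tenant's block; the rest belongs to
    other tenants and must not be loaded into our SIEM."""
    return [ev for ev in events if ipaddress.ip_address(ev["dst"]) in tenant]

def find_anomalies(events, deny_threshold=3, admin_ports=(22, 3389)):
    """Two simple detections over our tenant's events: repeated denies from one
    source (probing) and allowed admin-port access from outside our block."""
    findings = []
    denies = Counter(ev["src"] for ev in events if ev["action"] == "deny")
    for src, n in sorted(denies.items()):
        if n >= deny_threshold:
            findings.append(("repeated_deny", src, n))
    for ev in events:
        if (ev["action"] == "allow" and ev["dport"] in admin_ports
                and ipaddress.ip_address(ev["src"]) not in OUR_TENANT):
            findings.append(("external_admin_access", ev["src"], ev["dport"]))
    return findings
```

Running the full shared log through find_anomalies without the our_events filter would attribute another tenant's deny to our count, which is exactly the segregation problem the slide warns about.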

Recap
(the "why")
2. Contract Provisions (the "what")
3. The Long Arm of the Law (the "how")
Hate to say it, but it all comes down to those &$^! lawyers!

Recap
And then there are Gibbs' Rules (from NCIS)...
#3 Don't believe what you're told. Double check.
#8 Never take anything for granted.
#13 Never, ever involve lawyers.

Auditing IT Contracts From Afar
Additional Discussion?
Michael Carr, JD, CISSP, CIPP
Director, Enterprise IT Architecture & Chief Information Security Officer, University of Kentucky
June 2015

Thank You
Michael Carr, JD, CISSP, CIPP
Director, Enterprise IT Architecture & Chief Information Security Officer, University of Kentucky
June 2015