Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile


Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile
Jerry Wertelecky, CPA, Fellow HKIoD & Managing Director

INTRODUCTION
Jerry Wertelecky
Country of Birth: United States
Current Job: Managing Director, Cloud Transformation & Security Solutions (CTSS)
Residence: Permanent Resident of Hong Kong
Email: jw@cloudtss.com, www.cloudtss.com
Past Experience: Former Partner, 29 Years with Ernst & Young; Former United States Marine
Favorite Sports: Boxing, American football, Basketball, Rugby

What is the difference between Outsourcing, Managed Services and Cloud Computing?

Traditional Outsourcing is the use of a dedicated service provider (or providers) with direct secure access to compute, storage and network resources, with little operational transparency. It is a very expensive IT model, and service management is almost totally controlled by the service provider. (Traditional Data Center Model)

Managed Services can provide the same scope of services with much more transparency, flexibility, availability and, most importantly, security, as the infrastructure was designed for rapid customer development and deployment using a lower cost model. It is also specifically designed for mobile and cloud services.

Cloud Computing is a managed service delivery model (CSP) providing full transparency, scalability and variable pricing, using the internet as its main delivery backbone (VLAN, private/hybrid and IP connections, public).

Managed Services and CSPs are starting to blend!

PWC 2014 Info Security Breach Survey

EY GISS Survey October 2014

In March 2015, the Internet Society Hong Kong (ISOC HK) and the Cloud Security Alliance Hong Kong and Macau Chapter (CSA HK) performed a telephone survey, based on a structured Chinese questionnaire, of 168 local SMEs from various industries including retail, manufacturing, information and communications, imports/exports, financial services, etc. The questions address the following areas of concern in terms of Cloud security:
- Policy design
- Physical security management
- Data privacy management
- System management
- Incident management
- Cloud technology adoption and application
- Understanding of CSPs' privacy protection policy

Overall Results: More than 80% of the responding SMEs have adopted some kind of Cloud services, which represented a big jump from the 51% last year. Security is still among their top considerations.

Policy design
- 63% of companies surveyed have security policies in place (14% increase from last year)
- 52% of companies surveyed have proper documentation on access rights management to data (decreased by 15%)
- 40% of companies surveyed perform security audits and certifications by external parties (increased by 38%)

Physical security
- 59% of the companies surveyed manage their IT systems with proper access rights and password control, as well as maintaining an appropriate audit trail
- 49% of the companies surveyed have people or teams in charge of hardware/software maintenance, as well as support and security

Data privacy management
- 56% of companies surveyed have a good understanding of, or have implemented, data encryption; a slight increase from last year's survey (increased by 12%)
- 45% of companies surveyed have a data disposal policy established, which compares favorably with last year's result (increased by 13%)

System management
- 28% of the companies surveyed implemented a security patch policy, which is not as good as last year (decreased by 33%)
- 71% of the companies surveyed installed firewall devices to further improve security, which is slightly better than last year (increased by 6%)

Incident management
- 51% of the companies surveyed have established an Incident Response Plan, which is less than last year's result (decreased by 22%)
- 47% of the companies surveyed also have a Disaster Recovery Plan in place, which is also less than last year's result (decreased by 25%)

Cloud technology adoption and application
- Nearly 83% of companies surveyed are using or planning to use Cloud services, indicating a big increase from last year's 55%
- The top two Cloud services used are email and data storage
- Top two reasons for using Cloud services: reliability and security

Understand SMEs' readiness on privacy
For those companies who use Cloud services:
- 69% follow the guidance from the Office of the Privacy Commissioner for Personal Data (PCPD) to protect personal data
- 49% use CSPs that are not transparent to their users about if and when their company or customer data will be deleted or returned
- 25% do not know if and when their CSPs will return or delete their company or customer data

Understand SMEs' readiness on privacy (continued)
- 30% use CSPs that do not, or likely do not, comply with guidance from the PCPD to protect personal data
- 18% do not know if their CSPs will comply with guidance from the PCPD to protect personal data
Of the companies that do not use Cloud services, over 50% do not understand or care about the impact of the privacy-related questions in this session.

Create a Combined Company/CSP Risk Management Profile

Cloud Risk Management: High Level Top Risks
Risks frequently associated with Cloud are not new. Top risks include:
- Loss of governance
- Data loss and leakage
- Loss of service or data availability
- Legal and regulatory risk, lack of compliance
- Data quality and processing accuracy (SaaS, PaaS)

Cloud Risk Management Action Plan: Top risk, loss of governance
Key mitigation activities include:
- Effective provider selection and structured SLA development
- Effective contract management of the CSP
- Provider 3rd-party certification reports
- Interactive IT service management of the CSP

Cloud Risk Management Action Plan: Top risk, data loss and leakage
Key mitigation activities include:
- Data classification
- Virtualization and hypervisor security
- Strong access controls: identity and access management, integrated with the CSP
- Separation/isolation of sensitive systems (sandboxing)
- Encryption end to end: network, CPU and storage
- Strong network configuration: IDS, firewalls, IPS, etc.

Cloud Risk Management Action Plan: Top risk, loss of service or data availability
Key mitigation activities include:
- Thorough business impact analysis (BIA)
- Periodic service and availability testing
- Reputation, history and sustainability assessment, including social media
- Strong network configuration, establishment and monitoring
- Data sovereignty should always be considered

Cloud Risk Management Action Plan: Top risk, data quality and processing accuracy (SaaS, PaaS)
Key mitigation activities include:
- Stringent provider selection through an RFI/RFP process
- Relevant reporting: SSAE 16, ISO 27001, PCI-DSS, MTCS
- Integration of CSP controls and monitoring into the overall company risk profile
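The last mitigation above, folding the CSP's controls and their third-party reports into the company's own risk register, as an added example that is not from the talk: a CSP control only reduces residual risk when a report (SSAE 16, ISO 27001, PCI-DSS, MTCS) backs it, and unattested CSP claims surface as gaps. The 1..5 scoring scale, the reduction weights and the sample register are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    owner: str          # "company" or "csp"
    reduction: float    # assumed fraction of likelihood the control removes
    evidence: str = ""  # third-party report backing a CSP control, e.g. "ISO 27001"

@dataclass
class Risk:
    name: str
    likelihood: int     # 1..5, assumed scale
    impact: int         # 1..5, assumed scale
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact
    def residual(self) -> float:
        # A CSP control counts only when a certification report backs it;
        # an unattested CSP claim reduces nothing and is reported as a gap.
        factor = 1.0
        for c in self.controls:
            if c.owner == "company" or c.evidence:
                factor *= 1 - c.reduction
        return round(self.inherent() * factor, 2)
    def gaps(self) -> list:
        return [c.name for c in self.controls if c.owner == "csp" and not c.evidence]

def consolidate(risks) -> list:
    """Combined company/CSP profile, highest residual risk first."""
    rows = [{"risk": r.name, "inherent": r.inherent(),
             "residual": r.residual(), "gaps": r.gaps()} for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

REGISTER = [  # constructed sample register built from the deck's top risks
    Risk("Loss of governance", 4, 4, [
        Control("SLA and contract management of CSP", "company", 0.4),
        Control("Third-party certification report", "csp", 0.3, "SSAE 16")]),
    Risk("Data loss and leakage", 3, 5, [
        Control("Data classification and IAM", "company", 0.3),
        Control("End-to-end encryption", "company", 0.4),
        Control("Hypervisor isolation", "csp", 0.3)]),  # no report: open gap
    Risk("Loss of service or data availability", 3, 4, [
        Control("Periodic availability testing from BIA", "company", 0.3),
        Control("Resilient CSP infrastructure", "csp", 0.4, "ISO 27001")]),
    Risk("Data quality and processing accuracy (SaaS, PaaS)", 2, 4, [
        Control("RFI/RFP provider selection", "company", 0.2),
        Control("CSP processing controls", "csp", 0.3, "PCI-DSS")]),
]
```

Running `consolidate(REGISTER)` ranks the four risks by residual score and lists "Hypervisor isolation" as the one CSP control still awaiting a report.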

Questions from the listening audience?