Risk Management & Cloud Security. Setting & Enforcing Policy


Agenda
- Define the cloud ecosystem
- Business use of cloud services
- Cloud service risks
- Governance of the cloud: critical policies, procedures & controls
- Third-party management considerations for the cloud

DEFINE THE CLOUD ECOSYSTEM

Define the Cloud Ecosystem
- What is the cloud? Define the cloud
- Cloud service models
- Cloud deployment models

Define the Cloud Ecosystem: Cloud Computing
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."
Source: NIST Special Publication 800-145, The NIST Definition of Cloud Computing (http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf)

Define the Cloud Ecosystem: Essential Characteristics
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

Define the Cloud Ecosystem: Service Models
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)

Define the Cloud Ecosystem: Software as a Service (SaaS) Examples
- Salesforce CRM
- Google Apps
- Microsoft Office 365

Define the Cloud Ecosystem: Platform as a Service (PaaS) Examples
- Microsoft Azure
- Google App Engine

Define the Cloud Ecosystem: Infrastructure as a Service (IaaS) Examples
- Amazon Web Services (AWS)
- Rackspace
- GoGrid

Audience Question: Are you currently using cloud services and, if so, which service model are you using?
a) Yes, SaaS
b) Yes, PaaS
c) Yes, IaaS
d) Yes, a combination of service models
e) Have not adopted cloud computing at this time

Define the Cloud Ecosystem: Deployment Models
- Private cloud
- Community cloud
- Public cloud
- Hybrid cloud

Define the Cloud Ecosystem: Private Cloud
- Provisioned for exclusive use by a single organization
- May exist on or off premises
- May be managed by the organization or outsourced

Define the Cloud Ecosystem: Community Cloud
- Provisioned for exclusive use by a specific community of organizations with shared concerns
- May be owned & managed by one or more of the community organizations, a third party, or some combination
- May exist on or off premises

Define the Cloud Ecosystem: Public Cloud
- Provisioned for open use by the general public
- Exists on the premises of the cloud provider
- May be owned, managed & operated by a business, academic or government organization, or a combination of them

Define the Cloud Ecosystem: Hybrid Cloud
- Composition of two or more distinct cloud infrastructures (private, community or public)
- Each remains a unique entity, bound together by standardized or proprietary technology that enables data & application portability

BUSINESS USE OF CLOUD SERVICES

Business Use of Cloud Services: Financial Savings
- Equipment
- Personnel
- Infrastructure
- Space & utilities
- Reduced obsolescence
- Reduced capital expenditures
- Reduced implementation costs

Business Use of Cloud Services: Increased Flexibility
- Rapid deployment
- Ability to add or reduce capacity
- On-demand provisioning
- Disaster recovery
- Business expansion (across town or across the globe)

Business Use of Cloud Services: Streamlined Business Development
- Focus on innovation & research
- Reduced effort on management, maintenance & support
- Simplified entry into or exit from business initiatives
- Increased access to technical expertise

CLOUD SERVICE RISKS

Cloud Service Risks: Security
- Physical access to infrastructure, systems & data
- Physical location of systems & data
- Logical access to the network, OS, applications & databases
- Network & data segregation

Cloud Service Risks: Availability
- Cloud provider service interruptions
- Data location/availability for restoration
- Network/connectivity interruptions
- Failure of the provider to adhere to SLAs
- Service provider disaster recovery

Cloud Service Risks: Processing Integrity
- Adherence to change management procedures
- Incident management
- Failure of the provider to adhere to SLAs
- Timeliness, accuracy, authorization & completeness of processing

Cloud Service Risks: Confidentiality
- Commingling of data & other assets
- Unauthorized access to sensitive or trade secret information
- Privacy
- International laws affecting the service provider's location
- Regulatory compliance/legal liability
- Breach & incident management

Audience Question: Are the risks associated with cloud computing (e.g., data security, availability, long-term viability, etc.) preventing you from adopting cloud services?
a) Yes
b) No

GOVERNANCE OF THE CLOUD Critical Policies, Procedures & Controls

Governance of the Cloud
- Governance
- Risk Management
- Tools

Governance of the Cloud: Governance
- Information Security
- Metrics
- Service-Level Agreements

Governance of the Cloud: Governance: Information Security
o Data life cycle
o Data classification
o Formal policies & procedures

Governance of the Cloud: Governance: Metrics
o Objectives
o Define metrics
o Periodic assessment & review

Governance of the Cloud: Governance: Service-Level Agreements
o Ensure SLAs & contracts give the customer access to necessary performance & security data (e.g., audit logs, usage, etc.)
o Ensure SLAs contain appropriate controls
o Ensure executive management, legal, IT & business process owners are involved in the SLA development process

Governance of the Cloud: Risk Management
- Data-flow analysis
- Managing risks associated with unique cloud computing components
- Audit & compliance

Governance of the Cloud: Risk Management: Data-Flow Analysis
o Understand the information life cycle
o Develop data-flow schematics
o Develop policies to periodically review & update data-flow documentation

Governance of the Cloud: Risk Management: Managing Cloud Computing Risks
o Maintain an application & technology layer inventory
o Develop the inventory in conjunction with the data-flow analysis
o Develop controls to address risks associated with each layer of the cloud stack

Governance of the Cloud: Risk Management: Audit & Compliance
o Understanding cloud risks & regulatory implications
o Leverage existing risk assessment tools & control frameworks
o Assessing control maturity
o Vendor management

Governance of the Cloud: Procedures/Tools
- Control frameworks (NIST, COBIT, CSA)
- Data-flow analysis
- The CIS Security Metrics v1.0.0
- Cloud Security Alliance
- NIST SP 800-146
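The data-flow schematic and the application & technology layer inventory described above become useful once the policy rules are checked against them mechanically rather than by reading diagrams. The following added example (not from the presentation or from any vendor) does that in Python: each system in the inventory carries its service model, deployment model, storage country and the controls it has evidenced (for instance from a SOC 2 report), each flow carries the asset it moves and that asset's classification, and the policy says which controls a destination must have per classification level, which assets are subject to data residency limits (the "international laws affecting service provider location" risk), and the highest classification allowed on a public cloud at all. The systems, flows, asset names and policy thresholds are constructed for illustration.

```python
"""Policy-as-code check over a cloud data-flow inventory.

Added example, not part of the original presentation. The systems, flows,
data assets and policy rules below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Classification levels in increasing order of sensitivity.
CLASSIFICATIONS = ["public", "internal", "confidential", "restricted"]


@dataclass(frozen=True)
class System:
    """One entry in the application & technology layer inventory."""
    name: str
    service_model: str     # "on-prem", "SaaS", "PaaS" or "IaaS"
    deployment: str        # "private", "community", "public" or "hybrid"
    region: str            # country where the provider stores the data
    controls: frozenset    # controls evidenced for this system, e.g. via a SOC 2 report


@dataclass(frozen=True)
class Flow:
    """One edge of the data-flow schematic."""
    source: str
    dest: str
    asset: str
    classification: str
    encrypted_in_transit: bool


@dataclass
class Policy:
    # Controls a destination must evidence to hold data at a given level.
    # Requirements accumulate: "restricted" data also needs the "confidential" controls.
    required_controls: dict = field(default_factory=dict)
    # Assets that must stay inside a set of countries (data residency / privacy law).
    residency: dict = field(default_factory=dict)
    # Highest classification that may be placed on a public cloud at all.
    max_public_cloud_level: str = "confidential"


def level(classification):
    return CLASSIFICATIONS.index(classification)


def evaluate(systems, flows, policy):
    """Return a list of (flow, reason) findings; an empty list means the inventory is compliant."""
    by_name = {s.name: s for s in systems}
    findings = []
    for flow in flows:
        dest = by_name[flow.dest]
        lvl = flow.classification
        if lvl != "public" and not flow.encrypted_in_transit:
            findings.append((flow, "non-public data sent without transport encryption"))
        if dest.deployment == "public" and level(lvl) > level(policy.max_public_cloud_level):
            findings.append((flow, f"{lvl} data is not permitted on a public cloud"))
        allowed_regions = policy.residency.get(flow.asset)
        if allowed_regions and dest.region not in allowed_regions:
            findings.append((flow, f"{flow.asset} stored in {dest.region}; allowed: {sorted(allowed_regions)}"))
        # Walk every level up to and including the flow's own, so requirements accumulate.
        for lv in CLASSIFICATIONS[: level(lvl) + 1]:
            missing = set(policy.required_controls.get(lv, ())) - dest.controls
            if missing:
                findings.append((flow, f"{dest.name} lacks {sorted(missing)} required for {lv} data"))
    return findings


# Constructed sample inventory; names and regions are hypothetical.
SYSTEMS = [
    System("erp-onprem", "on-prem", "private", "US", frozenset({"encryption_at_rest", "mfa", "audit_logging"})),
    System("crm-saas", "SaaS", "public", "US", frozenset({"encryption_at_rest", "audit_logging"})),
    System("analytics-iaas-eu", "IaaS", "public", "IE", frozenset({"encryption_at_rest", "mfa", "audit_logging"})),
    System("backup-iaas", "IaaS", "public", "SG", frozenset({"encryption_at_rest"})),
]
FLOWS = [
    Flow("erp-onprem", "crm-saas", "customer_contacts", "confidential", True),
    Flow("erp-onprem", "analytics-iaas-eu", "eu_customer_pii", "confidential", True),
    Flow("erp-onprem", "backup-iaas", "eu_customer_pii", "confidential", True),
    Flow("erp-onprem", "backup-iaas", "payroll", "restricted", False),
]
POLICY = Policy(
    required_controls={"confidential": ["encryption_at_rest", "audit_logging"], "restricted": ["mfa"]},
    residency={"eu_customer_pii": {"IE", "DE", "FR"}},
)


def sample_findings():
    return evaluate(SYSTEMS, FLOWS, POLICY)


if __name__ == "__main__":
    for flow, reason in sample_findings():
        print(f"{flow.source} -> {flow.dest} [{flow.asset}, {flow.classification}]: {reason}")
```

Run against the sample inventory, the two flows into the US SaaS CRM and the Irish analytics tenant pass, the EU PII backup to Singapore fails on residency and on a missing control, and the unencrypted restricted payroll flow collects four findings. The value of keeping the check in code is that it is re-run whenever the inventory or the data-flow documentation is updated, which is the periodic review the governance slides call for.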

Audience Question: If your organization is currently utilizing cloud services, have formal documented policies, procedures and controls been developed to address cloud computing specific risks?
a) Yes
b) No

Governance of the Cloud: Procedures/Tools Links
- NIST Guidance: http://csrc.nist.gov/publications/drafts/800-146/draft-nist-sp800-146.pdf
- Cloud Security Alliance (CSA): https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf and https://cloudsecurityalliance.org/research/ccm/
- Information Systems Audit and Control Association (ISACA): http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cloud-Computing-Management-Audit-Assurance-Program.aspx
- The Center for Internet Security (CIS): https://benchmarks.cisecurity.org/tools2/metrics/cis_security_metrics_v1.1.0.pdf

THIRD-PARTY MANAGEMENT CONSIDERATIONS FOR THE CLOUD

Third-Party Management: Use of the Cloud
- Transfers risk
- Reduces control
- Requires new control considerations:
  o Service-level management
  o Third-party management

Third-Party Management: Define & Manage Service Levels
Control Objective: Controls provide reasonable assurance that service levels are defined & managed in a manner that satisfies financial reporting system requirements & provides a common understanding of the performance levels against which the quality of services will be measured.
Sample Control Activities
1) Service levels are defined & managed to support financial reporting system requirements.
2) A framework is defined to establish key performance indicators to manage service-level agreements, both internally & externally.

Third-Party Management: Manage Third-Party Services
Control Objective: Controls provide reasonable assurance that third-party services are secure, accurate & available, support processing integrity & are defined appropriately in performance contracts.
Sample Control Activities
1) A designated individual is responsible for regular monitoring & reporting on the achievement of the third-party service-level performance criteria.
2) Selection of vendors for outsourced services is performed in accordance with the organization's vendor management policy.

Third-Party Management: Sample Control Activities (Continued)
3) IT management determines that, before selection, potential third parties are properly qualified through an assessment of their capability to deliver the required service & a review of their financial viability.
4) Third-party service contracts address risks, security controls & procedures for information systems & networks in the contract between the parties.
5) Procedures exist & are followed to ensure that a formal contract is defined & agreed for all third-party services before work is initiated, including definition of internal control requirements & acceptance of the organization's policies & procedures.
6) A regular review of security, availability & processing integrity is performed for service-level agreements & related contracts with third-party service providers.
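The control activities above ask for key performance indicators and for a designated individual who monitors whether the provider meets its service-level criteria. The provider's own status page is the weakest evidence for that, so the customer should be able to compute availability from its own incident records and compare it to the contractual target. The following added example (not from the presentation) does that in Python for one monthly reporting period. It handles the two places where a naive sum of outage minutes goes wrong: overlapping incident windows (the provider's notice and the customer's own monitoring recording the same outage) are merged so downtime is not double-counted, and incidents that straddle the period boundary are clipped to it. The incident windows, target, and credit tiers are constructed for illustration; real SLAs define their own measurement rules, exclusions and credit schedules.

```python
"""Independent SLA availability check from the customer's own incident records.

Added example, not part of the original presentation. The incident windows,
reporting period, availability target and credit tiers are constructed.
"""
from datetime import datetime


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs so downtime is not double-counted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(incidents, period_start, period_end):
    """Total outage minutes inside the reporting period, clipping incidents that straddle its edges."""
    clipped = [
        (max(start, period_start), min(end, period_end))
        for start, end in incidents
        if end > period_start and start < period_end
    ]
    return sum((end - start).total_seconds() for start, end in merge_intervals(clipped)) / 60


def availability_pct(incidents, period_start, period_end):
    """Availability over the period as a percentage of total minutes."""
    total_minutes = (period_end - period_start).total_seconds() / 60
    return 100.0 * (1 - downtime_minutes(incidents, period_start, period_end) / total_minutes)


def service_credit_pct(availability, tiers):
    """tiers: (minimum availability %, credit %) pairs ordered highest first; the first tier met applies."""
    for minimum, credit in tiers:
        if availability >= minimum:
            return credit
    return tiers[-1][1]


# Constructed reporting period and incident log (hypothetical provider, March 2012).
PERIOD_START = datetime(2012, 3, 1)
PERIOD_END = datetime(2012, 4, 1)
INCIDENTS = [
    (datetime(2012, 3, 5, 2, 0), datetime(2012, 3, 5, 2, 45)),      # provider's status notice
    (datetime(2012, 3, 5, 2, 30), datetime(2012, 3, 5, 3, 10)),     # own monitoring; overlaps the above
    (datetime(2012, 3, 20, 23, 30), datetime(2012, 3, 21, 0, 15)),  # crosses midnight, within period
    (datetime(2012, 3, 31, 23, 50), datetime(2012, 4, 1, 0, 20)),   # straddles month end; 10 min count
    (datetime(2012, 2, 29, 23, 0), datetime(2012, 2, 29, 23, 30)),  # previous period; excluded
]
SLA_TARGET_PCT = 99.9                                     # contractual monthly availability
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]   # hypothetical credit schedule


def monthly_report():
    """KPI record the designated owner would file for the period."""
    down = downtime_minutes(INCIDENTS, PERIOD_START, PERIOD_END)
    avail = availability_pct(INCIDENTS, PERIOD_START, PERIOD_END)
    return {
        "downtime_minutes": down,
        "availability_pct": avail,
        "sla_met": avail >= SLA_TARGET_PCT,
        "credit_pct": service_credit_pct(avail, CREDIT_TIERS),
    }


if __name__ == "__main__":
    report = monthly_report()
    print(f"downtime {report['downtime_minutes']:.0f} min, "
          f"availability {report['availability_pct']:.3f}%, "
          f"SLA met: {report['sla_met']}, credit {report['credit_pct']}%")
```

For the constructed log the merged, clipped downtime is 125 minutes out of 44,640 in March, roughly 99.72% availability, which misses the 99.9% target and lands in the 10% credit tier. Filing this record each period, alongside the provider's own figure, is the evidence for control activity 1 and for a regular review of the SLA under activity 6.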

Service Organization Control Reports

| | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| Purpose | Report on controls relevant to user entities' ICFR (1) | Report on controls related to compliance & operations | Report on controls related to compliance & operations |
| Use of Report | Restricted (2) | Restricted (3) | General |
| Report Detail | Includes testing detail | Includes testing detail | No testing detail |
| AICPA Interpretive Guidance | SSAE 16 & AICPA Guide | AT 101, Trust Services Principles, & AICPA Guide | AT 101 & Trust Services Principles |

(1) Internal Control Over Financial Reporting
(2) Service organization management, users, users' auditor
(3) Service organization management, users, knowledgeable parties

SOC 1: SSAE 16
- Focus is on controls relevant to user entities' internal control over financial reporting (ICFR)
- Typical cloud organizations providing SOC 1 reports:
  o SaaS, for processes/applications impacting ICFR: third-party administrators, payroll providers, tax management, specialized A/P services
  o IaaS/PaaS, if deemed relevant to ICFR by user management

SOC 1 Content
- Auditor opinion
- Management assertion
- Narrative description of the system
- User considerations
- Control objectives & activities (description & results of testing for Type 2)
- Other relevant unaudited information

SOC 2 Reporting
- Governed by AT 101 (attestation service); SSAE 16 guidance also to be used
- Criteria for evaluation are the Trust Services Principles (TSP), not ICFR
- Risk basis for control objectives & activities:
  o SOC 1/SSAE 16: ICFR
  o SOC 2: TSP

SOC 2 Reporting: TSP Criteria
- Security
- Confidentiality of information processed
- Availability
- Processing integrity of the system
- Privacy of information processed

SOC 2 Reporting: Limited Use Report
- Users: generally user entity management (not user auditors), the service organization & knowledgeable parties
- Helps user entity management:
  o Obtain information about service organization controls
  o Assess & address risks
  o Carry out its responsibility for monitoring

SOC 2 Reporting: Content
- Auditor opinion
- Management assertion
- Narrative description of the system
- User considerations
- Control objectives & activities (description & results of testing for Type 2)
- TSP/control matrix to demonstrate support of the selected TSPs
- Other relevant unaudited information

Audience Question: Have you formally inventoried and reviewed all cloud vendor contracts to ensure security controls have been appropriately addressed, measurable service-level agreements are in place and SOC audits have been performed, when required?
a) Yes
b) No

Questions?

Thank You Rod Walsh Director IT Risk Services 816.221.6300 rwalsh@bkd.com