Cloud Computing: Background, Risks and Audit Recommendations

Similar documents
Orchestrating the New Paradigm Cloud Assurance


The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

Security Issues in Cloud Computing

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Managing Cloud Computing Risk

Key Considerations of Regulatory Compliance in the Public Cloud

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

On Premise Vs Cloud: Selection Approach & Implementation Strategies

Cloud Computing; What is it, How long has it been here, and Where is it going?

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

I D C V E N D O R S P O T L I G H T

Cloud Security Introduction and Overview

Private & Hybrid Cloud: Risk, Security and Audit. Scott Lowry, Hassan Javed VMware, Inc. March 2012

GETTING THE MOST FROM THE CLOUD. A White Paper presented by

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Cloud Services Overview

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing in the Enterprise An Overview. For INF 5890 IT & Management Ben Eaton 24/04/2013

Asia/Pacific. Yanna Dharmasthira

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Cloud Computing demystified! ISACA-IIA Joint Meeting Dec 9, 2014 By: Juman Doleh-Alomary Office of Internal Audit

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

Clinical Trials in the Cloud: A New Paradigm?

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

Cloud models and compliance requirements which is right for you?

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Are You Prepared for the Cloud? Nick Kael Principal Security Strategist Symantec

Cloud Computing: Risks and Auditing

How to ensure control and security when moving to SaaS/cloud applications

Enhancing Operational Capacities and Capabilities through Cloud Technologies

Architecting the Cloud

50x Zettabytes*

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

How To Run A Cloud Computer System

Kent State University s Cloud Strategy

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Computing Security Issues

IBM EXAM QUESTIONS & ANSWERS

Cloud Computing and Records Management

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Cloud Security Alliance New Zealand Contribution to the Privacy Commissioner. 23 February 2012

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

Security & Trust in the Cloud

Current Reality: A Look at Cloud Opportunities Beyond the Hype

Cloud Security and Managing Use Risks

Cloud Computing. What is Cloud Computing?

6 Cloud computing overview

The Need for Service Catalog Design in Cloud Services Development

Cloud Computing: The Next Computing Paradigm

2014 HIMSS Analytics Cloud Survey

Addressing Cloud Computing Security Considerations

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Cloud Computing: Legal Risks and Best Practices

The Push and Pull of the Cloud. TPI Cloud Computing Overview. April 5 th 2011

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

How To Understand Cloud Computing

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

Secure Cloud Computing Concepts Supporting Big Data in Healthcare. Ryan D. Pehrson Director, Solutions & Architecture Integrated Data Storage, LLC

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

The Elephant in the Room: What s the Buzz Around Cloud Computing?

Compliance and the Cloud: What You Can and What You Can t Outsource

D. L. Corbet & Assoc., LLC

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing An Auditor s Perspective

Security Considerations for Public Mobile Cloud Computing

Sensitive Data Management: Current Trends in HIPAA and HITRUST

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

CLOUD COMPUTING. A Primer

IT Audit in the Cloud

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

AskAvanade: Answering the Burning Questions around Cloud Computing

OVERVIEW Cloud Deployment Services

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Cloud Computing. Cloud computing:

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

A.Prof. Dr. Markus Hagenbuchner CSCI319 A Brief Introduction to Cloud Computing. CSCI319 Page: 1

CLOUD COMPUTING OVERVIEW

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Cloud Security Who do you trust?

Deploying a Geospatial Cloud

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

Transcription:

Cloud Computing: Background, Risks and Audit Recommendations October 30, 2014

Table of Contents Cloud Computing: Overview 3 Multiple Models of Cloud Computing 11 Deployment Models 16 Considerations For Moving To The Cloud 21 Risks 32 Cloud Computing Audit Approach 49 Appendix 69 2

Cloud Computing: Overview

Cloud Computing - Definition Cloud Computing describes the use of a collection of services, applications, information, and infrastructure comprised of pools of compute, network, information, and storage resources These components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down; providing for an ondemand utility-like model of allocation and consumption Key Features On demand self service Standardized IT based capability Rapid Elasticity Web based accessibility & flexibility Location independent resource pooling Scalability & resilience as key design components Prices on a consumption based model Ubiquitous network access 4

Essential Characteristics Of Cloud Computing According to National Institute of Standards and Technology (NIST), the five essential characteristics of cloud computing are: On-Demand Self Service Authorized agencies must be able to provide and release capabilities, as needed, automatically, without requiring human interaction with each services provider. Broad Network Access Once provisioned, the software, platform, or infrastructure maintained by the cloud provider should be available over a network using thin or thick clients. Resource Pooling The resources provisioned from the cloud provider should be pooled to serve multiple agencies or programs using a multitenant model, with different physical and virtual resources dynamically assigned and reassigned according to the agency s self-service demand Rapid Elasticity Elasticity is defined as the ability to scale resources both up and down as needed. Cloud Computing capabilities should be rapidly and elastically provisioned and released. Measured Service Cloud resource usage should be monitored, controlled, and reported providing transparency for both the provider and consumer of the service. 5

The Latest Evolution Of Hosting Source: http://blog.karmona.com/wp-content/uploads/2009/01/cloud-computing-the-latest-evolution-of-hosting.jpg 6

Cloud Computing Drivers and Inhibitors Pay-as-you-go Immediately scalable Cloud characteristics Multi-tenant Highly abstracted Drivers Inhibitors 7

Top 5 Reasons For Moving To The Cloud 41.5 41.3% 41 40.5 40.5% 40.4% 40.3% 40 39.5 39 39% 38.5 38 37.5 Get Access to the newest functuonality faster Increase revenue by enabling us to build new revenue generating products and services faster Improve Resource Utilization Reduce The total size of IT Budget Give Business units more direct control over sourcing their own IT Solutions Percentage Respondents n = 1,109 Source: IDC's CloudTrack Survey, October 2013 8

Top 6 Inhibitors for Considering Public Cloud Services Moving to cloud based systems not only has many benefits but also is accompanied by some challenges that need to be addressed. 60 50 49% 40 30 35.3% 32.9% 32.3% 31% 30.7% 20 10 0 Security Concerns Regulatory or Compliance Issues Reliability concerns in terms of service availability Concerns cloud cannot support the operational Requirements IT Governance Immaturity of cloud issues including challenges related to defining standard services Percentage Respondents n = 1,109 Source: IDC's CloudTrack Survey, October 2013 9

Multiple Models of Cloud Computing

Multiple Models of Cloud Computing Cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. OR more simply, IT runs over the Internet instead of installing hardware and software yourself. Characteristics Service Models Deployment Models On demand self-service Pay as you use Rapid elasticity (expand / contract) Multi tenancy (shared pool) Broad network access Business Process as a Service (emerging) Entire business process as a service in the cloud Software as a Service Finished applications that you rent and customize Platform as a Service Developer platform that abstracts the infrastructure, OS, and middleware for developer productivity Infrastructure as a Service Deployment platform that abstracts the infrastructure Public Cloud Community Cloud Hybrid Cloud Private Cloud 11

Cloud Computing Offerings Business / Enterprise Influenced System Infrastructure Application Infrastructure Application and Information Process Consumer / Web Influenced * A sample list only. There are many more players. 12

Public Cloud Buyer Preference by Providers AWS 27 19 27 27 Google 19 37 35 9 Microsoft 17 38 37 8 AT&T 7 27 34 32 Rackspace 7 36 35 22 Verizon-Terremark 5 20 34 41 IBM 5 35 46 14 CenturyLink-Savvis 4 12 32 52 HP 4 33 45 18 CSC 2 9 31 58 Joyent 2 11 44 43 GoGrid 1 13 32 54 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Already Using Aware of and likely to consider Aware of and not considering Not aware 13 Percentage Respondents n = 101 Source: Everest Group, Enterprise Cloud Adoption Survey 2013

Cloud Usage How Can It Help Businesses Operationally? Allowing High Variable Demand - Elastic nature of the infrastructure to rapidly allocate and de-allocate massively scalable resources to business services on a demand basis Reaching Geographically Dispersed Users Consolidating Company IT Planning for Disaster Recovery Decoupling and separation of the business service from the infrastructure needed to run it (virtualization) Flexibility to choose multiple vendors that provide reliable and scalable business services, development environments, and infrastructure that can be leveraged out of the box and billed on a metered basis with no long term contracts Cost allocation flexibility for customers wanting to move CapEx into OpEx Reduced costs due to operational efficiencies, and more rapid deployment of new business services Operational Expertise Patch Management, Version Updates, Data Security Management 14

Cloud Usage How The Cloud Is Being Utilized? 35% 30% 30% 25% 25% 20% 15% 15% 10% 5% 5% 5% 5% 5% 5% 5% 0% Collaboration Social Media File Sharing Content Sharing Cloud Infrastructure Back-Up & Archiving CRM IT Services Media Source: Skyhigh Cloud Adoption Risk Report Q1 2014 15

A Shift Toward Decentralized, Vertical, Subscription-Based Buying The broader software implementation trends illustrate how enterprises are already changing their approach to purchasing applications and IT. Approach to Software Implementation Vertical Specific software n=532 16 42 17 13 7 5 Question Asked: What was the chosen approach for the implementation of those software applications? Base: Respondents are piloting or have deployed the software application enterprise wide and/or in some business units. Percentages may not add up to 100% because of rounding. Web Conferencing, Collaboration/Social Software Suites n=582 Enterprise Control Management n=473 Digital Content Creation n=442 Office suites n=688 Project and Portfolio Management n=541 Customer relationship management n=596 Supply chain management n=481 Enterprise resource planning n=529 17 17 15 19 18 20 18 17 35 40 38 45 37 41 35 41 20 15 22 14 18 15 22 19 14 9 6 15 6 9 14 6 5 13 7 3 14 8 5 14 5 5 14 6 5 13 4 5 Business Intelligence n=517 15 41 16 15 5 8 Source: Market Trends Application 0 10 20 30 40 50 60 70 80 90 100 110 SaaS On-Premise License Hosted License On-Premise Subscription Open Source Don t Know 16

Most Used Applications In The Public Cloud SaaS is a turnkey service, with application, presentation, and data tiers and all associated services in a single service that can be accessed and provisioned over the Internet. 21.5 21 21.2% 20.9% 20.5 20 19.5 19.6% 19.3% 19 18.9% 18.5 18 17.5 CRM Applications(Marketing/sales) CRM Applications(Call Centers/Contact Centers) Supply Chain & Logistics Human Resource Application Financial/Accounting Applications Percentage Respondents n = 1,109 Source: IDC's CloudTrack Survey, October 2013 17

Cloud Adoption by Company Size < 20 Employees 68% 6% 20-99 Employees 61% 7% 100-249 Employees 66% 9% 250-499 Employees 50% 11% 500+ Employees 53% 9% Source: Infographic: SMB Cloud Adoption Trends in 2014 18

Cloud Maturity SMB vs Enterprise SMB Enterprise 20% Developing a cloud strategy 16% 29% 35% Working on first cloud project 25% Multiple projects & developing 31% apps in the cloud 26% Heavily using cloud infrastructure 18% Source: Infographic: SMB Cloud Adoption Trends in 2014 19

Market Forecast

Cloud Services Market Outlook Source: Investors' Business Daily 21

Cloud Services Market Outlook Cloud service revenue is expected to be USD 220bn by 2015, and USD 480bn by 2019 Business processes (cloud-based advertising, e-commerce, human resources, payment processing and other business processes) cloud services market is expected to be USD 370bn by 2019 Data from Intuit and Emergent Research reveals that by 2020, 78 percent of small businesses will be fully adapted to cloud computing. That s more than double the current 37 percent adoption rate as of 2014. Source: Research Pedia; Small Business Trends 22

Cloud Services Market Outlook Cisco predicts Cloud Data Center traffic to grow at 35% CAGR. By 2017, over twothirds of all data center traffic is expected to be based in the cloud. Source: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/cloud_index_white_paper.pdf 23

Risks

Clouds Are Cloudy Requirements Services As visibility is lost Where is the data? Who can see the data? Who has seen the data? Has data been tampered with? Where is processing performed? How is processing configured? Does backup happen? How? Where? security, compliance, and value are lost as well. 25

Top Risks Loss of Governance Lock-In Management Interface Compromise Incomplete or Insecure Data Deletion Data Protection Malicious Insider / Investigative Support Isolation Failure Compliance Risks 26

Categories of Control Objectives Compliance Data Governance Facility Security Human Resources Information Security Legal Operations Management Risk Management Release Management Resiliency 27

Control Objectives Independent Regulatory Audits Compliance Vendor Management Information System Regulatory Mapping Intellectual Property Classification Data Governance Handling / Labeling / Security Policy Retention Policy Risk Assessments Policy Facility User Access Asset Management Background Screening Human Resources Employment Agreements Employment Termination 28

Control Objectives Management Program Policy, Reviews, Enforcement User Access Restriction / Authorization / Reviews Awareness Training Roles / Responsibilities Information Security Management Oversight User Access Policy Workspace Cleanliness Anti-Virus / Malicious Software Incident Management Identification, Reporting and Monitoring Incident Response Legal Preparation 29

Control Objectives Non-Disclosure Agreements Legal Third Party Agreements Service Level Agreements Operations Management Capacity / Resource Planning Program Assessments Risk Management Mitigation / Acceptance Business / Policy Change Impacts Third Party Access Release Management Resiliency Production Changes Outsourced Development Management Program Impact Analysis Business Continuity Planning Business Continuity Testing 30

Cloud Computing Audit Approach

Involvement of Internal Audit in Cloud Computing Vendor Selection & Contract Negotiation Validation of business case Right to Audit Clause and/or SSAE16 Compliance Scope Impact of Regulations on Data Security Stability of Partners and Services Providers Contractual Data Protection Responsibilities and Related Clauses Impact of Regulations on Provider Infrastructure Prepare Evidence of How Each Requirement Is Being Met Project management - roles and responsibilities Data migration strategy Inherent and residual risk assessment Pre-Implementation Review Post-Implementation Review Accuracy of data Policies and procedures pertaining to data security, privacy of data Regulatory changes - HIPAA, PCI, etc. 32

Audit/Projects Around Cloud Computing Cloud computing platform evaluation / due diligence Data migration review to the new platform Management of the cloud computing function Security reviews Security of data Network accessibility User administration Regular review of SOC Type 1/provider sponsored audit reports Cost/Savings impact Realignment of controls for regulatory reporting SLA/KPI review to ensure the provider is living up to their end of the bargain Impacts to Disaster Recovery/Business Continuity 33

Scoping Define the audit objectives and scope. Understand the core business process and its alignment with IT, in its non-cloud form and current or future cloud implementation. Obtain a description of all cloud computing environments in use and under consideration. Obtain a description of all cloud computing applications in use and under consideration. Identify the types of cloud services (IaaS, PaaS, SaaS) in use and under consideration, and determine the services and business solutions to be included in the review. Obtain and review any previous audit reports with remediation plans. Identify open issues, and assess updates to the documents with respect to these issues. Since the areas under review rely heavily on the effectiveness of core IT general controls, it is recommended that audit/assurance reviews of the following areas be performed prior to the execution of the cloud computing review, so that appropriate reliance can be placed on these assessments: Identity management (if the organization s identity management system is integrated with the cloud computing system) Security incident management (to interface with and manage cloud computing incidents) Network perimeter security (as an access point to the Internet) Systems development (in which the cloud is part of the application infrastructure) Project management IT risk management Data management (for data transmitted and stored on cloud systems) Vulnerability management 34 ISACA, Cloud Computing Management Audit/Assurance Program, USA, 2010, CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cloud- to another third party. Computing-Management-Audit-Assurance-Program.aspx

Audit Approach The ISACA approach breaks down an audit into two categories Governing the Cloud Operating in the Cloud Each area has Control Objectives that are subsequently reviewed. 35 ISACA, Cloud Computing Management Audit/Assurance Program, USA, 2010, CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cloud- to another third party. Computing-Management-Audit-Assurance-Program.aspx

Audit Approach Governing the Cloud includes the following processes. The controls associated with these processes are then evaluated. Governance Audit/Assurance Objective: Governance functions are established to ensure effective and sustainable management processes that result in transparency of business decisions, clear lines of responsibility, information security in alignment with regulatory and customer organization standards, and accountability. Enterprise Risk Management Audit/Assurance Objective: Risk management practices are implemented to evaluate inherent risks within the cloud computing model, identify appropriate control mechanisms, and ensure that residual risk is within acceptable levels. Information Risk Management Audit/Assurance Objective: A process to manage information risk exists and is integrated into the organization s overall ERM framework. Information risk management information and metrics are available for the information security function to manage risks within the risk tolerance of the data owner. 36

Audit Approach Governing the Cloud includes the following processes. Third-party Management Audit/Assurance Objective: The customer recognizes the outsourced relationship with the service provider. The customer understands its responsibilities for controls, and the service provider has provided assurances of sustainability of those controls. Contractual Obligations Audit/Assurance Objective: The service provider and customer establish bilateral agreements and procedures to ensure contractual obligations are satisfied, and these obligations address the compliance requirements of both the customer and service provider.. Legal Compliance Audit/Assurance Objective: Legal issues relating to functional, jurisdictional and contractual requirements are addressed to protect both parties, and these issues are documented, approved and monitored. Right to Audit Audit/Assurance Objective: The right to audit is clearly defined and satisfies the assurance requirements of the customer s board of directors, audit charter, external auditors and any regulators having jurisdiction over the customer. 37

Audit Approach Governing the Cloud includes the following processes. Auditability Audit/Assurance Objective: The service provider s operating environment should be subject to audit to satisfy the customer s audit charter, compliance requirements and good practice controls without restriction. Compliance Scope Audit/Assurance Objective: The use of cloud computing does not invalidate or violate any customer compliance agreement. ISO 27001 Certification Audit/Assurance Objective: Service provider security assurance is provided through ISO27001 Certification. Service Transition Planning Audit/Assurance Objective: Planning for the migration of data, such as formats and access, is essential to reducing operational and financial risks at the end of the contract. The transition of services should be considered at the beginning of contract negotiations. 38

Audit Approach Operating in the Cloud includes the following processes. The controls associated with these processes are then evaluated. Incident Response, Notification and Remediation Audit/Assurance Objective: Incident notifications, responses, and remediation are documented, timely, address the risk of the incident, escalated as necessary and are formally closed. Application Security Architecture Audit/Assurance Objective: Applications are developed with an understanding of the interdependencies inherent in cloud applications, requiring a risk analysis and design of configuration management and provisioning process that will withstand changing application architectures. Compliance Audit/Assurance Objective: Compliance requirements are an integral component of the design and implementation of the application security architecture. 39

Audit Approach Operating in the Cloud includes the following processes. Tools and Services Audit/Assurance Objective: Use of development tools, application management libraries and other software are evaluated to ensure their use will not negatively impact the security of applications. Application Functionality Audit/Assurance Objective: For SaaS implementations, the application outsourced to the cloud contains the appropriate functionality and processing controls required by the customer s control policies within the processing scope (financial, operational, etc.). Encryption Audit/Assurance Objective: Data are securely transmitted and maintained to prevent unauthorized access and modification. 40

Audit Approach Operating in the Cloud includes the following processes. Key Management Audit/Assurance Objective: Encryption keys are securely protected against unauthorized access, separation of duties exists between the key managers and the hosting organization, and the keys are recoverable. Identity and Access Management Audit/Assurance Objective: Identity processes assure only authorized users have access to the data and resources, user activities can be audited and analyzed, and the customer has control over access management. Virtualization Audit/Assurance Objective: Virtualization operating systems are hardened to prevent crosscontamination with other customer environments. 41

At A Minimum: Execute A Cloud Service Provider Questionnaire Ask the basic questions Where do you store our data? Who can access and retrieve the data? Do you have auditing enabled? Is it available to us? How do you determine if our data has been tampered with? What are your configuration standards? Does backup happen? How? Where? Have you attained any external/independent security certifications? Follow-up with a detailed information security questionnaire 42

Ensure Basic Mitigation Techniques Are In Place Intellectual Property Loss Monitoring controls Encryption design and requirements Data backup management Compliance Reporting Specify a breach notification process Ask for independent reviews and certifications Use your own Golden Rule Treat my data like I treat my own Security Administration Analyze the cloud service provider (CSP) security model Ensure strong authentication and access controls Require the CSP to be completely transparent 43

Q & A

Thank You Cal Slemp Managing Director New York, NY +1.203.905.2926 cal.slemp@protiviti.com 45

Confidentiality Statement and Restriction for Use 46 This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information