CLOUD RISK AND GOVERNANCE Professional services for the enterprise

Transcription

1 cloud consulting CLOUD RISK AND GOVERNANCE Professional services for the enterprise Effectively gauge cloud risk to implement the proper security measures and reporting metrics for your journey to the cloud Let Guide Holdings help you understand the impact of cloud adoption on your IT infrastructure, but just as importantly compare options of services and the necessity/efficiency of mitigations. Are security concerns keeping your organization from migrating to the cloud? Where are the serious risks within your cloud strategy? SURVEY - Security Concerns When Migrating to the Cloud GH will guide you through your transformation with advisory or co-development as you move through the stages of cloud deployment. As you prepare for your cloud journey, GH can: Review or develop an organizational cloud strategy Generate requirements for successful cloud deployment Compare your organizational needs with cloud expectations Perform a risk assessment and discuss risk tolerances Review, validate or create institutional policies for cloud appropriateness Review or develop a data classification methodology and protection capabilities Provide your team cloud baseline understanding through group training Provide best practices and find institutional deficiencies PREPARE - Getting Your Cloud Project Off the Ground For the next level in your cloud voyage, look to GH during your readiness efforts. Resiliency, speed and cost are common benefits of cloud adoption not accounting for cloud native designs and security patterns will destroy most of those advantages. These oversights may also leave an organization open to security and compliance risks. The preparation stage elements involve: Evaluate/recommend security tools for cloud capabilities Document areas of concern by security domain, business segment or internal processes Identify, catalog and architect risk mitigations Compare organizational performance against similarly sized companies, by industry verticals or by compliance obligations Design, review and integrate third party cloud vendor assessment methodologies Develop a deployment roadmap

2 cloud consulting cloud risk and governance EXECUTE The How and When for the Initial Move At this point in the adventure, you ll need to identify an initial application candidate and recommend a deployment methodology. Our goal involves institutionalizing the process with the identified stakeholders, decision makers and reviewers. Knowing where and how to integrate the capabilities into the organizational structure will pay dividends. We ll identify the quick win with the expectation other future migrations will be less painful. Execution phase elements include: Schedule timelines and a project plan Identify and catalog top transition candidate applications Design and Integrate cloud into existing processes Identify and architect necessary security patterns Implement and test a sand boxed pilot demo with sample data Migrate and test in the production environment Document the lessons learned KEY BENEFITS Our cloud risk & governance framework utilizes industry best practices and open source tools from the Cloud Security Alliance, Microsoft and others. This framework allows control category comparisons, gap analyses and asset value based compensating controls. Compare quantified cloud and enterprise migration risks side by side for better decision making. Assessment methodologies facilitate application transition from internal/enterprise environments to public cloud infrastructures and include third party risk transference knowledge when combined with the CSA Security Trust and Assurance Registry (STAR). Experts with the Cloud Controls Matrix (CCM) utilized in the NIST cloud computing standards for risk identification and control. Performed Consensus Assessment Initiative Questionnaire (CAIQ) assessments of the largest, most demanding environments, creating and refining time saving processes and tools. Insider access as long-term CSA contributors for troubleshooting, CCM/CAIQ developer feedback and advanced knowledge of project enhancements. Experience with architectural and risk assessments for wide range of industry verticals and process integration at all levels of company size and maturity. CONTACT: Jon-Michael C. Brook Principal: Cloud, Security & Privacy jcbrook@ghllc.co (G) (m)

3 professional profile JON-MICHAEL C. BROOK Principal: Security, Privacy, Cloud CISSP #25593 Jon-Michael C. Brook has over 20 years of IT Privacy, Cyber Security and Cloud Computing experience advising Fortune 500 customers across multiple industry verticals. Jon-Michael C. Brook is a certified, 20-year practitioner of information security, cloud and privacy. He is educated in both business and technology and often translates requirements between executives and technologists. Mr. Brook navigates customers, partners and multi-disciplined corporate teams, identifying areas of synergy resulting in higher productivity and profitability. He is the principal contributor to certification sites for privacy and cloud security, and published books on privacy. He received numerous awards and recognitions during his time with Raytheon, Northrop Grumman and Symantec, and holds patents and trade secrets in intrusion detection, GUI design and semantic data redaction. In 2017, the Cloud Security Alliance (CSA) recognized Mr. Brook s contributions as their first professional Research Fellow. Contact: jcbrook@ghllc.co (G) (m) Mr. Brook currently co-chairs the CSA s most successful publication, the Top Threats to Cloud Security Working Group, which released the 2016 Treacherous Twelve report. He previously co-chaired the Cloud Broker working group and contributed to several CSA publications including the 2013 Top Threats, DLP as a Service Guide and Trusted Cloud Initiative/Enterprise Architecture. He regularly presents on security, cloud and privacy. He is a certified trainer for the CSA's Certificate of Cloud Security Knowledge (CCSK), teaching the CCSK Plus training at the 2015 and 2016 Black Hat Conferences with Securosis. To better share the risks inherent in cloud computing, he is currently codeveloping training for the Cloud Controls Matrix (CCM), the cloud security standard and an internationally-accepted GRC framework. Relevant Publication Samples Top Threats Working Group Co-Chair, and Co-Author for The Notorious Nine (2013), The Treacherous Twelve (2016) and Industry insights (2017) - Co-author for the Cloud Security Alliance Trusted Cloud Initiative/Enterprise Architecture - More Available - Credentials MBA, BS Computer Engineering, CISSP, CCSK, GCIA, CCNP, AWS Certified: Business Development and Solutions Architect: Associate, ITIL v3, 6-Sigma Greenbelt Professional References John Yeoh (Sr. Research Analyst, Cloud Security Alliance) jyeoh@cloudsecurityalliance.org Rich Mogull (Co-founder & CEO, Securosis) rmogull@securosis.com Jim Reavis (Co-founder & CEO, Cloud Security Alliance) - jreavis@cloudsecurityalliance.org Raj Samani (Chief Scientist, Intel Security) - raj@samani.eu Dave Elliott (Global Product Lead, Google Cloud Platform) - dave.elliott2005@gmail.com

4 professional profile RANDALL BROOKS Engineering Fellow & Trainer CISSP #25595 Randall Brooks has 20 years of IT, Cyber Security and Cloud Computing experience directing some of the largest initiatives at Raytheon. Randall Brooks is an Engineering Fellow for Raytheon Company (NYSE: RTN), representing the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1). Mr. Brooks has more than 15 years of experience in Cybersecurity with a recognized expertise in Software Assurance (SwA) and secure development life cycles (SDLC). He received multiple top corporate engineering awards and holds seven patents. Contact: Mr. Brooks currently is the lead corporate representative to the Cloud Security Alliance for his company. This work, along with work on CS1 drives domestic and international Cloud Security standards such as the cloud controls matrix (CCM) and ISO He also contributed to the Top Threats to Cloud Security Working Group and a working group to map the CCM to FedRAMP. Mr. Brooks is a frequent speaker at cloud security focused events such as RSA, P.S.R. CSA Summits and CSA Congress. He teaches cloud security within Raytheon and holds the Certificate of Cloud Security Knowledge (CCSK). brooks@ghllc.co (G) (m) Credentials BS Computer Science, CISSP, CCSK, CSSLP, ISSEP, ISSAP and ISSMP

5 company profile ABOUT GUIDE HOLDINGS, LLC Founded in 2008, Guide Holdings furthers Cloud and Cyber Security in today s ever-changing threat landscape. Guide Holdings provides consulting, architecture and training services for security and privacy in the Public Cloud. Industry clients may recognize the exam preparation sites for Information Privacy (CIPP Guide) and Cloud Security Professionals (CCSK Guide, CCSP Guide). Consulting Services The Guide Holdings team draws on years of combined experience and successful execution. Our associates work at the largest companies across multiple industry verticals. Advisement services for such a wide range of verticals gives a unique and multi-tiered perspective of security and cloud landscapes. The Guide Holdings team collaborated and defined standards within CSA, NIST and the ISO. This expertise yields capability integrations and best practices knowledge provided to our clients. Industry Experience Government Department of Defense Intelligence Agencies Gaming Insurance Finance Software Development Oil and Gas Pharmaceutical Healthcare Banking Aerospace Travel/Hospitality Agriculture Commercial Legal Professional Training Since 2008, the CIPP Guide, CCSK Guide and CCSP Guide provided exam preparation materials and commentary for privacy and cloud security to over 8,000 security practitioners, legal and IT professionals. These include employees of the Fortune 500, with titles ranging from implementer to C-level executive. Our staff are certified trainers in their areas of expertise. We co-author or significantly contribute to the organization responsible for the core concepts. This includes such groups as the International Information Systems Security Certification Consortium (ISC2), the Cloud Security Alliance (CSA), the International Association of Privacy Professionals (IAPP), the National Institute of Standards and Technologies (NIST), the International Standards Organization (ISO) and the SANS Institute.