Composite Compliance: Demonstrating Suitability of Cloud Layering for Sensitive and Regulated Workloads
- Bertha Taylor
1 Composite Compliance: Demonstrating Suitability of Cloud Layering for Sensitive and Regulated Workloads
Heather Hinton, PhD, IBM Distinguished Engineer, Master Inventor, Member IBM AoT
7 December 2015
2 Agenda
1. Composite Compliance: What is it, why do we need it?
2. Composite Compliance: How does it work?
3. Composite Compliance and Roles and Responsibilities
4. What's Next?
3 As customers move from traditional hosting and co-location arrangements to cloud hosted scenarios, they are being forced to change how they satisfy their requirements for end-to-end compliance (*)
- Software as a Service (marketplace of high value consumable business applications): "How do I know you are taking all due and required care of my (sensitive) data?"
- Platform as a Service (composable and integrated application development platform): "If I build my application using provided platforms, are they hardened and patched to my specifications?"
- Infrastructure as a Service (enterprise class, optimized infrastructure): "If I host my regulated data here, how do I know it won't be read or exfiltrated by the provider?"
(*) Note that in this world, compliance with international and regulatory standards typically is how we provide evidence of security
4 Background: Traditional Data Centers
(Diagram: Customers A, B and C each have their own auditors, their own support staff and a dedicated cage in the traditional data center, alongside the Data Center Support Staff)
Hosting Provider manages the data center (physical and environmental) security
- May or may not publish policies
- Will describe what and how managed
- Will perform independent audits
Customer (or managed services provider) manages servers, devices, cages
- To internally published policies
- Will perform independent audits! These audits will include access to the data center and raised floor to inspect and audit the cages and their contents
- Small number of customers on dedicated, labelled servers hosted in locked racks and cages
- Customers have physical and logical access to servers for maintenance, audit, checkup
- Data Center support staff will maintain raised floor and may have access to customer's racks/servers based on hosting agreement
- Customer retains right to enter at any time, including for purposes of audit
5 Background: Cloud Data Centers
(Diagram: the auditors of Customers A, B and C and the customers' own support staff are marked X, NOT ALLOWED into the cloud data center; only Data Center Support Staff are on the floor)
Cloud Provider manages the data center (physical and environmental) security
- May or may not publish policies
- Will describe what and how managed
- Will perform independent audits
Cloud Provider manages physical servers' health and maintenance
Customer manages O/S layer and up for servers through logical/remote access
- Will perform independent audits! They want these audits to include access to the data center and raised floor to inspect and audit their servers
What changes? (the slide strikes through the traditional wording and replaces it)
- Thousands of customers on co-mingled, unlabeled servers
- Small (now: large) number of customers on dedicated, labelled (now: shared, unmarked) servers hosted in locked racks and cages (now: hosted in open, accessible racks and rows)
- Customers have physical and logical access to servers for maintenance, audit, checkup (struck through)
- Data Center support staff will maintain raised floor and may have access to customer's racks/servers based on hosting agreement
- Customer retains right to enter at any time, including for purposes of audit (struck through)
- Servers instrumented for transparency through extensive logging and reporting available through Web portal/API
6 Traditional & Cloud Hosted Servers: A Banking Analogy
The model of cash deposit and withdrawal is analogous to server use in a Cloud/IaaS model
- Bank Client uses bank-provided money on demand; Cloud Client uses Cloud-provided servers on demand
1. Client takes money (bills, coins, checks) to the bank
2. Bank keeps it safe in the bank vault. Client trusts bank to safely hold money and is not allowed to see the vault
3. Client accesses money as needed, but almost certainly these are not the exact same bills that were deposited
The model of safety deposit box / bank vault use is analogous to the traditional hosting model
- Bank Client uses bank's safety deposit box to isolate and store client's owned and identifiable valuables; Traditional Client uses physical cages in the Data Center to isolate and protect client's identifiable servers
1. Client takes identifiable valuables to the bank
2. Bank keeps valuables in a customer-identified safety deposit box. Client has access to the safety deposit box
3. Client withdraws their identifiable valuables, the exact same valuables that were deposited. Customer does not get access to other customers' valuables
7 Composite Compliance allows workloads to leverage compliance assertions of their hosting platforms to demonstrate compliance of their workloads without having to do an end-to-end audit
- Software as a Service (marketplace of high value consumable business applications): Service Compliance (including as a statement of security) is demonstrated by Service's E2E compliance statements and audit reports
- Platform as a Service (composable and integrated application development platform): Platform's Readiness (applicability) for a given workload is demonstrated by PaaS provider's compliance statements and audit reports. Customer's E2E security and compliance depends on Platform provider
- Infrastructure as a Service (enterprise class, optimized infrastructure): Infrastructure's Readiness (applicability) for a given workload is demonstrated by IaaS provider's compliance statements and audit reports. Customer's E2E security and compliance depends on IaaS provider
8 Composite compliance: Described using a "bigger, better cake" metaphor
Transitive trust is the means by which we do most cryptographic relationships
- Provides guidelines that allow building blocks to work together
- Secret sauce is in providing evidence that trust is deserved and is based on mathematical proofs
Composite compliance: emerging approach for cloud
- Provides guidelines for making bigger building blocks out of smaller starter-set building blocks
- Secret sauce is in how to connect these building blocks into a bigger, seamless building block
- With compliance, this secret sauce is based on the clear articulation of the division of labor and communications between A, B and the assumptions governing these
Transitive Trust: Alice Trusts Bob, Bob Trusts Carol. Means that because of Transitive Trust, Alice Trusts Carol
Composite Compliance: Chocolate cake, Vanilla Cake. Means that with Composite Compliance, Vanilla Cake layered with Chocolate Cake is also a cake, as long as it is combined with icing and not extra spicy salsa (nouvelle cuisine aside)
9 Reprise 1: Composite Compliance: What is it, why do we need it?
What is it: A means of demonstrating that users can trust the lower levels of an E2E application/infrastructure stack, even when they can't touch it or test it
Why do we need it: This allows us to describe security and compliance of lower levels in the stack to a customer's risk management and audit teams. This is necessary as risk management teams have the ability to block or restrict adoption of Cloud solutions.
10 Agenda
1. Composite Compliance: What is it, why do we need it?
2. Composite Compliance: How does it work?
3. Composite Compliance and Roles and Responsibilities
4. What's Next?
11 Composite compliance builds on the foundation laid by policy frameworks such as NIST and standards such as ISO 27001
Using these types of frameworks, it becomes possible for us to frame a discussion based on "who does what" and build a decision process to guide our assessment
NIST control families: AC Access Control; AT Awareness and Training; AU Audit and Accountability; CA Security Assessment and Authorization; CM Configuration Management; CP Contingency Planning; IA Identity and Authentication; IR Incident Response; MA Maintenance; MP Media Protection; PE Physical and Environmental Protection; PL Planning; PS Personnel Security; RA Risk Assessment; SA Systems and Services Acquisition; SC Systems and Communications Protection; SI Systems and Information Integrity
ISO/IEC 27001:2013 controls: A.5 Information Security Policy; A.6 Organization of Info Security; A.7 Asset Management; A.8 Human Resources Security; A.9 Access Control; A.10 Cryptography; A.11 Physical and Environmental Security; A.12 Operations Security; A.13 Communications Security; A.14 Systems Acquisition, Development and Maintenance; A.15 Supplier Relationships; A.16 Information Security Incident Management; A.17 Info Security Aspects of Business Continuity Management; A.18 Compliance
12 Composite compliance can be assessed with a simple decision process (CFP = Cloud Foundation Provider; each NO answer leaves the process)
Start
-> Assert: CFP Manages To Published, Recognised Standards or Frameworks
   Do standards match client requirements? (NO)
-> Assert: CFP is Audited/Certified to Internationally Accepted Standards
   Does audit report demonstrate required controls and maturity? (NO)
-> Optional Assertion: Supported Workloads Require Additional Workload Specific Evidence from CFP
-> Roles and responsibilities very clearly defined? (NO)
-> Is required evidence available for use? (NO)
-> Regulated, Sensitive Workloads
13 Assert: CFP Manages To Published, Recognised Standards or Frameworks
Having internal security policies that align with a published framework means that
- Regulators can identify a meets-min set of requirements that foundation layers must satisfy, and
- Clients can assess if cloud foundation providers satisfy the requirements of their regulators, and
- Clients can assess the types of risks and controls that the cloud foundation providers manage to in the context of the client's specific workload
Provider Manages To Published, Recognised Standards or Frameworks (*): NIST, ISO family. NIST and ISO are two well-known, internationally recognized standards that are suited to a Composite compliance foundational model.
TAKEAWAY: Cloud Foundation Provider MUST identify a public standard or published framework to which their security policies and controls align
EVIDENCE: Cloud Foundation Provider SHOULD provide a formal statement that they manage to policies based on a given framework / standard (in addition to audit reports)
BENEFIT: Client can evaluate maturity of Cloud Foundation Provider's policy scope and coverage
(*) This is not intended to be an exhaustive list
14 Assert: CFP is Audited/Certified to Internationally Accepted Standards
Publishing a detailed audit report assessing effectiveness of controls means that
- Regulators can use this as evidence as part of investigation of client workload compliance
- Client can rely on the audit reports/assertions of an independent third-party auditor to attest to readiness/suitability of cloud foundation
Provider is Audited/Certified to Internationally Accepted Standards (*): SOC1/SOC2, ISO family. Audit to standards that are appropriate/representative of the controls in place by cloud foundation provider
TAKEAWAY: Cloud Foundation Provider MUST undergo a detailed, unedited assessment such as a SOC2, ISO27001, FISMA
EVIDENCE: Cloud Foundation Provider MUST provide the associated details of the assessment in the form of a SOC2 Type II report or an ISO27001 Statement of Applicability
BENEFIT: Client can evaluate maturity and effectiveness of controls implementation by Cloud Foundation Provider
(*) This is not intended to be an exhaustive list
15 Optional Assertion: Supported Workloads Require Additional Workload Specific Evidence from CFP
Partial compliance assessments (assessment of Cloud Foundation Provider's relevant controls) support Composite compliance by allowing additivity of controls as we move up the stack
- Regulators can use this as evidence as part of investigation of client workload compliance
- Client can rely on the audit reports/assertions of an independent third-party auditor to attest to readiness/suitability of cloud foundation
IaaS Support for Explicit Workloads: PCI DSS v3.0 AOC for Physical Security
TAKEAWAY: For those workloads that support explicit partial assessments, Cloud Foundation Provider must have appropriate assessments in place
EVIDENCE: Cloud Foundation Provider MUST provide (at least) the public facing certification, including scope, of the required workload assessment
BENEFIT: Client can evaluate maturity of controls implementation for a specific workload
16 Regulated, Sensitive Workloads
Clients SHOULD leverage evidence from IaaS Cloud Foundation Provider
- This is how clients make the move from traditional IT ("I need to do it all myself") to cloud-based ("the foundation is suited to my needs")
Supported Workloads Require Additional Workload Specific Evidence from IaaS Provider (*)
- Full transparency for evidence
- API based access to evidence
- Portal based visualization
(*) RIN (Really Important Note): This is very difficult to do if roles and responsibilities are not very clearly defined and delineated (think of how hard it is to use a function or class if its interface is not defined)
TAKEAWAY: Cloud Foundation Provider MUST provide full visibility and transparency into both how client uses IaaS tools to manage the environment and how IaaS tools and privileged users interact with client's provisioned environment and hosted workload
EVIDENCE: Cloud Foundation Provider MUST provide evidence of foundation usage by Cloud Foundation Provider and client's users in support of client's workload
BENEFIT: Client can build a complete picture of what their Cloud Foundation Provider hosted environment looks like and how it is managed
17 HOWEVER: Composite compliance with appropriate Cloud Foundation Providers is NOT sufficient to support regulated/sensitive workloads
WHAT DOES THIS MEAN? Not only must client have full visibility into their workload as hosted on the cloud foundation, client must also have operational practices and controls in place for their management of their workload
TAKEAWAY: Client is still responsible for security and compliance of their workload; Composite compliance allows client to reduce their individual operational requirements but does not remove all operational requirements
Supported Workloads May Include EU Data Privacy
18 Composite compliance can be assessed with a simple decision process (CFP = Cloud Foundation Provider; each NO answer leaves the process)
Start
-> Assert: CFP Manages To Published, Recognised Standards or Frameworks
   Do standards match client requirements? (NO)
-> Assert: CFP is Audited/Certified to Internationally Accepted Standards
   Does audit report demonstrate required controls and maturity? (NO)
-> Optional Assertion: Supported Workloads Require Additional Workload Specific Evidence from CFP
-> Roles and responsibilities very clearly defined? (NO)
-> Is required evidence available for use? (NO)
-> Regulated, Sensitive Workloads
19 Reprise 2: Composite Compliance: How does it work?
How does it work: Through a structured means of assessing who does what at each layer and how the roles and responsibilities are split at the boundary between the provider and the customer, we can demonstrate to risk assessment and compliance teams how they can rely on the assessments of others (how to break away from the risk management equivalent of "not invented here")
20 Agenda
1. Composite Compliance: What is it, why do we need it, how does it work?
2. Composite Compliance: How does it work?
3. Composite Compliance and Roles and Responsibilities
4. What's Next?
21 Example: Transitive Decision Process with Provider for PCI Workloads
Start: Desired Workload Support & E2E can be shown to be compliant
- Do standards match client requirements? (checked)
- Does audit report demonstrate required controls and maturity? (checked)
- Roles and responsibilities very clearly defined? (Y)
- Is required evidence available for use? (checked)
Annotations on the slide: Ready for HIPAA; PCI DSS v3.0 AoC; AOC Available for Customer
Cloudiness ensues.
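The decision process of slides 12 and 21, written out as a small evaluator so that a risk team can see exactly which question a foundation provider fails on. This is an added example and not code from the deck: the class and field names, the evidence channel labels and every sample value are assumptions made for illustration.

```python
"""The composite compliance decision process (slides 12 and 21) as a small
evaluator. Added example, not code from the deck: the class and field names,
the evidence channel labels and all sample values are assumptions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CloudFoundationProvider:
    """What a Cloud Foundation Provider (CFP) asserts and can evidence."""
    frameworks: frozenset             # published frameworks its policies align to
    audited_controls: frozenset       # control families an audit report demonstrates
    roles_defined: bool               # roles and responsibilities clearly delineated?
    evidence_channels: frozenset      # how evidence is exposed: portal, api, tickets
    workload_attestations: frozenset  # partial, workload-specific assessments


@dataclass(frozen=True)
class WorkloadRequirements:
    """What the client's regulators and risk team require of the foundation."""
    name: str
    frameworks: frozenset
    controls: frozenset
    evidence_channels: frozenset
    attestations: frozenset = frozenset()  # optional assertion, only some workloads


def assess(cfp, workload):
    """Walk the questions in slide order; the first NO ends the process.
    Returns (ready, findings); each finding is (question, answer, missing items)."""
    questions = [
        ("standards match client requirements",
         workload.frameworks - cfp.frameworks),
        ("audit report demonstrates required controls and maturity",
         workload.controls - cfp.audited_controls),
        ("roles and responsibilities very clearly defined",
         set() if cfp.roles_defined else {"roles and responsibilities"}),
        ("required evidence available for use",
         workload.evidence_channels - cfp.evidence_channels),
        ("workload-specific evidence available (optional assertion)",
         workload.attestations - cfp.workload_attestations),
    ]
    findings = []
    for question, missing in questions:
        findings.append((question, "NO" if missing else "YES", sorted(missing)))
        if missing:
            return False, findings
    return True, findings


# Constructed sample data, not any real provider's attestations.
SAMPLE_CFP = CloudFoundationProvider(
    frameworks=frozenset({"NIST SP 800-53 Rev 4", "ISO/IEC 27001:2013"}),
    audited_controls=frozenset({"AC", "AU", "CM", "IA", "IR", "PE", "SC", "SI"}),
    roles_defined=True,
    evidence_channels=frozenset({"portal", "api", "service_tickets"}),
    workload_attestations=frozenset({"PCI DSS v3.0 AOC (physical security)"}),
)

PCI_WORKLOAD = WorkloadRequirements(
    name="cardholder data environment",
    frameworks=frozenset({"NIST SP 800-53 Rev 4"}),
    controls=frozenset({"AC", "AU", "PE", "SC"}),
    evidence_channels=frozenset({"api", "service_tickets"}),
    attestations=frozenset({"PCI DSS v3.0 AOC (physical security)"}),
)

# Needs Media Protection (MP) evidence that the sample audit report does not cover.
PHI_WORKLOAD = WorkloadRequirements(
    name="protected health information",
    frameworks=frozenset({"NIST SP 800-53 Rev 4"}),
    controls=frozenset({"AC", "AU", "MP", "SC"}),
    evidence_channels=frozenset({"api"}),
)


def report(cfp, workload):
    """Human-readable walk of the decision process for one workload."""
    ready, findings = assess(cfp, workload)
    lines = [f"Workload: {workload.name}"]
    for question, answer, missing in findings:
        detail = f" (missing: {', '.join(missing)})" if missing else ""
        lines.append(f"  {answer:3} {question}{detail}")
    lines.append("  -> regulated, sensitive workload supported" if ready
                 else "  -> composite compliance not demonstrated at this step")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CFP, PCI_WORKLOAD))
    print(report(SAMPLE_CFP, PHI_WORKLOAD))
    # Same CFP with undefined roles: the R&R question becomes the exit point.
    print(report(replace(SAMPLE_CFP, roles_defined=False), PCI_WORKLOAD))
```

The order of the questions is the point: a provider that publishes a SOC2 report but has not delineated roles and responsibilities stops the process at the third question regardless of how good the audit evidence is, which is what the "Really Important Note" on slide 16 warns about.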
22 IaaS Provider has clearly defined roles and responsibilities covering E2E workload management
Application Stack layers (top to bottom): Workload, Application Manage; Operating System Manage; Operating System Monitor; Hardware Provision (Provision Automation); Hardware Manage (hands & feet: Replace / Upgrade / Repair); Infrastructure Manage; Facilities Manage
Table columns per layer: Operational Management by; Security Governed by; Compliance Demonstrated by
- Workload, Application Manage: Client / Authorized Agent; Client's security policy; Client-driven workload audit
- Operating System Manage: Provider's Automation; N/A (*); N/A (*)
- Lower layers (Operating System Monitor down to Facilities Manage): operational management by Provider Automation, Provider Server Technicians, Provider Automation and Infra Mgmt Teams, and Provider's Data Center Providers; security governed by Provider's NIST based Security Policy and Operational Controls; compliance demonstrated by Provider SOC2, ISO27001, FISMA, PCI AOC as needed for infrastructure, facilities management and compliance, Provider Portal/API and Service Tickets as evidence, Provider Service Tickets, Audit Logs and Compliance Reports, and Provider SOC1, SOC2, SOC3, ISO27001, FISMA, PCI AOC
(*) Provider cannot ensure operating system is provisioned as compliant with client's policies; client handles as part of O/S Manage responsibility
23 But, sorting through R&R for an IaaS model, there are still areas where both customer and provider have a role
(Diagram: Scope of Cloud Provider's responsibility against Scope of Customer's responsibility, captioned "Clear roles, but customer wants evidence" and "Clear R&R, unclear evidence")
Diagram elements: Internet Facing Customer User / Customer; Public Network; Switches, Routers, Devices; Customer's provisioned servers (physical or virtual); VPN; Out-of-Band Management Network; Cloud Data Center; Internal, VPN-enabled Customer Server Admin (Customer responsibility); Provider Admin; Provider provided management tools (Direct API access, Web Portal access); Provider's support teams (Provider's scope and access)
24 Reprise 2: Composite Compliance and Roles and Responsibilities
How does it work: Through a structured means of assessing who does what at each layer and how the roles and responsibilities are split at the boundary between the provider and the customer
"But Heather, you sort of sidestepped a detailed discussion of the roles and responsibilities angle here"
25 Agenda
1. Composite Compliance: What is it, why do we need it, how does it work?
2. Composite Compliance: How does it work?
3. Composite Compliance and Roles and Responsibilities
4. What's Next?
26 What's next?
1. Pick a framework (my preference is NIST v4)
2. Identify controls that are single-owner, shared/split, EDT (each do this)
   1. Single Owner: responsibility is 100% with either Provider XOR Customer
   2. Shared/Split: One provides input, the other provides action
   3. EDT: each has to maintain information/perform action for their clearly defined responsibility area
3. For each,
   1. Look at what evidence is provided,
   2. What additional evidence is needed,
   3. Are secondary controls required?
4. Look for gaps, fix them
NIST control families: AC Access Control; AT Awareness and Training; AU Audit and Accountability; CA Security Assessment and Authorization; CM Configuration Management; CP Contingency Planning; IA Identity and Authentication; IR Incident Response; MA Maintenance; MP Media Protection; PE Physical and Environmental Protection; PL Planning; PS Personnel Security; RA Risk Assessment; SA Systems and Services Acquisition; SC Systems and Communications Protection; SI Systems and Information Integrity
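Steps 2 to 4 of the list above, turned into a gap analysis over a handful of NIST control families: each control is classified as single-owner, shared/split or EDT, the parties who must evidence it follow from that classification, and anything without evidence behind it is reported as a gap. This is an added example, not the deck's or IBM's code; the Control fields, the party labels and every sample row (including the evidence strings) are constructed for illustration.

```python
"""Steps 2 to 4 of the 'What's next?' list as code: classify each control as
single-owner, shared/split or EDT, then look for evidence gaps and for places
where the client needs secondary controls. Added example, not from the deck;
the Control fields, the party labels and every sample row are assumptions."""
from dataclasses import dataclass, field

PROVIDER, CUSTOMER = "provider", "customer"
SINGLE, SHARED, EDT = "single", "shared", "edt"


@dataclass
class Control:
    family: str                     # NIST family code, e.g. "AC"
    name: str
    model: str                      # SINGLE, SHARED or EDT
    owner: str = None               # SINGLE only: PROVIDER xor CUSTOMER
    input_from: str = None          # SHARED only: who provides input
    action_by: str = None           # SHARED only: who performs the action
    evidence: dict = field(default_factory=dict)  # party -> list of evidence items
    secondary_controls: tuple = ()  # compensating controls the client operates itself


def responsible_parties(control):
    """Which parties must evidence the control, derived from its ownership model.
    Raises ValueError when the R&R split is not clearly defined (the RIN on slide 16)."""
    both = {PROVIDER, CUSTOMER}
    if control.model == SINGLE:
        if control.owner not in both:
            raise ValueError(f"{control.family}: single-owner control needs exactly one owner")
        return {control.owner}
    if control.model == SHARED:
        if {control.input_from, control.action_by} != both:
            raise ValueError(f"{control.family}: shared control needs input from one party "
                             "and action by the other")
        return both
    if control.model == EDT:
        return both
    raise ValueError(f"{control.family}: unknown ownership model {control.model!r}")


def evidence_gaps(controls):
    """Steps 3.1 and 3.2: every (family, party) responsibility with nothing behind it."""
    gaps = []
    for control in controls:
        for party in sorted(responsible_parties(control)):
            if not control.evidence.get(party):
                gaps.append((control.family, party,
                             f"{control.model}: no evidence from {party}"))
    return gaps


def needs_secondary_control(control):
    """Step 3.3: the client keeps a control of its own wherever the provider holds a
    responsibility it cannot yet evidence and no compensating control exists."""
    provider_share = PROVIDER in responsible_parties(control)
    return (provider_share and not control.evidence.get(PROVIDER)
            and not control.secondary_controls)


# Constructed sample rows; the evidence strings are illustrative, not real artefacts.
SAMPLE_CONTROLS = [
    Control("PE", "Physical and Environmental Protection", SINGLE, owner=PROVIDER,
            evidence={PROVIDER: ["SOC2 Type II report", "PCI AOC (physical security)"]}),
    Control("CM", "Configuration Management", SHARED, input_from=CUSTOMER, action_by=PROVIDER,
            evidence={CUSTOMER: ["hardening baseline"], PROVIDER: []}),
    Control("AU", "Audit and Accountability", EDT,
            evidence={PROVIDER: ["portal/API audit logs"],
                      CUSTOMER: ["workload log review records"]}),
    Control("IR", "Incident Response", EDT,
            evidence={PROVIDER: ["service tickets"]}),
    Control("AT", "Awareness and Training", SINGLE, owner=CUSTOMER),
]


def gap_report(controls):
    """Step 4: the list of gaps to fix, evidence gaps first, then secondary controls."""
    lines = [f"{family} {party}: {reason}"
             for family, party, reason in evidence_gaps(controls)]
    lines += [f"{c.family}: secondary control required on the client side"
              for c in controls if needs_secondary_control(c)]
    return lines


if __name__ == "__main__":
    print("\n".join(gap_report(SAMPLE_CONTROLS)))
```

Run against the sample rows this reports three evidence gaps (the provider's half of CM, the customer's half of IR, and AT, which the customer owns outright) plus one secondary-control requirement for CM; a control whose ownership model is not fully specified is rejected rather than silently treated as covered.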
27 What's next?: A call to arms and research
- We need to do the work described (or similar, if other approaches prove to have more traction)
- We need to get buy-in from customers, and their risk assessment teams
- We need to be able to articulate this to regulators so that they get it
- Research results that prove, or at least demonstrate the provability of, this (or similar) approaches would really help. Formal proofs are great for papers and theses, but industry needs something that they can wrap their heads around, so proofs need to have good examples and use cases as part of their demonstrations
Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation Bill Valyo CA Technologies February 7, 2013 Session #12765 Quick Abstract: About this Presentation This presentation
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationBYOD. Transformation. Joe Leonard Director, Secure Networks. April 3, 2013
BYOD Transformation April 3, 2013 Joe Leonard Director, Secure Networks Agenda Joe Leonard Introduction CIO Top 10 Tech Priorities What is BYOD? BYOD Trends BYOD Threats Security Best Practices HIPAA Security
More informationSecurity by Design Running Compliant workloads in AWS
Security by Design Running Compliant workloads in 2015 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent
More informationCSAM Support for C&A Transformation
CSAM Support for C&A Transformation Cyber Security Assessment and Management (CSAM) 1 2 3 4 5 Five Services, One Complete C&A Solution Mission/Risk-Based Policy & Implementation/Test Guidance Program Management
More informationSecuring Hadoop. Keys Botzum, MapR Technologies Jan MapR Technologies - Confiden6al
Securing Hadoop Keys Botzum, MapR Technologies kbotzum@maprtech.com Jan 2014 MapR Technologies - Confiden6al 1 Why Secure Hadoop Historically security wasn t a high priority Reflec6on of the type of data
More informationCLOUD SERVICES. Cloud Value Assessment.
CLOUD SERVICES Cloud Value Assessment www.cloudcomrade.com Comrade a companion who shares one's ac8vi8es or is a fellow member of an organiza8on 2 Today s Agenda! Why Companies Should Consider Moving Business
More informationAZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments
AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES To Secure Azure and Hybrid Cloud Environments Introduction Cloud is at the core of every successful digital transformation initiative. With cloud comes new
More informationSecuring Your Cloud Introduction Presentation
Securing Your Cloud Introduction Presentation Slides originally created by IBM Partial deck derived by Continental Resources, Inc. (ConRes) Security Division Revision March 17, 2017 1 IBM Security Today
More informationAWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Security Practices Freshservice Security Practices Freshservice is online IT service desk software that allows IT teams of organizations to support their users through email, phone, website and mobile.
More informationThe Convergence of Security and Compliance
ebook The Convergence of Security and Compliance How Next Generation Endpoint Security Manages 5 Core Compliance Controls Table of Contents Introduction....3 Positive versus Negative Application Security....3
More informationIntroduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview
IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential
More information2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification
2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification Presenters Jared Hamilton CISSP CCSK, CCSFP, MCSE:S Healthcare Cybersecurity Leader, Crowe Horwath Erika Del Giudice CISA, CRISC,
More informationManchester Metropolitan University Information Security Strategy
Manchester Metropolitan University Information Security Strategy 2017-2019 Document Information Document owner Tom Stoddart, Information Security Manager Version: 1.0 Release Date: 01/02/2017 Change History
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Administrators
Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener
More informationIT your way - Hybrid IT FAQs
Hybrid IT IT your way - Hybrid IT FAQs Create a strategy that integrates in-house and outsourced IT services to meet ever-changing business requirements. Combine on-premise and off premise solutions Mix
More informationContemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance
Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance July 2017 Jeff Roth, CISSP-ISSEP, CISA, CGEIT, QSA Regional Director NCC Group Agenda FedRAMP - Foundations/Frameworks Cloud
More informationTB+ 1.5 Billion+ The OnBase Cloud by Hyland 600,000,000+ content stored. pages stored
the onbase cloud ONBASE CLOUD // Experience Matters The OnBase Cloud by Hyland When it comes to cloud deployments, experience matters. With experience comes more functionality, an established history of
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationDavid Jenkins (QSA CISA) Director of PCI and Payment Services
David Jenkins (QSA CISA) Director of PCI and Payment Services PCI and the Cloud, where is my Atlas Agenda About Cognosec PCI DSS 3.0 and CSPs SLA Considerations Technical considerations Auditing About
More informationAutomate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds
EXECUTIVE BRIEF SHAREBASE BY HYLAND Automate sharing. Empower users. Retain control. With ShareBase by Hyland, empower users with enterprise file sync and share (EFSS) technology and retain control over
More informationENTS 650 Network Security. Dr. Edward Schneider
ENTS 650 Network Security Dr. Edward Schneider http://www.ece.umd.edu/class/ents650/ Schneide@umd.edu Stallings. Cryptography and Network Security, 4e. Prentice-Hall. 2006. NIST Special Pubs: csrc.nist.gov/publications/pubssps.html
More informationApril 17, Ronald Layne Manager, Data Quality and Data Governance
Ensuring the highest quality data is delivered throughout the university providing valuable information serving individual and organizational need April 17, 2015 Ronald Layne Manager, Data Quality and
More informationFISMA Compliance. with O365 Manager Plus.
FISMA Compliance with O365 Manager Plus www.o365managerplus.com About FISMA The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement
More informationAWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE
AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE 2018 1 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationNETWORKING &SECURITY SOLUTIONSPORTFOLIO
NETWORKING &SECURITY SOLUTIONSPORTFOLIO NETWORKING &SECURITY SOLUTIONSPORTFOLIO Acomprehensivesolutionsportfoliotohelpyougetyourbusiness securelyconnected.clickononeofoursolutionstoknowmore NETWORKING
More informationTwilio cloud communications SECURITY
WHITEPAPER Twilio cloud communications SECURITY From the world s largest public companies to early-stage startups, people rely on Twilio s cloud communications platform to exchange millions of calls and
More informationTrust Eleva,on Architecture v03
Trust Eleva,on Architecture v03 DISCUSSION DRAFT 2015-01- 27 Andrew Hughes 1 Purpose of this presenta,on To alempt to explain the Trust Eleva,on mechanism as a form of ALribute Based Access Control To
More informationLayer Security White Paper
Layer Security White Paper Content PEOPLE SECURITY PRODUCT SECURITY CLOUD & NETWORK INFRASTRUCTURE SECURITY RISK MANAGEMENT PHYSICAL SECURITY BUSINESS CONTINUITY & DISASTER RECOVERY VENDOR SECURITY SECURITY
More informationIRODS USER GROUP 2014 CAMBRIDGE,MA John Burns. 6/25/14 Archive Analy3cs Solu3ons 1
IRODS USER GROUP 2014 CAMBRIDGE,MA John Burns 6/25/14 Archive Analy3cs Solu3ons 1 Credits Archive Analy3cs Solu3ons is presen3ng an archive system that embodies best prac3ce for long- term, high integrity
More informationJanuary 2011 Joint ISACA/IIA Mee5ng
January 2011 Joint ISACA/IIA Mee5ng Panel Discussion - Cloud Compu5ng January 13, 2011 Agenda Learning Objec5ves Introduc5ons Defini5ons Discussion Resource Links Note: Electronic copies of this presenta2on
More informationNOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect
NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should
More informationCloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.
George Gerchow, Sumo Logic Chief Information Security Officer Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops. Agenda Sumo Security
More informationRecommendations for Implementing an Information Security Framework for Life Science Organizations
Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information
More informationWHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3
WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring
More informationCompliance & Security in Azure. April 21, 2018
Compliance & Security in Azure April 21, 2018 Presenter Bio Jeff Gainer, CISSP Senior Information Security & Risk Management Consultant Senior Security Architect Have conducted multiple Third-Party risk
More informationToday s Objec4ves. Data Center. Virtualiza4on Cloud Compu4ng Amazon Web Services. What did you think? 10/23/17. Oct 23, 2017 Sprenkle - CSCI325
Today s Objec4ves Virtualiza4on Cloud Compu4ng Amazon Web Services Oct 23, 2017 Sprenkle - CSCI325 1 Data Center What did you think? Oct 23, 2017 Sprenkle - CSCI325 2 1 10/23/17 Oct 23, 2017 Sprenkle -
More informationCloud Security. Copyright Ramesh Nagappan. All rights reserved.
Cloud Security 1 Cloud Security Week 1 Lecture 1 Ramesh Nagappan Harvard University Extension School Brandeis University GPS 2 Week 1 Lecture - 1 Course Introduction Evolution of Cloud Computing Introduction
More informationData Center Management and Automation Strategic Briefing
Data Center and Automation Strategic Briefing Contents Why is Data Center and Automation (DCMA) so important? 2 The Solution Pathway: Data Center and Automation 2 Identifying and Addressing the Challenges
More informationTowards Provably Secure and Correct Systems. Avik Chaudhuri
Towards Provably Secure and Correct Systems Avik Chaudhuri Systems we rely on Opera
More informationAWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices Application in the Cloud
AWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices Application in the Cloud The Motion Picture of America Association (MPAA) has established a set of best practices
More informationAutomated System Analysis using Executable SysML Modeling Pa8erns
Automated System Analysis using Executable SysML Modeling Pa8erns Maged Elaasar* Modelware Solu
More informationAccelerating the HCLS Industry Through Cloud Computing
Accelerating the HCLS Industry Through Cloud Computing Use cloud computing to accelerate life sciences and healthcare specific workloads, and meet the unique computation, storage, security, and compliance
More informationehealth in the implementa,on of the cross border direc,ve: role of the ehealth Network 26th February 2012
ehealth in the implementa,on of the cross border direc,ve: role of the ehealth Network 26th February 2012 Agenda EU in health Ehealth in the EU ehealth Network ehealth High- Level Governance Ini,a,ve Goals
More informationADVENTURES IN OPENBANKING: UNDERSTANDING OAUTH AND OPENID CONNECT CLIENT ECOSYSTEMS
SESSION ID: IDY-R04 ADVENTURES IN OPENBANKING: UNDERSTANDING OAUTH AND OPENID CONNECT CLIENT ECOSYSTEMS Pamela Dingle Director of Iden7ty Standards @ Microso= @pamelarosiedee Disclaimer The work I describe
More informationCritical Infrastructure Protection for the Energy Industries. Building Identity Into the Network
Critical Infrastructure Protection for the Energy Industries Building Identity Into the Network Executive Summary Organizations in the oil, gas, and power industries are under increasing pressure to implement
More informationData Security Standards
Data Security Standards Overall guide The bigger picture of where the standards fit in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a
More information