Granted: The Cloud comes with security and continuity...


Granted: The Cloud comes with security and continuity... or, does it? Bogac Ozgen, MSc GyroFalco Ltd. http://www.gyrofalco.com

Questions & Answers
Do we still need security and continuity? YES
Should I be concerned about risks? YES
Can I migrate to the Cloud? YES
Can I implement security and continuity in the Cloud? YES
The only thing you need is: To manage your environment

Benefits of The Cloud*
- 70%: Already claiming to have seen cost savings and higher levels of productivity
- 27%: Cloud enables faster entry into new markets
- 36%: Cloud helps manage their supply chain
*KPMG Report, February 2013: 674 senior executives at organizations using cloud across 16 countries were surveyed

Worries in The Cloud*
- 35%: Fear data loss and security breaches
- 25%: See security problems as a hurdle that is yet to be overcome
- 27%: Focus on the absence of common standards used by providers
- 17%: See regulation as a challenge
*KPMG Report, February 2013: 674 senior executives at organizations using cloud across 16 countries were surveyed

SOLUTION
- Being aware of your needs
- Planning the services you need
- Comparison of expectations and outcomes*
- Factual decision making
- Structured change management
- Contracts management
- Mutually beneficial relationship with your provider
- Run your security practices as usual
- Run your continuity practices as usual (assuming you have BCPs in place)
*The term outcome was used deliberately; it is not output.

Topics for today
- Risk Management
- What is cloud?
- Details of services
- First time buyers
- Cloud consumers
- Conclusion

First step: Definitions

What is cloud computing?
Oxford Dictionary: cloud computing [mass noun] the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
ISO/IEC WD 27017.4, definition 3.1: cloud computing: a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable resources (e.g. networks, servers and storage systems), applications and services that can be rapidly provisioned and released with minimal management effort or service provider interaction. [ISO/IEC WD 17788]

What is cloud service?
- Software as a service: software, web applications. Examples: Google Mail, Office365, Google apps, Yahoo Mail, ...
- Platform as a service: execution runtime, web servers, application platforms (e.g. OrangeScape), databases (MySQL, SQL Server, ...)
- Infrastructure as a service: virtual servers, storage, load balancers, network, DNS, ... Examples: Amazon EC2, Rackspace, OpenStack providers

What is cloud service? Cloud deployment models:
- Private cloud
- Community cloud
- Public cloud
- Hybrid cloud

What is your responsibility as a consumer?
SaaS:
- Initial setup
- Access control
- SLA and contract management, etc.
PaaS:
- Software installation
- Platform and software access control
- Updates and patch management for platform and software
- Monitoring of platform and software
- Development and improvements of platform and software
- SLA and contract management, etc.
IaaS:
- Software and infrastructure systems installation
- Platform and software access control
- Infrastructure systems access control
- Updates and patch management for platform, software and infrastructure
- Monitoring of platform, software and infrastructure
- Development and improvements of platform, software and infrastructure
- APIs and automation
- Internal software development
- Capacity management
- Network management
- SLA and contract management, etc.
Fourth column (heading not preserved in the transcription):
- Power, cooling, etc.
- Subscription management
- Infrastructure maintenance
- Monitoring
- SLA and contract management, etc.

One of the most important aspects of cloud services for the consumer is management of scope and boundaries via CONTRACT MANAGEMENT.

Tips for consumers!

Tips for First-Time buyers

How to implement Cloud solutions? Day to day operations


Steps, negative consequences, threats, vulnerabilities and control framework
Control framework (the same for every step): ISO9001, ISO27001, ISO20000, ISO22301, COBIT, ITIL, other best practices

Step 1: Analyse your existing system and design a new system
Negative consequences:
- Customer satisfaction: MIN*
- Financial: Longer time to production/market, so loss of revenue or interest
- Legal: MIN*
- Operations: Cost of travel time, meetings and rework
Threats:
- Incorrect analysis of the existing system, to be taken as the basis of the contract and SLAs
- Incorrect design of the new system
Vulnerabilities:
- Incorrect identification of assets and their configuration
- Incorrect identification of dependencies
- Lack of documentation
- Lack of understanding of the specifications of the existing system
- Lack of knowledge of the architecture
- Wrong expectations from the new system
- Incorrect authorization requirements
- Lack of expertise
- Lack of business analysis
- Lack of understanding of the real business impact

Step 2: Evaluate providers and purchase the solution
Negative consequences:
- Consequences from the previous step
- Customer satisfaction: MIN*
- Financial: Re-purchasing the services
- Legal: Dispute resolution with the supplier, counselling charges or court charges
- Operations: Travel time, meetings and rework
Threats:
- Selection of an unsuitable supplier and service
- Incorrectly defined scope of services in the contract
- Incorrectly defined responsibilities of consumer, provider and sub-contractors
Vulnerabilities:
- Lack of knowledge of the supplier evaluation process
- Lack of measurable evaluation criteria
- Lack of objective evaluation and impartiality of the assessor
- Lack of formal service level agreements
- Lack of penalties in case of low performance
- Lack of early termination clauses
- Lack of definition of the change management process
- Lack of a formal testing environment

Step 3: Migrate existing systems, run systems concurrently and test
Negative consequences:
- Consequences from the previous step
- Customer satisfaction: MIN*
- Financial: Re-purchasing the services
- Legal: MIN*
- Operations: Travel time, meetings and rework
Threats:
- Incorrect project plans
- Incorrect release plans
- Data corruption
- Cannot roll back
Vulnerabilities:
- Insufficient planning
- Insufficient impact analysis
- Tight or unsuitable scheduling
- Lack of testing
- Small test case coverage
- Non-existence of latest backups
- Lack of rollback plans
- Lack of business continuity, disaster recovery and emergency response plans

Step 4: Publish production environment and monitor the system (baby sitting)
Negative consequences:
- Consequences from the previous step
- Customer satisfaction: Cannot meet the SLAs and contractual requirements, customer satisfaction is damaged
- Financial: Penalties, loss of a work, contract or delayed payments, longer time to market
- Legal: Dispute resolution, court cases brought against the company, court and counselling charges
- Operations: Travel time, meetings and rework
Threats:
- Incorrect reporting of the system performance
- Being unaware of incidents
- Also: threats related to information security, business continuity, operational effectiveness, customer relations, etc.
Vulnerabilities:
- Lack of a formal hand-over process between the project team and the service management team
- Lack of acceptance criteria
- Lack of performance reporting
- Lack of training for support personnel
- Lack of a formal incident management process
- Also: vulnerabilities related to the threats above (information security, business continuity, operational effectiveness, customer relations, etc.)

Step 5: Decommission the old infrastructure
Negative consequences:
- Customer satisfaction: Customer data protection requirements are breached, customer satisfaction is damaged
- Financial: Penalties, loss of a work, contract
- Legal: Dispute resolution, court cases brought against the company, court and counselling charges
- Operations: Travel time, meetings and rework
- Environmental: Natural life is impacted badly
Threats:
- Unauthorized access to customer/company/personal data
- Loss of customer/company/personal data
- Contamination of the natural environment
Vulnerabilities:
- Lack of data retention processes
- Lack of a formal data and records destruction process
- Lack of a qualified supplier
- Lack of protection of data/records ready to be destroyed

Tips for consumers!


What are the risks? Sample list of risk areas:
- Privacy and data protection
- Storage and data ownership
- Legal / Compliance
- Change management and policy enforcement
- Risks of the service provider
- Continuity
- Open standards / services
- Systems development
- Abuse

Which controls in ISO27002? Aligned with DIS 27002 (N11907):
5 Security policies
6 Organisation of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 Systems acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance

As a summary, we need to understand:
- Scope and boundaries of the system
- Relationship of us (consumer) and the provider (and its sub-contractors)
- Threats and vulnerabilities related to cloud computing
- Controls to mitigate risks in cloud computing

Conclusion

The Answers
Do we still need security and continuity? YES
Should I be concerned about risks? YES
Can I migrate to the Cloud? YES
Can I implement security and continuity in the Cloud? YES
The only thing you need is: To manage your environment


Questions? 22/05/2013, 2013 Bogac Ozgen - GyroFalco Ltd.

Thank you for listening. Bogac Ozgen, Consultant, Assessor & Trainer. Email: Bogac.Ozgen@GyroFalco.com Web: http://www.gyrofalco.com