Cloud Vendor Security Risk Assessments: An Update from the HEISC Shared Assessments Working Group. Charles Escue, Indiana University

Similar documents
Higher Education Cloud Vendor Assessment Tool

Solutions Technology, Inc. (STI) Corporate Capability Brief

Manchester Metropolitan University Information Security Strategy

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Threat and Vulnerability Assessment Tool

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

I n f o r m a t i o n S y s t e m s C y b e r s e c u r i t y A s s e s s m e n t

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

STRATEGIC PLAN

Building a Resilient Security Posture for Effective Breach Prevention

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Altius IT Policy Collection Compliance and Standards Matrix

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

No More Security Empires The CISO as an Individual Contributor

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Framework for Improving Critical Infrastructure Cybersecurity

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Altius IT Policy Collection Compliance and Standards Matrix

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Will you be PCI DSS Compliant by September 2010?

Decoding security frameworks for effective cyber defense. David Allott McAfee

Peer Collaboration The Next Best Practice for Third Party Risk Management

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Security Diagnostics for IAM

The Role of IT in HIPAA Security & Compliance

SECURITY AUTOMATION SIMPLIFIED VIA NIST OSCAL: WE RE NOT IN KANSAS ANYMORE

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

DSS in Transition RMS Pilot

Clinical Information Security Pre-Purchase Security Assessment Vendor Packet Instructions

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Sirius Security Overview

the steps that IS Services should take to ensure that this document is aligned with the SNH s KIMS and SNH s Change Requirement;

Certified Information Security Manager (CISM) Course Overview

Position Description IT Auditor

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Florida PALM Project Update Agenda

Cyber Partnership Blueprint: An Outline

Establishing Enterprise-Wide Data Governance

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

Mo n t a n a S t a te Fu n d. FY 2011 Business Plan Performance September 23, 2011

Internet2 NET+ Security and Identity Portfolio

CACUBO Higher Education Accounting Workshop Top 10 Cyber Security Issues for Higher Education Business Managers. May 2017

NERC-Led Technical Conferences

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

Background FAST FACTS

ISE North America Leadership Summit and Awards

The PCI Security Standards Council PCI DSS Virtualization Webinar

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

Cybersecurity in Higher Ed

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

The Project Charter. Date of Issue Author Description. Revision Number. Version 0.9 October 27 th, 2014 Moe Yousof Initial Draft

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

North Carolina Visit and Assessment Tom Clarke Vice President for Research and Technology National Center for State Courts

Smart Grid Task Force Scope

01.0 Policy Responsibilities and Oversight

Information Security Controls Policy

DUNS CAGE 5T5C3

How Switching to the Cloud Drives Employee and Agency Growth

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Final Project Report. Abstract. Document information

Objectives of the Security Policy Project for the University of Cyprus

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Business continuity management and cyber resiliency

Cloud First Policy General Directorate of Governance and Operations Version April 2017

POSITION DESCRIPTION

ERO Compliance Enforcement Authority Staff Training

Leveraging Best Practices to Determine your Cyber Insurance Needs. Sector Conference, Toronto November 2017

10 Considerations for a Cloud Procurement. March 2017

Todmorden High School Job Description

ARRA State & Local Energy Assurance Planning & Implementation

Defining Computer Security Incident Response Teams

Data Sheet The PCI DSS

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

Compliance & Security in Azure. April 21, 2018

CYBERSECURITY TRAINING EXERCISE KMU TRAINING CENTER NOVEMBER 7, 2017

IT Town Hall Meeting. IT Town Hall - October 6,

Master Information Security Policy & Procedures [Organization / Project Name]

Introduction to AWS GoldBase

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

INTELLIGENCE DRIVEN GRC FOR SECURITY

IT risks and controls

WORK AUTHORIZATION NO. 4 CONTRACT FOR PROFESSIONAL ACCOUNTING SERVICES

SYSTEMS ASSET MANAGEMENT POLICY

Using Metrics to Gain Management Support for Cyber Security Initiatives

Audit and Compliance Committee - Agenda

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Cyber Security for Process Control Systems ABB's view

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Information Security Governance and IT Governance

MARCH 2016 ONE BILLION COALITION FOR RESILIENCE

Standard for Security of Information Technology Resources

Achieving third-party reporting proficiency with SOC 2+

COMPLIANCE IN THE CLOUD

The Nasuni Security Model

OG0-091 Q&As TOGAF 9 Part 1

Service Description: CNS Federal High Touch Technical Support

Transcription:

Cloud Vendor Security Risk Assessments: An Update from the HEISC Shared Assessments Working Group Charles Escue, Indiana University cescue@iu.edu

Agenda https://www.educause.edu/hecvat https://www.ren-isac.net/hecvat HECVAT Promotion HEISC Shared Assessments working group Project inspiration & collective vision Phase I & Phase II deliverables Current State Using the HECVAT in your institution Leveraging community strength Securing leadership buy-in Early HECVAT adoption successes What s next for the HECVAT? Questions

Project inspiration came from many sources Rapid Cloud Service Adoption Enterprise Risk Management Program Development Proper Assessment Becoming Burdensome Information Security Programs Evolving Quickly Vendor Risk Management Program Development Too Much Going On!

Outlining the job to be done Share work done at one organization with others Create a space for finding/sharing existing assessments Reduce unnecessary burden, focus on critical functions Support the HigherEd information security community

Working group founders created a robust charter, quickly steering development efforts Charter Objectives Standard Security Controls Document Provide a tool to facilitate HE usage Address unique operations of HE Many existing questionnaires but none that covered the broad range of subjects to the degree needed in Higher Ed

So what has it taken to forge this new opportunity for collaboration? Committed, Action Oriented Work Group(s) A multi-phase development approach 19+ Contributing Organizations HE excitement, openness to change, feedback

Initial Contributors; Phase 1 Jon Allen, Baylor University John Bruggeman, Hebrew Union College, Jewish Institute of Religion Charles Escue, Indiana University Karl Hassler, University of Delaware Craig Munson, Minnesota State Colleges & Universities Mitch Parks, University of Idaho Laura Raderman, Carnegie Mellon University Sandy Silk, Harvard University Staff Liaisons from EDUCAUSE, Internet2, and REN-ISAC: Joanna Grama Todd Herring Nick Lewis Kim Milford Valerie Vogel

More Contributors; Phase 2 Jon Allen, Baylor University Samantha Birk, IMS Global Learning Consortium Jeff Bohrer, IMS Global Learning Consortium Sarah Braun, University of Colorado Denver David Cassada, University of California Davis Matthew Dalton, University of Massachusetts Amherst Charles Escue, Indiana University Kolin Hodgson, University of Notre Dame Tom Horton, Cornell University Leo Howell, North Carolina State University Alex Jalso, West Virginia University Wyman Miles, Cornell University Staff Liaisons from EDUCAUSE, Internet2, and REN-ISAC: Joanna Grama Todd Herring Nick Lewis Kim Milford Valerie Vogel

Show a general workflow of 3PA Cloud Vendor / Data Sharing Request Documentation Approval Onboarding Assessment Reporting

We are all doing the same thing with minor changes to fit our environments + + + X VENDOR M A I N T A I N

Using similar documentation facilitates HE sharing and reduces vendor burden + HECVAT + HECVAT X VENDOR HECVAT M A I N T A I N + HECVAT

The Higher Education Cloud Vendor Assessment Tool (HECVAT), what is it? A tool used to improve efficiency and consistency in vendor assessments within HE A holistic document that covers our common operating environments in HE An avenue to state HE expectations for security to vendors offering services in the cloud

So how did the HECVAT come to life? Existing Questionnaires Other Institutions H.E. Indiana University Carnegie Mellon University C A I Q C U T S Performed a gap analysis against the CAIQ Reduced from 300+ to 282 questions

Generally, there are three information gathering goals General Information Sharing Disclosure Qualifiers* Documentation Safeguards CORE Range from Application Security to Vulnerability Scanning Company Overview Third (Fourth) Parties * Consulting * Use Case PCI DSS * HIPAA *

The HECVAT covers a broad range of safeguard groups Application/Service Security Authentication, Authorization, and Accounting Business Continuity Plan * Change Management Data Database Datacenter Disaster Recovery Plan * Firewalls, IDS, IPS, and Networking Mobile Applications * Physical Security Policies, Procedures, and Processes Product Evaluation Quality Assurance Systems Management & Configuration Vulnerability Scanning

What can the HECVAT do for your organization? Onboarding 10/80/10 Assessment Reporting

There are many factors in successfully adopting the HECVAT at your institution Data Stewards Leadership Purchasing Security/Risk Assessment Expectations Policy Resources Skills

The HECVAT s scope is specific and it has some limitations May not be appropriate for vendor engagements using lower-level data classifications Requires committed resources to properly digest and analyze vendor responses Can be cumbersome for low risk evaluations

Making the HECVAT usable for many institutions meant making it smaller 282 81 HECVAT HECVAT Lite Short on time? Short on personnel to review? Short on budget? Short on risk?

Many institutions have some assessment capability; how can the HECVAT fit in? Understanding how HECVAT questions compare to industry standards is useful Standards mapping enable smoother adoption of the HECVAT Phase 2 contributors spent countless hours creating the crosswalk of six initial standards CIS 20 Critical Security Controls (v6.1) HIPAA ISO 27002:2013 NIST Cybersecurity Framework (CSF) NIST SP 800-53r4 NIST SP 800-171r1

Staff Liaisons from EDUCAUSE, Internet2, and REN-ISAC truly support the effort! CLOUD BROKER INDEX NET+ COMMS & THE REST

Indiana University was one of the first adopters of HECVAT; we saw immediate improvement Pilot use began October 2016 Exclusive use of HECVAT for all third-party assessments began January 2017 HECVAT-Lite released in May 2017; used in RFP process when appropriate As of September 2017, we have received 34 populated HECVATs Next Step: Matching HECVAT standards crosswalk to IU program After That: Improve assessment reporting for HECVAT standards HECVAT & HECVAT-Lite V1.06 released October 2017

What will Phase 3 efforts focus on? Cloud Broker Index Support and Usage Obstacles to adopt HECVAT at your institution HECVAT & HECVAT-Lite Use and Participation

Questions? Cloud Vendor Security Risk Assessments: An Update from the HEISC Shared Assessments Working Group Charles Escue, Indiana University cescue@iu.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback