How to Establish Security & Privacy Due Diligence in the Cloud


How to Establish Security & Privacy Due Diligence in the Cloud
Presentation: Cloud Computing Expo 2015, Santa Clara, California
Maria C. Horton, CISSP, ISSMP, Cloud Essentials, IAM
CEO, EmeSec Incorporated
November 5, 2015

Objectives
Attendees will discuss cloud due diligence from the perspective of:
- A driver of security and privacy requirements for cloud data governance
- The implications of continuous monitoring and compliance
- Adapting data loss prevention and incident response activities

Due Diligence: Why the Emphasis?
- In business negotiations, it is the information needed to assess risk accurately
- In compliance, it describes the degree of effort required by law or industry standard
- In civil law, it is the reasonable care taken to avoid harm
For cloud services (IaaS, PaaS and SaaS), both the cloud service provider and the cloud customer have obligations in the business, compliance and legal realms.

to the Era of Cyber Liability
Wyndham vs. the Federal Trade Commission (FTC)
- The federal appeals court decision (FTC v. Wyndham Worldwide, Third Circuit, 2015) gives the FTC authority over data security practices without clear regulations
- Likely more lawsuits related to inadequate policies/practices or recurrent issues
- The FTC has limited interest in clear regulations, because they would reduce its ability to police, fine and redefine what is "inadequate"
Data Breach Costs (IBM / Ponemon Institute 2015 Cost of Data Breach Study)
- Average total cost is $3.8 million, a 23% increase since 2013
- Per-record cost is $154, also up
Cyber Insurance
- The number of conferences and articles suggests that cyber liability (and its costs) are here to stay

Due Diligence Framework
Begins with business and functional requirements
Governance
- Roles and responsibilities
- Monitoring/reporting
- Risk tolerance: exposure, control, risk
- CSP strategy and SLAs
Security
- Technical, operational and management security processes
Technology
- Standards-based, proven

Due Diligence in Action
- Ask questions, see demonstrations
- Conduct evaluation(s): technical vendor assessment; certifications (FedRAMP, ISO/IEC 27001); site tour
- Negotiate terms: service level agreements (SLAs)
- Validate, validate, validate: continuous monitoring, and not just technically!
Sample Questions
- Are there specific set-up fees?
- What are the user authentication methods for our solution?
- What are the geolocation boundaries for the data?
- How are incidents and breaches reported?
- How often are third-party audits conducted?
- Are there any termination fees?

Due Diligence for Value & Protection: Leveraging FedRAMP
- The Federal Risk and Authorization Management Program (FedRAMP) provides a foundation of uniform security standards
- Establishes continuous monitoring requirements
- Identifies externally vetted providers: cloud service providers and Third Party Assessment Organizations (3PAOs)
- Can be interpreted as an underwriter's seal of approval
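The "validate, validate, validate" step above and FedRAMP's continuous monitoring requirement both come down to checking the provider's own evidence rather than its claims. The following is an added example, not code from the presentation or from FedRAMP: it reads a provider's vulnerability POA&M (Plan of Action and Milestones) export and flags every finding that missed FedRAMP's remediation windows (High within 30 days, Moderate within 90, Low within 180, counted from discovery), which is the published continuous monitoring requirement. The CSV column layout, the POA&M IDs and the sample rows are constructed for this example and do not describe any real provider.

```python
"""Check a cloud provider's POA&M export against FedRAMP remediation windows.

Added example for cloud due-diligence validation; not from the presentation
or from FedRAMP. The remediation deadlines are FedRAMP's published
continuous-monitoring requirement; the CSV layout, the POA&M IDs and the
sample rows below are constructed for this example.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum days a provider has to remediate a finding, counted from discovery
# (FedRAMP continuous monitoring requirement).
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Reference date for the audit (the date of the talk).
TALK_DATE = date(2015, 11, 5)

# Constructed sample POA&M export; an empty "closed" field means still open.
SAMPLE_POAM = """poam_id,severity,discovered,closed
V-101,High,2015-09-01,2015-09-20
V-102,High,2015-09-01,2015-10-15
V-103,Moderate,2015-07-01,
V-104,Low,2015-03-01,
V-105,Moderate,2015-08-15,2015-11-01
"""


@dataclass(frozen=True)
class Finding:
    poam_id: str
    severity: str          # normalised to "high" | "moderate" | "low"
    discovered: date
    closed: date | None    # None while the finding is still open

    @property
    def deadline(self) -> date:
        return self.discovered + timedelta(days=REMEDIATION_DAYS[self.severity])

    def days_late(self, as_of: date) -> int:
        """Days past the deadline, measured at closure if closed, else at as_of.
        Zero or negative means the window was met (so far)."""
        end = self.closed if self.closed is not None else as_of
        return (end - self.deadline).days


def parse_poam(text: str) -> list[Finding]:
    """Parse the CSV export, rejecting rows that cannot be assessed."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in REMEDIATION_DAYS:
            raise ValueError(f"{row['poam_id']}: unknown severity {row['severity']!r}")
        discovered = date.fromisoformat(row["discovered"].strip())
        closed_raw = row["closed"].strip()
        closed = date.fromisoformat(closed_raw) if closed_raw else None
        if closed is not None and closed < discovered:
            raise ValueError(f"{row['poam_id']}: closed before discovered")
        findings.append(Finding(row["poam_id"].strip(), sev, discovered, closed))
    return findings


def audit(findings: list[Finding], as_of: date) -> dict[str, int]:
    """Map each finding that missed its window (open or closed late) to days late."""
    return {f.poam_id: f.days_late(as_of)
            for f in findings if f.days_late(as_of) > 0}


def open_past_deadline(findings: list[Finding], as_of: date) -> list[str]:
    """IDs of findings still open and already overdue: the ones to escalate now."""
    return [f.poam_id for f in findings
            if f.closed is None and f.days_late(as_of) > 0]


if __name__ == "__main__":
    findings = parse_poam(SAMPLE_POAM)
    for poam_id, late in sorted(audit(findings, TALK_DATE).items()):
        print(f"{poam_id}: missed remediation window by {late} days")
    print("escalate now:", open_past_deadline(findings, TALK_DATE))
```

Run against the sample, the audit reports V-102 (closed 14 days late), V-103 (open, 37 days overdue) and V-104 (open, 69 days overdue); the two open items are the ones to raise with the provider at the next monitoring review. Closed-late findings are kept in the report deliberately: a provider that closes everything eventually but rarely within the window is a contractual SLA problem, not a technical one.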

Privacy Due Diligence
- Do you know where your data resides in the cloud?
- Do you have ownership rights?
- Preparing for US-EU convergence
- Adapting incident response: cloud notifications; negotiated SLAs; accounting for forensics; changing responsibilities and accountabilities
- Wait, watch and worry?

Benefits of a Due Diligence Approach
- Limits liability
- Builds trust with customers and users
- Proactive approach to security and regulatory compliance
You can't delegate accountability!

Find What's Right
- Be pragmatic: demonstrate reasonableness
- Build cyber resilience
- Consider a virtual compliance officer
- The power of simplicity

Thank you for your time! Continue the discussion:
Twitter: @EmeSec
Twitter: @mariahorton
Phone: 703.429.4492 / 4491
Email: info@emesec.net