Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

Similar documents
Exploring Emerging Cyber Attest Requirements

Security as a Service (Implementation Guides) Research Sponsorship

HITRUST CSF: One Framework

ISACA Cincinnati Chapter March Meeting

Business Assurance for the 21st Century

CCSK Research Sponsorship

Protecting vital data with NIST Framework

10 Considerations for a Cloud Procurement. March 2017

SOC for cybersecurity

Healthcare and the Cloud:

Introduction to AWS GoldBase

Compliance & Security in Azure. April 21, 2018

SOC Lessons Learned and Reporting Changes

Auditing the Cloud. Paul Engle CISA, CIA

Achieving third-party reporting proficiency with SOC 2+

Optimising cloud security, trust and transparency

The Business of Security in the Cloud

Protecting Sensitive Data in the Cloud. Presented by: Eric Wolff Thales e-security

CSF to Support SOC 2 Repor(ng

Microsoft Azure Security, Privacy, & Compliance

NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution

Peer Collaboration The Next Best Practice for Third Party Risk Management

Data Security and Privacy at Handshake

Intermedia s Private Cloud Exchange

SOC 3 for Security and Availability

Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

HITRUST Common Security Framework - Are you prepared?

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017

Embedding Privacy by Design

COMPLIANCE IN THE CLOUD

BHConsulting. Your trusted cybersecurity partner

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Model Approach to Efficient and Cost-Effective Third-Party Assurance

Virtustream Cloud and Managed Services Solutions for US State & Local Governments and Education

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

BHConsulting. Your trusted cybersecurity partner

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

SYSTEM SECURITY PLAN (SSP) [Official Company Name]

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

How Secure is Blockchain? June 6 th, 2017

Best Practices in Securing a Multicloud World

BSI C5 Status Quo. Dr. Clemens Doubrava, BSI,

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

SaaS Security in Healthcare: Can the Fox Guard the Hen House? Pros and Cons of an In-House Security Validation and a Third- Party SOC 2 Audit

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

SoftLayer Security and Compliance:

Driving Cloud Governance and Avoiding Cloud Chaos

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

CloudTrust Protocol Orientation and Status

DeMystifying Data Breaches and Information Security Compliance

All Aboard the HIPAA Omnibus An Auditor s Perspective

Security Models for Cloud

Build confidence in the cloud Best practice frameworks for cloud security

ISO 27001:2013 certification

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

Where is the EU in cloud security certification?: Main findings

Maryland Health Care Commission

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

Data Security Standards

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

locuz.com SOC Services

CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

ITT Technical Institute. IT360 Networking Security I Onsite Course SYLLABUS

TEXAS CISO COUNCIL. Information Security Program Essentials Guide

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

ISACA Enterprise. Solutions and Resources

FedRAMP Digital Identity Requirements. Version 1.0

Cybersecurity & Privacy Enhancements

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Telos and Amazon Web Services (AWS): Accelerating Secure and Compliant Cloud Deployments

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Future Shifts in Enterprise Architecture Evolution. IPMA Marlyn Zelkowitz, SAP Industry Business Solutions May 22 nd, 2013

Copyright 2011 EMC Corporation. All rights reserved.

Microsoft 365 Business FAQs

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

IS305 Managing Risk in Information Systems [Onsite and Online]

IT Cloud Computing. Internal Audit Report. Report No. SC February David Lane Auditor-in-Charge

Framework for Improving Critical Infrastructure Cybersecurity

Document Title: IT Security Assessment Questionnaire

Security & Compliance in the AWS Cloud. Amazon Web Services

NS2 Cloud Overview The Cloud Built for Federal Security and Export Controlled Environments. Hunter Downey, Cloud Solution Director

INTELLIGENCE DRIVEN GRC FOR SECURITY

CLOUD COMPUTING. The Old Ways Are New Again. Jeff Rowland, Vice President, USAA IT/Security Audit Services. Public Information

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Is Your Compliance Strategy Putting Your Business at Risk?

Transcription:

Robert Brammer Senior Advisor to the Internet2 CEO rfbtech@internet2.edu Internet2 NET+ Security Assessment Forum 8 April 2014

INTERNET2 NET+ Security Initiative Primary objective -- develop guidance to meet the security, privacy, and compliance needs of our NET+ participants, while helping to enable the service providers to manage their costs and to offer discounted prices Approach Focus on those issues most relevant in cloud-computing environments Develop material to aid in creating institutional cloud security strategy* A team of security experts from both higher education institutions and service providers continue to develop the guidance. Base on the Cloud Security Alliance (CSA) GRC Stack and NIST SP800 53, 144, 146 Tailor content to requirements for higher education Major milestones Began in June 2012, delivered initial version of security controls in December 2012, now in use by NET+ Program, next version update with CSA CCM 3.1 *Fewer than 30% of the 9300+ respondents to the PWC Global State of Information Security Survey 2013 said that their organizations have a cloud security strategy [ 2 ]

NIST, CSA, and AICPA NIST Part of the Dept. of Commerce, chartered to develop national standards CSA not-for-profit consortium, 43,000 individual members, ~150 corporate members, 20+ affiliate members, 60+ chapters globally AICPA -- world s largest member association representing the accounting profession, with nearly 400,000 members in 125+ countries Opportunity to complement their work with government and industry with our work with higher education institutions [ 3 ]

CSA GRC Stack Tools for governance, risk, and compliance management Consensus Assessments Initiative Cloud Controls Matrix Cloud Trust Protocol Cloud Audit https://cloudsecurityalliance.org/research/grc-stack/ Although it does not consider itself to be a standards body, as a global organization with high levels of participation from both cloud services buyers and providers, the Cloud Security Alliance (CSA) is the entity that is most likely to provide generally accepted control standards for public cloud computing. Jay Heiser and Rob McMillan, Cloud Security and Risk Standards Are Maturing, Gartner Research Note, 26 December 2012 [ 4 ]

NET+ Security Initiative Deliverable -- Extended CCM 3.0 Controls derived from NIST, CSA guidance, compliance requirements for higher ed, etc. Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, etc. Our extensions to CSA CCM V3.0 include FERPA, COPPA, ITAR/Export, international privacy, NIST SP800-53 R4 Appendix J, Current 136x28 modular structure provides flexibility Our extensions and the AICPA Trust Principles will be in CCM V3.0 and beyond [ 5 ]

CCM 3.0 Controls and Mappings 136 controls (risk mitigation) 28 mappings to various standards, regulations, other requirements ISO standards, FedRAMP, HIPAA, ENISA, Our NET+ Security Team has added seven mappings for requirements significant to higher education Mappings include large majority of 136 controls FERPA, PCI DSS, ITAR/EXPORT, international data privacy NIST 800-53 R4 Appendix J privacy controls [ 6 ]

3 rd Party Audit/Assessments are Significant for NET+ We are working with the AICPA and various FedRAMP 3 rd party firms to ensure that there are firms that can provide services based on our controls matrix The AICPA is collaborating with CSA and Internet2 to create a standardized industry attestation engagement provided by CPAs that incorporates the CCM The attestation is based on an existing, and proven, SOC Framework https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx Nearly 50 cloud services included in CSA STAR, including some NET+ CSP s Amazon AWS, Box, Microsoft (Azure, Office 365), SHI - more to come As more buyers demand it, and as the standards mature, such questionnaires will increasingly be treated as normal practice, as evidenced by the growing number of SaaS providers that are registering their questionnaire responses on the Cloud Security Alliance's (CSA's) Security, Trust & Assurance Registry (STAR) site. Jay Heiser and Alexa Bona, Cloud Contracts Need Security Service Levels to Better Manage Risk, Gartner Research Note, 15 March 2013 [ 7 ]

Current Status and Future Directions Our strategy is to have our developments integrated with major standards and to maintain a presence for higher education with their ongoing evolution We have released the first version of our guidance and are working with the higher education community to get feedback and are beginning implementation Currently working on further extensions for privacy and identity Draft mapping for NIST SP 800-53 R4 Appendix J with higher ed extensions Draft additional controls for federated identity in development We are in discussions with training firms for users and 3 rd party assessment firms Your feedback and support are important to us [ 8 ]

Today s Panelists Robert Brammer Internet2 Mark Cather -- University of Maryland, Baltimore County Evelyn De Souza Cloud Security Alliance and Cisco Steve Devoti University of Wisconsin Audrey Katcher American Institute of CPA s Tracy Mitrano Cornell Michele Norin University of Arizona 9 [ 9 ]

Robert Brammer Senior Advisor to the Internet2 CEO rfbtech@internet2.edu Internet2 NET+ Security Assessment Forum 8 April 2014

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback