EuroCACS 2016: There are giants in the sky

Amalia Steiu, CRISC, CISM, CIPM, CIPT, PMP
Carlos Chalico, CISA, CISSP, CISM, CRISC, CGEIT, PbDA, ISO27001LA

© ISACA 2016. All Rights Reserved.
#EUROCACS @SteiINformed @carloschalico

Agenda

• Setting the stage
• Existing Cloud Standards
• ISACA Resources
• Our Proposed Approach to Tackle the Cloud (aka How to tackle the Giants)
• Cloud Assurance and Contract considerations
• Ready…Set…Go!

Why Giants?

Image Source: Clash of Clans

Why the Concern?

Source: Creating trust in the digital world: EY’s Global Information Security Survey 2015

Standards and Frameworks

• ITU-T X.805 (ANSIS) – 8 dimensions Security Model
• ISO/IEC 27001:2005 & 27002, PCI DSS
• ISO/IEC 2005:2011 & ITU-T X.1055
• ISO 38500, ISO 31000
• ISO 27018, ISO 27017
• ITIL, ISO 20000
• COBIT 5
• SANS 27011, ISO 27001
• SANS 24762
• ISO 10181, ITU-T X.1056
• NIST SP 800-39
• APEC, OECD, just to mention some

(More) Standards and Frameworks

(Even More) Standards and Frameworks

How to Navigate all These?

• Understand risks and formulate objectives to be achieved in line with IT goals, business goals and risk appetite
• Have a clear understanding of laws and regulations AND obligations to comply
• Ensure risks are managed in a cost-effective manner
• Support you with your information security, privacy and other regulatory requirements
• Demonstrate ongoing compliance

ISO 27018

• Guidance is directed at public cloud providers acting as processors of PI
• Protection requirements: a) Legal, Regulatory and Contractual Obligations; b) Risk – taking into account the organization’s overall business strategy and objectives (ISO/IEC 29134 provides guidance on privacy impact assessment); c) Corporate Policies and possible added requirements from a)
• PI Lifecycle requirements
• Information Security: IS and HR policies (incl. termination); Management Responsibilities; Access/Identity Management: privileged and non-privileged access, reviews and monitoring; System and application access control; PI protection through Projects and Project Management; Use of privileged utility programs; Application development and coding practices; Access control to program source code; Cryptography; Physical Environment Security…

ISO 27018 cont’d

• Operations Security; Documenting Standards and Procedures; Change Control; Capacity Management; Separating testing, dev and prod environments; Protection from malware; Backup; Logging and monitoring; Protection of logs; Technical vulnerability management; Information systems audit considerations; Network Security Management; Information transfer; Electronic messaging/other collaboration tools; Incident Management; Business Continuity
• Compliance; Security Audits
• Privacy Policy
• Enable the organization using the Cloud Provider to meet their Consent and Choice obligations and Access to their information for correction or removal; Purpose which does not exceed the agreed upon (in contract) scope for processing

ISO 27018 cont’d

• Respect the Organization’s data minimization requirements
• Use, retention and disclosure limitation
• Accuracy and quality obligations
• Obligations to cooperate with regulators
• Individual participation and involvement
• Breach Notification and Management
• Dispute management and retention of administrative policies
• PI return, transfer and disposal
• Policies for creation and retention of hard copy PI information
• Confidentiality and non-disclosure agreements
• Training and Awareness
• Retention and Protection of data restoration logs
• Protection of all storage media, at any time
• Encryption of PI transmission over networks
• Records of authorized users; Unique IDs

ISO 27018 cont’d

• Geographic location of PI
• Intended destination of PI

NIST SP 800-53 rev4, DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Initial Public Draft), February 2012 (http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf).
[16] NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010 (http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf).
[17] NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011 (http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf).

Cloud Security Alliance

• CSA is the leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment
• Operates the CSA Security, Trust & Assurance Registry (STAR) program to certify cloud providers on security
• It supports the individual designation known as Certificate of Cloud Security Knowledge (CCSK)
• Corporate and individual members
• Chapters around the world
• Constantly generates related content
• Among these, the “Security Guidance for Critical Areas of Focus in Cloud Computing 3.0” was released

Source: https://cloudsecurityalliance.org

Security Guidance

• Document recognizes that the cloud computing market is maturing
• Originally released in 2009
• Considering this, information security, privacy and related risks become relevant
• Controls are crucial
• Document focuses on best practices delivery based on comments from seventy industry experts distributed worldwide
• Progress is recognized
• Information security professionals from around the world are working to secure the future on the cloud

Document Structure

Sections (I-III): Cloud Architecture; Governing in the Cloud; Operating in the Cloud

1. Cloud Computing Architectural Framework
2. Governance and Enterprise Risk Management
3. Legal Issues: Contracts and Electronic Discovery
4. Compliance and Audit Management
5. Information Management and Data Security
6. Interoperability and Portability
7. Traditional Security, Business Continuity and Disaster Recovery
8. Data Centre Operations
9. Incident Response
10. Application Security
11. Encryption and Key Management
12. Identity, Entitlement and Access Management
13. Virtualization
14. Security as a Service

To Keep in mind

• Risk tolerance is considered to be key when thinking of going to the cloud
• Understanding the right combination of deployment and service models for the organization is crucial
• Identification of sensitive information is mandatory
• Potential exposure points should be identified
• Weaknesses in operations need to be pointed out
• The value of the assets should influence the level of concern
• This is just the beginning when considering a potential operation in the cloud
• Remember: Having a third party taking care of a portion of your processes does not make you less responsible for them

“…the security of the organization’s information and information processing facilities should not be reduced by the introduction of external party products or services…” – ISO/IEC 27002, section 6.2

Visual Model

(Figure: CSA Security Guidance visual model; Sections I-III: Cloud Architecture, Governing in the Cloud, Operating in the Cloud)

Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA

Cloud Deployment Models (aka “The Giants”)

Service Models (Extended)
• Classic: SaaS, PaaS, IaaS, DaaS
• Extended and Emerging: DaaS, SecaaS, DRaaS, IDaaS, BDaaS, InfoaaS, IPaaS, FRaaS, HkaaS

Shall we consider for Cloud Computing the same controls as in traditional environments?

Extended Organization

(Figure) Source: Ernst & Young

Cloud Controls Matrix

(Figure) Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA

Corporate Governance

You have heard about this concept: processes, technology, customs, policies, laws, and institutions affecting the way the enterprise is directed, administered or controlled.

Five basic principles:
• Auditing Supply Chains
• Board and Management Structure and Process
• Corporate Responsibility and Compliance
• Financial Transparency and Information Disclosure
• Ownership Structure and Exercise of Control Rights

Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA

Enterprise Risk Management (figure)

Legal Concerns – Privacy, Contracts

1. Choice and consent
2. Legitimate purpose specification and use limitation
3. Personal information and sensitive information lifecycle
4. Accuracy and quality
5. Openness, transparency and notice
6. Individual participation
7. Accountability
8. Security safeguards
9. Monitoring, measuring and reporting
10. Preventing harm
11. Third party/vendor management
12. Breach management
13. Security and privacy by design
14. Free flow of information and legitimate restriction

Source: ISACA Privacy Principles and Program Management Guide

Governing the Cloud

• Compliance and Audit Management
• Information Management and Data Security
• Interoperability and Portability
• GRC Value Ecosystem (figure)
• Data Lifecycle (figure)

Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA

Operating in the Cloud

• Business continuity management
• Operations
• Responding to the unexpected
• Protecting a critical tier: the application
• Securing the SDLC
• Encryption and key management
• Identity, entitlement and access management
• Virtualization
• Security as a Service (SecaaS)

Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA

ISACA Resources

ISACA has created a number of “tools” to help organizations understand the Cloud:
• Vendor Management Using COBIT 5
• COBIT 5 for Risk
• Controls and Assurance in the Cloud using COBIT 5
• Privacy Principles and Program Management Guide
• Publications discussing Governance, Risk and Security matters

Our Proposed Approach to Cloud (How to tackle the Giants?)

• Treat your relationship with the cloud provider the way you would if extending your Data Center
• Add all the necessary due diligence for a Third-Party
• What are you reporting on? What KPIs, KCIs etc.
• This will drive your requirements for:
  a) setting up the relationship with IT Goals in mind and using a risk-cost based approach;
  b) managing the relationship;
  c) the contract

Our Proposed Approach to Cloud… cont’d

Governance of your “Total” Enterprise IT (figure):
• Total Data Center
• Total IT – Business Goals
• RISK = Cloud Risk + Third Party Risk + IT Risk
• Giants
• Governance of Total Enterprise IT
• Controls and Assurance (incl. Cloud)

Our Proposed Approach to Cloud… cont’d

Includes:
• Governance model, Policy, IT Strategy
• IT-Business Goals
• Stakeholders Needs Analysis (see matrix)
• GRC in the Data Center (what other obligations: PCI DSS, others?)
• Third Party risks and analysis
• Internal Standards and Controls, KCIs, KRIs
• Internal Service Delivery metrics
• Data Localization, Privacy Laws

Our Proposed Approach to Cloud… cont’d

“The CIO needs to manage the Total Enterprise IT (incl. Cloud) as a service value chain. With cloud computing, the CIO must weave together and optimize this value chain to best support various business partners, customers and enable the enterprise’s business”

Management and Governance of Enterprise IT includes:
• Manage increasing risk effectively, including security, compliance, privacy, projects and business partners (stakeholders)
• Ensure continuity of services that are now in the “extended” data center
• Clearly communicate the enterprise objectives to the internal IT organization as well as third parties (through contracts)
• Build agility in: remain flexible and adaptable to harvest new value (enable new business processes/practices) and opportunities and reduce costs
• Facilitate continuity of IT knowledge through adaptive learning and awareness models
• Be prepared to handle a myriad of industry and country regulations and laws

Our Proposed Approach to Cloud… cont’d

Total Data Center (figure)

GRC in the Total Data Center (figure)

Our Proposed Approach to Cloud… cont’d

Executive Oversight = Compliance function (to provide regulatory and other compliance requirements specific to third party risk management) + IT Risk & Control Function (risk level based on the nature of access/data sensitivity shared with the third parties) + Contract Governance Function (adequately addressing security/privacy/other obligations)

• Vendors and contracts database
• Trust level (as a good practice, areas of assessment could be drawn from ISO 27001, COBIT, OWASP combined with specific compliance requirements (e.g. PCI DSS) as applicable)
• Validate Trust Level
• Monitor and Report

Our Proposed Approach to Cloud… cont’d

• Cloud Risk – Framework for Assessment (ISACA)
• Others: CSA Cloud Security Matrix, ENISA, NIST, ISO/IEC 9126, AICPA SOC1, AICPA SysTrust, FedRAMP, HITRUST, BITS Shared Assessment Program, Jericho Forum SAS etc.
• Top Risk Ranking offered by CSA, OWASP and ENISA
• Risk Mapping according to ISO 9126 (Information Technology – Software product evaluation – Quality characteristics and guidelines for their use) – useful for SaaS, PaaS, IaaS
• Security related risk based on COBIT 5 DS5
• 4 Guiding Principles for the Cloud: Vision, Visibility, Accountability, Sustainability

Our Proposed Approach to Cloud… cont’d

Privacy compliance (figure)

Our Proposed Approach to Cloud… cont’d

COBIT 5 for Risk
• Evolution of Risk IT (released to support COBIT 4.1)

Principles (figure)

COBIT 5 Risk Support (figure)

Defending (figure)

Understanding (figure): service models (IaaS, PaaS, SaaS) against deployment models (Private, Community, Hybrid, Public)

Source: COBIT 5 for Risk; ISACA

Our Proposed Approach to Cloud… cont’d

Vendor Management Using COBIT 5
• Recognizes relevance of third parties and considers cloud
• Reinforces process APO10 “Manage Suppliers” in COBIT 5
• Focuses on IT related services
• Chapter 6 focuses on Cloud Vendor Management

Definition: A vendor is a third party that supplies products or services to an enterprise. These products or services may be outsourcing, hardware, software, services, commodities, etc. Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized. This process requires dedicated effort from the enterprise and the vendor and varies based on the relationship and the scope of services and products.

Source: Vendor Management Using COBIT 5; ISACA

Our Proposed Approach to Cloud… cont’d

Risk Factors by Service Model (figure)

Risk Factors by Deployment Model (figure)

Satisfying Stakeholders (figure)

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Cloud Assurance and Contract Considerations

Controls and Assurance in the Cloud (figure): Stakeholder Needs; IT Goals; Client Responsibilities; Cloud Service Provider (CSP) Responsibilities

Stakeholder Needs:
• Stakeholder value of business investments
• Managed business risk (safeguarding assets and business value)
• Compliance with external laws and regulations
• Agile response to an ever changing business environment
• Optimization of service delivery costs

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Cloud Assurance and Contract Considerations

Controls in the Cloud

Governance and Enterprise Risk Management
Client:
• Governance Framework
• Risk & Resources Optimization
• Manage Cloud Strategy
• Manage/Communicate Desired Outcomes
• Manage suppliers
• Manage Service Agreements
• Monitor Compliance
CSP: n/a

Legal and Electronic Discovery
Client:
• Define & Communicate requirements
• Document requirements in contracts and SLAs
• Monitor Compliance
CSP:
• Meet requirements for data retention
• Meet requirements for evidence protection
• Provide data as needed for e-discovery and legal procedures

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Cloud Assurance and Contract Considerations

Controls in the Cloud

Compliance and Audit
Client:
• Define & Communicate requirements
• Document requirements in Agreements, SLAs
• Identify changes in external compliance requirements
• Optimize response to external requirements
• Confirm external compliance
• Obtain assurance of external compliance requirements
• Request proof of independent reviews
CSP:
• Establish a monitoring approach
• Set performance and conformance targets
• Collect and process performance and conformance data
• Analyze and report performance
• Ensure the implementation of corrective actions
• Monitor internal controls
• Review business process control effectiveness
• Perform control self-assessment
• Identify and report control deficiencies
• Ensure that assurance providers are independent and qualified
• Plan assurance initiatives
• Scope assurance initiatives
• Execute assurance initiatives

Information Lifecycle Management
Client:
• Identify assets
• Classify assets
• Define & Communicate requirements
• Monitor Compliance
CSP:
• Meet data management requirements
• Implement adequate processes to dispose of data and storage media/devices
• Return data to client when contract expires/is severed

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Cloud Assurance and Contract Considerations

Controls in the Cloud (remaining domains)
• Portability and Interoperability
• Security, Business Continuity and Disaster Recovery
• Incident Response, Notification and Remediation
• Data Center Operations
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
• Infrastructure

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Cloud Assurance and Contract Considerations

Assurance in the Cloud

Enterprise Goals | IT Goals (with COBIT 5 processes) | Key IT Goal
EG01 – Stakeholder value of business investments | ITG05, 07, 11, APO09 (Manage Service Agreements) | ITG05 – Realized benefits from IT-enabled investments and services portfolio
EG03 – Managed business risk | ITG04, 10, APO10, APO12, APO13, DSS05, MEA03 | ITG04 – Manage IT-related business risk
EG04 – Compliance with external laws and regulations | ITG02, ITG10, APO12, APO13, DSS05, MEA03 | ITG02 – IT compliance and support with external laws and regulations; ITG10 – Security of information, processing infrastructure and applications
EG08 – Agile response to an ever changing business environment | ITG07, 09, APO10 | ITG07 – Delivery of IT Services in line with business requirements
EG10 – Optimization of service delivery costs | ITG04, 11, APO10, APO12, APO13, DSS05, MEA03 | ITG04 – Manage IT-related business risk

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Cloud Assurance and Contract Considerations

Contract Requirements
• Access to information (logical) – meeting the “Access” principle in Privacy
• Data Protection = Lifecycle (extended) – Encryption; Anonymization/Pseudonymization; Right to be Forgotten/Correction
• Logs
• Security Incidents
• Privacy breaches
• Secure disposal / Retention periods monitoring
• Business Continuity & testing
• Data Quality/Integrity
• Enterprise Risk Assessment (Security, Privacy)
• Connectivity (availability)
• Regulatory Investigations to the cloud (Data)
• Disaster declaration
• Customer Notification
• Changes in Cloud Ownership
• E-Discovery
• Application Security
• Business Impact Analysis (interruptions)
• Managing Changes of contract
• New applications*
• Requirements for changes in functionality
• KRIs, KCIs, KPIs – monitoring and reporting
• Severing the relationship
• Security Technical Safeguards (virtualization, networks etc.)
• PCI DSS compliance
• Data transfer cross-borders

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Cloud Assurance and Contract Considerations

Contract Requirements: Your Organizational Standards and Controls
• Identity Management
• Access Management (for the cloud environment; access standards: user vs. privileged)
• Retention and Destruction Standard
• PI (PII) Protection Standards
• Data Flows/Inventory
• Data Classification Policy
• DLP implications
• Data processing compliance
• IT Change Control and Configuration Management

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Cloud Assurance and Contract Considerations

Contract Requirements cont’d
• Term and Termination
• Cloud staff “segregation” of duties and “need to know”
• Cloud staff background checks
• Cloud staff training
• Alignment of password requirements with internal standards
• Cloud staff Confidentiality Agreements
• Cloud Services annual certification (SOC1/2 or equivalent)
• Third party subcontracting to a vendor
• Crisis Management
• Incident Response
• Value Generation
• ISO 27017, 27018, NIST

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

Ready…Set….GO!!!

“Bringing value to the organization, enabling transformation while minimizing risk and without compromising privacy”

• Appropriate Governance (End to End GEIT)
• Risk to Business Objectives: IT Risk + Business Risk + Third Party Risk (SLAs, Legal/Regulatory, Security, Privacy, etc.)
• Total Data Center Security (& Privacy) requirements
• Controls & Assurance in the Cloud
• Internal Policies, Standards etc.
• Contract Requirements

Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

What’s This?

(Figures) Source: Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf

Resources

• https://www.cloudlock.com/wp-content/uploads/2015/07/ISO-IEC-Compliance-Guide-CloudLock.pdf
• https://www.itsc.org.sg/userfiles/files/content/Item_7_-_Wong_Onn_Chee_Presentation_Slides_Overview_of_Cloud_Security.pdf
• Volume 3, 2015 “Governance and Management of Enterprise IT (CGEIT)”, see Article “Toward a secure data center model”
• Volume 4, 2015 “Regulations and Compliance”, see Article “Vendor Risk Management Demystified”
• ISACA Volume 5, 2012 “Privacy and the Cloud”, see Article “Meeting PCI DSS when using a Cloud Service Provider”
• ISACA “Controls and Assurance in the Cloud using COBIT 5”
• ISACA “COBIT 5 for Risk”
• ISACA “Vendor Management Using COBIT 5”
• Security Guidance for Critical Areas of Focus in Cloud Computing: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf

Questions?

Amalia Steiu, CRISC, CISM, CIPM, CIPT, PMP
Privacy Solutions Advisor, Nymity Inc.
+1(416)433-6406
[email protected]

Carlos Chalico, CISA, CISSP, CISM, CGEIT, CRISC, PbDA, ISO27001LA
Director, Strategic Alliance, Nymity Inc.
+1(647)406-7785
[email protected]