Amalia Steiu, CRISC, CISM, CIPM, CIPT, PMP
Carlos Chalico, CISA, CISSP, CISM, CRISC, CGEIT, PbDA, ISO27001LA
© ISACA 2016.
All Rights Reserved.
#EUROCACS @SteiINformed
@carloschalico
Agenda
• Setting the stage
• Existing Cloud Standards
• ISACA Resources
• Our Proposed Approach to Tackle the Cloud (aka How to tackle the Giants)
• Cloud Assurance and Contract considerations
• Ready…Set…Go!
Why Giants?
Image Source: Clash of Clans
Why the Concern?
Source: Creating trust in the digital world: EY’s Global Information Security Survey 2015
Standards and Frameworks
• ITU-T X.805 (ANSIS) – 8 dimensions Security Model
• ISO/IEC 27001:2005 & 27002, PCI DSS
• ISO/IEC 2005: 2011 & ITU-T X.1055
• ISO 38500, ISO 31000
• ISO 27018, ISO 27017
• ITIL, ISO 20000
• COBIT 5
• SANS 27011, ISO 27001
• SANS 24762
• ISO 10181, ITU X1056
• NIST SP 800-39
• APEC, OECD, just to mention some
(More) Standards and Frameworks
(Even More) Standards and Frameworks
How to Navigate all These?
• Understand risks and formulate objectives to be achieved in line with IT Goals, Business Goals and Risk Appetite
• Have a clear understanding of laws and regulations AND obligations to comply
• Ensure risks are managed in a cost-effective manner
• Support you with your information security, privacy and other regulatory requirements
• Demonstrate ongoing compliance
ISO 27018
• Guidance is directed at public cloud providers acting as processors of PI
• Protection requirements: a) Legal, Regulatory and Contractual Obligations; b) Risk – taking into account the organization’s overall business strategy and objectives; ISO/IEC 29134 provides guidance on privacy impact assessment; c) Corporate Policies and possible added requirements from a)
• PI Lifecycle requirements
• Information Security: IS and HR policies (incl. termination), Management Responsibilities, Access/Identity Management: privileged and non-privileged access, reviews and monitoring; System and application access control; PI protection through Projects and Project Management
• Use of privileged utility programs; Application development and coding practices; Access control to program source code; Cryptography; Physical Environment Security…
ISO 27018 cont’d
• Operations Security; Documenting Standards and Procedures; Change Control; Capacity Management; Separating testing, dev and prod environments; Protection against malware; Backup; Logging and monitoring; Protection of logs; Technical vulnerability management; Information systems audit considerations; Network Security Management; Information transfer; Electronic messaging/other collaboration tools; Incident Management; Business Continuity
• Compliance; Security Audits
• Privacy Policy
• Enable the organization using the Cloud Provider to meet their Consent and Choice, Access to their information for correction or removal; Purpose which does not exceed the agreed upon (in contract) scope for processing
ISO 27018 cont’d
• Respect the Organization’s data minimization requirements
• Use, retention and disclosure limitation
• Accuracy and quality obligations
• Obligations to cooperate with regulators
• Individual participation and involvement
• Breach Notification and Management
• Dispute management and retention of administrative policies
• PI return, transfer and disposal
• Policies for creation and retention of hard copy PI information
• Confidentiality and non-disclosure agreements
• Training and Awareness
• Retention and Protection of data restoration logs
• Protection of all storage media, at any time
• Encryption of PI transmission over networks
• Records of authorized users; Unique IDs
ISO 27018 cont’d
• Geographic location of PI
• Intended destination of PI
Cloud Security Alliance
• CSA is the leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment
• Operates the CSA Security, Trust & Assurance Registry (STAR) program to certify cloud providers on security
• It supports the individual designation known as: Certificate of Cloud Security Knowledge (CCSK)
• Corporate and individual members
• Chapters around the world
• Constantly generates related content
• Among this the “Security Guidance for Critical Areas of Focus in Cloud Computing 3.0” was released
Source: https://cloudsecurityalliance.org
Security Guidance
• Document recognizes that the cloud computing market is maturing
• Originally released in 2009
• Considering this, information security, privacy and related risks become relevant
• Controls are crucial
• Document focuses on delivering best practices based on comments from seventy industry experts distributed worldwide
• Progress is recognized
• Information security professionals from around the world are working to secure the future on the cloud
Document Structure
Sections (I-III): Cloud Architecture; Governing in the Cloud; Operating in the Cloud
1. Cloud Computing Architectural Framework
2. Governance and Enterprise Risk Management
3. Legal Issues: Contracts and Electronic Discovery
4. Compliance and Audit Management
5. Information Management and Data Security
6. Interoperability and Portability
7. Traditional Security, Business Continuity and Disaster Recovery
8. Data Centre Operations
9. Incident Response
10. Application Security
11. Encryption and Key Management
12. Identity, Entitlement and Access Management
13. Virtualization
14. Security as a Service
To Keep in mind
• Risk tolerance is considered to be key when thinking of going to the cloud
• Understanding the right combination of deployment and services model for the organization is crucial
• Identification of sensitive information is mandatory
• Potential exposure points should be identified
• Weaknesses in operations need to be pointed out
• The value of the assets should influence the level of concern
• This is just the beginning when considering a potential operation in the cloud
• Remember: Having a third party taking care of a portion of your processes does not make you less responsible for them
“…the security of the organization’s information and information processing facilities should not be reduced by the introduction of external party products or services…” (ISO/IEC 27002, section 6.2)
Visual Model
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
Cloud Deployment Models (aka “The Giants”)
Service Models (Extended)
Classic: SaaS, PaaS, IaaS, DaaS
Emerging: DaaS, SecaaS, DRaaS, IDaaS, BDaaS, InfoaaS, IPaaS, FRaaS, HkaaS
Shall we consider for Cloud Computing the same controls as in traditional environments?
Extended Organization
Source: Ernst & Young
Cloud Controls Matrix
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
Corporate Governance
You have heard about this concept: Processes, technology, customs, policies, laws, and institutions affecting the way the enterprise is directed, administered or controlled
Five basic principles:
• Auditing Supply Chains
• Board and Management Structure and Process
• Corporate Responsibility and Compliance
• Financial Transparency and Information Disclosure
• Ownership Structure and Exercise of Control Rights
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
Enterprise Risk Management
Legal Concerns – Privacy, Contracts
1. Choice and consent
2. Legitimate purpose specification and use limitation
3. Personal information and sensitive information lifecycle
4. Accuracy and quality
5. Openness, transparency and notice
6. Individual participation
7. Accountability
8. Security safeguards
9. Monitoring, measuring and reporting
10. Preventing harm
11. Third party/vendor management
12. Breach management
13. Security and privacy by design
14. Free flow of information and legitimate restriction
Source: ISACA Privacy Principles and Program Management Guide
Governing the Cloud
• Compliance and Audit Management
• Information Management and Data Security
• Interoperability and Portability
GRC Value Ecosystem
Data Lifecycle
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
Operating in the Cloud
• Business continuity management
• Operations
• Responding to the unexpected
• Protecting a critical tier: The application
• Securing the SDLC
• Encryption and key management
• Identity, entitlement and access management
• Virtualization
• Security as a Service (SecaaS)
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
ISACA Resources
ISACA has created a number of “tools” to help organizations understand the Cloud:
• Vendor Management Using COBIT 5
• COBIT 5 for Risk
• Controls and Assurance in the Cloud using COBIT 5
• Privacy Principles and Program Management Guide
• Publications discussing Governance, Risk and Security matters
Our Proposed Approach to Cloud (How to tackle the Giants?)
• Treat your relationship with the cloud provider the way you would if extending your Data Center
• Add all the necessary due diligence for a Third Party
• What are you reporting on? What KPIs, KCIs etc.
• This will drive your requirements for:
  a) setting up the relationship with IT Goals in mind and using a risk-cost based approach;
  b) managing the relationship;
  c) the contract
Our Proposed Approach to Cloud… cont’d
Governance of your “Total” Enterprise IT (diagram): Total Data Center; Total IT - Business Goals; Giants; Governance of Total Enterprise IT; Controls and Assurance (incl. Cloud)
RISK = Cloud Risk + Third Party Risk + IT Risk
Our Proposed Approach to Cloud… cont’d
Includes:
• Governance model, Policy, IT Strategy
• IT-Business Goals
• Stakeholders Needs Analysis (see matrix)
• GRC in the Data Center (what other obligations: PCI DSS, others?)
• Third Party risks and analysis
• Internal Standards and Controls, KCIs, KRIs
• Internal Service Delivery metrics
• Data Localization, Privacy Laws
Our Proposed Approach to Cloud… cont’d
“The CIO needs to manage the Total Enterprise IT (incl. Cloud) as a service value chain. With cloud computing, the CIO must weave together and optimize this value chain to best support various business partners, customers and enable the enterprise’s business”
Management and Governance of Enterprise IT includes:
• Manage increasing risk effectively, including security, compliance, privacy, projects and business partners (stakeholders)
• Ensure continuity of services that are now in the “extended” data center
• Clearly communicate the enterprise objectives to the internal IT organization as well as third parties (through contracts)
• Build Agility in: remain flexible and adaptable to harvest new value (enable new business processes/practices) and opportunities and reduce costs
• Facilitate continuity of IT knowledge through adaptive learning and awareness models
• Be prepared to handle a myriad of industry and country regulations and laws
Our Proposed Approach to Cloud… cont’d
Total Data Center
Our Proposed Approach to Cloud… cont’d
GRC in the Total Data Center
Our Proposed Approach to Cloud… cont’d
Executive Oversight = Compliance function (to provide regulatory and other compliance requirements specific to third party risk management) + IT Risk & Control Function (risk level based on the nature of access/data sensitivity shared with the third parties) + Contract Governance Function (adequately addressing security/privacy/other obligations)
• Vendors and contracts database
• Trust level (as a good practice, areas of assessment could be drawn from ISO 27001, COBIT, OWASP combined with specific compliance requirements (e.g. [PCI DSS]) as applicable)
• Validate Trust Level
• Monitor and Report
Our Proposed Approach to Cloud… cont’d
• Cloud Risk – Framework for Assessment (ISACA)
• Others: CSA Cloud Security Matrix, ENISA, NIST, ISO/IEC 9126, AICPA SOC1, AICPA SysTrust, FedRAMP, HITRUST, BITS Shared Assessment Program, Jericho Forum SAS etc.
• Top Risk Ranking offered by CSA, OWASP and ENISA
• Risk Mapping according to ISO/IEC 9126 (Information Technology – Software product evaluation – Quality characteristics and guidelines for their use) – useful for SaaS, PaaS, IaaS
• Security related risk based on COBIT 5 DS5
4 Guiding Principles for the Cloud:
• Vision
• Visibility
• Accountability
• Sustainability
Our Proposed Approach to Cloud… cont’d
Privacy compliance
Our Proposed Approach to Cloud… cont’d
COBIT 5 for Risk
Evolution of Risk IT (released to support COBIT 4.1)
Source: COBIT 5 for Risk; ISACA
Our Proposed Approach to Cloud… cont’d
Principles
Source: COBIT 5 for Risk; ISACA
Our Proposed Approach to Cloud… cont’d
COBIT 5 Risk Support
Source: COBIT 5 for Risk; ISACA
Our Proposed Approach to Cloud… cont’d
Defending
Source: COBIT 5 for Risk; ISACA
Our Proposed Approach to Cloud… cont’d
Understanding
Service models: IaaS, PaaS, SaaS
Deployment models: Private, Community, Hybrid, Public
Source: COBIT 5 for Risk; ISACA
Our Proposed Approach to Cloud… cont’d
Understanding
Source: COBIT 5 for Risk; ISACA
Our Proposed Approach to Cloud… cont’d
Vendor Management Using COBIT 5
• Recognizes relevance of third parties and considers cloud
• Reinforces process APO10 “Manage Suppliers” in COBIT 5
• Focuses on IT related services
• Chapter 6 focuses on Cloud Vendor Management
Definition:
A vendor is a third party that supplies products or services to an enterprise. These products or services may be outsourcing, hardware, software, services, commodities, etc. Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized. This process requires dedicated effort from the enterprise and the vendor and varies based on the relationship and the scope of services and products.
Source: Vendor Management Using COBIT 5; ISACA
Our Proposed Approach to Cloud… cont’d
Risk Factors by Service Model
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Our Proposed Approach to Cloud… cont’d
Risk Factors by Deployment Model
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Our Proposed Approach to Cloud… cont’d
Satisfying Stakeholders
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Controls and Assurance in the Cloud
Stakeholder Needs:
• Stakeholder value of business investments
• Managed business risk (safeguarding assets and business value)
• Compliance with external laws and regulations
• Agile response to an ever changing business environment
• Optimization of service delivery costs
IT Goals
Client Responsibilities
Cloud Service Provider (CSP) Responsibilities
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Controls in the Cloud
Client
Governance and Enterprise Risk Management:
• Governance Framework
• Risk & Resources Optimization
• Manage Cloud Strategy
• Manage/Communicate Desired Outcomes
• Manage suppliers
• Manage Service Agreements
• Monitor Compliance
Legal and Electronic Discovery:
• Define & Communicate requirements
• Document requirements in contracts and SLAs
• Monitor Compliance
CSP
Governance and Enterprise Risk Management:
n/a
Legal and Electronic Discovery:
• Meet requirements for data retention
• Meet requirements for evidence protection
• Provide data as needed for e-discovery and legal procedures
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Controls in the Cloud
Client
Compliance and Audit:
• Define & Communicate requirements
• Document requirements in Agreements, SLAs
• Identify changes in external compliance requirements
• Optimize response to external requirements
• Confirm external compliance
• Obtain assurance of external compliance requirements
• Request proof of independent reviews
Information Lifecycle Management:
• Identify assets
• Classify assets
• Define & Communicate requirements
• Monitor Compliance
CSP
Compliance and Audit:
• Establish a monitoring approach
• Set performance and conformance targets
• Collect and process performance and conformance data
• Analyze and report performance
• Ensure the implementation of corrective actions
• Monitor internal controls
• Review business process control effectiveness
• Perform control self-assessment
• Identify and report control deficiencies
• Ensure that assurance providers are independent and qualified
• Plan assurance initiatives
• Scope assurance initiatives
• Execute assurance initiatives
Information Lifecycle Management:
• Meet data management requirements
• Implement adequate processes to dispose of data and storage media/devices
• Return data to client when contract expires/severed
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Controls in the Cloud
• Portability and Interoperability
• Security, Business Continuity and Disaster Recovery
• Incident Response, Notification and Remediation
• Data Center Operations
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
• Infrastructure
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Assurance in the Cloud
Enterprise Goals and the IT Goals they map to:
• EG01 – Stakeholder value of business investments: ITG05, 07, 11, APO09 (Manage Service Agreements). ITG05 – Realized benefits from IT-enabled investments and services portfolio
• EG03 – Managed business risk: ITG04, 10, APO10, APO12, APO13, DSS05, MEA03. ITG04 – Manage IT-related business risk
• EG04 – Compliance with external laws and regulations: ITG02, ITG10, APO12, APO13, DSS05, MEA03. ITG02 – IT compliance and support with external laws and regulations; ITG10 – Security of information, processing infrastructure and applications
• EG08 – Agile response to an ever changing business environment: ITG07, 09, APO10. ITG07 – Delivery of IT Services in line with business requirements
• EG10 – Optimization of service delivery costs: ITG04, 11, APO10, APO12, APO13, DSS05, MEA03. ITG04 – Manage IT-related business risk
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Contract Requirements
• Access to information (logical)
• Meeting the “Access” principle in Privacy
• Data Protection = Lifecycle (extended) - Encryption
• Anonymization/Pseudo
• Right to be Forgotten/Correction
• Logs
• Security Incidents
• Privacy breaches
• Secure disposal / Retention periods monitoring
• Business Continuity & testing
• Data Quality/Integrity
• Enterprise Risk Assessment (Security, Privacy)
• Connectivity (availability)
• Regulatory Investigations to the cloud (Data)
• Disaster declaration
• Customer Notification
• Changes in Cloud Ownership
• E-Discovery
• Application Security
• Business Impact Analysis (interruptions)
• Managing Changes of contract
• New applications*
• Requirements for changes in functionality
• KRIs, KCIs, KPIs – monitoring and reporting
• Severing the relationship
• Security Technical Safeguards (virtualization, networks etc.)
• PCI DSS compliance
• Data transfer cross-borders
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Contract Requirements: Your Organizational Standards and Controls
• Identity Management
• Access Management (for the cloud environment; Access Standards: User vs. Privileged)
• Retention and Destruction Standard
• PI (PII) Protection Standards
• Data Flows/Inventory
• Data Classification Policy
• DLP implications
• Data processing compliance
• IT Change Control and Configuration Management
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Contract Requirements cont’d
• Term and Termination
• Cloud staff “segregation” of duties and “need to know”
• Cloud staff background checks
• Cloud staff training
• Alignment of password requirements with internal standards
• Cloud staff Confidentiality Agreements
• Cloud Services annual certification (SOC1/2 or equivalent)
• Third party subcontracting to a vendor
• Crisis Management
• Incident Response
• Value Generation
• ISO 27017, 27018, NIST
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Ready…Set….GO!!!
“Bringing value to the organization, enabling transformation while minimizing risk and without compromising privacy”
• Appropriate Governance (End to End GEIT)
• Risk to Business Objectives: IT Risk + Bus Risk + Third Party Risk (SLAs, Legal/Regulatory, Security, Privacy, etc.)
• Total Data Center Security (& Privacy) requirements
• Controls & Assurance in the Cloud
• Internal Policies, Standards etc.
• Contract Requirements
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
What’s This?
Source: Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf
Resources
• https://www.cloudlock.com/wp-content/uploads/2015/07/ISO-IEC-Compliance-Guide-CloudLock.pdf
• https://www.itsc.org.sg/userfiles/files/content/Item_7_-_Wong_Onn_Chee_Presentation_Slides_Overview_of_Cloud_Security.pdf
• Volume 3, 2015 “Governance and Management of Enterprise IT (CGEIT)”, see Article “Toward a secure data center model”
• Volume 4, 2015 “Regulations and Compliance”, see Article “Vendor Risk Management Demystified”
• ISACA Volume 5, 2012 “Privacy and the Cloud”, see Article “Meeting PCI DSS when using a Cloud Service Provider”
• ISACA “Controls and Assurance in the Cloud using COBIT 5”
• ISACA “COBIT 5 for Risk”
• ISACA “Vendor Management Using COBIT 5”
• Security Guidance for Critical Areas of Focus in Cloud Computing: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf
Questions?
Amalia Steiu, CRISC, CISM, CIPM, CIPT, PMP
Privacy Solutions Advisor
Nymity Inc.
+1(416)433-6406
Carlos Chalico, CISA, CISSP, CISM, CGEIT, CRISC, PbDA, ISO27001LA
Director, Strategic Alliance
Nymity Inc.
+1(647)406-7785