SlideShare ist ein Scribd-Unternehmen logo

Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud

Happiest Minds Technologies
Happiest Minds Technologies

Engaging with a vendor especially one who provides some sort of Information and/or technology based services is necessary for many global organizations. Managing risks related to vendors presents its own challenges particularly if they are high technology companies such as Cloud Service Providers (CSP). Cloud based services add to the complexities of managing traditional security & compliance risks. Identifying and addressing risks associated with moving your data, applications and services are not the only thing that an organization has to consider. An organization also needs to think about and plan for vendor related risks, legal, regulatory and contractual risks. This spectrum of risks continues to expand particularly when dealing with customers and vendors who are operating in different geographies governed by different regulations, data protection laws, culture and operating models. For more information, visit - http://www.happiestminds.com/technology-focus/cloud-computing/

1 von 6
Downloaden Sie, um offline zu lesen
Moving to Clouds? Simplify your approach to understand the risks and protect your data By Thiruvadinathan Happiest Minds, Infrastructure Management and Security Services © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
How to work with your Cloud vendor to secure sensitive and critical data on the cloud? Engaging with a vendor especially one who provides some sort of Information and/or technology based services is necessary for many global organizations. Managing risks related to vendors presents its own challenges particularly if they are high technology companies such as Cloud Service Providers (CSP). Cloud based services add to the complexities of managing traditional security & compliance risks. Identifying and addressing risks associated with moving your data, applications and services are not the only thing that an organization has to consider. An organization also needs to think about and plan for vendor related risks, legal, regulatory and contractual risks. This spectrum of risks continues to expand particularly when dealing with customers and vendors who are operating in different geographies governed by different regulations, data protection laws, culture and operating models. The following sections discuss some of the challenges involved in assessing those risks. Are risks in the Cloud different? The answer is yes and no. Clouds bring in both traditional information security risks such as malicious users, malware, etc. as well as lack of control over and visibility into your data in terms of who has access, where the data is located, how it is secured, etc. Some of the common lacunae in addressing the risks in the Cloud are  Lack of or inadequate security and compliance risk evaluation of CSPs due to: o Business pressures and deadlines o Lack of involvement from information security, risk and internal audit teams or specialists during evaluation o Inadequate knowledge about cloud security risks, mitigation and monitoring technologies o Legal complexities.  Complexities involved in evaluating risk, security and compliance aspects of engaging with a CSP since risks and requirements can vary widely depending on the type of Cloud service(SaaS, IaaS, etc.) and model (Public, Private, etc.)  Finding CSPs that treat all customers equally when it comes to risk, security and compliance  Lack of a formal contract or inadequate service contracts o Lack of awareness on what need to be addressed in the contract such as o Ownership & confidentiality of data © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
o Compliance with your security policies based on mapping your controls to CSP’s capabilities o Data classification and corresponding security requirements for transmission, storage, handling/usage, sharing, back-up, retention, geographical restrictions on data movement within the cloud, disposal and e-discovery o The right to audit and actual audit of CSP’ security controls There are many other areas that need to be addressed in a contract. An article by a New York business law firm provides insights into what needs to be addressed in a contract. The article can be read at http://bit.ly/xMZNx6. Another article published on The Financial Times details about the grey areas in a Cloud service contract, http://on.ft.com/N89J3Z. This list of such lacunae could easily expand into other areas such as risks related to CSP’s staff in terms of their background credentials, operational risks such as inadequate change management, errors and omissions, failed back-ups and so on. However, there is help available to address these challenges. No matter what standards you use among ISO27001, PCI-DSS, NIST SP 800-53, CoBIT, etc., you can leverage your experience on those and bring value to your assessment Cloud & Vendor risks. To know more about how, read on… Simplify your approach to assess Cloud vendor risks The Cloud Security Alliance (CSA) provides a security controls framework that can be used by CSPs as well as Cloud consumers both. The assessment tools namely, the Consensus Assessment Initiative Questionnaire (CAIQ) and Cloud Controls Matrix (CCM) are specifically designed for Cloud environment to assess the associated risk and security requirements. The rigor of going through multiple and long security assessment questionnaire can be quite challenging both for the Cloud consumers as well as CSPs. Vendor risk assessment tools would typically span multiple security domains requiring the involvement of staff from various functions within the organization. The process takes considerable time, resources and skills to go through. Smaller organizations may require additional resources and skills to do the evaluation of CSP. Using CSA STAR in Cloud security assessments To assist potential Cloud consumers and CSPs, the Cloud Security Alliance has come up with an initiative known as STAR (CSA Security, Trust & Assurance Registry). STAR is a program participated by many of the leading CSP. Participants of this program voluntarily prepare a self-assessment of their controls and compliance posture in a format specified by CSA. CSPs can make use of either CAIQ or CCM to perform self-assessment of their Cloud security controls. The self-assessment reports are published by the respective CSPs and are made available. The reports are free to download from https://cloudsecurityalliance.org/star/ © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
The STAR program also encourages participating vendors to be available for any question from the consumers. The advantage of this report is that the format provides for mapping with international standards and best practices such as IS027001, COBIT, NIST, etc. This can simplify the overall assessment in terms of rigor and also improve the focus on the controls that require more attention. The CSA also provides a GRC stack those organizations that are willing to integrate CAIQ and CCM into their GRC management solution. The following section provides a simplified approach to assess the Cloud related risks. Steps 1 – Prepare yourselves  Determine what type of Cloud service (SaaS, PaaS, and IaaS) and Cloud model (Public, Private, etc.) you require.  Many CSPs are very likely to have implemented ISO27001. It is important to understand the scope of such certification and to understand what controls have either been implemented or omitted.  If CSP have implemented ISO27001, then ask for their Statement of Applicability and have a dialogue with them to understand how the applicable controls are implemented. For CSPs that have not implemented ISO27001, ask for any other standard or regulatory compliance that’s been implemented. Even a SAS70 Type 2 or SOC 2 report can be a very good starting point.  Determine if the CSP has undergone a self-assessment and obtain the report from CSA website.  Shortlist potential CSP vendors based on the above, check for credible references from existing customers of the CSPs you are going to evaluate. Step 2 – Perform an Analysis  Perform a detailed analysis of the self-assessment reports from the CSPs. Evaluate the controls in line with your data security and compliance requirements.  Speak to their references to understand how their needs relates to your business  Provide weightage to the CSP that is willing co-operate fully with your requirements  Involve your legal, IT, security, risk and audit teams throughout the process  Have a list of your regulatory compliance requirements to understand how the CSP would help Step 3 – Prioritize your requirements  Based on your analysis, narrow down and prioritize risk areas that remain to be addressed. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
 Use CAIQ to extract those areas as to how you need to prepare yourself for further analysis  Prepare your assessment questionnaire and have your shortlisted vendors respond to them.  Plan a site visit where you can get evaluate the responses you received as to how they have been implemented  During your visit, observe, inspect and document the controls implemented and practiced as you would understand. Step 4 - Prepare a risk and control plan  Develop a plan that identifies the risks and controls that would address the risks.  Make this plan as the basis for preparing your contractual terms and conditions in conjunction with your shortlisted vendors  Sensitize your users on on-going basis about the risks and controls The huge advantage of this approach is that it can certainly help save a lot of time for the consumer as well as provider. The actual assessment can effectively be reduced significantly depending on the other factors such as availability of relevant skills and so on. Depending on your organization’s unique cloud computing needs, security and compliance requirements, your assessment must be tailored accordingly. A good understanding of the various types of Cloud services and models would be required. For example, SaaS based model offers very little room for control of data by the Cloud consumer, whereas IaaS offers the most flexibility. An assessment for a SaaS service should cover infrastructure security, IT operational security, application & data security as all these are fully under the control of CSP. The contract for a SaaS service shall also be designed to address security risks in these areas. Physical and environmental security is to be addressed anyway irrespective of the Cloud service, which determines the nature and extent of any Cloud security assessment and contractual requirements. Conclusion As Cloud based services evolve along with the associated technologies, the standards for cloud based risk management and assurance framework will have to evolve. The good news is existing standards such as PCI DSS, ISO27001, etc. can be judiciously leveraged for initial as well as on-going assessment of risk exposure and compliance status in conjunction with CSA’s initiatives. The key is to keep updating your risk assessment framework and continuously engage with the CSP who’s partnered with you to improve its services. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
To learn more about the Happiest Minds Cloud Security Offerings, please write to us at business@happiestminds.com About Happiest Minds Happiest Minds is a next-generation IT services company helping clients differentiate and win with a unique blend of innovative solutions and services based on the core technology pillars of cloud computing, social computing, mobility and analytics. We combine an unparalleled experience, comprehensive capabilities in the following industries: Retail, Media, CPG, Manufacturing, Banking and Financial services, Travel and Hospitality and Hi-Tech with pragmatic, forward-thinking advisory capabilities for the world’s top businesses, governments and organizations. Founded in 2011, Happiest Minds is privately held with headquarters in Bangalore, India and offices in the USA and UK. Corporate Office United States Happiest Minds Technologies Pvt. Ltd. 116 Village Boulevard, Suite 200 Block II, Velankani Tech Park Princeton, New Jersey, 08540 43 Electronics City Phone:+1 609 951 2296 Hosur Road, Bangalore 560100, INDIA 2018 156th Avenue NE #224 Phone: +91 80 332 03333 Bellevue, WA 98007 Fax: +91 80 332 03000 United Kingdom 200 Brook Drive, Green Park, Reading Berkshire, RG2 6UB Phone: +44 11892 56072 Fax: + 44 11892 56073 About the author Thiruvadinathan A (thiruvadinathan.a@happiestminds.com) is the Technical Director and Practice Lead for IT Governance, Risk Management, Security & Compliance services. He credits his rich experience in the field to his global clientele across industry verticals gained in the last 16 years. One of his recent achievements is having successfully led Happiest Minds Technologies to meet the stringent requirements of ISO27001 global standard. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved

Empfohlen

Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
A Guide to Managed Security Services
A Guide to Managed Security ServicesA Guide to Managed Security Services
A Guide to Managed Security ServicesGraham Mann
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainSanjay Chadha, CPA, CA
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityRahul Tyagi
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
Security operations center inhouse vs outsource
Security operations center inhouse vs outsourceSecurity operations center inhouse vs outsource
Security operations center inhouse vs outsourceNetmagic Solutions Pvt. Ltd.
 
bsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationbsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationAjai Srivastava
 

Empfohlen

Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
A Guide to Managed Security Services
A Guide to Managed Security ServicesA Guide to Managed Security Services
A Guide to Managed Security ServicesGraham Mann
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainSanjay Chadha, CPA, CA
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityRahul Tyagi
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
Security operations center inhouse vs outsource
Security operations center inhouse vs outsourceSecurity operations center inhouse vs outsource
Security operations center inhouse vs outsourceNetmagic Solutions Pvt. Ltd.
 
bsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationbsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationAjai Srivastava
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0Happiest Minds Technologies
 
A case for Managed Detection and Response
A case for Managed Detection and ResponseA case for Managed Detection and Response
A case for Managed Detection and ResponseDigital Transformation EXPO Event Series
 
Building an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramBuilding an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramPriyanka Aash
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3EnterpriseGRC Solutions, Inc.
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Ergmjschreck
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 
Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014Michael Bunn
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XPrime Infoserv
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016EnterpriseGRC Solutions, Inc.
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...South Tyrol Free Software Conference
 
17 domains
17 domains17 domains
17 domainsAllison Giddens
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3RazaMehmood7
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...West Monroe Partners
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementSecurityMetrics
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb finalChristophe Monnier
 
Asset 1 security-in-the-cloud
Asset 1 security-in-the-cloudAsset 1 security-in-the-cloud
Asset 1 security-in-the-clouddrewz lin
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDEryk Budi Pratama
 

Weitere ähnliche Inhalte

Was ist angesagt?

AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0Happiest Minds Technologies
 
Building an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramBuilding an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramPriyanka Aash
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3EnterpriseGRC Solutions, Inc.
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Ergmjschreck
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 
Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014Michael Bunn
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XPrime Infoserv
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...South Tyrol Free Software Conference
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3RazaMehmood7
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...West Monroe Partners
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementSecurityMetrics
 

Was ist angesagt? (18)

AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
 
A case for Managed Detection and Response
A case for Managed Detection and ResponseA case for Managed Detection and Response
A case for Managed Detection and Response
 
Building an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramBuilding an Effective Supply Chain Security Program
Building an Effective Supply Chain Security Program
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Erg
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
 
Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield X
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling Framework
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
 
17 domains
17 domains17 domains
17 domains
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
 

Ähnlich wie Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud

Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb finalChristophe Monnier
 
Asset 1 security-in-the-cloud
Asset 1 security-in-the-cloudAsset 1 security-in-the-cloud
Asset 1 security-in-the-clouddrewz lin
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDEryk Budi Pratama
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
 
Secure Cloud Adoption - Checklist
Secure Cloud Adoption - ChecklistSecure Cloud Adoption - Checklist
Secure Cloud Adoption - ChecklistSecurestorm
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 
Cloud computing Risk management
Cloud computing Risk management Cloud computing Risk management
Cloud computing Risk management Padma Jella
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreementsCade Zvavanjanja
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadsavassociates1
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelinesamburyj3c9
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
EMC Perspective: What Customers Seek from Cloud Services Providers
EMC Perspective: What Customers Seek from Cloud Services ProvidersEMC Perspective: What Customers Seek from Cloud Services Providers
EMC Perspective: What Customers Seek from Cloud Services ProvidersEMC
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET Journal
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The CloudPECB
 
Sia Partners Insights when Considering a SaaS Solution
Sia Partners Insights when Considering a SaaS SolutionSia Partners Insights when Considering a SaaS Solution
Sia Partners Insights when Considering a SaaS SolutionDaniel Connor
 
Mitigate Risks of Cloud Computing
Mitigate Risks of Cloud ComputingMitigate Risks of Cloud Computing
Mitigate Risks of Cloud ComputingDarienYamin
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWSAlert Logic
 

Ähnlich wie Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud (20)

Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb final
 
Asset 1 security-in-the-cloud
Asset 1 security-in-the-cloudAsset 1 security-in-the-cloud
Asset 1 security-in-the-cloud
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
 
Secure Cloud Adoption - Checklist
Secure Cloud Adoption - ChecklistSecure Cloud Adoption - Checklist
Secure Cloud Adoption - Checklist
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 
Cloud computing Risk management
Cloud computing Risk management Cloud computing Risk management
Cloud computing Risk management
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreements
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor upload
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game plan
 
EMC Perspective: What Customers Seek from Cloud Services Providers
EMC Perspective: What Customers Seek from Cloud Services ProvidersEMC Perspective: What Customers Seek from Cloud Services Providers
EMC Perspective: What Customers Seek from Cloud Services Providers
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
 
Governing in the Cloud
Governing in the CloudGoverning in the Cloud
Governing in the Cloud
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The Cloud
 
Sia Partners Insights when Considering a SaaS Solution
Sia Partners Insights when Considering a SaaS SolutionSia Partners Insights when Considering a SaaS Solution
Sia Partners Insights when Considering a SaaS Solution
 
Mitigate Risks of Cloud Computing
Mitigate Risks of Cloud ComputingMitigate Risks of Cloud Computing
Mitigate Risks of Cloud Computing
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
 

Mehr von Happiest Minds Technologies

Largest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyLargest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyHappiest Minds Technologies
 
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceExploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceHappiest Minds Technologies
 
Automating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKAutomating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKHappiest Minds Technologies
 
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...Happiest Minds Technologies
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Happiest Minds Technologies
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Happiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 

Mehr von Happiest Minds Technologies (20)

Largest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyLargest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case Study
 
BFSI GLOBAL TRENDS FY 24
BFSI GLOBAL TRENDS FY 24BFSI GLOBAL TRENDS FY 24
BFSI GLOBAL TRENDS FY 24
 
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKINGARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
 
DIGITAL MANUFACTURING
DIGITAL MANUFACTURINGDIGITAL MANUFACTURING
DIGITAL MANUFACTURING
 
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceExploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
 
AN OVERVIEW OF THE METAVERSE
AN OVERVIEW OF THE METAVERSEAN OVERVIEW OF THE METAVERSE
AN OVERVIEW OF THE METAVERSE
 
VMware to AWS Cloud Migration
VMware to AWS Cloud MigrationVMware to AWS Cloud Migration
VMware to AWS Cloud Migration
 
Digital-Content-Monetization-DCM-Platform-2.pdf
Digital-Content-Monetization-DCM-Platform-2.pdfDigital-Content-Monetization-DCM-Platform-2.pdf
Digital-Content-Monetization-DCM-Platform-2.pdf
 
Cloud Reshaping Banking
Cloud Reshaping BankingCloud Reshaping Banking
Cloud Reshaping Banking
 
Automating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKAutomating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UK
 
PAMaaS- Powered by CyberArk
PAMaaS- Powered by CyberArkPAMaaS- Powered by CyberArk
PAMaaS- Powered by CyberArk
 
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
 
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
 
How to Approach Tool Integrations
How to Approach Tool IntegrationsHow to Approach Tool Integrations
How to Approach Tool Integrations
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
 
Contact Centre Growing Digital
Contact Centre Growing DigitalContact Centre Growing Digital
Contact Centre Growing Digital
 

Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud

  • 1. Moving to Clouds? Simplify your approach to understand the risks and protect your data By Thiruvadinathan Happiest Minds, Infrastructure Management and Security Services © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
  • 2. How to work with your Cloud vendor to secure sensitive and critical data on the cloud? Engaging with a vendor especially one who provides some sort of Information and/or technology based services is necessary for many global organizations. Managing risks related to vendors presents its own challenges particularly if they are high technology companies such as Cloud Service Providers (CSP). Cloud based services add to the complexities of managing traditional security & compliance risks. Identifying and addressing risks associated with moving your data, applications and services are not the only thing that an organization has to consider. An organization also needs to think about and plan for vendor related risks, legal, regulatory and contractual risks. This spectrum of risks continues to expand particularly when dealing with customers and vendors who are operating in different geographies governed by different regulations, data protection laws, culture and operating models. The following sections discuss some of the challenges involved in assessing those risks. Are risks in the Cloud different? The answer is yes and no. Clouds bring in both traditional information security risks such as malicious users, malware, etc. as well as lack of control over and visibility into your data in terms of who has access, where the data is located, how it is secured, etc. Some of the common lacunae in addressing the risks in the Cloud are  Lack of or inadequate security and compliance risk evaluation of CSPs due to: o Business pressures and deadlines o Lack of involvement from information security, risk and internal audit teams or specialists during evaluation o Inadequate knowledge about cloud security risks, mitigation and monitoring technologies o Legal complexities.  Complexities involved in evaluating risk, security and compliance aspects of engaging with a CSP since risks and requirements can vary widely depending on the type of Cloud service(SaaS, IaaS, etc.) and model (Public, Private, etc.)  Finding CSPs that treat all customers equally when it comes to risk, security and compliance  Lack of a formal contract or inadequate service contracts o Lack of awareness on what need to be addressed in the contract such as o Ownership & confidentiality of data © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
  • 3. o Compliance with your security policies based on mapping your controls to CSP’s capabilities o Data classification and corresponding security requirements for transmission, storage, handling/usage, sharing, back-up, retention, geographical restrictions on data movement within the cloud, disposal and e-discovery o The right to audit and actual audit of CSP’ security controls There are many other areas that need to be addressed in a contract. An article by a New York business law firm provides insights into what needs to be addressed in a contract. The article can be read at http://bit.ly/xMZNx6. Another article published on The Financial Times details about the grey areas in a Cloud service contract, http://on.ft.com/N89J3Z. This list of such lacunae could easily expand into other areas such as risks related to CSP’s staff in terms of their background credentials, operational risks such as inadequate change management, errors and omissions, failed back-ups and so on. However, there is help available to address these challenges. No matter what standards you use among ISO27001, PCI-DSS, NIST SP 800-53, CoBIT, etc., you can leverage your experience on those and bring value to your assessment Cloud & Vendor risks. To know more about how, read on… Simplify your approach to assess Cloud vendor risks The Cloud Security Alliance (CSA) provides a security controls framework that can be used by CSPs as well as Cloud consumers both. The assessment tools namely, the Consensus Assessment Initiative Questionnaire (CAIQ) and Cloud Controls Matrix (CCM) are specifically designed for Cloud environment to assess the associated risk and security requirements. The rigor of going through multiple and long security assessment questionnaire can be quite challenging both for the Cloud consumers as well as CSPs. Vendor risk assessment tools would typically span multiple security domains requiring the involvement of staff from various functions within the organization. The process takes considerable time, resources and skills to go through. Smaller organizations may require additional resources and skills to do the evaluation of CSP. Using CSA STAR in Cloud security assessments To assist potential Cloud consumers and CSPs, the Cloud Security Alliance has come up with an initiative known as STAR (CSA Security, Trust & Assurance Registry). STAR is a program participated by many of the leading CSP. Participants of this program voluntarily prepare a self-assessment of their controls and compliance posture in a format specified by CSA. CSPs can make use of either CAIQ or CCM to perform self-assessment of their Cloud security controls. The self-assessment reports are published by the respective CSPs and are made available. The reports are free to download from https://cloudsecurityalliance.org/star/ © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
  • 4. The STAR program also encourages participating vendors to be available for any question from the consumers. The advantage of this report is that the format provides for mapping with international standards and best practices such as IS027001, COBIT, NIST, etc. This can simplify the overall assessment in terms of rigor and also improve the focus on the controls that require more attention. The CSA also provides a GRC stack those organizations that are willing to integrate CAIQ and CCM into their GRC management solution. The following section provides a simplified approach to assess the Cloud related risks. Steps 1 – Prepare yourselves  Determine what type of Cloud service (SaaS, PaaS, and IaaS) and Cloud model (Public, Private, etc.) you require.  Many CSPs are very likely to have implemented ISO27001. It is important to understand the scope of such certification and to understand what controls have either been implemented or omitted.  If CSP have implemented ISO27001, then ask for their Statement of Applicability and have a dialogue with them to understand how the applicable controls are implemented. For CSPs that have not implemented ISO27001, ask for any other standard or regulatory compliance that’s been implemented. Even a SAS70 Type 2 or SOC 2 report can be a very good starting point.  Determine if the CSP has undergone a self-assessment and obtain the report from CSA website.  Shortlist potential CSP vendors based on the above, check for credible references from existing customers of the CSPs you are going to evaluate. Step 2 – Perform an Analysis  Perform a detailed analysis of the self-assessment reports from the CSPs. Evaluate the controls in line with your data security and compliance requirements.  Speak to their references to understand how their needs relates to your business  Provide weightage to the CSP that is willing co-operate fully with your requirements  Involve your legal, IT, security, risk and audit teams throughout the process  Have a list of your regulatory compliance requirements to understand how the CSP would help Step 3 – Prioritize your requirements  Based on your analysis, narrow down and prioritize risk areas that remain to be addressed. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
  • 5. Use CAIQ to extract those areas as to how you need to prepare yourself for further analysis  Prepare your assessment questionnaire and have your shortlisted vendors respond to them.  Plan a site visit where you can get evaluate the responses you received as to how they have been implemented  During your visit, observe, inspect and document the controls implemented and practiced as you would understand. Step 4 - Prepare a risk and control plan  Develop a plan that identifies the risks and controls that would address the risks.  Make this plan as the basis for preparing your contractual terms and conditions in conjunction with your shortlisted vendors  Sensitize your users on on-going basis about the risks and controls The huge advantage of this approach is that it can certainly help save a lot of time for the consumer as well as provider. The actual assessment can effectively be reduced significantly depending on the other factors such as availability of relevant skills and so on. Depending on your organization’s unique cloud computing needs, security and compliance requirements, your assessment must be tailored accordingly. A good understanding of the various types of Cloud services and models would be required. For example, SaaS based model offers very little room for control of data by the Cloud consumer, whereas IaaS offers the most flexibility. An assessment for a SaaS service should cover infrastructure security, IT operational security, application & data security as all these are fully under the control of CSP. The contract for a SaaS service shall also be designed to address security risks in these areas. Physical and environmental security is to be addressed anyway irrespective of the Cloud service, which determines the nature and extent of any Cloud security assessment and contractual requirements. Conclusion As Cloud based services evolve along with the associated technologies, the standards for cloud based risk management and assurance framework will have to evolve. The good news is existing standards such as PCI DSS, ISO27001, etc. can be judiciously leveraged for initial as well as on-going assessment of risk exposure and compliance status in conjunction with CSA’s initiatives. The key is to keep updating your risk assessment framework and continuously engage with the CSP who’s partnered with you to improve its services. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
  • 6. To learn more about the Happiest Minds Cloud Security Offerings, please write to us at business@happiestminds.com About Happiest Minds Happiest Minds is a next-generation IT services company helping clients differentiate and win with a unique blend of innovative solutions and services based on the core technology pillars of cloud computing, social computing, mobility and analytics. We combine an unparalleled experience, comprehensive capabilities in the following industries: Retail, Media, CPG, Manufacturing, Banking and Financial services, Travel and Hospitality and Hi-Tech with pragmatic, forward-thinking advisory capabilities for the world’s top businesses, governments and organizations. Founded in 2011, Happiest Minds is privately held with headquarters in Bangalore, India and offices in the USA and UK. Corporate Office United States Happiest Minds Technologies Pvt. Ltd. 116 Village Boulevard, Suite 200 Block II, Velankani Tech Park Princeton, New Jersey, 08540 43 Electronics City Phone:+1 609 951 2296 Hosur Road, Bangalore 560100, INDIA 2018 156th Avenue NE #224 Phone: +91 80 332 03333 Bellevue, WA 98007 Fax: +91 80 332 03000 United Kingdom 200 Brook Drive, Green Park, Reading Berkshire, RG2 6UB Phone: +44 11892 56072 Fax: + 44 11892 56073 About the author Thiruvadinathan A (thiruvadinathan.a@happiestminds.com) is the Technical Director and Practice Lead for IT Governance, Risk Management, Security & Compliance services. He credits his rich experience in the field to his global clientele across industry verticals gained in the last 16 years. One of his recent achievements is having successfully led Happiest Minds Technologies to meet the stringent requirements of ISO27001 global standard. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved