KEEP CLOUD COMPLIANT

Contents
Editor's Note
Extending Information Governance Controls to the Cloud
Due Diligence, Provider Research Key to Compliance in the Cloud
Three Steps to Maintain GRC During Cloud Deployment

CLOUD CONTRACTS
the organization itself and extend to cloud-based repositories. A centralized tool managing lifecycle rules for the organization needs to have the proper hooks into the data residing in the cloud. These tools need to have a complete view of the information owned by the organization to be responsive to internal and external requests. According to Gatewood, "The reality is this: The tools may not exist, but organizations are moving, or have already moved, data into the cloud. Data relationships and management controls inside of organizations are more important than ever. Unless the management controls are already in place, it is unlikely that individuals are going to seek advice about extending controls to cloud-based repositories. Cloud computing is not going away. It can be a valuable tool, but a tool that needs to be understood and managed. Applying information governance controls, with the proper relationships in legal and information technology and services, can help to reasonably manage information in the cloud."

Gatewood recommends that organizations considering a cloud-based initiative, or reviewing a solution already in place, find answers to the following questions about contracts, audit controls and integration points:

Contracts: What service are we contracting for, and what are the vendor's records management and compliance obligations? What kind of data controls does the vendor have in place? How is information destroyed? Can we set minimum and maximum retentions, and at what level? Are there secure destruction options? What are the vendor's policies for backups, replication or failover? How do we confirm disposition takes place on a timely basis and according to our rules?

Audit controls: Is the vendor open to being audited for compliance? (If not, this may be a sign of bigger issues.)

Integration points: Is the vendor open to integration with our systems and applications? Has the vendor integrated with any systems that provide a structure for compliance?

Organizations must also consider if the vendor's policies and procedures related to the handling and management of information are acceptable. If they are not, Gatewood believes the organization should either move the data elsewhere or require an auditable change that meets its needs. Gatewood also recommends that organizations require a data map that details where the information resides. Data maps can be complicated because they detail what is often a complex infrastructure that might involve third-party relationships specific to your data, but the effort to review them is definitely worthwhile.

Marilyn Bier
PROVIDER NEGOTIATIONS
Because physical audits sometimes aren't possible, reputable cloud service providers should have certifications. In the United States, the two major certifications are ISO/IEC 27001:2005 and SOC 2. ISO/IEC 27001:2005 provides a definition for how to run an information security management system. "It does not say whether you're particularly good at it, and it doesn't say that you have the controls in place [that] are actually working," Howie cautioned. "It just certifies that you have an information security system that understands these problems and is trying to improve." SOC 2, which is the replacement for SAS 72 and is based on the audit standard AP 101, contains the five SysTrust principles developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants: confidentiality, integrity, availability, security and privacy, according to Howie. "Privacy is a little bit of a misnomer, because it's not privacy of the customer's data," he said. Rather, it means the privacy of the cloud provider's customer, not the customers of the company that signs up for service. SOC 2 requires an audit by a large firm to ensure the controls are adequate and working. An SOC 2 report is then presented that contains detailed information about vulnerabilities and the environment as a whole. These details often make cloud providers hesitant to let customers see the results of SOC 2 reports, Howie said.

Before choosing a cloud provider, companies need to ask prospective vendors some hard questions to ensure they'll stay on the right side of regulators. "It's about asking questions around what arrangements are going to be in place to protect your information from the creation stage to the processing, the storage, the transmission and, of course, destruction," said Steve Durbin, global vice president of the Information Security Forum. Eventually, the contract with the provider will end, and organizations need to know what will happen to their data when that occurs, he added. Other questions should include how secure the connection is, including whether a VPN is required to connect, and what the availability is, Durbin said. Companies also need to ask encryption-related questions, including whether the data needs to be encrypted, what facilities the cloud provider has to encrypt data and whether data should be encrypted before being transmitted to the cloud service, he added. Physical security is also important, according to Mac McMillan, current chairman of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based IT security consulting firm CynergisTek. Questions should include how the cloud provider controls physical access and how systems are protected from other customers' data in colocation situations.
Finally, companies should check on the status of the cloud provider's insurance, McMillan said. For example, if there's a security breach, it's important to know if the provider will indemnify the customer and pay for the notifications, he said.
Due diligence doesn't stop at the negotiating table. There is no one provision to include in the contract to maintain compliance, but careful language can help limit liability, according to Robert Scott, managing partner at Southlake, Texas-based technology law firm Scott & Scott LLP. "If you outsource to a third-party cloud service provider to handle or store personally identifiable, financial or healthcare information that's regulated in any way, the law has a non-delegable duty that you can't just outsource these legal responsibilities," Scott said. Even changes to payment card industry compliance standards, which now apply to third-party services, do not absolve enterprises of maintaining regulatory compliance, he said. Enterprises need to ensure that their cloud services providers agree to be bound by the same regulations that they are, Scott said. For financial institutions, that means adhering to regulations such as the Gramm-Leach-Bliley Act, for example. One thing to be wary of in contracts is provisions where the cloud services provider asks the enterprise to agree to limit data breach liability, Scott cautioned. Such a provision could work to significantly limit the availability of insurance and/or the ability to recover for privacy-related claims that result from a data breach, he said. Contracts are always negotiable, and any reasonable cloud provider will be willing to negotiate with a customer regarding legitimate regulatory compliance, data security and privacy concerns, Scott said. "They're not going to be a successful cloud service provider without being sensitive to customer concerns in those areas," he said.

Christine Parizo
CLOUD RISK

diligence assessments have already been completed, or, in some cases, not. What can compliance professionals do at that point? Below are a few immediate steps they can take.
Let's say a hospital's compliance professional discovers that a clinical system (an electronic medical record, for example) has been relocated to an Infrastructure as a Service provider. The questions that arise as a result of this transition are legion: Have business associate agreements been signed? Is personal health information being protected appropriately? Is there a contractual arrangement to ensure notification in the event of a data breach? Instead of immediately pushing back, a prudent first step might be to undertake a systematic analysis of the situation. After all, if the vendor services healthcare providers regularly, this won't be the first time it has heard about HIPAA, and it may have already spent quite a bit of time thinking through how to address the administrative, technical and physical controls associated with its security rule.

Compliance officers should first engage with internal teams to find out what level of due diligence they've done regarding information security during the cloud deployment, as well as what controls the vendor already has in place. It's vital to understand two things: new compliance gaps this cloud deployment introduces to your organization, and any newly introduced risk. The first item is relatively straightforward: Walk through each of your compliance requirements and evaluate the cloud deployment documentation to ensure the vendor agreement meets these rules. To evaluate risk, you can use one of the many readily available risk assessment templates. Some examples include the Cloud Security Alliance's GRC stack (notably the Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix), the European Network and Information Security Agency's cloud computing risk assessment and NIST SP 800-30.
STEP TWO: KNOW WHAT YOU CAN CHANGE, AND WHAT YOU CAN'T

It's important to remember that the vendor's controls are what they are, and changing them rapidly to meet your company's control gaps is unlikely to be the most efficient path to maintaining security. Compliance officers can probably lean on vendors enough to make changes, but they will not come quickly. Instead of railing against a vendor's deficiencies, companies should look inward to see if there are things they can change on their end to maintain data security during a cloud deployment. Of course, you should call out areas where vendors' controls are woefully inadequate and note these concerns in risk assessments, in reports to management and in long-term remediation plans. But also remember that it's easier to change your environment than theirs. During long-term remediation talks, ask what controls you can implement in the short term to offset cloud-related security gaps. For example, can you encrypt data in transit or at rest to add a layer of protection? Or will implementing additional monitoring controls help notify you of inappropriate access?

If you followed the steps outlined above, by this point you'll have two crucial pieces of data: a gap analysis showing where you don't meet your particular compliance requirements, and a risk assessment identifying any potential problem areas after the cloud deployment. You will also have put in place short-term stopgaps to address as many of those areas as you can. At this point, you'll want to take a comprehensive look at changes that both you and the vendor can make to maintain compliance. Keep in mind that many cloud service providers have resources on staff specifically to understand customer compliance requirements and address them when developing and offering services. It behooves you to engage with those vendor resources; you might be surprised at the responsiveness and expertise. Also remember that most responsible vendors have a commercial incentive not to stonewall you. Any changes they make to meet your compliance requirements or alleviate risk ultimately help them become more competitive in your industry.

Long term, maintaining a compliant cloud environment is an exercise in cooperation between the company and its vendor(s). By objectively analyzing and documenting compliance gaps and risks, changing what the company can do internally to close short-term gaps and putting together a long-term plan, dealing with an unexpected cloud deployment doesn't have to be as painful as it seems.

Ed Moyle
profit records management and information governance professional association. ARMA provides education, publications and resources for the creation, organization, security, maintenance and disposal of information in a manner that aligns with and contributes to an organization's goals.

CHRISTINE PARIZO is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Christine has a background in litigation technology and compliance and was an assistant news editor for SearchCRM.com prior to launching her freelance career.

ED MOYLE is director of emerging business and technology at ISACA. Moyle previously worked as a senior security strategist for Savvis and a senior manager at CTG. Prior to that, Moyle served as a vice president and information security officer at Merrill Lynch Investment Managers.

Ben Cole | Site Editor
Marilyn Bier, Ed Moyle, Christine Parizo | Contributing Writers
Christina Torode | Editorial Director
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Amalie Keerl | Director of Product Management, akeerl@techtarget.com
TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group. About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.