
Cloud Service Procurement: Engaging the CISO for a Risk Assessment

Walter Petruska, Information Security Officer, University of San Francisco. EDUCAUSE SPC, May 5, 2015.





Presentation Transcript


  1. Cloud Service Procurement: Engaging the CISO for a Risk Assessment
  Walter Petruska, Information Security Officer, University of San Francisco
  EDUCAUSE SPC, May 5, 2015

  2. Conversation Starter: Asking Questions
  • Is your CISO involved in the procurement process?
  • Do you have a CISO? Do you have a procurement process?
  • How is, or how should, your CISO be involved?
  • Business process: coordination between key parties
    • Business units / schools
    • IT organization: operations and the Project Management Office
    • Purchasing organization
    • Legal / contract review, which focuses on legality and completeness
    • Finance and Accounting (registered vendor / D&B report)
    • Risk management staff, including insurance and liability review
    • Finance: periodic review of open-ended service agreements

  3. Hypothesis: The Cloud is the Future
  • Trend data from Forrester and Gartner agree
  • EDUCAUSE Top 10 #8: Mobile, Cloud, Digital Policy
  • HEISC #3: Develop an effective cloud / third-party policy
  • Promised benefits:
    • Quick implementation: reap rewards earlier
    • Minimal internal support costs: reduces ongoing expense
  • However, critical questions are often not asked or considered before agreements are signed or service delivery with cloud services begins.

  4. Generic Resources: Frameworks
  • EDUCAUSE Security Guide (HEISC)
  • Shared Assessments
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
  • PCI DSS
  • FedRAMP Security Assessment Framework
  • Controls and maturity:
    • ISO 27001
    • SSAE 16
  • Internet2 NET+ solutions program

  5. USF Process Documents and Authorities
  • Security Services: VSA (Vendor Security Assessment)
  • Third-party data release agreement
  • SSN release: via the AVP of Human Resources
  • Accounting & Business Services: vendor application
  • OGC contract review
  • Departmental budget and finance managers: purchase orders (POs)
  • Purchasing review: checklist of the above items
  • Accounts Payable: contract management

  6. Develop Policies AND Standards
  • Policy in a vacuum is often ineffective:
    • Communicate regularly with your key stakeholders
    • Provide consultative support as well as clear standards for assessment (an ITSM approach)
  • Give guiding outcomes; provide sample language for each facet of the technology initiative (service / platform / resource)
  • VSA: Vendor Security Assessment (form)
    • Iterative; required
  • Finance: annual vendor scorecard

  7. Conversation – Process – Assess – Communicate Standards – Monitor and Collaborate
  • Start the conversation early
  • Invite yourself: write yourself into a process
  • Build support: work together
  • Use common frameworks to guide the assessment
  • Communicate customized technology standards and preferences to potential vendors to ensure the best fit
  • Continuously monitor your agreements for changes
  • Maintain vendor performance records
  • Collaborate outside your organization, for example through EDUCAUSE

  8. End Note
  Note: Several documents and framework examples referenced on slides within this PowerPoint file were demonstrated live during the conference session. These items are not included in this presentation due to file size, complexity, or the sensitive nature of the Vendor Security Assessment questions or the systems architecture reflected or revealed by those items. If you attended the session and would like to receive a 'generic' version of these items, email: infosec@usfca.edu
