Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Vendor Security INFOSEC ASSESSMENTS & REPORTS.

Published byDora Magdalen Jennings Modified over 8 years ago

Similar presentations

Presentation on theme: "Cloud Vendor Security INFOSEC ASSESSMENTS & REPORTS."— Presentation transcript:

1 Cloud Vendor Security INFOSEC ASSESSMENTS & REPORTS

2 April 1 - News Flash! Conficker…  A master computer was reportedly scheduled to gain control of millions of infected zombie machines on April 1, 2009  Conficker malware uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques  Anti-worm researchers banded together in a group called the Conficker Cabal. Members searched for the malicious software program's author and for ways to do damage control if he or she couldn’t be stopped. They were motivated in part by a $250,000 bounty from Microsoft.

3 Introduction Cloud Vendor Security – - Are company “Crown Jewels” in the cloud? - What evidence do you have that company data in the cloud is secure? Abstract: Lloyd Guyot will lead a collaborative discussion based on his experience implementing and leading a Cloud Vendor Security Assessment service for a global, Fortune 100 company. Topics to be discussed include the processes, procedures and tools used in assessing a Cloud Vendor security posture. Speaker: Lloyd Guyot, CISSP, CISM resides in West Michigan and is a Lead Security Analyst for Johnson Controls, a global Fortune 100 company headquartered in Milwaukee, Wisconsin. Lloyd has over 15 years’ experience in the Information Security field and is an Adjunct at Davenport University and serves on the FBI InfraGard / U.S. Homeland Security – West Michigan Board of Directors.

4 Agenda - It’s all about the Data! 1.Who’s Accountable for What? 2.Where’s the Data? 3.The Cloud Vendor Security Assessment Service a)The SLO – Service Level Objective b)The Service Web Portal c)The Request Form d)Where’s the Beef? …the Vendor Evidence e)Calculating the Vendor Risk Score f)Writing the Cloud Vendor Security Report g)The Annual Cloud Vendor Re-Assessment h)The Cloud Vendor Service Team Dashboard i)The Cloud Vendor Service Metrics 4.A Few Good Resources…

5 Who’s Accountable for What?

6 #1 - Identify and Follow the Data… Public > Internal > Confidential > Restricted Identify  Engineering, Financial, Business, HR, legal, and regulatory data (HIPAA, PCI, FISMA, DFARS, ITAR, EAR)  PII - Personally Identifiable Information (social security numbers, credit card information, personal health data)  IP - Intellectual Property (patents, trademarks, design plans - Engineering drawings) Follow  Once this information has been identified, a flow analysis needs to be conducted to identify all systems and devices the data either resides on or flows through.  Data Flow Diagram - Transport > Storage > Process

7 Cloud Vendor Security Assessment Service  Service Description  Review Vendor security controls related to Vendor policy, process, and people for protecting the confidentiality, integrity and availability of company information Note: The assessment does not include a security review of the project or system architecture, application, infrastructure design or related technologies.  Service Level Objectives - SLO  3 business days to respond to request  7 business days to provide a report & position statement after all requested Vendor documentation has been provided

8 The Cloud Vendor Service Web Portal SharePoint… Customer View  Service Description  Benefits  Process Map  Inputs / Outputs  Resources  Requested Vendor Documents  How to Submit a Request  Checklist Prior to Submit  FAQ’s Security Team View  Vendor Support Documents  Team Member Data Entry  Vendor Dashboard

9 The Vendor Service Request Form  Requester Name / Title, Department, BU  Procurement Staff Contact Info  Project Name and Business Scope Info  Vendor Name and Service(s) Provided  Vendor Sub-Service Providers  IaaS / PaaS / SaaS  Data Classification – Public > Internal > Confidential > Restricted  Example Data Types Transported / Stored / Processed Cont.…

10 The Vendor Service Request Form Cont.… Cloud Vendor Documentation Requested…  Data Flow doc including security controls and all end points  Third-party evidence of a Security Program Eg. ISO 27001:27005  Third-party evidence of Infosec Controls and their effective operation Eg. SSAE-16 SOC 2 Type 2  Third-Party System / application Penetration test report  Third-Party System / application Vulnerability scan report  Business Continuity and Disaster Recovery Questionnaire  Privacy Questionnaire

11 Vendor Evidence of InfoSec Controls  SSAE-16 (U.S.) / CSAE 3416 (Canada) / ISAE 3402 (International) Note: We request the above security reports to be SOC 2, Type 2 documents which include tests confirming the effectiveness of the Vendor service security controls  ISO/IEC 27001:27013 - certification that the Vendor service has a security program  Application Penetration Test and Vulnerability Scan Reports In an Exception…  CSA STAR - CCM / Cloud Security Alliance - Cloud Controls Matrix Attestation of cloud service provider security practices  Other - Independent security / privacy assessment from a known trusted security firm

12 The Cloud Vendor Risk Score NIST CVSS Risk Calculator - Common Vulnerability Scoring System The National Vulnerability Database assigns risk rankings according to CVSS Base risk scores – Low: 0.0 to 3.9 Medium: 4.0 to 6.9 High: 7.0 to 10.0

13 NIST CVSS Risk Calculator Cont.…  Base Metrics - characteristics that are constant over time and between different environments  Exploitability: Access Vector / Access Complexity / Authentication  Impact: Confidentiality / Integrity / Availability  Temporal Metrics characteristics that change over time.  Exploitability: Unproven / Proof of Concept / Functional / High  Remediation Level: Official Fix / Temp Fix / Workaround / Unavailable  Report Confidence: Unconfirmed / Uncorroborated / Confirmed  Environmental Metrics - tied to an implementation in a specific users environment.  Collateral Damage Potential: None / Low / Medium / High  Targeted Distribution: None / Low / Medium / High  Impact: Confidentiality / Integrity / Availability

14

15 The Cloud Vendor Security Report  Cloud Vendor Name and Scope of Service  Names of Vendor Sub-Service Providers (all providers that transport, store or process company data)  Data Classification and Example Data Types  Vendor security assessment position statement  “Acceptable” / “Not Acceptable”  High / Medium / Low Risk Rating < Note: By default the CVSS number is not presented  Scope of Review  General Comments & Action Items  Vendor defined Complimentary Security Controls  Project Background  Data Flow Diagram  Vendor Background  Findings / Example issues of concern based on evidence and/or attestations provided for review

16 Annual Cloud Vendor Re- Assessments Any changes to…  MSA / SLA?  Services Provided?  Scope of Engagement?  Data Types / Data Classification?  Changes in Cloud Vendor Infosec controls? Remediation follow-up required?  All “Action Items” addressed and completed satisfactorily?  All current Cloud Vendor security reports been provided?  Any issues / findings? New > Security Team Position Statement  “Acceptable” / “Not Acceptable”  High / Medium / Low Risk Rating

17 The Vendor Service Team Dashboard  SharePoint Database / Archive  Vendor Name  Data Classification  Work Status – Cancelled, Pending > Open > Completed  Security Assessment Manager  Vendor Position Statement  Vendor Status Flag  Open / Close Dates  Requester, BU, Department  CVSS Risk Rating  Evidence Provided & ISO / SOC Expiration Dates  Remediation & Complimentary Control Requirements  Re-Assessment - Required, In-Process, Date

18 The Vendor Service Metrics  Hard to manage or improve what we don’t measure!

19 Resources  AICPA SOC Report Standards - http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx  AICPA Trust Services Principles and Criteria - http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/Pages/Trust%20Ser vices%20Principles%E2%80%94An%20Overview.aspx?_sm_au_=iVVQNvt0QHWWTtFq http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/Pages/Trust%20Ser vices%20Principles%E2%80%94An%20Overview.aspx?_sm_au_=iVVQNvt0QHWWTtFq  NIST CVSS Risk Scoring - https://nvd.nist.gov/cvss.cfm https://nvd.nist.gov/cvss.cfm  NIST CVSS Calculator - https://nvd.nist.gov/cvss.cfm?calculator&version=2 https://nvd.nist.gov/cvss.cfm?calculator&version=2  CSA / Cloud Security Alliance - https://cloudsecurityalliance.org/ https://cloudsecurityalliance.org/  CCM / Cloud Controls Matrix - https://cloudsecurityalliance.org/research/ccm/ https://cloudsecurityalliance.org/research/ccm/  CSA STAR / Trust & Assurance Registry - https://cloudsecurityalliance.org/star/ https://cloudsecurityalliance.org/star/  Shared Assessments - https://sharedassessments.org/ https://sharedassessments.org/

20 Questions? Who Owns the Risk? Lloyd Guyot, CISSP, CISM Contact Info: Email – Lloyd.Guyot@Baseline-Security.comLloyd.Guyot@Baseline-Security.com LinkedIn – http://www.linkedin.com/in/lguyothttp://www.linkedin.com/in/lguyot

Download ppt "Cloud Vendor Security INFOSEC ASSESSMENTS & REPORTS."

Similar presentations

So You Think The Cloud Isn’t Secure?. How is this secure?

So You Think The Cloud Isn’t Secure?. How is this secure?
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
March 6, 2012 SOC Reporting: What is New in the Audit Guides?

March 6, 2012 SOC Reporting: What is New in the Audit Guides?
Security Controls – What Works

Security Controls – What Works
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!
Vulnerability Assessments

Vulnerability Assessments
Network security policy: best practices

Network security policy: best practices
SOC1 vs. SOC2 vs. SOC3 Source: ryServices/Pages/AICPASOC3Report.aspx.

SOC1 vs. SOC2 vs. SOC3 Source: ryServices/Pages/AICPASOC3Report.aspx.
Securing Information Systems

Securing Information Systems
No one questions that Microsoft can write great software. Customers want to know if we can be innovative, scalable, reliable in the cloud. (1996) 450M+

No one questions that Microsoft can write great software. Customers want to know if we can be innovative, scalable, reliable in the cloud. (1996) 450M+
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
1 Talal Abu Ghazaleh Information Technology International (TAG-ITI)

1 Talal Abu Ghazaleh Information Technology International (TAG-ITI)
Service Organization Control (SOC) Reporting Options and Information

Service Organization Control (SOC) Reporting Options and Information
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
© Cloud Security Alliance, 2015 Sean Cordero, Chair CCM Laura Posey, Chair CAIQ.

© Cloud Security Alliance, 2015 Sean Cordero, Chair CCM Laura Posey, Chair CAIQ.
ISMS for Mobile Devices Page 1 ISO/IEC 27001 Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.

ISMS for Mobile Devices Page 1 ISO/IEC Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.

Similar presentations

Ads by Google