1 / 30

Lifting the Fog to See the Cloud

Lifting the Fog to See the Cloud. Information Security in a Hosted Environment. William Prohn Managing Director. Thomas O’Connor Consultant. Background. William M. Prohn CISSP ® , CISA ® , CGEIT ® , CRISC ®, Managing Director Dopkins System Consultants.

demi
Download Presentation

Lifting the Fog to See the Cloud

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lifting the Fog to See the Cloud Information Security in a Hosted Environment William Prohn Managing Director Thomas O’Connor Consultant

  2. Background William M. Prohn CISSP®, CISA®, CGEIT®, CRISC®, Managing Director Dopkins System Consultants Thomas M. O’Connor B.S. Accounting Information Systems M.S. Forensic Accounting Consultant Dopkins System Consultants

  3. Agenda • Introduction to the Cloud • Benefits & Challenges in the Cloud • Certifications • ISACA Knowledge Center • HIPAA • HITECH • HITRUST

  4. What is That? But now they only block the sunThey rain and snow on everyoneSo many things I would have doneBut clouds got in my wayI've looked at clouds from both sides nowFrom up and down, and still somehowIt's cloud illusions I recallI really don't know clouds at all – Joni Mitchell, “Both Sides Now”

  5. Introduction to the Cloud Alternate: Utilizing third party resources accessible through the internet Simple Definition: Using the internet • Replace the term ‘in the cloud’ in a statement with ‘on the internet’ • We all use the ‘cloud,’ we just might not know it • The term originates from network diagrams US Patent US_5485455

  6. It’s All About the Compromise Why Move to the Cloud? Reduce storage and archive costs Allow for remote access Allow for collaboration Improve search efficiency 24/7 Access and support Increased security with redundancy Reduce administrative overhead

  7. The Role of the Auditors • Oversee and provide input on governance • Consideration of security COBIT Objectives: • May be concerned with any of the COBIT objectives

  8. What Moves to the Cloud? • Applications & Software • Software as a Service [SaaS] • Servers & IT Personnel • Infrastructure as a Service [IaaS] • Programming languages, libraries, tools and services • Platform as a Service [PaaS]

  9. Controls • The compromise with each benefit is risk • Controls are a response to that risk • Are the controls designed and implemented appropriately? • Are they operating effectively?

  10. Controls ITGC audits typically focus on identifying and testing controls Manage Changes • Are changes authorized, tested and monitored? Logical Access • Is privileged access restricted to appropriate users? Other IT Operations • Is critical data regularly backed up? • Are incidents reported and addressed timely?

  11. Challenges in the Cloud What about controls in a hosted environment? • Who owns the data? • Who has access to the data? [i.e. CSP] [i.e. Data Center] [i.e. System Admin] New Risks | New Controls | New Audit Steps

  12. Challenges in the Cloud What about controls in a hosted environment? • Who is responsible for backing up the data? • What about incidents? New Risks | New Controls | New Audit Steps

  13. Challenges in the Cloud Service Level Agreements End-User Licensing Agreements Alternate providers Bankruptcy Acquisition Threats to CSPs Disaster Recovery & Business Continuity 1-in-4 Vendors Will Be Gone By 2015 -- Gartner

  14. Challenges in the Cloud Cyber Security Insurance • 31% of companies have a cyber security insurance policy 1 • 39% planned to purchase a policy within a year • ‘Cloud Protection’ policies gaining popularity Cloud Coverage Typically Includes: • Loss of income due to vendor down time • Costs associated with procuring new vendor • Costs of migrating to new vendor Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age -- (Ponemon Institute & Experian), August 2013

  15. Certifications & Compliance

  16. Certifications & Compliance PCI DSS HIPAA ISO 27001:2005 • Payment Card Transactions • Protected Health Information • Business Associate Agreements • International Information Security Standard

  17. ISACA Knowledge Center Cloud Computing Management Audit/Assurance Program • Topical Coverage: • Governance affecting cloud computing • Contractual compliance • Control issues specific to cloud computing • COBIT & COSO Cross-references • Intended to compliment other audit(s) One of 25+ ISACA audit programs available: ISACA Cloud Computing Management Audit/Assurance Program

  18. Auditing in the Cloud Service Provider Responsibilities • Service Level Agreements (SLAs) • Performance and frequency of risk assessments Compliance and Audit: • Right to Audit • Third-party Reviews • Compliance • ISO 27001 Certification

  19. Auditing in the Cloud Incident Response, Notification and Remediation • Review of SLAs • Legal and regulatory compliance Data Security • Encryption Identity and Access Management

  20. HIPAA & HITECH

  21. HIPAA Health Insurance Portability and Accountability Act Established in 1996 by Clinton Administration Make it easier for workers to maintain insurance coverage when changing jobs (portability) This is facilitated by digital files and electronic data This requires a level of security

  22. HIPAA Health Insurance Portability and Accountability Act Applies to health care organizations (HCOs) PROVIDERS and INSURERS Specifically EXCLUDES Workers’ Compensation Does NOT apply to medical records in other contexts, like employers

  23. HIPAA Health Insurance Portability and Accountability Act Three Rules that are relevant to compliance: EDI Rule ICD-9 ICD-10

  24. HIPAA Health Insurance Portability and Accountability Act Privacy Rule HCOs must “Reasonably safeguard” patient data

  25. HIPAA Health Insurance Portability and Accountability Act Security Rule Protect the Confidentiality, Integrity and Availability of Protected Health Information against “reasonably anticipated threats or hazards” Access Controls Audit Controls Authentication Transmission Security

  26. HITECH Health Information Technology for Economic and Clinical Health Enacted in 2009 as part of economic stimulus legislation Gives grant money to HCOs to implement new technologies such as EHR Creates fines and sanctions for HIPAA violations to pay for the grants

  27. HITECH Health Information Technology for Economic and Clinical Health Broadens the scope of HIPAA to include “Business Associates” of HCOs accountants, lawyers, consultants “create, maintain, receive or transmit”  “Cloud” even if they disclaim access New data breach notification rules Enforcement is on a “contingent fee” basis HHS gets to keep the money

  28. HIPAA Specific Controls Required: Risk Analysis/Risk Management Sanction Policy Incident Response/reporting process Data Backup plan Disaster Recovery Plan Data disposal/media re-use Written contracts with Business Associates

  29. Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. • harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). • As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry. • www.hitrustalliance.net

  30. Questions

More Related