Presented by Wayne Tufek at CISO Platform Annual Summit, 2013. Wayne Tufek is currently the IT Security and Risk Manager at the University of Melbourne. His career spans over 17 years as an active hands on practitioner of information security and technology risk management. He has worked in the public sector, Big 4, financial services, consumer products and education sectors.

1. CISO PLATFORM ANNUAL SUMMIT
Mitigating the Security Risks
of Cloud Service Adoption
Wayne Tufek
CISO Platform Annual Summit
November 15-16
Hyatt Regency
Mumbai

2. AGENDA
•
•
•
•
•
•
•
Introductions
Overview
What is the Cloud?
What are the Risks?
A Process
Summary
Questions

3. Overview
• What is this presentation about?
• What won’t be covered?

4. What is the Cloud?
• “A scalable, multi-tenant, multiplatform, multi-network method
of delivering information
technology services.”
• Why the Cloud?

5. What are the Risks?
•
•
•
•
•
•
Data security
Network availability
Cloud provider viability
Security incident handling
Business continuity
Legal or regulatory compliance

6. What are the Risks?
• Risk transparency
• Risk management and control
responsibilities between the Cloud
Service Provider (CSP) and the
customer vary according to the cloud
model

7. What are the Risks?
Source: Gartner (March 2013)

8. Process – Who are the
Players?
•
•
•
•
•
•
Data owner
IT Department
Project team (if one exists)
Legal
Vendor management
CSP

9. Process
1. Confirm the data
2. Engage the data
owner
3. Understand process
4. Other considerations
5. Assess risk
6. Evaluate the CSP
7. Assess risk
8. Negotiate the contract
9. Assess risk
10.Monitor and assess
risk

10. Process – Start With the Data
•
•
•
•
•
Identify the CSP
Identify exactly what the data is
Understand the business process(es)
Engage with the data owner
Perform a risk assessment

11. Process – How Critical is the
Data?
• Consider the business value of the
process vs. the importance of the
information
Source: Gartner 2013

12. Process – Other
Considerations
• Integrations/web services
• Support and maintenance processes
• Development/test and production?
– Data masking requirements

13. Process – How Critical is the
Data?
• Does moving to the Cloud still make
sense?
• Does the proposed business process
need to change?
• Assess the risk

14. Process – Assess the CSP
• Ask questions about the controls in
place
• Cloud security control guidance
–
–
–
–
–
Cloud Security Alliance (CSA) and STAR
Defence Signals Directorate (DSD)
Common Assurance Maturity Model (CAMM)
The Shared Assessments Program
The European Network and Information Security
Agency

15. Process – Assess the CSP
• Is the CSP independently assessed?
–
–
–
–
ISO 27001
ISO 27017 and 27018 (Draft)
PCI DSS
SSAE 16 (SOC 1, 2 and 3) –> replaced SAS 70

16. Assess the CSP
• Understand the controls in place
–
–
–
–
Ask questions
Review documentation
Conduct interviews
Site visit
• Assess the risk

17. Process – Review the
Contract
• Contractual considerations
–
–
–
–
List controls and processes
Include regular formal third party assessments
Gartner (G00247574)
Gartner (G00211616)

18. Process – Review the
Contract
• Service Level Agreements
– Define RTO and RPO
– Immediate notification of a security breach
– Increase liability limits
• Assess the risk

19. Process - Monitor
• Results of security assessments
• Vendor management function
• Assess the risk

20. Summary
1. Confirm the data
6. Evaluate the CSP
2. Engage the data
7. Assess risk
owner
8. Negotiate the contract
3. Understand process 9. Assess risk
4. Other considerations 10.Monitor and assess
5. Assess risk
risk

21. Questions?

22. Contact
• wtufek@unimelb.edu.au
• LinkedIn
• http://www.linkedin.com/pub/wayne-tufek/0/338/312