Isaca Victoria Cloud Computing And Associated Risks V01r8
CICA is a new approach to message design aimed at resolving the costly proliferation of differing (and often incompatible) XML messages used for business-to-business data exchange. CICA gives developers access to reusable components that can be used to construct interface standards to satisfy common business requirements as well as industry-specific needs. CICA is a syntax-neutral architecture that supports both business content and implementation information. CICA messages ("documents") can currently be expressed as XML schemata.
SCOPE: Review and assess proposed Cloud services for Software as a Service, Platform as a Service and Infrastructure as a Service.

RATIONALE: Cloud services are a new service delivery model that has not yet been widely implemented. We therefore expect more emphasis on partnering with service providers who can demonstrate the ability to manage the required controls, with risk transferred to the provider through the contract and collaborative working. Transfer is a treatment for the risk, not for accountability: the organization that owns the information remains answerable for it, so the transfer is only as good as the provider's contractual obligations and the assurance evidence it can produce. Critical areas such as procurement, systems acquisition and development will be of primary importance. Transparency of processes, consistency of outcomes, and quality of service and deliverables will become ever more important, and so will an understanding of the issues that bear on their success.

The threat-risk assessment was conducted against an existing best-practice standard for information security management systems, ISO/IEC 27001:2005. Its controls are based on industry best practice for information handling and reflect the known vulnerabilities and risks common to most businesses. ISO/IEC 27001:2005 originated in the UK as BS 7799-2.
The three cloud service models, using the NIST definitions:

Software as a Service: The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service: The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage. The consumer has control over the deployed applications and possibly application hosting environment configurations.

Infrastructure as a Service: The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure. The consumer has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
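The responsibility boundaries in the three definitions above, as an added Python example that is not part of the original deck: it encodes who manages each layer under each model and checks a proposed control allocation against that, which is the first thing to verify when reviewing a cloud proposal in scope. The layer names, the validate_allocation() checker and the sample plan are this example's own assumptions; only the who-controls-what facts come from the definitions.

```python
"""Who controls which layer under SaaS, PaaS and IaaS.

Added example, not part of the original deck. The layer names and the
validate_allocation() checker are this example's own constructions; the
controlling party of each layer follows the three definitions above.
"""
from enum import Enum


class Party(str, Enum):
    PROVIDER = "provider"
    CONSUMER = "consumer"
    SHARED = "shared"              # consumer has limited or partial control


# Layers of the stack, bottom to top (names assumed for this example).
# hosting_config = application hosting environment configuration,
# app_config     = limited user-specific application settings.
LAYERS = ("network", "servers", "storage", "operating_system",
          "hosting_config", "application", "app_config")

_P, _C, _S = Party.PROVIDER, Party.CONSUMER, Party.SHARED
_CONTROL = {
    # SaaS: provider manages everything; consumer may get user settings only.
    "saas": dict(zip(LAYERS, (_P, _P, _P, _P, _P, _P, _S))),
    # PaaS: consumer controls deployed applications and possibly hosting config.
    "paas": dict(zip(LAYERS, (_P, _P, _P, _P, _S, _C, _C))),
    # IaaS: consumer controls OS, storage, apps; limited networking (host firewalls).
    "iaas": dict(zip(LAYERS, (_S, _P, _C, _C, _C, _C, _C))),
}


def controller(model: str, layer: str) -> Party:
    """Return which party manages `layer` under service `model`."""
    try:
        return _CONTROL[model.lower()][layer]
    except KeyError:
        raise ValueError(f"unknown model/layer: {model}/{layer}") from None


def consumer_retains(model: str) -> list:
    """Layers the consumer must still secure itself, fully or in part."""
    return [layer for layer in LAYERS if controller(model, layer) is not Party.PROVIDER]


def validate_allocation(model: str, allocation: dict) -> list:
    """Check a proposed control allocation against the model.

    `allocation` maps a control name to (layer, party it is assigned to).
    Returns findings; an empty list means every control sits with a party
    that actually manages the layer it applies to.
    """
    findings = []
    for control, (layer, assigned) in sorted(allocation.items()):
        actual = controller(model, layer)
        if assigned not in (Party.PROVIDER.value, Party.CONSUMER.value):
            findings.append(f"{control}: unknown party {assigned!r}")
            continue
        if actual is Party.SHARED or assigned == actual.value:
            continue                   # shared layers may sit with either party
        if assigned == Party.CONSUMER.value:
            findings.append(f"{control}: consumer cannot operate {layer} under {model}; "
                            "obtain it from the provider (contract plus assurance evidence)")
        else:
            findings.append(f"{control}: provider does not manage {layer} under {model}; "
                            "the consumer retains this control")
    return findings


# Constructed sample: a SaaS proposal whose control plan mis-assigns OS patching.
SAMPLE_SAAS_PLAN = {
    "OS patching": ("operating_system", "consumer"),
    "User account provisioning": ("app_config", "consumer"),
    "Storage encryption at rest": ("storage", "provider"),
}
```

Run validate_allocation("saas", SAMPLE_SAAS_PLAN) and the one finding is OS patching: under SaaS the consumer cannot patch an operating system it never sees, so the control has to come from the provider and be evidenced, which is exactly the "transfer" the deck's rationale depends on. consumer_retains("saas") is just the user-specific settings, while consumer_retains("iaas") is everything from the operating system up plus the shared networking pieces.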
From ISO/IEC 27001:2005, clause 4.2.1 (establishing the ISMS), steps c) to j):

c) Define the risk assessment approach of the organization.
   1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
   2) Develop criteria for accepting risks and identify the acceptable levels of risk (see 5.1f)).
   The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.

d) Identify the risks.
   1) Identify the assets within the scope of the ISMS, and the owners of these assets.
   2) Identify the threats to those assets.
   3) Identify the vulnerabilities that might be exploited by the threats.
   4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

e) Analyse and evaluate the risks.
   1) Assess the business impacts upon the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
   2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
   3) Estimate the levels of risks.
   4) Determine whether the risks are acceptable or require treatment using the criteria for accepting risks established in 4.2.1c)2).

f) Identify and evaluate options for the treatment of risks. Possible actions include:
   1) applying appropriate controls;
   2) knowingly and objectively accepting risks, providing they clearly satisfy the organization's policies and the criteria for accepting risks (see 4.2.1c)2));
   3) avoiding risks; and
   4) transferring the associated business risks to other parties, e.g. insurers, suppliers.

g) Select control objectives and controls for the treatment of risks. Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks (see 4.2.1c)2)) as well as legal, regulatory and contractual requirements. The control objectives and controls from Annex A shall be selected as part of this process as suitable to cover the identified requirements. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.

h) Obtain management approval of the proposed residual risks.

i) Obtain management authorization to implement and operate the ISMS.

j) Prepare a Statement of Applicability. A Statement of Applicability shall be prepared that includes the following:
   1) the control objectives and controls selected in 4.2.1g) and the reasons for their selection;
   2) the control objectives and controls currently implemented (see 4.2.1e)2)); and
   3) the exclusion of any control objectives and controls in Annex A and the justification for their exclusion.
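Steps c) to j) above carried through as one added Python example, not part of the deck or of the standard: a small risk register scored on a 1..5 scale so that two assessors with the same inputs get the same level (the reproducibility c) asks for), compared against an acceptance criterion, given treatments from the four options in f), and turned into a Statement of Applicability that refuses to leave an Annex A control silently unaccounted for. The scale, the sample asset, risks and treatment choices, and the four-control Annex A subset are assumptions made for the example.

```python
"""Worked run of ISO/IEC 27001:2005 clause 4.2.1 c) to j).

Added example, not from the original deck. The 1..5 scoring scale, the
sample asset, risks and treatment decisions are constructed for
illustration; ANNEX_A is a four-control subset with paraphrased titles.
"""
from dataclasses import dataclass

SCALE = range(1, 6)                   # 1 (lowest) .. 5 (highest) for impact and likelihood
PROPERTIES = ("C", "I", "A")          # confidentiality, integrity, availability
OPTIONS = ("apply_controls", "accept", "avoid", "transfer")   # f)1) to f)4)
ANNEX_A = {                           # constructed subset of Annex A
    "A.6.2.3": "Addressing security in third party agreements",
    "A.10.5.1": "Information back-up",
    "A.11.2.1": "User registration",
    "A.12.3.1": "Policy on the use of cryptographic controls",
}


@dataclass(frozen=True)
class Asset:                          # d)1) asset and owner; d)4) impact of loss
    name: str
    owner: str
    impact: dict                      # {"C": 1..5, "I": 1..5, "A": 1..5}

    def __post_init__(self):
        if set(self.impact) != set(PROPERTIES) or any(v not in SCALE for v in self.impact.values()):
            raise ValueError(f"{self.name}: rate C, I and A on 1..5")


@dataclass(frozen=True)
class Risk:                           # d)2) and d)3): a threat exploiting a vulnerability
    rid: str
    asset: Asset
    threat: str
    vulnerability: str
    affects: tuple                    # which of C/I/A the loss would hit
    likelihood: int                   # e)2): realistic, given controls already in place

    def level(self) -> int:
        """e)1) to e)3): worst affected impact x likelihood; a pure function
        of its inputs, so the result is comparable and reproducible."""
        if self.likelihood not in SCALE:
            raise ValueError(f"{self.rid}: likelihood must be 1..5")
        return max(self.asset.impact[p] for p in self.affects) * self.likelihood


@dataclass(frozen=True)
class Treatment:                      # f): chosen option; g): controls selected for it
    option: str
    controls: tuple = ()
    justification: str = ""


def assess(risks, accept_at: int) -> list:
    """e)4): compare each level with the acceptance criterion from c)2)."""
    return [{"rid": r.rid, "owner": r.asset.owner, "level": r.level(),
             "acceptable": r.level() <= accept_at}
            for r in sorted(risks, key=lambda r: r.rid)]


def check_treatments(risks, treatments: dict, accept_at: int) -> list:
    """f) and g): an unacceptable risk must be treated; accepting one above the
    criterion needs a recorded justification; selected controls must exist."""
    findings = []
    for r in risks:
        t = treatments.get(r.rid)
        if t is None:
            if r.level() > accept_at:
                findings.append(f"{r.rid}: level {r.level()} > {accept_at} and untreated")
            continue
        if t.option not in OPTIONS:
            findings.append(f"{r.rid}: unknown option {t.option!r}")
        if t.option == "accept" and r.level() > accept_at and not t.justification:
            findings.append(f"{r.rid}: accepting above criteria requires justification")
        if t.option == "apply_controls" and not t.controls:
            findings.append(f"{r.rid}: apply_controls with no controls selected")
        findings += [f"{r.rid}: {c} is not in the control catalogue" for c in t.controls if c not in ANNEX_A]
    return findings


def statement_of_applicability(treatments: dict, implemented: set, exclusions: dict) -> dict:
    """j): selected controls with reasons, controls already implemented, and
    justified exclusions. Any Annex A control in none of the three is listed
    as unjustified so the SoA cannot silently omit it."""
    selected = {}
    for rid, t in sorted(treatments.items()):
        for c in t.controls:
            selected.setdefault(c, []).append(rid)
    soa = {"selected": {c: "treats " + ", ".join(rids) for c, rids in selected.items()},
           "implemented": sorted(implemented), "excluded": {}, "unjustified": []}
    for c in ANNEX_A:
        if c in selected or c in implemented:
            continue
        if c in exclusions:
            soa["excluded"][c] = exclusions[c]
        else:
            soa["unjustified"].append(c)
    return soa


# Constructed sample register for a proposed SaaS service.
CRM = Asset("Customer records in hosted CRM", "Sales director", {"C": 5, "I": 4, "A": 3})
RISKS = (
    Risk("R-1", CRM, "Disclosure by provider staff", "No security terms in the contract", ("C",), 3),
    Risk("R-2", CRM, "Provider outage", "Single region, no exported backup", ("A",), 2),
)
ACCEPT_AT = 6                         # c)2): levels at or below 6 are accepted
TREATMENTS = {"R-1": Treatment("apply_controls", ("A.6.2.3", "A.12.3.1"))}  # R-2 (3x2=6) is within criteria
IMPLEMENTED = {"A.11.2.1"}            # e)2): already in place
EXCLUSIONS = {"A.10.5.1": "Backups are a contractual provider obligation under A.6.2.3"}
```

With the sample data, assess() rates R-1 at 15 (unacceptable) and R-2 at 6 (accepted), check_treatments() returns no findings, and the SoA lists A.6.2.3 and A.12.3.1 as selected for R-1, A.11.2.1 as implemented and A.10.5.1 as a justified exclusion. Drop the exclusion and A.10.5.1 shows up under "unjustified"; replace R-1's treatment with a bare accept and the checker demands a justification, which is the h) approval trail the standard wants management to sign.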