CSA NY Metro Inaugural Event 5/17/2011 Final Presentation Transcript
May 17, 2011
May 17, 2011 Agenda
6:00 – 6:20 Introductions, welcome and about NY Metro CSA Chapter
6:20 – 6:30 A few words from our sponsor: PWC
6:30 – 6:45 About CSA Global: Dov Yoran
6:45 – 7:15 Committee Chair Overview(s)
7:15 – 7:30 Open Discussion, Membership Points of Interest
How to get involved with CSA
7:30 – Food, Drinks and Networking
Introductory Comments and Welcome: Pamela Fusco
Welcome to the CSA NY Metro Chapter Kickoff
The how and why of the Chapter
CSA Global interaction
CSA NY Metro Chapter
New York, Connecticut and New Jersey
Mission – Cloud Risks and Threats
To promote the use of best practices for
providing security assurance in reducing and
identifying threats and risks within Cloud Computing
CSA NY Metro Board Members
Dov Yoran – Chairman: Role and Responsibility
Partner, MetroSITE Group
Founding Member CSA, contributed to Guidance v1 and v2
Establish / maintain relationship with CSA Global
Ensure NY Metro meets chapter requirements
Communications to/from Global CSA and NY Metro Chapter
Elad Yoran – Finance Chairman
Founder & CEO - Security Growth Partners
Wharton MBA (Truth is that no one else wanted this job)
CSA NY Metro Chapter – not-for-profit entity
Responsible for financial management of our chapter
Not chief fundraiser. Fundraising is all of our responsibilities. Our chapter will be as successful as we enable it to be, i.e. we'll need funds for events, programs, educational and networking activities
Sponsorships – will put together a sponsorship program. Looking for volunteers to help develop and manage it. Other ideas?
Peter Laberee, Esq. – General Counsel
B.A., J.D. – University of Pennsylvania
29 years of corporate law experience
Partner in several national law firms
Founder, Laberee Law PC, a corporate law boutique
Serve as general counsel – legal resource for chapter
Form CSA NY legal entity and manage books/records with corporate secretary and officers
Interested in chapter formulating a model form of cloud-based SLA
Jason Falciola – Secretary
Previously Technical Security Practitioner with IBM MSS
Currently Technical Account Manager with Qualys – SaaS provider of security & compliance services
Board member of NJ Infragard chapter
Ensuring proper documentation and communication of Board meetings and Chapter business/records.
Supporting relationship with CSA Global.
Participate in chapter development – It is what we all make of it!
Volunteer on Events committee (Others?).
About the Cloud Security Alliance: Dov Yoran
Global, not-for-profit organization
19,000+ individual members, 90+ corporate members
Building best practices and a trusted cloud ecosystem
Agile philosophy, rapid development of applied research
GRC: Balance compliance with risk management
Reference models: build using existing standards
Identity: a key foundation of a functioning cloud economy
Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
What is Cloud Computing?
On demand provisioning
Infrastructure as a Service (IaaS): basic O/S & storage
Platform as a Service (PaaS): IaaS + rapid dev
Software as a Service (SaaS): complete application
Public, Private, Community & Hybrid Cloud deployments
Industry-leading practices for securing cloud computing.
14 Domains of concern – governing and operating groupings, & Security as a Service (new candidate!).
Version 2.1 Guidance already in Use
Version 3 of Guidance – Work in Progress
Scott Saltz – Operations Chairman
(212) 461-3322 x3007
• Website - www.CSANYMetro.org
• LinkedIn - Cloud Security Alliance - New York Metro Chapter
• All events will be listed on both sites
• Registration will be through www.CSANYMetro.org
• Content - submit to email@example.com
• Blogs, events, articles, ideas, etc.
Brian Peister – Events Chairman
President & Owner – iSecure LLC – Information Risk Consulting
Over 12 years of information security experience in the retail, manufacturing, healthcare, financial, insurance, telecom and government sectors.
Built application security, data protection and incident response programs for Large Enterprises.
Former NY/ NJ OWASP Board Member.
Recently architected and implemented Cloud risk framework for large financial institution.
Facilitate cloud security events focused on our membership's goals and pain points.
Brian Peister – Events Chairman (Continued…)
Locations : New York, New Jersey and Connecticut
Event Committees - Coordinating and Programming
Committee Leads - Jason Falciola and Israel Bryski
Coordinating encompasses logistics, confirming the event agenda, registration and ordering food.
Programming will consist of choosing event topics, confirming speakers, setting the audience focus (CSO, architect, developer, etc.) and assisting with building the event agenda.
Event Topics & Format – Broad focus, from executive to developer level
Cloud Security Domains – 14 and counting!
Projects - GRC Stack, CloudSIRT, Security as a Service, Cloud Audit.
Various meeting formats: SME presentations, roundtables, panels, hands-on events, competitions.
Tim Lynam – Education Chairman
Develop "Working Group Committees" - Invite individuals to join the CSA NY Metro Chapter and encourage them to be members of Working Groups by:
Contacting (NY/NJ/CT) (ISSA/ISC2/ISACA) Presidents to market CSA NY Metro Chapter in their respective organizations
Sending emails to CSA NY chapter member organizations socializing the new CSA NY chapter
Documenting guidance on how to join the NY Metro CSA Chapter for new members (direct them to website and registration instructions)
Advertise (on the web site) committees inviting participation
Education Committee New Project Ideas
Prep program for the CCSK developed, or guidance on vendors/personnel who offer it. Possibly for Q2/3 at CSA NY Metro Chapter.
CSA framework aligned with other frameworks such as ISO 27001/2, Safe Harbor, COBIT, etc., or repurposed as enhancing the CCM (Cloud Controls Matrix) framework to align it with emerging regulatory trends, to be determined.
Security assessment in the cloud – guidelines to determine whether or not your vendor has placed you in the cloud without your knowledge. What mandatory controls need to be in place?
Privacy framework for an organization moving to the cloud - personal data in the cloud
Correlation between vendor risk management and cloud security – organizations typically have reasonably mature vendor risk management programs. We can look at how best to leverage this in a cloud scenario. What should be the approach and what are some of the additional processes and controls an organization would need to consider?
Education Committee New Project Ideas (Continued…)
Cloud Assurance – approach & methodology (leverage some of the recent SOC reporting changes)
Cloud Provider Assessments: Questionnaire to be provided on Web Site by CSA NY Metro to meet the minimum CSA baseline
Identify the additional information security risks associated with the Cloud, and the additional risks the Cloud Provider introduces by hosting your environment
Possible working group for SAS 70 processes to be updated for the Cloud
Benefits of using the Cloud from a cost, resource, time, and security perspective. “Kill” White Paper Development
Education Committee New Project Ideas (Continued…)
3-5 people per whitepaper working group review, 1 to chair/editor, others to research/review:
Domain 7 DR/BC review whitepaper – Tim: Q2/3
Domain 4 Compliance and Audit whitepaper – Don, Karthik: Q3/4
Domain 3 – All Domains Overview for Contract and SLA Negotiations – Tim, Karthik: Q4
CCSK Training and Certification Support/Initiation
CSA CCSK Certificate versus a Certification: develop possible guidance for CSA to establish a certification program. (Right now it is only a certificate awarded after taking the test; input from our committee, and possibly from the other committees, will be essential to determine the certification process.)
(For example: could a CIA, CISA, CRISC, CGEIT, CISSP or CISM, along with the CCSK certificate and work experience, be part of a certification process?)
How can we increase the marketability of the CCSK? What is its USP (unique selling proposition)?
Developing our membership
Opportunities for members
How to get involved
Leveraging website for community and membership events, activities and committees
To volunteer and get involved please contact us at: [email_address]
Find us on LinkedIn: http://www.linkedin.com/groups?mostPopular=&gid=3606473