Aicpa tech+panel presentation t6 managing risks and security 2014 v3
  • BEFORE BOARDING / CONSIDERATIONS

    Cloud risk sample questions, feel free to add or change.

    - What information and services would you move to the cloud? BRIAN
    - How do users know if the cloud vendor is in compliance with regulations and obligations? STEVE
    - Will you be able to measure against established or best-practice benchmarks? AARON
    - What are some of the cost, legal and contractual considerations? AARON
    - Can a user determine the Return on Investment (ROI) or the risk to the Total Cost of Ownership (TCO)? BRIAN
    - Should a user continue paying existing contractual costs for assets and services that are to be moved to the cloud? STEVE
    - What other factors should a user consider? BRIAN
    - STEVE
  • AFTER BOARDING

    - What should be considered if your organization or entity is currently engaged in the use of a cloud vendor (after the fact)? BRIAN
    - What are the options to help mitigate risks associated with engaging with a cloud vendor? STEVE
    - How can a user ensure that risks are mitigated? BRIAN
    - What should a user consider in relation to legal implications? AARON
    - If an incident (such as a security breach) does occur with your cloud vendor, what are the appropriate escalation procedures? STEVE
    - What best practices for resource and cost monitoring are available? E.g. usage, scope creep, power or bandwidth consumption and the process controls around them. AARON

Presentation Transcript

  • Aria Resort and Casino, Las Vegas, NV. Session T6: Managing Risks and Security in the Cloud Environment (Panel Discussion). Panelists: Catherine Bruder; Steve Ursillo, Jr.; Brian Thomas; Aaron Klein; Peter Karpas. #PSTECH
  • American Institute of CPAs® #PSTECH
    Session Agenda
    - Introduction to the Cloud
    - Panel Discussion (Q&A format)
      - Assessing the risks prior to moving into the Cloud environment
      - Managing the risks after moving into the Cloud environment
  • Steve Ursillo, Jr., CPA, CIA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC. Principal, Director of Technology & Assurance Services, Sparrow, Johnson & Ursillo, Inc. sursillojr@sju.com
    Steve is a principal and the director of Information Technology and Assurance Services at Sparrow, Johnson & Ursillo, Inc., a Rhode Island-based full-service CPA firm. Steve specializes in information security and privacy assurance services such as network and system vulnerability testing, penetration testing, information systems audits, internal control over financial reporting audits and Service Organization Control (SOC) attestations. Steve is currently the Co-Lead for the AICPA Cyber Security Task Force, along with serving on the Service Organization Control (SOC) Reporting Task Force. He graduated with a master’s degree in computer information systems (security) from Boston University and a bachelor’s degree in business administration (accounting) from Bryant University.
  • Catherine Bruder, CPA, CITP, CISA, CISM. Shareholder, Doeren Mayhew. bruder@doeren.com
    Catherine is the Shareholder of Information Technology Assurance Services for Doeren Mayhew, a CPA firm in Troy, Michigan. She is responsible for the planning and supervision of all forms of technology assurance including SSAE 16 and SOC reporting, IT audits, network vulnerability assessments, penetration testing, security program development, and disaster recovery planning. Catherine currently serves on the AICPA Service Organization Controls Task Force.
  • Brian Thomas, CISA, CISSP. Partner, Weaver. Brian.Thomas@WeaverLLP.com
    Brian is the partner in charge of Weaver’s IT Advisory Services team, which provides a range of technology-based assurance and consulting related services. With experience managing teams delivering IT-focused solutions such as SOC reporting, system integration, information security assessment, SOX assistance, IT audits, and IT project management, Brian brings diverse knowledge and technical skills to his clients. He is a member of the AICPA’s SOC Reporting Task Force and a member of the IM Advisory Council at the McCombs School of Business of The University of Texas. He graduated with a master’s degree and a bachelor’s degree in engineering from the University of Texas – i.e. not a CPA.
  • Aaron Klein. Founder, COO, CloudCheckr Inc. aaron.klein@cloudcheckr.com
    Aaron is the Founder and Chief Operating Officer of CloudCheckr Inc. CloudCheckr’s industry leading software solution provides visibility, security, cost management, and compliance controls so that users can confidently maximize their agility in the decentralized cloud environment. He has authored a series of whitepapers around public cloud best practices and mapping infrastructure controls to NIST 800-53 requirements. Aaron is also a regular contributor to Amazon Cloud Journal, DZone, DevOps.com, and other leading publications. Aaron earned a J.D. from State University of New York at Buffalo and a B.A. from Brandeis University.
  • Peter Karpas. CEO, Xero North America. Peter.karpas@xero.com
    Peter recently joined Xero as the CEO of North America. Prior to Xero, Peter held a number of senior roles at PayPal and Intuit. He was Vice President & General Manager of Small Business for PayPal, responsible for driving all of PayPal's small business efforts in North America. Prior to PayPal, Karpas spent over 10 years at Intuit. He was President and General Manager of the Quicken Health Group and served as the company's Chief Marketing and Product Management Officer, VP and General Manager of the Quicken Solutions Group, and General Manager for QuickBooks Industry-Specific Solutions. He is currently a member of the Board of Trustees for the Computer History Museum.
  • Introduction to the Cloud
  • IDC Forecasts
    - Spending on public IT cloud services will reach $47.4 billion in 2013 and is expected to be more than $107 billion in 2017.
    - Over the 2013–2017 forecast period, public IT cloud services will have a compound annual growth rate (CAGR) of 23.5%, five times that of the industry overall.
    - Software as a service (SaaS) will remain the largest public IT cloud services category, capturing 59.7% of revenues in 2017.
  • What is changing in the industry?
  • Introduction
    Software as a Service (SaaS)
    - Provides web-based access to software systems. This arrangement provides specialty or industry-specific automation functionality without the capital investment in equipment and the ongoing support and maintenance expense.
    Platform as a Service (PaaS)
    - Offers hardware and software layers comprising a computing platform which is delivered like a service. This layer of cloud computing enables companies to construct, test and deploy systems from a centralized environment.
    Infrastructure as a Service (IaaS)
    - Software and hardware, the equipment which supports automated operations, are purchased as a fully outsourced service versus buying and maintaining these assets in-house. IaaS provides a company with on-demand storage, computing and networking capacity.
  • Cloud Deployment Options
    Private Cloud
    - Colocation: server racks (equipped with power, cooling, and bandwidth) are rented on a monthly basis.
    Public Cloud
    - Managed Hosting: the service provider provides IT infrastructure resources, such as applications and storage, available over the Internet. Services may be free or subscribed on a pay-per-usage basis.
    Hybrid Cloud
    - Combination of Private and Public.
  • Cloud Supply Chain Information Security Risks
    You can outsource a business capability or function, but you cannot outsource accountability for information security.
    - Control gaps (shared control)
      - Information security (access controls, vulnerability and patch management)
      - Security architecture
      - Data governance (lifecycle management)
      - Release management (change control)
      - Facility security
    - Control dependencies
      - Corporate governance
      - Incident response
      - Resiliency
      - Risk and compliance management
  • Panel Discussion
  • Prior to Moving Into the Cloud
    Business considerations
    - What information and services would you move to the cloud?
    - Who is the right person to help manage the cloud vendor relationship?
    - Will you be able to measure against established or best-practice benchmarks?
    Legal and compliance considerations
    - How do users know if the cloud vendor is in compliance with regulations and obligations?
    - What should a user consider in relation to legal implications?
  • Prior to Moving Into the Cloud (continued)
    Cost and contractual considerations
    - Should a user continue paying existing contractual costs for assets and services that are to be moved to the cloud?
    - Can a user determine the Return on Investment (ROI) or the risk to the Total Cost of Ownership (TCO)?
    - What other factors should a user consider? Existing software licenses, flexibility of the solution or contract, etc.
  • After Moving Into the Cloud
    - What should be considered if your organization or entity is currently engaged in the use of a cloud vendor (after the fact)?
    - What are the options to help mitigate risks associated with engaging with a cloud vendor?
    - How can a user ensure that risks are mitigated?
    - What should a user consider in relation to legal implications?
    - If an incident (such as a security breach) does occur with your cloud vendor, what are the appropriate escalation procedures?
    - What best practices for resource and cost monitoring are available? Usage, scope creep, power or bandwidth consumption and the process controls around them.
  • Additional Resources
  • Join Information Management and Technology Assurance (IMTA)
    IMTA Premium Member Benefits:
    - Safari Books Online
    - Discounts on educational programs, such as the AICPA TECH+ conference, NAAATS conference, and IT Audit School program
    - Discounts on valuable software and tools, including Audimation Services, Inc. IDEA® products/training sessions and InformationActive ActiveData® products
    - Valuable technology content, including discussion papers, content suites, studies & practice aids
    - Communications, including electronic newsletters, featured articles, and news about the profession and the community
    - Networking groups and IT Section events at AICPA conferences
    Visit http://www.aicpa.org/InterestAreas/InformationTechnology for more details.
  • What is a Certified Information Technology Professional (CITP)?
    A CITP is a CPA:
    - Specialty designation that identifies CPAs with the unique ability to bridge between business and technology
    - The CITP Body of Knowledge represents the fundamental concepts of information management and technology assurance, including:
      - Risk Assessment
      - Fraud Considerations
      - Internal Control and IT General Controls
      - Evaluate, Test and Report
      - Information Management and Business Intelligence
  • CITP Credential Holder Benefits
    - CITP Marketing Toolkit
    - CPA Practice Advisor, a CPA-focused magazine
    - Full access to technical resources, content suites and practice aids
    - Find a CPA/CITP Online Database
    - Member Discounts
    - Information Management and Technology Assurance (IMTA) Division Web Seminars
  • CSA: https://cloudsecurityalliance.org/
  • CSA CCM v3.0: https://cloudsecurityalliance.org/
  • AICPA SOC
  • AICPA SOC: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx
  • Copyright © 2014 American Institute of CPAs. All rights reserved. Thank You. American Institute of CPAs® #PSTECH