Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 ISO 27001 FedRAMP CCM
Clearing up the confusion as we transition from SAS 70 to SSAE 16 SOC 1, SOC 2, and SOC 3. Sprinkle in ISO 27001, CSA CCM, and FedRAMP
Speaker note: Do visit the website. Do join the LinkedIn Groups – you will receive regular email updates.

    1. Tweet #csamtg – Cloud Security Alliance Q1’12 Chapter Meeting
    2. Welcome
        Definition of some commonly used, but often misunderstood terms. Subject matter might be controversial.
        Please make a note of the page number, jot down your thoughts, and hold questions and comments for the discussion period (only 30 seconds per slide!), OR tweet #csamtg with slide number X and your question or comment.
        (Callout: “Please keep clean?”)
    3. Standard
        stan·dard [stan-derd] noun
        1. something considered by an authority or by general consent as a basis of comparison; an approved model.
    4. Who Defines Standards?
        What does it mean to have a clean house? Who should decide?
        • Occupants of the house
        • Independent authority or general consent
        (Callout: “Why not?”)
    5. Standards – “Clean” Defined by Occupant
        1. Self defined – not a standard by definition (bare minimum)
           • No clutter
           • Clean floors
           • No food left on the counter
    6. Standards – “Clean” Defined by Authority
        2. Broad objectives
           • No clutter
           • No dishes in the sink
           • Clean floors
           • No dust
           • No food left on the counter
           • Everything in its place
        (Callout: “Get to decide what this means to you.”)
    7. Standards – “Clean” Defined by Authority (cont.)
        3. More detailed
           • No clutter
             o No clothes on the floor
             o Beds must be made
             o No excessive trinket collection or picture hanging
           • No dishes in the sink
             o Dishes must be placed in the dishwasher immediately
             o Sink must be washed after use
           • Clean floors
             o Carpeted floors must be vacuumed daily
             o Tiled floors must be cleaned daily with bleach
             o Baseboards must be wiped down with a rag by hand
           • No dust
             o All furniture surface areas must be dusted daily
             o The inside of the refrigerator, stove, and all appliances must be wiped daily
        (Callout: “Sometimes not applicable”)
    8. Standards – “Clean” Defined by Authority (cont.)
        4. Hybrid – even more detailed in some areas, but not applicable in others
           • No clutter (in the kitchen)
             o Nothing on the floor
             o No counter top appliances
             o Range must be electric
             o All appliances must be stainless steel
           • No dishes in the sink
             o Sink must not be used for washing dishes
             o Dishwasher must be commercial quality
           • Clean floors (in the kitchen)
             o Floors must be cleaned daily with bleach
             o Baseboards must be wiped down with a rag by hand
             o Anti-bacterial spray must be used daily
           • No dust (in the kitchen)
             o The outside of the refrigerator, stove, and all appliances must be wiped daily
             o The inside of the refrigerator, stove, and all appliances must be wiped daily
           • Bedrooms, living rooms, den, bathrooms, etc. (N/A)
    9. Assurance
        as·sur·ance [uh-shoor-uhns, -shur-] noun
        1. a positive declaration intended to give confidence.
    10. Assurance – Really?
        1. My house is clean. (Callout: “How do you know?”)
        2. His house was clean when I inspected it. (Callouts: “What about before?” “What about after?”)
        3. His house was clean all last year. (Callout: “What about after?”)
        4. His house is continually clean.
    11. Assurance – “My house is clean.”
        • Self Assessment or Management Attestation
        • High risk – Low reliability
        • Requires a high degree of trust in the person making the attestation
        • Lack of accountability. Leads to cutting corners because no one is looking.
    12. Assurance – “His house was clean when I checked.”
        • Third Party Attestation (Point in Time)
        • Medium risk & reliability
        • Provides minimal if any assurance, and still requires trust
        • Lack of accountability. Leads to cutting corners when no one is looking.
    13. Assurance – “His house was clean all last year.”
        • Third Party Attestation (Period of Time)
        • Low risk – High reliability
        • “Trust, but verify”
        • Provides reasonable assurance
        • Accountability exists – when corners are cut, there is a high likelihood of being caught
    14. Assurance – “His house is continually clean.”
        • Perpetual Validation (Real Time – Utopia)
        • Little to no risk – Very high reliability
        • Provides near absolute assurance, and does not require trust
        • Accountability exists. Corners cannot be cut, or there is a certainty of being caught.
    15. Certified
        cer·ti·fied [sur-tuh-fahyd] adjective
        1. having or proved by a certificate
        2. guaranteed; reliably endorsed
        (Callouts: “I am a CISA.” “Does ISACA guarantee my work?”)
    16. Which Assurance Should “Certified” Belong To?
        1. Self Assessment
        2. Third Party Attestation – Point in Time
        3. Third Party Attestation – Period of Time
        4. Perpetual Validation – Real Time Utopia
        (Callout: “Please tweet answer.”)
    17. Security Standards & Assurance
        Standard                                                    | Standard Category                                  | Assurance
        CSA STAR (CCM, CAIQ, etc.)                                  | More Detailed                                      | Self Assessment
        NIST/FedRAMP                                                | More Detailed                                      | Self Assessment
        COBIT                                                       | Broad Objectives                                   | Self Assessment
        HIPAA / HITRUST                                             | Broad Objectives                                   | Point in Time
        ISO 27001                                                   | Broad Objectives                                   | Point in Time
        PCI-DSS                                                     | Hybrid – Focused on cardholder data environments   | Point in Time
        N/A – Controls related to financial statement accuracy only | Self Defined                                       | AICPA SSAE 16 – SOC1 (formerly SAS70): Type 1 – Point in Time; Type 2 – Period of Time
        Trust Services Principles & Criteria (TSPC)                 | Broad Objectives                                   | AICPA SSAE 10~14 – SOC2/SOC3: Type 1 – Point in Time; Type 2 – Period of Time
    18. Issues Created for Service Organizations
        • Forced to satisfy customers’ need for assurance with multiple standards and audits.
        • Wasting time scheduling and supporting external auditors from multiple firms.
        • Wasting time scheduling and supporting audits by customers exercising their “right to audit.”
        • Lack of clarity and confusion regarding customer expectations.
    19. Is there a “Silver Bullet” to Satisfy Everyone?
        No. Governing bodies will always require their own standards and reports (i.e. VISA and Mastercard require PCI, the Federal Government requires HIPAA compliance). Customers have to provide their external auditors reports that meet their requirements.
    20. What can be done to reduce the burden of compliance?
        Take the best from each available Standard and Assurance: get Period of Time assurance with More Detailed standards.
        (Callout: “How?”)
    21. What can be done to reduce the burden of compliance?
        Use a SOC2 Type 2 report as the assurance wrapper for any or all of the following:
           o ISO 27002
           o CSA CCM
           o PCI-DSS
           o HITECH
           o NIST/FedRAMP
        (Callouts: “What?” “What good would it do?” “Who would test? Accountants?” “Reports come from separate auditors.”)
    22. SOC2 and “Additional Subject Matter”
        • The SOC2 attestation standard (AT-101 or SSAE 10~14) allows for inclusion of other standards (diagram: PCI-DSS, TSPC and AT-101 brought together).
        • CPA firms can partner with QSAs and ISO registrars to conduct testing together, eliminating testing redundancy.
        (Callouts: “Is this even allowed?” – Yes… “Technical Specialists”, AT-101. “Is there much overlap in standards?” – Yes.)
    23. SOC2 and “Additional Subject Matter”
        At the end of the engagement, organizations receive a SOC2 report that covers a period of time AND they receive separate reports covering the other standards, i.e. a PCI-DSS Report on Compliance (ROC) and/or an ISO 27001 certificate.
    24. SOC2 and “Additional Subject Matter”
        One core set of audit work serves as the basis for multiple reports. Customers receive:
           o The solid detail that great standards like CSA CCM provide
           o Little to no risk – very high reliability provided by period of time testing
           o Specific reports to satisfy everybody
           o International acceptance
    25. Objectors Say
        CPA firms that are not competent to perform CSA STAR, ISO 27001, PCI-DSS, etc. testing are not competent to accept the engagement, referencing SAS 73 as the Technical Specialist guideline CPA firms must follow.
        (Quoted from AT-101: “This knowledge requirement may be met, in part, through the use of one or more specialists on a particular attest engagement if the practitioner has sufficient knowledge of the subject matter (a) to communicate to the specialist the objectives of the work and (b) to evaluate the specialist’s work to determine if the objectives were achieved.”)
        We say, the AICPA provided for the use of technical specialists in AT-101, and the standard is clear. The use of specialists to demonstrate competence is allowed.
    26. Objectors Say
        ISO 27001 is a real time assurance because the certificate is valid for three years.
        We say, read the fine print. The certificate is void if any of the terms in the certificate agreement are broken. See “Proof that ISO 27001 is a Point-in-Time Assurance”.
    27. Objectors Say
        Period of Time assurance is no better than Point in Time assurance because both are “dated”, meaning they are irrelevant even before they are issued.
        We say, the discipline that is instilled in an organization that knows there is an increased likelihood of being caught when it strays shifts culture in the direction of better security.
    28. Discussion & Reading
        • The Risk Assurance Revolution has Begun – http://riskassuranceguy.blogspot.com/2012/01/risk-assurance-revolution-has-begun.html
        • SOC Reports: The customer is always right – http://turnkeyit.blogspot.com/2012/01/soc-reports-customer-is-always-right.html
        • Standards, Audits, and Certifications: Which One is Right? – http://www.infosecisland.com/blog/show/slug/19296-Standards-Audits-and-Certifications-Which-One-is-Right/page/2.html
        • When I See a Can in the Road, All I Want to do is Smash It – https://www.infosecisland.com/blogview/19769-When-I-See-a-Can-in-the-Road-All-I-Want-to-do-is-Smash-It.html
        • Why Data Centers Don’t Need SSAE 16 – https://www.infosecisland.com/blogview/16080-Why-Data-Centers-Dont-Need-SSAE-16.html
        • Why Data Centers Need SSAE 16 – https://www.infosecisland.com/blogview/16952-Why-Data-Centers-Need-SSAE-16.html
        • SOC 2 for Cloud Computing – https://www.infosecisland.com/blogview/17174-SOC-2-for-Cloud-Computing.html
        • AICPA Fumbles Audit Standards at the 5-Yard Line – http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/
        Good Reading:
        • http://www.schrammassurance.com/wp-content/uploads/2012/01/11-Schramm-SAS70-to-AT101-KLv4.pdf
        • http://cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/StandardsImplementationGuidance
        CSA Atlanta Chapter Q1’12 Meeting Feedback:
        • http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=91992030&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&trk=group_most_recent_rich-0-b-ttl&goback=.gmr_3664160
        • http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=46520870&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&goback=.gmr_3664160.gde_3664160_member_91992030
        LinkedIn Group on SOC Reports:
        • http://www.linkedin.com/groups/SOC-formerly-SAS70-Reports-4223260?
    29. The Cloud Security Alliance Governance, Risk, and Compliance (CSA GRC) Stack
        • A suite of four integrated and reinforcing CSA initiatives (the “stack packages”) – The Stack Packs
           • Cloud Controls Matrix
           • Consensus Assessments Initiative
           • CloudAudit
           • CloudTrust Protocol
        • Designed to support cloud consumers and cloud providers
        • Prepared to capture value from the cloud as well as support compliance and control within the cloud
        (The CSA GRC V2.0 Workshop | Ron Knode, 7 Oct 2011)
    30. The CSA GRC Stack – Bringing the Stack Pack Together
        (Figure: a table of the four stack packs with columns “Stack Pack”, “Delivering” and “Description”; the cell text is truncated on the page. Recoverable fragments: “Continuous monitoring … with a purpose of …”; “Claims, offers, and the basis for auditing service delivery”; “Pre-audit checklists and questionnaires to inventory controls”; “Common interface and … automate the Audit, Assertion, Assessment and Assurance (A6) of …”; “Industry-accepted way … security controls exist”; “Fundamental security p…”.)
    31. CSA GRC Value Equation – Contributions for Consumers and Providers
        • Individually useful
        • Collectively powerful
        • Productive way to reclaim end-to-end information risk management capability
        Static claims & assurances:
           • What control requirements should I have as a cloud consumer or cloud provider?
           • How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
           • How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
        Dynamic (continuous) monitoring and transparency of service:
           • How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency to all of my cloud users (provider)?
    32. Using the GRC Stack – Making the Stack Pack Approach Work for You
        • Easy to get started
        • Many successful combinations
        • Benefits accrue with each stack pack addition
        • Multiple alternatives to application and deployment
        • Mapped across multiple compliance mandates
    33. 2011 Recap
        • GRC Stack Training Courses offered across US and Europe
        • Cloud Security Alliance acquires CTP from CSC (July)
        • CCM 1.2 released (August)
        • CAIQ 1.1 released (September)
    34. 2012
        • CCM v1.3
        • CAIQ and CCM migrating to database format
        • More GRC Stack Training Courses (TBA)
        • 2012 CTP Roadmap release – volunteer opportunities and more details will be announced in Q1
        https://cloudsecurityalliance.org/research/grc-stack/
    35. https://cloudsecurityalliance.org/star/
        The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud service providers. It helps users assess the security of cloud providers they currently use or are considering contracting with.
        It is a simple but powerful idea: cloud providers post self assessments of their cloud services, CSA makes these assessments publicly available, and cloud consumers can use this data to make informed purchasing decisions.
        It supports the CSA GRC Stack, AICPA SOC, ISO 27001, FedRAMP, etc.
    36. CSA Summit 2012 at RSA-USA – February 27 – March 2, Moscone Center, San Francisco
    37. Help Us Secure Cloud Computing
        – www.cloudsecurityalliance.org
        – info@cloudsecurityalliance.org
        – LinkedIn: www.linkedin.com/groups?gid=1864210
        – Twitter: @cloudsa
    38. About Us – Phil Agcaoili, @hacksec