RSA: CSA GRC Stack Update for the CSA Atlanta Chapter

RSA CSA GRC Stack Update for the Atlanta CSA Chapter by Phil Agcaoili

Speaker notes
  • On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
  • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
  • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
  • Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
  • Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
  • Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  • Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations, typically through a pay-per-use business model.
  • Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
  • Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
  • Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
  • Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
  • Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
  • The NIST Security Content Automation Protocol (SCAP) Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards. XBRL (eXtensible Business Reporting Language) is a freely available, standards-based way to communicate and exchange business information between business systems.
  • Do visit the website. Do join the LinkedIn Groups – you will receive regular email updates.
Transcript of "RSA: CSA GRC Stack Update for the CSA Atlanta Chapter"

RSA: Cloud Security Alliance GRC Stack Update
Cloud Security Alliance, Atlanta Chapter
Phil Agcaoili, Cox Communications
Dennis Hurst, HP
March 2011

Cloud Computing: NIST Definition
UPDATED (Jan 2011) – National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft)
Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
Rapidly provisioned and released with minimal management effort or service provider interaction
Composed of 5 essential characteristics, 3 service models, and 4 deployment models.
Source: http://www.nist.gov/itl/csd/cloud-020111.cfm

Cloud Computing: 5 Essential Characteristics
On-demand tenant self-service model for provisioning computing capabilities (server time, network storage, etc.)
Broad network access with capabilities over the network accessible by standard mechanisms and mobile platforms
Resource pooling through dynamically assigned physical and virtual capabilities delivered in a multi-tenant model and location independent
Rapid elasticity of provisioned resources automatically or manually adjusted aligned with service level flexibility and needs
Measured service to monitor, control and report on transparent resource optimization

Cloud Computing: 3 Service Models
Software as a Service (SaaS)
Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces.
Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx
Platform as a Service (PaaS)
Capability made available to tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by provider.
Examples: Microsoft Azure, Amazon Web Services, Bungee Connect
Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)
Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s applications.
Examples: Rackspace, Terremark (Verizon), Savvis, AT&T
Cloud Computing: 4 Deployment Models
(4) HYBRID
Composition of 2 or more deployment models that remain unique entities
Bound together by standardized or proprietary technology enabling data and application portability

Cloud Computing Security: Largest Barrier to Adoption

What is Different about Cloud?

What is Different about Cloud?

What is Different about Cloud?

Proposal for Atlanta Chapter Objective #1: Cloud Security Contract Template
Vendor and Customer Needs:
A simple, but uniform security contract and questionnaire/checklist
Benefits:
Standard/uniform customer response
Minimizes unique customer requests
Provide basic security attestation and assurance

What is Different about Cloud?

What is Different about Cloud?

Cloud Controls Matrix
Cloud Controls Matrix: Leadership Team
Becky Swain – Cisco Systems, Inc.
Philip Agcaoili – Cox Communications
Marlin Pohlman – EMC, RSA
Kip Boyle – CSA
V1.1 Released Dec 2010
Rated as applicable to S-P-I with Cloud Provider / Tenant Delineation
Controls baselined and mapped to:
COBIT
HIPAA / HITECH Act
ISO/IEC 27001:2005
NIST SP 800-53
FedRAMP
PCI DSS v2.0
BITS Shared Assessments
GAPP
Cloud Controls Matrix: Global Industry Contribution
Adalberto Afonso A Navarro F do Valle – Deloitte LLP
Addison Lawrence – Dell
Akira Shibata – NTT DATA Corp
Andy Dancer
Anna Tang – Cisco Systems, Inc.
April Battle – MITRE
Chandrasekar Umpathy
Chris Brenton – Dell
Dale Pound – SAIC
Daniel Philpott – Tantus Technologies
Dr. Anton Chuvakin – Security Warrior Consulting
Elizabeth Ann Wickham – L47 Consulting Limited
Gary Sheehan – Advanced Server Mgmt Group, Inc.
Georg Heß
Georges Ataya – Solvay Brussels School of Economics & Mgmt
Glen Jones – Cisco Systems, Inc.
Greg Zimmerman – Jefferson Wells
Guy Bejerano – LivePerson
Henry Ojo – Kamhen Services Ltd
Jakob Holm Hansen – Neupart A/S
Joel Cort – Xerox Corporation
John DiMaria – HISPI
John Sapp – McKesson Healthcare, HISPI
Joshua Schmidt – Vertafore, Inc.
Karthik Amrutesh – Ernst and Young LLP
Kelvin Arcelay – Arcelay & Associates
Kyle Lai – KLC Consulting, Inc.
Larry Harvey – Cisco Systems, Inc.
Laura Kuiper – Cisco Systems, Inc.
Lisa Peterson – Progressive Insurance
Lloyd Wilkerson – Robert Half International
Marcelo Gonzalez – Banco Central Republica Argentina
Mark Lobel – PricewaterhouseCoopers LLP
Meenu Gupta – Mittal Technologies
Mike Craigue, Ph.D. – Dell
MS Prasad – Exec Dir, CSA India
Niall Browne – LiveOps
Patrick Sullivan
Patty Williams – Symetra Financial
Paul Stephen – Ernst and Young LLP
Phil Genever-Watling – Dell
Philip Richardson – Logicalis UK Ltd
Pritam Bankar – Infosys Technologies Ltd.
Ramesan Ramani – Paramount Computer Systems
Steve Primost
Taiye Lambo – eFortresses, Inc.
Tajeshwar Singh
Thej Mehta – KPMG LLP
Thomas Loczewski – Ernst and Young GmbH, Germany
Vincent Samuel – KPMG LLP
Yves Le Roux – CA Technologies
HISPI membership (Release ISO Review Body)

Cloud Controls Matrix: Characteristics
Objective measure to monitor activities and then take corrective action to accomplish organizational goals.
Comprised of a set of policies and processes (internal controls) affecting the way Cloud services are directed, administered or controlled.
Aligned to Information Security regulatory rules and industry accepted guidance.
Controls reflect the intent of the CSA Guidance as applied to existing patterns of Cloud execution.

Cloud Controls Matrix: Optimal & Holistic Compliance
Bridging Regulatory Governance And Practical Compliance

Cloud Controls Matrix: 11 Domains
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management (OM)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11. Security Architecture (SA)
Cloud Controls Matrix: 98 Controls
Compliance
CO01 – Audit Planning
CO02 – Independent Audits
CO03 – Third Party Audits
CO04 – Contact / Authority Maintenance
CO05 – Information System Regulatory Mapping
CO06 – Intellectual Property
Legal
LG01 – Non-Disclosure Agreements
LG02 – Third Party Agreements
Data Governance
DG01 – Ownership / Stewardship
DG02 – Classification
DG03 – Handling / Labeling / Security Policy
DG04 – Retention Policy
DG05 – Secure Disposal
DG06 – Non-Production Data
DG07 – Information Leakage
DG08 – Risk Assessments
Risk Management
RI01 – Program
RI02 – Assessments
RI03 – Mitigation / Acceptance
RI04 – Business / Policy Change Impacts
RI05 – Third Party Access

Cloud Controls Matrix: 98 Controls (cont.)
Resiliency
RS01 – Management Program
RS02 – Impact Analysis
RS03 – Business Continuity Planning
RS04 – Business Continuity Testing
RS05 – Environmental Risks
RS06 – Equipment Location
RS07 – Equipment Power Failures
RS08 – Power / Telecommunications
Human Resources
HR01 – Background Screening
HR02 – Employment Agreements
HR03 – Employment Termination
Release Management
RM01 – New Development / Acquisition
RM02 – Production Changes
RM03 – Quality Testing
RM04 – Outsourced Development
RM05 – Unauthorized Software Installations
Operational Management
OP01 – Policy
OP02 – Documentation
OP03 – Capacity / Resource Planning
OP04 – Equipment Maintenance

Cloud Controls Matrix: 98 Controls (cont.)
Security Architecture
SA01 – Customer Access Requirements
SA02 – User ID Credentials
SA03 – Data Security / Integrity
SA04 – Application Security
SA05 – Data Integrity
SA06 – Production / Non-Production Environments
SA07 – Remote User Multi-Factor Authentication
SA08 – Network Security
SA09 – Segmentation
SA10 – Wireless Security
SA11 – Shared Networks
SA12 – Clock Synchronization
SA13 – Equipment Identification
SA14 – Audit Logging / Intrusion Detection
SA15 – Mobile Code
Facility Security
FS01 – Policy
FS02 – User Access
FS03 – Controlled Access Points
FS04 – Secure Area Authorization
FS05 – Unauthorized Persons Entry
FS06 – Off-Site Authorization
FS07 – Off-Site Equipment
FS08 – Asset Management

Cloud Controls Matrix: 98 Controls (cont.)
Information Security
IS01 – Management Program
IS02 – Management Support / Involvement
IS03 – Policy
IS04 – Baseline Requirements
IS05 – Policy Reviews
IS06 – Policy Enforcement
IS07 – User Access Policy
IS08 – User Access Restriction / Authorization
IS09 – User Access Revocation
IS10 – User Access Reviews
IS11 – Training / Awareness
IS12 – Industry Knowledge / Benchmarking
IS13 – Roles / Responsibilities
IS14 – Management Oversight
IS15 – Segregation of Duties
IS16 – User Responsibility
IS17 – Workspace
IS18 – Encryption
IS19 – Encryption Key Management
IS20 – Vulnerability / Patch Management
IS21 – Anti-Virus / Malicious Software
IS22 – Incident Management
IS23 – Incident Reporting
IS24 – Incident Response Legal Preparation
IS25 – Incident Response Metrics
IS26 – Acceptable Use
IS27 – Asset Returns
IS28 – eCommerce Transactions
IS29 – Audit Tools Access
IS30 – Diagnostic / Configuration Ports Access
IS31 – Network Services
IS32 – Portable / Mobile Devices
IS33 – Source Code Access Restriction
IS34 – Utility Programs Access

Consensus Assessment Initiative
Consensus Assessment Initiative
Research tools and processes to perform shared assessments of cloud providers
Lightweight “common assessment criteria” concept
Integrated with Controls Matrix
Ver 1 CAI Questionnaire released Oct 2010, approx 140 provider questions to identify presence of security controls or practices

Consensus Assessment Initiative: Team
Contributors
Matthew Becker – Bank of America
Aaron Benson – Novell
Ken Biery – Verizon Business
Kristopher Fador – Bank of America
David Gochenaur – Aon Corporation
Jesus Molina – Fujitsu
John Nootens – AMA Association
Hemma Prafullchandra – Hytrust
Gorka Sadowski – Log Logic
Richard Schimmel – Bank of America
Patrick Vowles – RSA
Kenneth Zoline – IBM
Leaders
Laura Posey – Microsoft
Jason Witty – Bank of America
Marlin Pohlman – EMC, RSA
Earle Humphreys – ITEEx
Editor
Christofer Hoff – Cisco

Consensus Assessment Initiative: Approach
Build “cloud-specific” question-set
CSA guidance
Industry experts
Align questions with the CSA Cloud Controls Matrix
Release 1.0 question-set publicly
Integrate into CloudAudit.org framework
Post to CloudSecurityAlliance.org

Consensus Assessment Initiative Questionnaire (CAIQ) – 148 Qs
CloudAudit

CloudAudit
Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments
Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.

CloudAudit: Objective
A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
Define a namespace that can support diverse frameworks
Express five critical compliance frameworks in that namespace
Define the mechanisms for requesting and responding to queries relating to specific controls
Integrate with portals and AAA systems

CloudAudit: Aligned to Cloud Controls Matrix
First efforts aligned to compliance frameworks as established by CSA Control Matrix:
PCI DSS
HIPAA
COBIT
ISO/IEC 27001:2005
NIST SP 800-53
Incorporate CSA’s CAI and additional CompliancePacks
Expand alignment to “infrastructure” and “operations”-centric views also

CloudAudit: Sample Implementation
CSA Compliance Pack

CloudAudit: Sample Implementation (cont.)
CSA Compliance Pack

CloudAudit: Sample Implementation (cont.)
CSA Compliance Pack

CloudAudit: Release Deliverables
Contains all Compliance Packs, documentation and scripts needed to begin implementation of CloudAudit
Working with Service Providers and Tool Vendors for Adoption
Officially folded CloudAudit under the Cloud Security Alliance in October, 2010
http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip

CloudAudit: Release Deliverables (cont.)
Request Flow for Users & Tools

CloudAudit: Release Deliverables (cont.)
index.html / default.jsp / etc.
index.html is for dumb browser consumption
Typically, the direct human user use case
It can be omitted if directory browsing is enabled
It contains JavaScript to look for the manifest.xml file, parse it, and display it as HTML.
If no manifest.xml exists, it should list the directory contents relevant to the control in question

CloudAudit: Release Deliverables (cont.)
manifest.xml
Structured listing of control endpoint contents
Can be extended to provide contextual information
Primarily aimed at tool consumption
In Atom format
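The index.html behaviour on the two slides above (look for manifest.xml, parse it, display it as HTML, otherwise list the directory) is shown here as an added example; it is not CloudAudit's own code and it is written in Python rather than the browser-side JavaScript the slide mentions, so it runs offline. It assumes a control endpoint is a directory and that manifest.xml is a standard Atom 1.0 feed whose entries carry title, link, updated and summary elements; how CloudAudit actually populates those elements is not stated on the page, so the sample manifest, the control identifier and the file names are constructed. Because the manifest is provider-supplied content rendered into a consumer's page, the example escapes every string it emits and only keeps links that stay inside the endpoint directory.

```python
"""Added example: render a CloudAudit-style control endpoint as HTML.
Not CloudAudit's code. Atom element names are standard Atom 1.0; the
sample manifest, control id and file names below are constructed."""
import html
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample manifest for a placeholder control "EXAMPLE-01".
# The second entry carries an external link and angle brackets in its
# title to exercise the escaping and link filtering below.
SAMPLE_MANIFEST = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Evidence for control EXAMPLE-01</title>
  <updated>2011-03-01T00:00:00Z</updated>
  <entry>
    <title>Access control policy</title>
    <link rel="alternate" href="policy.pdf"/>
    <updated>2011-02-15T00:00:00Z</updated>
    <summary>Signed policy document</summary>
  </entry>
  <entry>
    <title>Audit report &lt;draft&gt;</title>
    <link rel="alternate" href="http://example.invalid/report.pdf"/>
    <updated>2011-02-20T00:00:00Z</updated>
    <summary>Third-party audit report</summary>
  </entry>
</feed>
"""


def safe_href(href):
    """Keep only relative links that stay inside the endpoint directory.
    Anything with a scheme, a host, a leading slash or a '..' segment
    is dropped (returned as an empty string)."""
    parts = urlsplit(href)
    if parts.scheme or parts.netloc or href.startswith("/"):
        return ""
    if ".." in href.split("/"):
        return ""
    return href


def parse_manifest(xml_text):
    """Return one dict per Atom <entry>: title, href, updated, summary."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall(ATOM_NS + "entry"):
        link = entry.find(ATOM_NS + "link")
        entries.append({
            "title": entry.findtext(ATOM_NS + "title", default=""),
            "href": link.get("href", "") if link is not None else "",
            "updated": entry.findtext(ATOM_NS + "updated", default=""),
            "summary": entry.findtext(ATOM_NS + "summary", default=""),
        })
    return entries


def render_endpoint(endpoint_dir):
    """HTML for one control endpoint: manifest entries when manifest.xml
    is present, otherwise a plain directory listing. Every string taken
    from the manifest or the filesystem is escaped before it is emitted."""
    manifest_path = os.path.join(endpoint_dir, "manifest.xml")
    if os.path.isfile(manifest_path):
        with open(manifest_path, encoding="utf-8") as fh:
            entries = parse_manifest(fh.read())
        items = []
        for e in entries:
            href = safe_href(e["href"])
            label = html.escape(e["title"])
            if href:
                label = '<a href="%s">%s</a>' % (html.escape(href, quote=True), label)
            items.append("<li>%s (updated %s): %s</li>"
                         % (label, html.escape(e["updated"]), html.escape(e["summary"])))
        return "<h1>Manifest</h1><ul>%s</ul>" % "".join(items)
    names = sorted(os.listdir(endpoint_dir))
    items = ["<li>%s</li>" % html.escape(name) for name in names]
    return "<h1>Directory listing</h1><ul>%s</ul>" % "".join(items)


def demo():
    """Build two constructed endpoints (with and without a manifest) in a
    temporary directory and return the HTML rendered for each."""
    with tempfile.TemporaryDirectory() as root:
        with_manifest = os.path.join(root, "with-manifest")
        os.mkdir(with_manifest)
        with open(os.path.join(with_manifest, "manifest.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_MANIFEST)
        bare = os.path.join(root, "bare")
        os.mkdir(bare)
        open(os.path.join(bare, "evidence.txt"), "w").close()
        return render_endpoint(with_manifest), render_endpoint(bare)


if __name__ == "__main__":
    for page in demo():
        print(page)
```

The link filter is the part worth carrying over to a real index.html: a manifest is an assertion published by the provider, and a consumer's browser or tool should treat its contents as untrusted input, escaping text and refusing links that point outside the control endpoint being audited.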
CSA GRC Stack

CSA GRC Stack
Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
Provider Assertions
Private, Community & Public Clouds
Control Requirements

CSA GRC Stack
Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of Governance, Risk Management and Compliance (GRC) requirements – success dependent upon:
Appropriate assessment criteria; and
Relevant control objectives and timely access to necessary supporting data.
CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).
Available now for free download at: www.cloudsecurityalliance.org/grcstack.zip

CSA GRC Stack: Bringing it all together…

CSA GRC Stack: Industry Collaboration & Support
International Organization for Standards (ISO)
ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy with active CSA representation
European Network and Information Security Agency (ENISA)
Common Assurance Maturity Model (CAMM)
American Institute of Certified Public Accountants (AICPA)
Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
National Institute of Standards and Technology (NIST)
Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)

CSA GRC Stack: Industry Collaboration & Support (cont.)
Inverse Control Framework Mappings
Health Information Trust Alliance (HITRUST)
Unified Compliance Framework (UCF)
Information Systems Audit and Control Association (ISACA)
BITS Shared Assessments SIG/AUP + TG Participation
Information Security Forum (ISF)

About the Cloud Security Alliance

About the Cloud Security Alliance
Global, not-for-profit organization
Almost 18,000 individual members, 80 corporate members
Building best practices and a trusted cloud ecosystem
Agile philosophy, rapid development of applied research
GRC: Balance compliance with risk management
Reference models: build using existing standards
Identity: a key foundation of a functioning cloud economy
Champion interoperability
Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Contact
Help us secure cloud computing
www.cloudsecurityalliance.org
info@cloudsecurityalliance.org
LinkedIn: www.linkedin.com/groups?gid=1864210
Twitter: @cloudsa

Thank You