Department of Internal Affairs
Government guidance on cloud risk
Chris Blackford
Manager ICT Operations Assurance, GCIO
Department of Internal Affairs
Cloud First
In 2012 Cabinet announced a “Cloud First” and “All of Government” (AoG) approach to utilising and developing IT services.
Recognising the risks of cloud, Cabinet also instructed the GCIO to develop a risk management framework around cloud adoption.
2012 was also the ‘Year of the Breach’ for a number of NZ Government agencies.
In 2013 Cabinet directed agencies to adopt AoG cloud solutions (where they exist) and to follow the Cloud Computing Information Security and Privacy Considerations guidance document.
The guidance contains 105 questions that agencies should consider about each cloud service.
Why a Cloud Risk Framework is Necessary
• Information loss or compromise
• Loss of IP ownership
• Privacy and jurisdictional issues
• Lack of availability of data
• Ineffective incident management practices
• Lack of archival, backup and disaster recovery capabilities
• Cost of a data breach (lack of cybersecurity insurance)
• Availability of THE INTERNET (IoT, DNS DDoS)
Example of breach impact:
– 35 million users’ details hacked
– Multiple spoof hacks spawned, resulting in new scams
– 2 suicides in Canada linked to data exposure
– 13,000 US Govt employees implicated
– Users from 35 NZ Govt agency email domains registered
– CAD$500,000 reward offered by the company owners
– Multiple lawsuits and class actions pending
[Diagram: CIA triad – Confidentiality, Integrity, Availability]
Cloud Risk Assessment Process: Risk Based Assessment
• Definition of a cloud service
– Any IT service outside the direct control of the agency and outside the agency network boundary, where the agency’s information is stored or processed.
• Intent:
– Complete the initial 27-odd questions to determine the information value and risk.
– Assess how deeply the remaining questions need to be answered, based on information classification and privacy impact for your agency or perhaps for your sector. Try not to take a compliance focus.
– Try to embed the guidance steps in your C&A (go-live or SDLC) process.
• Check with GCIO
– Has anyone else risk assessed the service? Reuse.
• SRS Panel
– If you don’t have the expertise or capacity: use the AoG Security and Related Services panel.
• Formal CE or delegated risk sign-off to GCIO
Clarification of Requirement:
• That you undertake an appropriately robust Risk Assessment
• That the residual risks are formally accepted by the CE or delegate
• That you send GCIO the completed Risk Assessment tool and CE sign-off
Risk Authority and Cloud Risk Acceptance
Risk Authority, Risk Escalation and Acceptance are related, critical parts of the Risk Management Framework. It is important that these elements are understood by everyone making risk decisions. Risk Acceptance is “the formal process to acknowledge that DIA is prepared to manage the consequences if the risk occurs”. The chart below shows the levels at which risk can be formally accepted and how risk must be escalated.

Risk zone   Strategic Risk   DIA Outcomes                   Branch Outcomes                Business Unit Outcomes
Zone 1      ELT              ELT                            DCE                            DCE
Zone 2      ELT              DCE                            3rd Tier Responsible Manager   3rd Tier Responsible Manager
Zone 3      ELT              3rd Tier Responsible Manager   3rd Tier Responsible Manager   4th Tier Responsible Manager
Zone 4      ELT              3rd Tier Responsible Manager   4th Tier Responsible Manager   4th Tier Responsible Manager

DIA Risk Acceptance and Risk Escalation Requirements that apply to each risk zone
• All Strategic Risks reside under the authority of ELT irrespective of the level of the risk.
• All DIA Outcome zone 1 risks must be reported to ELT. Only ELT has the authority to confirm acceptance of zone 1 Residual Risks.
• All Branch Outcome zone 1 risks must be reported to the respective DCE. Only the DCE has the authority to confirm acceptance of zone 1 Residual Risks. The DCE may also inform ELT.
• All Business Unit level zone 1 risks must be reported to the respective DCE. Only the DCE has the authority to confirm acceptance of zone 1 Residual Risks. The DCE may also inform ELT.
• There is a formal sign-off process for Risk Acceptance which must be followed.
A Big Cloud Myth
If the SaaS is built on a Tier 1 (AWS, Azure, Salesforce or Google) infrastructure provider it must be secure!
Wrong: each layer has its own security needs. Building on a Tier 1 IaaS only reduces the security risks for those layers.
Example: New SaaS Registry service
• AWS will be responsible for ensuring that the infrastructure component of the cloud solution stack is secure
• <App provider> will have the same responsibility for the application component of the solution stack
• <DHB> will be responsible for user and application configuration security
Health considerations
• The need to share outweighs the need to know…
– HSIF rather than NZISM.
• You operate in a complex sector…
– The use cases for a cloud application must be understood.
– What may be appropriate for tertiary health may not be for primary health…
– Privacy considerations remain a key consideration.
– Business Continuity Planning is a vital part of considering any service.
• Cyber Crime.
– A health record is worth 3 or 4 times the value of a standard personal record on the black market.
Some Centralised Security Certifications
1. DIA is taking a Lead Agency role in certifying some key Cloud Services.
2. These will be risk assessed, certified and provided to agencies to allow them to do a gap analysis, perform further work as required to fit their own usage requirements, and accredit.
Office 365 / Azure AD – Done
AWS – Done
Google GSuite – Underway
Oracle – Planned
Salesforce – Planned
SAP HR – Planned
Resources available on Ict.govt.nz
• Assessing the Risk: assess-the-risks-of-cloud-services
– risk assessments
– social license
– jurisdictional risk
• Office Productivity Guidance: security-controls-for-cloud-services
• AoG common capabilities: aog services
• Early Adopter Case Studies: case-studies-and-benchmarking
• Cloud Centre of Excellence group: contact Chris.Buxton@statistics.govt.nz
• Coming soon: Shadow Cloud assessment guidance
• Coming soon: Public Cloud Marketplace
Contact us any time at
ICTAssurance@dia.govt.nz

HiNZ Cyber17 - Chris Blackford

  • 1. Department of Internal Affairs Government guidance on cloud risk Chris Blackford Manager ICT Operations Assurance, GCIO
  • 2. Department of Internal Affairs Cloud First In 2012 Cabinet announced a “Cloud First” and “All of Government” (AoG) approach to utilising and developing IT services. Recognising the risks of cloud, Cabinet also instructed the GCIO to develop a risk management framework around cloud adoption. 2012 was also the ‘Year of the Breach’ for a number of NZ Government agencies. In 2013 Cabinet directed agencies to adopt AoG cloud solutions (where they exist) and to follow the Cloud Computing Information Security and Privacy Considerations guidance document. The guidance contains 105 questions that agencies should consider about each cloud service.
  • 3. 3 Why a Cloud Risk Framework is Necessary • Information loss or compromise • Loss of IP ownership • Privacy and jurisdictional issues • Lack of availability of data • Ineffective incident management practices • Lack of archival, backup and disaster recovery capabilities • Cost of a data breach (lack of cybersecurity insurance) • Availability of THE INTERNET (IoT, DNS DDOS)  35 million users’ details hacked  Multiple spoof hacks spawned, resulting in new scams  2 suicides in Canada linked to data exposure  13,000 US Govt employees implicated  Users from 35 NZ Govt agency email domains registered  CAD$500,000 reward offered by the company owners  Multiple lawsuits and class actions pending C I A Confidentiality Integrity Availability
  • 4. Department of Internal Affairs • Definition of a cloud service – Any IT service outside the direct control of the agency and outside the agency network boundary, where the agency’s information is stored or processed. • Intent: – Complete the initial 27 odd questions to determine the information value and risk. – Assess how deep the remaining questions need to be answered based on information classification and privacy impact for your agency or perhaps for your sector. Try not to take a compliance focus. – Try and embed the guidance steps in your C&A (Go live or SDLC) process • Check with GCIO – Has anyone else Risk Assessed the service? Reuse. • SRS Panel – If you don’t have the expertise or capacity : use the AoG Security and Related Services panel • Formal CE or delegated risk sign off to GCIO Cloud Risk Assessment Process Risk Based Assessment
  • 5. Department of Internal Affairs Clarification of Requirement: • That you undertake an appropriately robust Risk Assessment • That the residual risks are formally accepted by the CE or delegate • That you send GCIO the completed Risk Assessment tool and CE sign off
  • 6. Department of Internal Affairs Risk Authority and Cloud Risk Acceptance Risk Authority, Risk Escalation and Acceptance are related critical parts of the Risk Management Framework. It is important that these elements are understood by everyone making risk decisions. Risk Acceptance is “The formal process to acknowledge that DIA is prepared to manage the consequences if the risk occurs”. The chart below shows the levels at which risk can be formally accepted and how risk must be escalated. Strategic Risk DIA Outcomes Branch Outcomes Business Unit Outcomes Zone 1 ELT ELT DCE DCE Zone 2 ELT DCE 3rd Tier Responsible Manager 3rd Tier Responsible Manager Zone 3 ELT 3rd Tier Responsible Manager 3rd Tier Responsible Manager 4th Tier Responsible Manager Zone 4 ELT 3rd Tier Responsible Manager 4th Tier Responsible Manager 4th Tier Responsible Manager DIA Risk Acceptance and Risk Escalation Requirements that apply to each risk zone  All Strategic Risks reside under the authority of ELT irrespective of the level of the risk.  All DIA Outcome zone 1 risks must be reported to ELT. Only ELT has the authority to confirm acceptance of zone 1 Residual Risks.  All Branch Outcome zone 1 risks must be reported to the respective DCE. Only the DCE has the authority to confirm acceptance of zone 1 Residual Risks. DCE may also inform ELT.  All Business Unit level zone 1 risks must be reported to the respective DCE. Only the DCE has the authority to confirm acceptance of zone 1 Residual Risks. DCE may also inform ELT.  There is a formal sign off process for Risk Acceptance which must be followed.
  • 7. Department of Internal Affairs A Big Cloud Myth If the SaaS is build on a Tier 1 (AWS, Azure, Salesforce or Google) infrastructure provider it must be secure! Wrong: Each layer has it’s own security needs: building it on a Tier 1 IaaS only reduces the security risks for those layers New SaaS Registry service • AWS will be responsible for ensuring that the infrastructure component of the cloud solution stack is secure • <App provider> will have the same responsibility for the application component of the solution stack • <DHB> will be responsible for user and application configuration security
  • 8. Department of Internal Affairs • The need to share outweighs the need to know… – HSIF rather than NZISM. • You operate in a complex sector… – The use cases for a cloud application must be understood. – What may be appropriate for tertiary health may not be for primary health… – Privacy considerations remain a key consideration. – Business Continuity Planning is a vital part of considering any service. • Cyber Crime. – A health record is worth 3 or 4 times the value of a standard personal record on the black market. Health considerations
  • 9. Some Centralised Security Certifications 1. DIA is taking a Lead Agency role in certifying some key Cloud Services 2. These will be risk assessed, certified and provided to agencies to allow them to do a gap analysis, perform further work as required to fit their own usage requirements, and accredit. Office 365 / Azure AD - Done AWS – Done Google GSuite – Underway Oracle - Planned Sales Force - Planned SAP HR - Planned
  • 10. Resources available on Ict.govt.nz
• Assessing the Risk: assess-the-risks-of-cloud-services
  – risk assessments
  – social license
  – jurisdictional risk
• Office Productivity Guidance: security-controls-for-cloud-services
• AoG common capabilities: aog services
• Early Adopter Case Studies: case-studies-and-benchmarking
• Cloud Centre of Excellence group: contact Chris.Buxton@statistics.govt.nz
• Coming soon: Shadow Cloud assessment guidance
• Coming soon: Public Cloud Marketplace
  • 11. Department of Internal Affairs Contact us any time at ICTAssurance@dia.govt.nz

Editor's Notes

  1. So what? Just be careful. But Government is made up of a very wide variety of agencies: large, medium and small, ranging from wide mandates with many staff and complex deliverables to small policy shops with a few dozen people. As govt inc. we are as strong as our weakest link. With the rapid onset of cloud solutions being consumed in our personal lives, we risk losing control of the data that we were able to protect through our traditional, physical firewall. Many of us are still getting used to the idea of Mobility Risk, let alone Cloud risk. Public trust in government’s ability to be a competent trustee of personal information is the only tool that allows us a degree of social license, but it’s only as good as its last failure.
  2. We get questions about what is a cloud service. One size does not fit all. Several security bloggers have commented that the risk guidance is practical and flexible enough to be usable, yet thorough enough to be effective. Common misunderstandings: aside from the Lead Agency risk assessments that we have agreed to do, DIA does not endorse cloud applications. There is no list of DIA-approved applications for Cloud. We DO have a list of applications that agencies are risk assessing or have risk assessed, so you can leverage off each other’s work, but that is only as good as the advice given to us. DIA does not require you to fill out all of the Cloud 105 questions; we require you to undertake a suitable risk assessment and understand what risks you are signing off. The Cloud 105 is a tool to help with that. DIA DOES require evidence that your CE has accepted the residual risks, and this may be via a delegated authority as defined by your agency’s risk framework.
  4. On premise, IaaS, PaaS, SaaS – the solution stacks are fundamentally the same,
  6. but current
  7. WP 4.1: Secure Use of Public Cloud Guidance. Clarification of NZISM security control requirements for off-shore hosted office productivity services (email, word processing, spreadsheets, presentations, collaboration tools such as shared workspaces, and video conferencing). Specific controls and good security practice guidance for Office 365 and Google Apps for Business & Education (with vendors). NZ Govt approved Cloud Reference Architecture and Standards: generic Cloud Services architecture principles and guidance.
  10. In today’s business world, a high percentage of business outcomes rely upon technology to deliver some aspect of critical information. It means that we cannot afford to treat the ICT department as a stand-alone unit. The Review of Publicly Accessible Systems did a good job of raising the profile of risk and security at the Executive tables, and we have seen a fairly dramatic increase in the focus and capability in agencies relating to information security, physical security and privacy. The Protective Security Requirements (including the NZ Information Security Manual) and the Privacy Maturity Assessment are two ongoing programmes that encourage agencies to walk a path of increasingly mature risk management.
  11. Another outcome from the Review of Publicly Accessible Systems is the role of keeping the lights on. While there has been a focus on implementing controls and processes, there did not appear to be the same maturity at the organisational level in ensuring that the controls are operating as designed, or that the money is being spent in the right areas. Last year the GCIO asked all of the agencies in its mandate to start to plan and formally document all of the assurance activities they conduct, linked to the business risks that threaten their outcomes.
  12. Overall we were pleased with the level of attention and result that was produced. This is not a one off exercise and we recognised that agencies were in different stages, and had different contexts to operate under.