This document discusses cloud compliance auditing. It begins with definitions of cloud computing, compliance, and auditing. It discusses how legislation and regulations create compliance requirements that businesses and auditors must adhere to. Service level agreements are important for defining compliance needs. The document then examines a customer relationship management use case and challenges of ensuring compliance for data accessibility, retention, and geo-locality in cloud environments. It presents a logical architecture for cloud compliance auditing consisting of distributed event source, processing, and storage layers to help address these challenges.
2. Agenda
- Fundamentals of Cloud, Compliance and Auditing
- Use Case: Customer Relationship Management
- Cloud Compliance Challenges
- Compliance Auditing
- Conclusions
3. Fundamentals: Cloud, Compliance and Auditing
“An undefined problem has an infinite number of solutions” (Robert A. Humphrey)
4. Fundamentals: Definitions
- Compliance: being in accordance with relevant governmental or industrial laws, regulations and standards through governance processes.
- Cloud Computing: clouds are a large pool of easily usable and accessible virtualized resources that can be dynamically reconfigured to adjust to a variable load.
- Business Web: a business model and technical framework that represents a marketplace allowing providers and consumers to negotiate the usage of products.
- Auditing: the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.
5. Fundamentals: Auditing, Legislation and Regulation
[Diagram: Government creates Legislation and a Regulator creates Regulation. Businesses have to comply with both, through Governance and Compliance. Businesses store and are responsible for Customer Data, and their IT Department uses IT to improve operations. An Auditor performs a Compliance Check and produces a Compliance Report.]
11. Use Case: Customer Relationship Management (CRM), Problem Identification
Traditional Approach: due to increasing enforcement and financial penalties, legislation requirements are seen as equally important as functional requirements.
- Application Heterogeneity: various applications perform differing tasks and integrate with CRM systems.
- Storage Redundancy: data redundancy occurs when customer data is collected, stored and processed by different systems within the same organisation.
- Resource Utilization: periodic processing causes elastic utilization.
- Power Consumption: the cost of power and consumption varies with hardware and location.
12. Cloud Compliance Challenges
“The greatest challenge to any thinker is stating the problem in a way that will allow a solution.” (Bertrand Russell)
13. Cloud Compliance Challenges: Geo-Locality
The locality of data is of key importance to adhere to legislation, but what are the implications?
- Cross-jurisdictional conflicts: difficulty in simultaneously complying with multiple laws.
- Performance and Availability: geographic placement may hinder performance.
- Disaster Recovery and Backup: legal restrictions may reduce the possibilities of providing an adequate disaster recovery solution.
14. Cloud Compliance Challenges: Data Accessibility
- Company Multi-tenancy: different companies virtually co-located on the same physical infrastructure.
- Systems Multi-tenancy: the same company co-locates different virtualized systems on the same physical infrastructure.
Who can access data? What data can be accessed? How should data be accessed?
With the advancement of web-based infrastructures it is perceived that computing resources will become the 5th utility after water, electricity, gas and telephony.
The foundational infrastructure on which my research focuses is cloud computing, which is currently the hype in distributed architectures. There is no single universal definition of an Information Systems audit, though in this context I define it as:
However, companies willing to leverage this new business model have to abide by the current state of legislation, which hampers its adoption even though the cloud offers benefits such as elasticity and rapid deployment, improving companies’ efficiencies in times of economic hardship. The risk and financial penalty associated with non-compliance is too great for businesses to ignore.
So what fundamental technologies exist that could help tackle this problem…..
Let's look at a typical government CRM setup to illustrate auditing issues for data governance when transitioning to a cloud-based environment.
Traditionally, CRM systems are deployed on premise within the government’s control and jurisdiction. The government, like enterprises, is under increasing pressure to improve return on investment (ROI) whilst maintaining both legal and regulatory compliance. It is common for organisations to have several local sites across a country and consequently multiple servers, with the IT infrastructure at each location independently managed. With systems such as CRM, integration has the following problems:
Customers consume services over the internet, therefore locality is not necessarily important to them. Infrastructure providers may choose the geographic placement of data centers based on environmental, economic or political factors such as energy. However, the physical location of data being accessed, stored, processed or transferred is of critical importance to the application of data protection legislation such as the EU Directive. Geographic locality challenges audit and compliance in the following forms:
Data access is another point of contention with respect to compliance. Consumers must consider the compliance requirements when deploying services in terms of: Who can access data? What data can be accessed? How should data be accessed?
Event sources: the data and logs returned from various logical, physical or virtual components in the system. The source may be a sensor, application, messaging framework, business process, data store or client application. Each source is authenticated, uses secure means of communication and is verified using a system similar to trusted platform computing (TPC). An ESB controls how data is routed to the event processing engine, in a standardized format.
Event processing:
- Anomalous Filtering: removes data that is not relevant to the compliance process.
- Temporal Filtering: synchronizes time and event type inconsistencies and correlates events, aggregating data.
- Compliance Filtering: event streams are compared and evaluated against business rules that have been derived from the legislation.
Event storage: this enables us to process historic queries and results from event correlation, which in future work will enable us to provide predictive analysis. Queries can be defined by the user and can be compared at run-time or on historic data.
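To make the three processing stages concrete, here is an added example (not code from the presentation or its author) of a minimal event pipeline: anomalous filtering drops irrelevant records, temporal filtering normalises mixed timestamp formats to UTC and correlates events by request, and compliance filtering evaluates the correlated groups against rules standing in for the geo-locality and data accessibility requirements from the earlier slides. The event records, source names, field names (`request_id`, `region`, `actor_role`, `dataset`) and rule identifiers (`GEO-1`, `ACC-1`) are all constructed for illustration and are assumptions, not anything the presentation specifies.

```python
"""Toy cloud compliance event pipeline (added example, not from the slides).

Stages modelled: anomalous filtering -> temporal filtering -> compliance filtering.
All events, sources and rules below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events as they might arrive from different sources, with mixed
# timestamp formats/time zones and one irrelevant monitoring heartbeat.
SAMPLE_EVENTS = [
    {"source": "crm-app", "type": "read", "ts": "2024-03-01T10:00:05+01:00",
     "request_id": "r1", "actor_role": "sales", "dataset": "customer_pii"},
    {"source": "storage", "type": "store", "ts": "2024-03-01T09:00:07Z",
     "request_id": "r1", "region": "eu-west", "dataset": "customer_pii"},
    {"source": "storage", "type": "replicate", "ts": "2024-03-01 09:00:09",
     "request_id": "r2", "region": "us-east", "dataset": "customer_pii"},
    {"source": "iam", "type": "read", "ts": "2024-03-01T09:01:00Z",
     "request_id": "r3", "actor_role": "contractor", "dataset": "customer_pii"},
    {"source": "monitor", "type": "heartbeat", "ts": "2024-03-01T09:01:30Z"},
]

# Sources that can bear on compliance (assumed for this example).
RELEVANT_SOURCES = {"crm-app", "storage", "iam"}

# Constructed rules standing in for rules derived from legislation:
# GEO-1 = customer PII must stay in allowed regions (geo-locality),
# ACC-1 = only approved roles may touch customer PII (data accessibility).
RULES = {
    "GEO-1": {"dataset": "customer_pii", "allowed_regions": {"eu-west", "eu-central"}},
    "ACC-1": {"dataset": "customer_pii", "allowed_roles": {"sales", "support"}},
}


def anomalous_filter(events):
    """Drop events that cannot bear on compliance (unknown sources, heartbeats)."""
    return [e for e in events if e.get("source") in RELEVANT_SOURCES]


def parse_ts(raw):
    """Normalise the differing timestamp formats to timezone-aware UTC datetimes."""
    raw = raw.replace(" ", "T")
    if raw.endswith("Z"):                      # 'Z' suffix is not accepted by older Pythons
        raw = raw[:-1] + "+00:00"
    dt = datetime.fromisoformat(raw)
    if dt.tzinfo is None:                      # naive timestamps are assumed to be UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def temporal_filter(events):
    """Synchronise timestamps, order events, and correlate them by request id."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    groups = defaultdict(list)
    for e in ordered:
        groups[e["request_id"]].append(dict(e, ts=parse_ts(e["ts"])))
    return dict(groups)


def compliance_filter(correlated):
    """Evaluate each correlated group against the rules and return findings."""
    findings = []
    geo, acc = RULES["GEO-1"], RULES["ACC-1"]
    for rid, events in correlated.items():
        for e in events:
            if (e.get("dataset") == geo["dataset"] and "region" in e
                    and e["region"] not in geo["allowed_regions"]):
                findings.append({"rule": "GEO-1", "request_id": rid,
                                 "ts": e["ts"], "region": e["region"]})
            if (e.get("dataset") == acc["dataset"] and "actor_role" in e
                    and e["actor_role"] not in acc["allowed_roles"]):
                findings.append({"rule": "ACC-1", "request_id": rid,
                                 "ts": e["ts"], "actor_role": e["actor_role"]})
    return findings


def run_pipeline(events=SAMPLE_EVENTS):
    """Run all three stages and return the compliance findings."""
    return compliance_filter(temporal_filter(anomalous_filter(events)))


if __name__ == "__main__":
    for finding in run_pipeline():
        print(finding)
```

On the constructed input the pipeline reports one geo-locality finding (request r2 replicated customer PII to us-east) and one access finding (request r3 read by a contractor role); the heartbeat never reaches the rule stage. Storing the normalised, correlated groups rather than only the findings is what makes the historic queries described in the note possible later.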
- Service Provider: entities who create software components / elements of code; may compose multiple service offerings to provide a new offering.
- Cloud Provider: a unique type of service provider that provides utility compute / storage resource.
- Service Consumer: the end user or company that procures the service, be it Software, Platform or Infrastructure as a Service.
- Service Aggregator: a specialised consumer who procures generic services and aggregates them with their own or others' services to form a composite service.
- Service Broker: acts as an intermediary / marketplace to expose services from service / cloud providers; in essence it acts as an advertising, directory and delivery resource for services. The service delivery is managed by the broker when services are procured at run-time.
- Service Hoster: the deployment-enabling intermediary between the service broker and infrastructure providers. The hoster allows various platform and infrastructure technologies to be exposed comparatively and matched with the technical need requested by the broker, and enables services to be discovered and accessed for different purposes.
- Service Auditor: the main implementation of the proof of concept. The SA is a third party that integrates with the current service deployment and runtime process in order to enforce compliance.
Legal and regulatory compliance issues are seen as important by businesses. Despite heavy financial and incarceration penalties, processes for auditing compliance currently focus on periodic reporting. By addressing the cloud auditing constraints, businesses can: