Amalia Steiu, CRISC, CISM, CIPM, CIPT, PMP
Carlos Chalico, CISA,CISSP, CISM, CRISC, CGEIT, PbDA, ISO27001LA
© ISACA 2016.
All Rights Reserved.
#EUROCACS
@SteiINformed
@carloschalico
Agenda
 Setting the stage
 Existing Cloud Standards
 ISACA Resources
 Our Proposed Approach to Tackle the Cloud (aka How to tackle the Giants)
 Cloud Assurance and Contract considerations
 Ready…Set…Go!
Why Giants?
Image Source: Clash of Clans
Why the Concern?
Source: Creating trust in the digital world: EY’s Global Information Security Survey 2015
Standards and Frameworks
 ITU-T X.805 (ANSIS) – 8 dimensions Security Model
 ISO/IEC 27001:2005 & 27002, PCI DSS
 ISO/IEC 27005:2011 & ITU-T X.1055
 ISO 38500, ISO 31000
 ISO 27018, ISO 27017
 ITIL, ISO 20000
 COBIT 5
 SANS 27011, ISO 27001
 SANS 24762
 ISO 10181, ITU-T X.1056
 NIST SP 800-39
 APEC, OECD, just to mention some
(More) Standards and Frameworks
(Even More) Standards and Frameworks
How to Navigate all These?
 Understand risks and formulate objectives to be achieved in line with IT Goals, Business Goals and Risk Appetite
 Have a clear understanding of laws and regulations AND obligations to comply
 Ensure risks are managed in a cost-effective manner
 Support your information security, privacy and other regulatory requirements
 Demonstrate ongoing compliance
ISO 27018
 Guidance is directed at public cloud providers acting as processors of PI
 Protection requirements: a) Legal, Regulatory and Contractual Obligations; b) Risk, taking into account the organization’s overall business strategy and objectives (ISO/IEC 29134 provides guidance on privacy impact assessment); c) Corporate Policies and possible added requirements from a)
 PI Lifecycle requirements
 Information Security:
 IS and HR policies (incl. termination), Management Responsibilities, Access/Identity Management: privileged and non-privileged access, reviews and monitoring; System and application access control; PI protection through Projects and Project Management
 Use of privileged utility programs; Application development and coding practices; Access control to program source code; Cryptography; Physical Environment Security…
ISO 27018 cont’d
 Operations Security; Documenting Standards and Procedures; Change Control; Capacity Management; Separating testing, dev and prod environments; Protection against malware; Backup; Logging and monitoring; Protection of logs; Technical vulnerability management; Information systems audit considerations; Network Security Management; Information transfer; Electronic messaging/other collaboration tools; Incident Management; Business Continuity
 Compliance; Security Audits
 Privacy Policy
 Enable the organization using the Cloud Provider to meet its Consent and Choice obligations and to give individuals access to their information for correction or removal
 Purpose limitation: processing does not exceed the scope agreed upon in the contract
ISO 27018 cont’d
 Respect the Organization’s data minimization requirements
 Use, retention and disclosure limitation
 Accuracy and quality obligations
 Obligations to cooperate with regulators
 Individual participation and involvement
 Breach Notification and Management
 Dispute management and retention of administrative policies
 PI return, transfer and disposal
 Policies for creation and retention of hard copy PI information
 Confidentiality and non-disclosure agreements
 Training and Awareness
 Retention and Protection of data restoration logs
 Protection of all storage media, at any time
 Encryption of PI transmission over networks
 Records of authorized users; Unique IDs
ISO 27018 cont’d
 Geographic location of PI
 Intended destination of PI
 NIST SP 800-53 rev4, DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Initial Public Draft), February 2012 (http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf)
 [16] NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010 (http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf)
 [17] NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011 (http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf)
Cloud Security Alliance
 CSA is the leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment
 Operates the CSA Security, Trust & Assurance Registry (STAR) program to certify cloud providers on security
 It supports the individual designation known as the Certificate of Cloud Security Knowledge (CCSK)
 Corporate and individual members
 Chapters around the world
 Constantly generates related content
 Among these, the “Security Guidance for Critical Areas of Focus in Cloud Computing 3.0” was released
Source: https://cloudsecurityalliance.org
Security Guidance
 Document recognizes that the cloud computing market is maturing
 Originally released in 2009
 Considering this, information security, privacy and related risks become relevant
 Controls are crucial
 Document focuses on delivering best practices based on comments from seventy industry experts distributed worldwide
 Progress is recognized
 Information security professionals from around the world are working to secure the future on the cloud
Document Structure
1. Cloud Computing Architectural Framework
2. Governance and Enterprise Risk Management
3. Legal Issues: Contracts and Electronic Discovery
4. Compliance and Audit Management
5. Information Management and Data Security
6. Interoperability and Portability
7. Traditional Security, Business Continuity and Disaster Recovery
8. Data Centre Operations
9. Incident Response
10. Application Security
11. Encryption and Key Management
12. Identity, Entitlement and Access Management
13. Virtualization
14. Security as a Service
Sections (I-III): Cloud Architecture; Governing in the Cloud; Operating in the Cloud
To Keep in mind
 Risk tolerance is considered to be key when thinking of going to the cloud
 Understanding the right combination of deployment and services model for the organization is crucial
 Identification of sensitive information is mandatory
 Potential exposure points should be identified
 Weaknesses in operations need to be pointed out
 The value of the assets should influence the level of concern
 This is just the beginning when considering a potential operation in the cloud
 Remember: Having a third party taking care of a portion of your processes does not make you less responsible for them
“…the security of the organization’s information and information processing facilities should not be reduced by the introduction of external party products or services…” (ISO/IEC 27002, section 6.2)
Visual Model
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
Cloud Deployment Models (aka “The Giants”)
Service Models (Extended)
Classic:
 SaaS
 PaaS
 IaaS
 DaaS
Emerging:
 DaaS
 SecaaS
 DRaaS
 IDaaS
 BDaaS
 InfoaaS
 IPaaS
 FRaaS
 HkaaS
Shall we consider for Cloud Computing the same controls as in traditional environments?
Extended Organization
Source: Ernst & Young
Cloud Controls Matrix
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
Corporate Governance
 You have heard about this concept: Processes, technology, customs, policies, laws, and institutions affecting the way the enterprise is directed, administered or controlled
 Five basic principles:
 Auditing Supply Chains
 Board and Management Structure and Process
 Corporate Responsibility and Compliance
 Financial Transparency and Information Disclosure
 Ownership Structure and Exercise of Control Rights
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
Enterprise Risk Management
Legal Concerns – Privacy, Contracts
1. Choice and consent
2. Legitimate purpose specification and use limitation
3. Personal information and sensitive information lifecycle
4. Accuracy and quality
5. Openness, transparency and notice
6. Individual participation
7. Accountability
8. Security safeguards
9. Monitoring, measuring and reporting
10. Preventing harm
11. Third party/vendor management
12. Breach management
13. Security and privacy by design
14. Free flow of information and legitimate restriction
Source: ISACA Privacy Principles and Program Management Guide
Governing the Cloud
 Compliance and Audit Management
 Information Management and Data Security
 Interoperability and Portability
GRC Value Ecosystem
Data Lifecycle
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
Operating in the Cloud
 Business continuity management
 Operations
 Responding to the unexpected
 Protecting a critical tier: The application
 Securing the SDLC
 Encryption and key management
 Identity, entitlement and access management
 Virtualization
 Security as a Service (SecaaS)
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
ISACA Resources
ISACA has created a number of “tools” to help organizations understand the Cloud:
 Vendor Management Using COBIT 5
 COBIT 5 for Risk
 Controls and Assurance in the Cloud using COBIT 5
 Privacy Principles and Program Management Guide
 Publications discussing Governance, Risk and Security matters
Our Proposed Approach to Cloud (How to tackle the Giants?)
 Treat your relationship with the cloud provider the way you would if extending your Data Center
 Add all the necessary due diligence for a Third Party
 What are you reporting on? What KPIs, KCIs etc.?
 This will drive your requirements for:
a) setting up the relationship with IT Goals in mind and using a risk-cost based approach;
b) managing the relationship;
c) the contract
Our Proposed Approach to Cloud… cont’d
Diagram: Governance of your “Total” Enterprise IT. Labels: Total Data Center; Total IT - Business Goals; RISK = Cloud Risk + Third Party Risk + IT Risk; Giants; Governance of Total Enterprise IT; Controls and Assurance (incl. Cloud)
Our Proposed Approach to Cloud… cont’d
Includes:
 Governance model, Policy, IT Strategy
 IT-Business Goals
 Stakeholder Needs Analysis (see matrix)
 GRC in the Data Center (what other obligations: PCI DSS, others?)
 Third Party risks and analysis
 Internal Standards and Controls, KCIs, KRIs
 Internal Service Delivery metrics
 Data Localization, Privacy Laws
Our Proposed Approach to Cloud… cont’d
“The CIO needs to manage the Total Enterprise IT (incl. Cloud) as a service value chain. With cloud computing, the CIO must weave together and optimize this value chain to best support various business partners, customers and enable the enterprise’s business”
Management and Governance of Enterprise IT includes:
 Manage increasing risk effectively, including security, compliance, privacy, projects and business partners (stakeholders)
 Ensure continuity of services that are now in the “extended” data center
 Clearly communicate the enterprise objectives to the internal IT organization as well as third parties (through contracts)
 Build Agility in: remain flexible and adaptable to harvest new value (enable new business processes/practices) and opportunities and reduce costs
 Facilitate continuity of IT knowledge through adaptive learning and awareness models
 Be prepared to handle a myriad of industry and country regulations and laws
 Total Data Center
Our Proposed Approach to Cloud… cont’d
GRC in the Total Data Center
Our Proposed Approach to Cloud… cont’d
Our Proposed Approach to Cloud… cont’d
 Executive Oversight = Compliance function (to provide regulatory and other compliance requirements specific to third party risk management) + IT Risk & Control function (risk level based on the nature of access/data sensitivity shared with the third parties) + Contract Governance function (adequately addressing security/privacy/other obligations)
 Vendors and contracts database
 Trust level (as a good practice, areas of assessment could be drawn from ISO 27001, COBIT, OWASP combined with specific compliance requirements (e.g. PCI DSS) as applicable)
 Validate Trust Level
 Monitor and Report
Our Proposed Approach to Cloud… cont’d
 Cloud Risk – Framework for Assessment (ISACA)
 Others: CSA Cloud Security Matrix, ENISA, NIST, ISO/IEC 9126, AICPA SOC1, AICPA SysTrust, FedRAMP, HITRUST, BITS Shared Assessment Program, Jericho Forum SAS etc.
 Top Risk Ranking offered by CSA, OWASP and ENISA
 Risk Mapping according to ISO/IEC 9126 (Information Technology – Software product evaluation – Quality characteristics and guidelines for their use) – useful for SaaS, PaaS, IaaS
 Security related risk based on COBIT 5 DS5
 4 Guiding Principles for the Cloud:
 Vision
 Visibility
 Accountability
 Sustainability
Privacy compliance
Our Proposed Approach to Cloud… cont’d
COBIT 5 for Risk
 Evolution of Risk IT (released to support COBIT 4.1)
Our Proposed Approach to Cloud… cont’d
Source: COBIT 5 for Risk; ISACA
Principles
Our Proposed Approach to Cloud… cont’d
Source: COBIT 5 for Risk; ISACA
COBIT 5 Risk Support
Our Proposed Approach to Cloud… cont’d
Source: COBIT 5 for Risk; ISACA
Defending
Our Proposed Approach to Cloud… cont’d
Source: COBIT 5 for Risk; ISACA
Understanding
Our Proposed Approach to Cloud… cont’d
Source: COBIT 5 for Risk; ISACA
Matrix axes: Service model (IaaS, PaaS, SaaS) by Deployment model (Private, Community, Hybrid, Public)
Understanding
Our Proposed Approach to Cloud… cont’d
Source: COBIT 5 for Risk; ISACA
Vendor Management Using COBIT 5
 Recognizes relevance of third parties and considers cloud
 Reinforces process APO10 “Manage Suppliers” in COBIT 5
 Focuses on IT related services
 Chapter 6 focuses on Cloud Vendor Management
 Definition:
 A vendor is a third party that supplies products or services to an enterprise. These products or services may be outsourcing, hardware, software, services, commodities, etc. Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized. This process requires dedicated effort from the enterprise and the vendor and varies based on the relationship and the scope of services and products.
Our Proposed Approach to Cloud… cont’d
Source: Vendor Management Using COBIT 5; ISACA
Risk Factors by Service Model
Our Proposed Approach to Cloud… cont’d
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Risk Factors by Deployment Model
Our Proposed Approach to Cloud… cont’d
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Satisfying Stakeholders
Our Proposed Approach to Cloud… cont’d
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Controls and Assurance in the Cloud
Cloud Assurance and Contract Considerations
Diagram: Stakeholder Needs (Stakeholder value of business investments; Managed business risk (safeguarding assets and business value); Compliance with external laws and regulations; Agile response to an ever changing business environment; Optimization of service delivery costs) → IT Goals → Client Responsibilities and Cloud Service Provider (CSP) Responsibilities
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Controls in the Cloud
Client
Governance and Enterprise Risk Management:
• Governance Framework
• Risk & Resources Optimization
• Manage Cloud Strategy
• Manage/Communicate Desired Outcomes
• Manage suppliers
• Manage Service Agreements
• Monitor Compliance
Legal and Electronic Discovery:
• Define & Communicate requirements
• Document requirements in contracts and SLAs
• Monitor Compliance
CSP
Governance and Enterprise Risk Management: n/a
Legal and Electronic Discovery:
• Meet requirements for data retention
• Meet requirements for evidence protection
• Provide data as needed for e-discovery and legal procedures
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Controls in the Cloud
Client
Compliance and Audit:
• Define & Communicate requirements
• Document requirements in Agreements, SLAs
• Identify changes in external compliance requirements
• Optimize response to external requirements
• Confirm external compliance
• Obtain assurance of external compliance requirements
• Request proof of independent reviews
Information Lifecycle Management:
• Identify assets
• Classify assets
• Define & Communicate requirements
• Monitor Compliance
CSP
Compliance and Audit:
• Establish a monitoring approach
• Set performance and conformance targets
• Collect and process performance and conformance data
• Analyze and report performance
• Ensure the implementation of corrective actions
• Monitor internal controls
• Review business process control effectiveness
• Perform control self-assessment
• Identify and report control deficiencies
• Ensure that assurance providers are independent and qualified
• Plan assurance initiatives
• Scope assurance initiatives
• Execute assurance initiatives
Information Lifecycle Management:
• Meet data management requirements
• Implement adequate processes to dispose of data and storage media/devices
• Return data to client when contract expires/severed
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Controls in the Cloud
 Portability and Interoperability
 Security, Business Continuity and Disaster Recovery
 Incident Response, Notification and Remediation
 Data Center Operations
 Application Security
 Encryption and Key Management
 Identity and Access Management
 Virtualization
 Infrastructure
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Assurance in the Cloud
Enterprise Goals → IT Goals
EG01 – Stakeholder value of business investments → ITG05, 07, 11, APO09 (Manage Service Agreements); ITG05 – Realized benefits from IT-enabled investments and services portfolio
EG03 – Managed business risk → ITG04, 10, APO10, APO12, APO13, DSS05, MEA03; ITG04 – Manage IT-related business risk
EG04 – Compliance with external laws and regulations → ITG02, ITG10, APO12, APO13, DSS05, MEA03; ITG02 – IT compliance and support with external laws and regulations; ITG10 – Security of information, processing infrastructure and applications
EG08 – Agile response to an ever changing business environment → ITG07, 09, APO10; ITG07 – Delivery of IT Services in line with business requirements
EG10 – Optimization of service delivery costs → ITG04, 11, APO10, APO12, APO13, DSS05, MEA03; ITG04 – Manage IT-related business risk
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Contract Requirements
 Access to information (logical)
 Meeting the “Access” principle in Privacy
 Data Protection = Lifecycle (extended) - Encryption
 Anonymization/Pseudo
 Right to be Forgotten/Correction
 Logs
 Security Incidents
 Privacy breaches
 Secure disposal / Retention periods monitoring
 Business Continuity & testing
 Data Quality/Integrity
 Enterprise Risk Assessment (Security, Privacy)
 Connectivity (availability)
 Regulatory Investigations to the cloud (Data)
 Disaster declaration
 Customer Notification
 Changes in Cloud Ownership
 E-Discovery
 Application Security
 Business Impact Analysis (interruptions)
 Managing Changes of contract
 New applications*
 Requirements for changes in functionality
 KRIs, KCIs, KPIs – monitoring and reporting
 Severing the relationship
 Security Technical Safeguards (virtualization, networks etc.)
 PCI DSS compliance
 Data transfer cross-borders
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Contract Requirements: Your Organizational Standards and Controls
 Identity Management
 Access Management for the cloud environment (Access Standards: User vs. Privileged)
 Retention and Destruction Standard
 PI (PII) Protection Standards
 Data Flows/Inventory
 Data Classification Policy
 DLP implications
 Data processing compliance
 IT Change Control and Configuration Management
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Contract Requirements cont’d
 Term and Termination
 Cloud staff “segregation” of duties and “need to know”
 Cloud staff background checks
 Cloud staff training
 Alignment of password requirements with internal standards
 Cloud staff Confidentiality Agreements
 Cloud Services annual certification (SOC1/2 or equivalent)
 Third party subcontracting to a vendor
 Crisis Management
 Incident Response
 Value Generation
ISO 27017, 27018, NIST
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
Cloud Assurance and Contract Considerations
Ready…Set….GO!!!
“Bringing value to the organization, enabling transformation while minimizing risk and without compromising privacy”
Diagram: Appropriate Governance (End to End GEIT); Risk to Business Objectives: IT Risk + Bus Risk + Third Party Risk (SLAs, Legal/Regulatory, Security, Privacy, etc.); Total Data Center Security (& Privacy) requirements; Controls & Assurance in the Cloud; Internal Policies, Standards etc.; Contract Requirements
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
What’s This?
Source: Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf
Resources
 https://www.cloudlock.com/wp-content/uploads/2015/07/ISO-IEC-Compliance-Guide-CloudLock.pdf
 https://www.itsc.org.sg/userfiles/files/content/Item_7_-_Wong_Onn_Chee_Presentation_Slides_Overview_of_Cloud_Security.pdf
 Volume 3, 2015 “Governance and Management of Enterprise IT (CGEIT)”, see Article “Toward a secure data center model”
 Volume 4, 2015 “Regulations and Compliance“, see Article “Vendor Risk Management Demystified”
 ISACA Volume 5, 2012 “Privacy and the Cloud”, see Article “Meeting PCI DSS when using a Cloud Service Provider”
 ISACA “Controls and Assurance in the Cloud using COBIT 5”
 ISACA “COBIT 5 for Risk”
 ISACA “Vendor Management Using COBIT 5”
 Security Guidance for Critical Areas of Focus in Cloud Computing, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
 Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf
Questions?
Amalia Steiu
CRISC, CISM, CIPM, CIPT, PMP
Privacy Solutions Advisor
Nymity Inc.
+1(416)433-6406
amalia.steiu@nymity.com
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, PbDA, ISO27001LA
Director, Strategic Alliance
Nymity Inc.
+1(647)406-7785
carlos.chalico@nymity.com

Data Security Solutions - Cyber Security & Security Intelligence - @ Lithuani...
 
Security, Compliance and Cloud - Jelecos
Security, Compliance and Cloud - JelecosSecurity, Compliance and Cloud - Jelecos
Security, Compliance and Cloud - Jelecos
 
IoT Security Awareness Training : Tonex Training
IoT Security Awareness Training : Tonex TrainingIoT Security Awareness Training : Tonex Training
IoT Security Awareness Training : Tonex Training
 
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
Web Application Hacking - The Art of Exploiting Vulnerable Web ApplicationWeb Application Hacking - The Art of Exploiting Vulnerable Web Application
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
 
ISACA Canberra 30th annivesary press release
ISACA Canberra 30th annivesary press releaseISACA Canberra 30th annivesary press release
ISACA Canberra 30th annivesary press release
 
ISACA Canberra 30th annivesary press release
ISACA Canberra 30th annivesary press releaseISACA Canberra 30th annivesary press release
ISACA Canberra 30th annivesary press release
 
Iot Security and Privacy at Scale
Iot Security and Privacy at ScaleIot Security and Privacy at Scale
Iot Security and Privacy at Scale
 
Cómo usar la tecnología para generar más Seguridad y desarrollo local
Cómo usar la tecnología para generar más Seguridad y desarrollo localCómo usar la tecnología para generar más Seguridad y desarrollo local
Cómo usar la tecnología para generar más Seguridad y desarrollo local
 
What I learned from RSAC 2019
What I learned from RSAC 2019What I learned from RSAC 2019
What I learned from RSAC 2019
 
Security transformation: Helping you manage digital risk
Security transformation: Helping you manage digital riskSecurity transformation: Helping you manage digital risk
Security transformation: Helping you manage digital risk
 
Principals of IoT security
Principals of IoT securityPrincipals of IoT security
Principals of IoT security
 
Global Cybersecurity Market (2017 - 2022)
Global Cybersecurity Market (2017 -  2022) Global Cybersecurity Market (2017 -  2022)
Global Cybersecurity Market (2017 - 2022)
 
IE_ERS_CyberAnalysisReport
IE_ERS_CyberAnalysisReportIE_ERS_CyberAnalysisReport
IE_ERS_CyberAnalysisReport
 
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills Gap
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of Things
 
Harvard GSD Exec.Ed Leading Organizations _ lecture, february 5 2014
Harvard GSD Exec.Ed Leading Organizations _ lecture, february 5 2014Harvard GSD Exec.Ed Leading Organizations _ lecture, february 5 2014
Harvard GSD Exec.Ed Leading Organizations _ lecture, february 5 2014
 
DSS ITSEC 2013 Conference 07.11.2013 - HeadTechnology - IT security trends 2014
DSS ITSEC 2013 Conference 07.11.2013  - HeadTechnology - IT security trends 2014DSS ITSEC 2013 Conference 07.11.2013  - HeadTechnology - IT security trends 2014
DSS ITSEC 2013 Conference 07.11.2013 - HeadTechnology - IT security trends 2014
 

Similar to EuroCACS 2016 There are giants in the sky

Turtles, Trust and The Future of Cybersecurity
Turtles, Trust and The Future of Cybersecurity Turtles, Trust and The Future of Cybersecurity
Turtles, Trust and The Future of Cybersecurity
Digital Transformation EXPO Event Series
 
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba EraThe Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
Luca Martelli
 
Security: Enabling the Journey to the Cloud
Security: Enabling the Journey to the CloudSecurity: Enabling the Journey to the Cloud
Security: Enabling the Journey to the Cloud
Capgemini
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
Gerardo Pardo-Castellote
 
Industrial IOT Data Connectivity Standard
Industrial IOT Data Connectivity StandardIndustrial IOT Data Connectivity Standard
Industrial IOT Data Connectivity Standard
Gerardo Pardo-Castellote
 
The Inside Story: Leveraging the IIC's Industrial Internet Security Framework
The Inside Story: Leveraging the IIC's Industrial Internet Security FrameworkThe Inside Story: Leveraging the IIC's Industrial Internet Security Framework
The Inside Story: Leveraging the IIC's Industrial Internet Security Framework
Real-Time Innovations (RTI)
 
iFluids Cybersecurity Seminar CIC Qatar 2018 Agenda
iFluids Cybersecurity Seminar  CIC Qatar 2018 AgendaiFluids Cybersecurity Seminar  CIC Qatar 2018 Agenda
iFluids Cybersecurity Seminar CIC Qatar 2018 Agenda
John Kingsley
 
Unc charlotte prezo2016
Unc charlotte prezo2016Unc charlotte prezo2016
Unc charlotte prezo2016
Sanjay R. Gupta
 
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificadaProteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Cristian Garcia G.
 
UNINFO - BIG DATA & Information Security Standards - Guasconi
UNINFO - BIG DATA & Information Security Standards - GuasconiUNINFO - BIG DATA & Information Security Standards - Guasconi
UNINFO - BIG DATA & Information Security Standards - Guasconi
BL4CKSWAN Srl
 
Embedding Security in IT Projects
Embedding Security in IT ProjectsEmbedding Security in IT Projects
Embedding Security in IT Projects
Kaali Dass PMP, PhD.
 
Itmgen 4317 security
Itmgen 4317 securityItmgen 4317 security
Itmgen 4317 security
Cisco
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
lior mazor
 
RA TechED 2019 - SS16 - Security Where and Why do I start
RA TechED 2019 - SS16 - Security Where and Why do I startRA TechED 2019 - SS16 - Security Where and Why do I start
RA TechED 2019 - SS16 - Security Where and Why do I start
Rockwell Automation
 
IoT World Forum Press Conference - 10.14.2014
IoT World Forum Press Conference - 10.14.2014IoT World Forum Press Conference - 10.14.2014
IoT World Forum Press Conference - 10.14.2014
Bessie Wang
 
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
United States Cybersecurity Institute (USCSI®)
 
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdfUNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
United States Cybersecurity Institute (USCSI®)
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
cscpconf
 

Similar to EuroCACS 2016 There are giants in the sky (20)

Turtles, Trust and The Future of Cybersecurity
Turtles, Trust and The Future of Cybersecurity Turtles, Trust and The Future of Cybersecurity
Turtles, Trust and The Future of Cybersecurity
 
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba EraThe Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
 
Security: Enabling the Journey to the Cloud
Security: Enabling the Journey to the CloudSecurity: Enabling the Journey to the Cloud
Security: Enabling the Journey to the Cloud
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
 
Industrial IOT Data Connectivity Standard
Industrial IOT Data Connectivity StandardIndustrial IOT Data Connectivity Standard
Industrial IOT Data Connectivity Standard
 
The Inside Story: Leveraging the IIC's Industrial Internet Security Framework
The Inside Story: Leveraging the IIC's Industrial Internet Security FrameworkThe Inside Story: Leveraging the IIC's Industrial Internet Security Framework
The Inside Story: Leveraging the IIC's Industrial Internet Security Framework
 
iFluids Cybersecurity Seminar CIC Qatar 2018 Agenda
iFluids Cybersecurity Seminar  CIC Qatar 2018 AgendaiFluids Cybersecurity Seminar  CIC Qatar 2018 Agenda
iFluids Cybersecurity Seminar CIC Qatar 2018 Agenda
 
Unc charlotte prezo2016
Unc charlotte prezo2016Unc charlotte prezo2016
Unc charlotte prezo2016
 
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificadaProteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
 
UNINFO - BIG DATA & Information Security Standards - Guasconi
UNINFO - BIG DATA & Information Security Standards - GuasconiUNINFO - BIG DATA & Information Security Standards - Guasconi
UNINFO - BIG DATA & Information Security Standards - Guasconi
 
Embedding Security in IT Projects
Embedding Security in IT ProjectsEmbedding Security in IT Projects
Embedding Security in IT Projects
 
Itmgen 4317 security
Itmgen 4317 securityItmgen 4317 security
Itmgen 4317 security
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
 
RA TechED 2019 - SS16 - Security Where and Why do I start
RA TechED 2019 - SS16 - Security Where and Why do I startRA TechED 2019 - SS16 - Security Where and Why do I start
RA TechED 2019 - SS16 - Security Where and Why do I start
 
IoT World Forum Press Conference - 10.14.2014
IoT World Forum Press Conference - 10.14.2014IoT World Forum Press Conference - 10.14.2014
IoT World Forum Press Conference - 10.14.2014
 
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
 
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdfUNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
 

More from Carlos Chalico

Isaca monterrey dic 2019
Isaca monterrey dic 2019Isaca monterrey dic 2019
Isaca monterrey dic 2019
Carlos Chalico
 
ISACA Monterrey - Confianza Digital Diciembre 2018
ISACA Monterrey - Confianza Digital Diciembre 2018ISACA Monterrey - Confianza Digital Diciembre 2018
ISACA Monterrey - Confianza Digital Diciembre 2018
Carlos Chalico
 
ISACA Privacidad LATAM
ISACA Privacidad LATAMISACA Privacidad LATAM
ISACA Privacidad LATAM
Carlos Chalico
 
ISACA DevOps LATAM
ISACA DevOps LATAMISACA DevOps LATAM
ISACA DevOps LATAM
Carlos Chalico
 
133 Chalico Privacidad
133 Chalico Privacidad133 Chalico Privacidad
133 Chalico Privacidad
Carlos Chalico
 
121 Chalico Internet de las Cosas
121 Chalico Internet de las Cosas121 Chalico Internet de las Cosas
121 Chalico Internet de las Cosas
Carlos Chalico
 
Asobancaria definiendo la estrategia de privacidad
Asobancaria definiendo la estrategia de privacidadAsobancaria definiendo la estrategia de privacidad
Asobancaria definiendo la estrategia de privacidad
Carlos Chalico
 
Día Internacional de Protección de Datos Personales IFAI 2015
Día Internacional de Protección de Datos Personales IFAI 2015Día Internacional de Protección de Datos Personales IFAI 2015
Día Internacional de Protección de Datos Personales IFAI 2015
Carlos Chalico
 
Latin CACS 2009 224
Latin CACS 2009 224Latin CACS 2009 224
Latin CACS 2009 224
Carlos Chalico
 
Latin CACS 2009 Carlos Chalico
Latin CACS 2009 Carlos ChalicoLatin CACS 2009 Carlos Chalico
Latin CACS 2009 Carlos Chalico
Carlos Chalico
 
Latin CACS 2007 CC CZ
Latin CACS 2007 CC CZLatin CACS 2007 CC CZ
Latin CACS 2007 CC CZ
Carlos Chalico
 
Latin cacs 2004 CC CZ
Latin cacs 2004 CC CZLatin cacs 2004 CC CZ
Latin cacs 2004 CC CZ
Carlos Chalico
 
Día Internacional de la Protección de Datos Personales 2015
Día Internacional de la Protección de Datos Personales 2015Día Internacional de la Protección de Datos Personales 2015
Día Internacional de la Protección de Datos Personales 2015
Carlos Chalico
 
IT Governance
IT GovernanceIT Governance
IT Governance
Carlos Chalico
 
InfoDF Auditoría de Sistemas
InfoDF Auditoría de SistemasInfoDF Auditoría de Sistemas
InfoDF Auditoría de Sistemas
Carlos Chalico
 
Data Lifecycle Risks Considerations and Controls
Data Lifecycle Risks Considerations and ControlsData Lifecycle Risks Considerations and Controls
Data Lifecycle Risks Considerations and Controls
Carlos Chalico
 
InfoDF Protección de Datos Personales en Redes Sociales
InfoDF Protección de Datos Personales en Redes SocialesInfoDF Protección de Datos Personales en Redes Sociales
InfoDF Protección de Datos Personales en Redes Sociales
Carlos Chalico
 
Giss 2009 Final
Giss 2009 FinalGiss 2009 Final
Giss 2009 Final
Carlos Chalico
 

More from Carlos Chalico (18)

Isaca monterrey dic 2019
Isaca monterrey dic 2019Isaca monterrey dic 2019
Isaca monterrey dic 2019
 
ISACA Monterrey - Confianza Digital Diciembre 2018
ISACA Monterrey - Confianza Digital Diciembre 2018ISACA Monterrey - Confianza Digital Diciembre 2018
ISACA Monterrey - Confianza Digital Diciembre 2018
 
ISACA Privacidad LATAM
ISACA Privacidad LATAMISACA Privacidad LATAM
ISACA Privacidad LATAM
 
ISACA DevOps LATAM
ISACA DevOps LATAMISACA DevOps LATAM
ISACA DevOps LATAM
 
133 Chalico Privacidad
133 Chalico Privacidad133 Chalico Privacidad
133 Chalico Privacidad
 
121 Chalico Internet de las Cosas
121 Chalico Internet de las Cosas121 Chalico Internet de las Cosas
121 Chalico Internet de las Cosas
 
Asobancaria definiendo la estrategia de privacidad
Asobancaria definiendo la estrategia de privacidadAsobancaria definiendo la estrategia de privacidad
Asobancaria definiendo la estrategia de privacidad
 
Día Internacional de Protección de Datos Personales IFAI 2015
Día Internacional de Protección de Datos Personales IFAI 2015Día Internacional de Protección de Datos Personales IFAI 2015
Día Internacional de Protección de Datos Personales IFAI 2015
 
Latin CACS 2009 224
Latin CACS 2009 224Latin CACS 2009 224
Latin CACS 2009 224
 
Latin CACS 2009 Carlos Chalico
Latin CACS 2009 Carlos ChalicoLatin CACS 2009 Carlos Chalico
Latin CACS 2009 Carlos Chalico
 
Latin CACS 2007 CC CZ
Latin CACS 2007 CC CZLatin CACS 2007 CC CZ
Latin CACS 2007 CC CZ
 
Latin cacs 2004 CC CZ
Latin cacs 2004 CC CZLatin cacs 2004 CC CZ
Latin cacs 2004 CC CZ
 
Día Internacional de la Protección de Datos Personales 2015
Día Internacional de la Protección de Datos Personales 2015Día Internacional de la Protección de Datos Personales 2015
Día Internacional de la Protección de Datos Personales 2015
 
IT Governance
IT GovernanceIT Governance
IT Governance
 
InfoDF Auditoría de Sistemas
InfoDF Auditoría de SistemasInfoDF Auditoría de Sistemas
InfoDF Auditoría de Sistemas
 
Data Lifecycle Risks Considerations and Controls
Data Lifecycle Risks Considerations and ControlsData Lifecycle Risks Considerations and Controls
Data Lifecycle Risks Considerations and Controls
 
InfoDF Protección de Datos Personales en Redes Sociales
InfoDF Protección de Datos Personales en Redes SocialesInfoDF Protección de Datos Personales en Redes Sociales
InfoDF Protección de Datos Personales en Redes Sociales
 
Giss 2009 Final
Giss 2009 FinalGiss 2009 Final
Giss 2009 Final
 

Recently uploaded

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 

Recently uploaded (20)

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 

EuroCACS 2016 There are giants in the sky

11. ISO 27018
 Guidance is directed at public cloud providers acting as processors of PI
 Protection requirements: a) Legal, Regulatory and Contractual Obligations; b) Risk – taking into account the organization’s overall business strategy and objectives; ISO/IEC 29134 provides guidance on privacy impact assessment; c) Corporate Policies and possible added requirements from a)
 PI Lifecycle requirements
 Information Security:
   IS, HR policies (incl. termination), Management Responsibilities, Access/Identity Management: privileged and non-privileged access, reviews and monitoring; System and application access control; PI protection through Projects and Project Management
   Use of privileged utility programs; Application development and coding practices; Access control to program source code; Cryptography; Physical Environment Security…

12. ISO 27018 cont’d
 Use of privileged utility programs; Application development and coding practices; Access control to program source code; Cryptography; Physical Environment Security;
 Operations Security; Documenting Standards and Procedures; Change Control; Capacity Management; Separating testing, dev and prod environments; Protection from malware; Backup; Logging and monitoring; Protection of logs; Technical vulnerability management; Information systems audit considerations; Network Security Management; Information transfer; Electronic messaging/other collaboration tools; Incident Management, Business Continuity;
 Compliance; Security Audits
 Privacy Policy
 Enable the organization using the Cloud Provider to meet their Consent and Choice, Access to their information for correction or removal;
 Purpose which does not exceed the agreed upon (in contract) scope for processing

13. ISO 27018 cont’d
 Respect the Organization’s data minimization requirements;
 Use, retention and disclosure limitation
 Accuracy and quality obligations
 Obligations to cooperate with regulators
 Individual participation and involvement
 Breach Notification and Management
 Dispute management and retention of administrative policies
 PI return, transfer and disposal
 Policies for creation and retention of hard copy PI information
 Confidentiality and non-disclosure agreements
 Training and Awareness
 Retention and Protection of data restoration logs
 Protection of all storage media, at any time
 Encryption of PI transmission over networks
 Records of authorized users; Unique IDs;

14. ISO 27018 cont’d
 Geographic location of PI;
 Intended destination of PI;
 NIST SP 800-53 rev4, DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Initial Public Draft), February 2012 (http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf).
 [16] NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010 (http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf).
 [17] NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011 (http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf).
15. Cloud Security Alliance
 CSA is the leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment
 Operates the CSA Security, Trust & Assurance Registry (STAR) program to certify cloud providers on security
 It supports the individual designation known as the Certificate of Cloud Security Knowledge (CCSK)
 Corporate and individual members
 Chapters around the world
 Constantly generates related content
 Among this, the “Security Guidance for Critical Areas of Focus in Cloud Computing 3.0” was released
Source: https://cloudsecurityalliance.org

16. Security Guidance
 The document recognizes that the cloud computing market is maturing
 Originally released in 2009
 Considering this, information security, privacy and related risks become relevant
 Controls are crucial
 The document focuses on delivering best practices based on comments from seventy industry experts distributed worldwide
 Progress is recognized
 Information security professionals from around the world are working to secure the future on the cloud

17. Document Structure (Sections I-III: Cloud Architecture; Governing in the Cloud; Operating in the Cloud)
  1. Cloud Computing Architectural Framework
  2. Governance and Enterprise Risk Management
  3. Legal Issues: Contracts and Electronic Discovery
  4. Compliance and Audit Management
  5. Information Management and Data Security
  6. Interoperability and Portability
  7. Traditional Security, Business Continuity and Disaster Recovery
  8. Data Centre Operations
  9. Incident Response
  10. Application Security
  11. Encryption and Key Management
  12. Identity, Entitlement and Access Management
  13. Virtualization
  14. Security as a Service

18. To Keep in mind
 Risk tolerance is considered to be key when thinking of going to the cloud
 Understanding the right combination of deployment and service models for the organization is crucial
 Identification of sensitive information is mandatory
 Potential exposure points should be identified
 Weaknesses in operations need to be pointed out
 The value of the assets should influence the level of concern
 This is just the beginning when considering a potential operation in the cloud
 Remember: Having a third party taking care of a portion of your processes does not make you less responsible for them
“…the security of the organization’s information and information processing facilities should not be reduced by the introduction of external party products or services…” ISO/IEC 27002, section 6.2
19. Visual Model
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA

20. Cloud Deployment Models (aka “The Giants”)
Service Models (Extended)
Classic:
   SaaS
   PaaS
   IaaS
   DaaS
Emerging:
   DaaS
   SecaaS
   DRaaS
   IDaaS
   BDaaS
   InfoaaS
   IPaaS
   FRaaS
   HkaaS

21. Shall we consider for Cloud Computing the same controls as in traditional environments?

22. Extended Organization
Source: Ernst & Young

23. Cloud Controls Matrix
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
24. Corporate Governance
 You have heard about this concept: Processes, technology, customs, policies, laws, and institutions affecting the way the enterprise is directed, administered or controlled
 Five basic principles:
   Auditing Supply Chains
   Board and Management Structure and Process
   Corporate Responsibility and Compliance
   Financial Transparency and Information Disclosure
   Ownership Structure and Exercise of Control Rights
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA

25. Enterprise Risk Management

26. Legal Concerns – Privacy, Contracts
  1. Choice and consent
  2. Legitimate purpose specification and use limitation
  3. Personal information and sensitive information lifecycle
  4. Accuracy and quality
  5. Openness, transparency and notice
  6. Individual participation
  7. Accountability
  8. Security safeguards
  9. Monitoring, measuring and reporting
  10. Preventing harm
  11. Third party/vendor management
  12. Breach management
  13. Security and privacy by design
  14. Free flow of information and legitimate restriction
Source: ISACA Privacy Principles and Program Management Guide

27. Governing the Cloud
 Compliance and Audit Management
 Information Management and Data Security
 Interoperability and Portability
(Figures: GRC Value Ecosystem; Data Lifecycle)
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA

28. Operating in the Cloud
 Business continuity management
 Operations
 Responding to the unexpected
 Protecting a critical tier: The application
 Securing the SDLC
 Encryption and key management
 Identity, entitlement and access management
 Virtualization
 Security as a Service (SecaaS)
Source: Security Guidance for Critical Areas of Focus in Cloud Computing 3.0; CSA
30. ISACA Resources
ISACA has created a number of “tools” to help organizations understand the Cloud:
 Vendor Management Using COBIT 5
 COBIT 5 for Risk
 Controls and Assurance in the Cloud using COBIT 5
 Privacy Principles and Program Management Guide
 Publications discussing Governance, Risk and Security matters
32. Our Proposed Approach to Cloud (How to tackle the Giants?)
 Treat your relationship with the cloud provider the way you would if extending your Data Center
 Add all the necessary due diligence for a Third Party
 What are you reporting on? What KPIs, KCIs etc.?
 This will drive your requirements for: a) setting up the relationship with IT Goals in mind and using a risk-cost based approach; b) managing the relationship; c) the contract

33. Our Proposed Approach to Cloud… cont’d
Governance of your “Total” Enterprise IT (diagram labels): Total Data Center; Total IT - Business Goals; Giants; Governance of Total Enterprise IT; Controls and Assurance (incl. Cloud)
RISK = Cloud Risk + Third Party Risk + IT Risk

34. Our Proposed Approach to Cloud… cont’d
Includes:
 Governance model, Policy, IT Strategy
 IT-Business Goals
 Stakeholders Needs Analysis (see matrix)
 GRC in the Data Center (what other obligations: PCI DSS, others?)
 Third Party risks and analysis
 Internal Standards and Controls, KCIs, KRIs
 Internal Service Delivery metrics
 Data Localization, Privacy Laws

35. Our Proposed Approach to Cloud… cont’d
“The CIO needs to manage the Total Enterprise IT (incl. Cloud) as a service value chain. With cloud computing, the CIO must weave together and optimize this value chain to best support various business partners, customers and enable the enterprise’s business”
Management and Governance of Enterprise IT includes:
 Manage increasing risk effectively, including security, compliance, privacy, projects and business partners (stakeholders)
 Ensure continuity of services that are now in the “extended” data center
 Clearly communicate the enterprise objectives to the internal IT organization as well as third parties (through contracts)
 Build Agility in: remain flexible and adaptable to harvest new value (enable new business processes/practices) and opportunities and reduce costs
 Facilitate continuity of IT knowledge through adaptive learning and awareness models
 Be prepared to handle a myriad of industry and country regulations and laws
36. Our Proposed Approach to Cloud… cont’d

37. Our Proposed Approach to Cloud… cont’d

38. Our Proposed Approach to Cloud… cont’d
 Total Data Center

39. Our Proposed Approach to Cloud… cont’d
GRC in the Total Data Center

40. Our Proposed Approach to Cloud… cont’d
 Executive Oversight = Compliance function (to provide regulatory and other compliance requirements specific to third party risk management) + IT Risk & Control Function (risk level based on the nature of access/data sensitivity shared with the third parties) + Contract Governance Function (adequately addressing security/privacy/other obligations)
 Vendors and contracts database
 Trust level (as a good practice, areas of assessment could be drawn from ISO 27001, COBIT, OWASP combined with specific compliance requirements (e.g. PCI DSS) as applicable)
 Validate Trust Level
 Monitor and Report

41. Our Proposed Approach to Cloud… cont’d
 Cloud Risk – Framework for Assessment (ISACA)
 Others: CSA Cloud Security Matrix, ENISA, NIST, ISO/IEC 9126, AICPA SOC1, AICPA SysTrust, FedRAMP, HITRUST, BITS Shared Assessment Program, Jericho Forum SAS etc.
 Top Risk Ranking offered by CSA, OWASP and ENISA
 Risk Mapping according to ISO/IEC 9126 (Information Technology – Software product evaluation – Quality characteristics and guidelines for their use) – useful for SaaS, PaaS, IaaS
 Security related risk based on COBIT 5 DS5
 4 Guiding Principles for the Cloud:
   Vision
   Visibility
   Accountability
   Sustainability
42. Our Proposed Approach to Cloud… cont’d

43. Our Proposed Approach to Cloud… cont’d

44. Our Proposed Approach to Cloud… cont’d

45. Our Proposed Approach to Cloud… cont’d

46. Our Proposed Approach to Cloud… cont’d

47. Our Proposed Approach to Cloud… cont’d

48. Our Proposed Approach to Cloud… cont’d
Privacy compliance

49. Our Proposed Approach to Cloud… cont’d
COBIT 5 for Risk
 Evolution of Risk IT (released to support COBIT 4.1)
Source: COBIT 5 for Risk; ISACA

50. Our Proposed Approach to Cloud… cont’d
Principles
Source: COBIT 5 for Risk; ISACA

51. Our Proposed Approach to Cloud… cont’d
COBIT 5 Risk Support
Source: COBIT 5 for Risk; ISACA

52. Our Proposed Approach to Cloud… cont’d
Defending
Source: COBIT 5 for Risk; ISACA

53. Our Proposed Approach to Cloud… cont’d
Understanding
Service models (IaaS, PaaS, SaaS) vs. Deployment models (Private, Community, Hybrid, Public)
Source: COBIT 5 for Risk; ISACA

54. Our Proposed Approach to Cloud… cont’d
Understanding
Source: COBIT 5 for Risk; ISACA
55. Our Proposed Approach to Cloud… cont’d
Vendor Management Using COBIT 5
 Recognizes relevance of third parties and considers cloud
 Reinforces process APO10 “Manage Suppliers” in COBIT 5
 Focuses on IT related services
 Chapter 6 focuses on Cloud Vendor Management
 Definition:
   A vendor is a third party that supplies products or services to an enterprise. These products or services may be outsourcing, hardware, software, services, commodities, etc. Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized. This process requires dedicated effort from the enterprise and the vendor and varies based on the relationship and the scope of services and products.
Source: Vendor Management Using COBIT 5; ISACA

56. Our Proposed Approach to Cloud… cont’d
Risk Factors by Service Model
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

57. Our Proposed Approach to Cloud… cont’d
Risk Factors by Deployment Model
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

58. Our Proposed Approach to Cloud… cont’d
Satisfying Stakeholders
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
60. Cloud Assurance and Contract Considerations: Controls and Assurance in the Cloud
Stakeholder Needs:
 Stakeholder value of business investments
 Managed business risk (safeguarding assets and business value)
 Compliance with external laws and regulations
 Agile response to an ever changing business environment
 Optimization of service delivery costs
(Diagram: Stakeholder Needs → IT Goals → Client Responsibilities / Cloud Service Provider (CSP) Responsibilities)
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

61. Cloud Assurance and Contract Considerations: Controls in the Cloud
Client
 Governance and Enterprise Risk Management:
  • Governance Framework
  • Risk & Resources Optimization
  • Manage Cloud Strategy
  • Manage/Communicate Desired Outcomes
  • Manage suppliers
  • Manage Service Agreements
  • Monitor Compliance
 Legal and Electronic Discovery:
  • Define & Communicate requirements
  • Document requirements in contracts and SLAs
  • Monitor Compliance
CSP
 Governance and Enterprise Risk Management: n/a
 Legal and Electronic Discovery:
  • Meet requirements for data retention
  • Meet requirements for evidence protection
  • Provide data as needed for e-discovery and legal procedures
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

62. Cloud Assurance and Contract Considerations: Controls in the Cloud
Client
 Compliance and Audit:
  • Define & Communicate requirements
  • Document requirements in Agreements, SLAs
  • Identify changes in external compliance requirements
  • Optimize response to external requirements
  • Confirm external compliance
  • Obtain assurance of external compliance requirements
  • Request proof of independent reviews
 Information Lifecycle Management:
  • Identify assets
  • Classify assets
  • Define & Communicate requirements
  • Monitor Compliance
CSP
 Compliance and Audit:
  • Establish a monitoring approach
  • Set performance and conformance targets
  • Collect and process performance and conformance data
  • Analyze and report performance
  • Ensure the implementation of corrective actions
  • Monitor internal controls
  • Review business process control effectiveness
  • Perform control self-assessment
  • Identify and report control deficiencies
  • Ensure that assurance providers are independent and qualified
  • Plan assurance initiatives
  • Scope assurance initiatives
  • Execute assurance initiatives
 Information Lifecycle Management:
  • Meet data management requirements
  • Implement adequate processes to dispose of data and storage media/devices
  • Return data to client when contract expires/is severed
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

63. Cloud Assurance and Contract Considerations: Controls in the Cloud
 Portability and Interoperability
 Security, Business Continuity and Disaster Recovery
 Incident Response, Notification and Remediation
 Data Center Operations
 Application Security
 Encryption and Key Management
 Identity and Access Management
 Virtualization
 Infrastructure
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

64. Cloud Assurance and Contract Considerations: Assurance in the Cloud
Enterprise Goals mapped to IT Goals and COBIT 5 processes:
 EG01 – Stakeholder value of business investments: ITG05, 07, 11; APO09 (Manage Service Agreements). ITG05 – Realized benefits from IT-enabled investments and services portfolio
 EG03 – Managed business risk: ITG04, 10; APO10, APO12, APO13, DSS05, MEA03. ITG04 – Manage IT-related business risk
 EG04 – Compliance with external laws and regulations: ITG02, ITG10; APO12, APO13, DSS05, MEA03. ITG02 – IT compliance and support with external laws and regulations; ITG10 – Security of information, processing infrastructure and applications
 EG08 – Agile response to an ever changing business environment: ITG07, 09; APO10. ITG07 – Delivery of IT Services in line with business requirements
 EG10 – Optimization of service delivery costs: ITG04, 11; APO10, APO12, APO13, DSS05, MEA03. ITG04 – Manage IT-related business risk
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

65. Cloud Assurance and Contract Considerations: Contract Requirements
 Access to information (logical)
 Meeting the “Access” principle in Privacy
 Data Protection = Lifecycle (extended) - Encryption
 Anonymization/Pseudo
 Right to be Forgotten/Correction
 Logs
 Security Incidents
 Privacy breaches
 Secure disposal / Retention periods monitoring
 Business Continuity & testing
 Data Quality/Integrity
 Enterprise Risk Assessment (Security, Privacy)
 Connectivity (availability)
 Regulatory Investigations to the cloud (Data)
 Disaster declaration
 Customer Notification
 Changes in Cloud Ownership
 E-Discovery
 Application Security
 Business Impact Analysis (interruptions)
 Managing Changes of contract
 New applications*
 Requirements for changes in functionality
 KRIs, KCIs, KPIs – monitoring and reporting
 Severing the relationship
 Security Technical Safeguards (virtualization, networks etc.)
 PCI DSS compliance
 Data transfer cross-borders
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

66. Cloud Assurance and Contract Considerations: Contract Requirements: Your Organizational Standards and Controls
 Identity Management
 Access Management for the cloud environment (Access Standards: User vs. Privileged)
 Retention and Destruction Standard
 PI (PII) Protection Standards
 Data Flows/Inventory
 Data Classification Policy
 DLP implications
 Data processing compliance
 IT Change Control and Configuration Management
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

67. Cloud Assurance and Contract Considerations: Contract Requirements cont’d
 Term and Termination
 Cloud staff “segregation” of duties and “need to know”
 Cloud staff background checks
 Cloud staff training
 Alignment of password requirements with internal standards
 Cloud staff Confidentiality Agreements
 Cloud Services annual certification (SOC1/2 or equivalent)
 Third party subcontracting to a vendor
 Crisis Management
 Incident Response
 Value Generation
References: ISO 27017, 27018, NIST
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA
69. Ready…Set….GO!!!
“Bringing value to the organization, enabling transformation while minimizing risk and without compromising privacy”
 Appropriate Governance (End to End GEIT)
 Risk to Business Objectives: IT Risk + Bus Risk + Third Party Risk (SLAs, Legal/Regulatory, Security, Privacy, etc.)
 Total Data Center Security (& Privacy) requirements
 Controls & Assurance in the Cloud
 Internal Policies, Standards etc.
 Contract Requirements
Source: Controls and Assurance in the Cloud Using COBIT 5; ISACA

70. What’s This?
Source: Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf

71. What’s This?
Source: Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf

72. Resources
 https://www.cloudlock.com/wp-content/uploads/2015/07/ISO-IEC-Compliance-Guide-CloudLock.pdf
 https://www.itsc.org.sg/userfiles/files/content/Item_7_-_Wong_Onn_Chee_Presentation_Slides_Overview_of_Cloud_Security.pdf
 Volume 3, 2015 “Governance and Management of Enterprise IT (CGEIT)”, see Article “Toward a secure data center model”
 Volume 4, 2015 “Regulations and Compliance“, see Article “Vendor Risk Management Demystified”
 ISACA Volume 5, 2012 “Privacy and the Cloud”, see Article “Meeting PCI DSS when using a Cloud Service Provider”
 ISACA Volume 5, 2012
 ISACA “Controls and Assurance in the Cloud using COBIT 5”
 ISACA “COBIT 5 for Risk”
 ISACA “Vendor Management Using COBIT 5”
 Security Guidance for Critical Areas of Focus in Cloud Computing https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
 Status of the Cloud Report; RightScale; 2016; http://assets.rightscale.com/uploads/pdfs/RightScale-2016-State-of-the-Cloud-Report.pdf

73. Questions?
Amalia Steiu, CRISC, CISM, CIPM, CIPT, PMP
Privacy Solutions Advisor, Nymity Inc.
+1(416)433-6406
amalia.steiu@nymity.com

Carlos Chalico, CISA, CISSP, CISM, CGEIT, CRISC, PbDA, ISO27001LA
Director, Strategic Alliance, Nymity Inc.
+1(647)406-7785
carlos.chalico@nymity.com