How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: Security, Data Back-Up, Virus Protection, Internet & Email Usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning.
Information Security assessment of companies in Germany, Austria and Switzerland, February 2015.
Every day, critical security incidents show the drastic extent of "successful" cyber attacks on organizations in terms of monetary and material loss. With the increasing use of digital technologies and the growing spread of mobile and IoT, cyber security is becoming a key factor in companies' successful digital transformation. To analyze the current challenges, trends and maturity of companies' information security, Capgemini Consulting DACH conducted a survey in Germany, Austria and Switzerland. The 2014 Information Security Benchmarking Study shows that information security is insufficiently embedded in most companies' business strategy and operations to effectively safeguard them against current cyber threats.
https://www.de.capgemini-consulting.com/resources/information-security-benchmarking
Information security focuses on protecting valuable information that will help businesses to succeed in their strategies. Confidentiality, integrity and availability are the three basic objectives of Information Security.
For more such innovative content on management studies, join WeSchool PGDM-DLP Program: http://bit.ly/ZEcPAc
Developing Metrics for Information Security Governance (digitallibrary)
Information security has become a critical issue within organizations and a key success factor for businesses. To effectively maintain the integrity and security of an organization's information infrastructure, effective security metrics and measures must be developed, implemented and monitored. Learn about enterprise security metrics and the concepts that must be considered when developing, implementing and monitoring them. Understand how to identify measurable points and activities, develop meaningful metrics and measures, and monitor them. Case studies and scenarios demonstrate the operational benefits and challenges of securing information.
Presented by Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM, at the Panel Uji Publik RPM Tata Kelola Keamanan Informasi, Indonesia Information Security Forum, 10 October 2012.
This white paper provides guidance for how to adopt an Intelligence-Driven Security strategy that delivers three essential capabilities: visibility, analysis, and action.
This Special Report from the Security for Business Innovation Council identifies four technology trends -- cloud computing, social media, big data, and mobile devices -- as game-changers for 2013 and offers concrete guidance on how security teams can meet these requirements.
Strategic Information Management Through Data Classification (Booz Allen Hamilton)
This white paper presents a comprehensive approach to information management programs. It outlines how data growth directly affects the risk posture of critical corporate information assets. In addition, it defines common problems caused by gaps in information management programs as well as consequences associated with immature methodologies.
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra... (Craig Martin)
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects and not only the technology aspects of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires understanding of risk appetite across business, information systems and technology architecture to manage security risks of vulnerabilities and compliance issues, which may arise at any layer of enterprise architecture in a business-outcome-focused way. 4) Security services are aligned to business drivers, goals and objectives, and managed in a risk-driven way.
Yet there is no single security architecture development methodology that delivers these characteristics. We believe that existing information security standards and frameworks, in combination with TOGAF, are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. The challenge, however, is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITIL v3 Security Service Management, and the ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between the IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of the long-term security needs of both business and IT, with a risk-driven enterprise as the final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations)
-> Business-opportunity-driven management of the security risk of threats, vulnerabilities and compliance issues across business, information systems and technology architecture
Christopher Getner - Integration of Information Governance With Security - Th... (ARMA International)
Security Is Essential To Information Governance:
-Don’t Let Software Vendors Drive The Discussion
-Control Is At The Core Of Governance & Security
-Cloud Adoption Is An Opportunity To Re-Baseline
-Good Governance Eases Burden On Security
Real-World DG Webinar: A Data Governance Framework for Success (DATAVERSITY)
A Data Governance Framework must include best practices, a practical set of roles & responsibilities for Data Governance built specifically for your organization, a plan for communicating with the entire organization and an action plan for applying governance in effective and measurable ways.
Join Bob Seiner for this Real-World Data Governance webinar as he discusses how to stay practical and work within the culture of your organization to develop and deliver a Data Governance Framework to meet your specifications and the business’ expectations.
This session will focus on:
Defining a Non-Invasive Operating Model of Roles & Responsibilities
Clearly Stating the Difference between Executive, Strategic, Tactical, Operational & Supporting Roles
Defining Data Stewards, Data Stewardship and How to Steward the Data
Recognizing & Identifying People into Roles Rather than Handing them to People as New Responsibilities
Leveraging the Framework to Implement a Successful Data Governance Program
Information Security between Best Practices and ISO Standards (PECB)
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr. Gohar has more than 10 years of experience in ISM/ITSM training and consultation. He is one of the expert reviewers of the CISA Review Manual, 26th edition (2016), and an ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
ISO 27004 provides guidance and describes a set of best practices for measuring the results of an ISMS in an organization. The standard specifies how to set up a measurement program, what parameters to measure, when to measure and how to measure, and helps organizations decide how to set performance targets and success criteria.
COBIT 5 IT Governance Model: an Introduction (aqel aqel)
This lecture provides quick and direct insight into information technology governance using the COBIT 5 framework. COBIT 5, the fifth edition, was released by the Information Systems Audit and Control Association (www.isaca.org) in 2012 to supersede version 4.1 (2007). It also incorporates ISACA's Val IT model, which addresses the financial perspective of IT, as well as the Risk IT framework.
The lecture was part of the ISACA Riyadh chapter's activities in April 2015, under the sponsorship of Al-Faisal University.
Enterprise Architecture and Information Security (John Macasio)
A thinking tool for asking about and describing the alignment requirements of business, information, technology and security, in order to improve and secure the management of process, data, application and infrastructure performance.
Top 10 Essentials for Building a Powerful Security Dashboard (Tripwire)
Security dashboards are a valuable tool that can give an "at a glance" picture of the overall health of your ecosystem, demonstrating leadership and achievements and providing an effective way to measure progress towards your goals. See what industry experts recommend your dashboard must have.
Read more: http://tripwire.me/1LODVJq
How to Build & Sustain a Data Governance Operating Model (DATUM LLC)
Learn how to execute a data governance strategy through creation of a successful business case and operating model.
Originally presented to an audience of 400+ at the Master Data Management & Data Governance Summit.
Visit www.datumstrategy.com for more!
Introduction to Data Governance
Seminar hosted by Embarcadero technologies, where Christopher Bradley presented a session on Data Governance.
Drivers for Data Governance & Benefits
Data Governance Framework
Organization & Structures
Roles & responsibilities
Policies & Processes
Programme & Implementation
Reporting & Assurance
Cloud Computing Security: Government Acquisition Considerations for the Cloud... (Booz Allen Hamilton)
This study provides insight into the information assurance and mission assurance challenges posed by public cloud computing environments (CCEs), and into how accounting for those risks through acquisition security measures affects public CCE options.
Security Authorization: An Approach for Community Cloud Computing Environments (Booz Allen Hamilton)
This white paper explores some of the challenges encountered when attempting to perform traditional security authorization, or certification and accreditation, processes for cloud computing environments (CCEs).
A breakdown of the top misconceptions enterprises face when assessing the security levels of cloud computing environments, and the realities behind them.
Navigating the Cloud: Trends and Technologies Shaping Security and Compliance (Urolime Technologies)
Explore the dynamic realm of cloud security and compliance with a focus on AWS Consulting Services. Stay ahead of the curve as we delve into the latest trends and technologies shaping the landscape, ensuring your organization harnesses the full potential of AWS while maintaining robust security and compliance measures.
A Comprehensive Review on Data Security and Threats for Data Management in Cl... (AJASTJournal)
The cloud is a network of linked virtual computers that offer computational capabilities continuously, according to Service Level Agreements (SLAs) agreed in a contract between the clients and the provider. Cloud computing has several benefits, including elastic computational resources, low cost, security controls, hypervisor protection, instantaneous elasticity, high throughput, and fault-tolerant solutions with increased performance. Since cloud computing is a comparatively recent computing model, there is a lot of uncertainty about how well confidentiality can be achieved at all levels, including the host, network, data and implementation levels. As a result, important obstacles to cloud computing adoption remain. These constraints include security issues concerning privacy, compliance, and legal matters. When databases and software applications are moved to large cloud data centers, data management becomes a major challenge. Numerous security issues may arise while using cloud computing, including issues with privacy and control, virtualization and accessibility, confidentiality, management of credentials and identities, authentication of responding devices, and authenticity. In this paper, an effort is made to offer a comprehensive review of data security and threats in cloud computing.
The security measures discussed in this IBM Redpapers™ publication represent best-practice implementations for cloud security. In this paper, we present guidance on cloud computing security. We examine the major security challenges for cloud providers and their clients, and we discuss concrete guidelines for the implementation of cloud security.
Cloud deployment describes the way a cloud platform is implemented, how it is hosted, and who has access to it.
All cloud computing deployments operate on the same principle: virtualizing the computing power of servers into segmented, software-driven applications that provide processing and storage capabilities.
The deployment types are:
- Public
- Private
- Hybrid
- Community
A traditional computing environment requires a costly infrastructure to offer a better service to users. The introduction of cloud computing has changed the working environment from traditional to virtual, and a growing number of IT companies are utilizing the cloud. On the one hand, the cloud attracts more consumers by offering services with minimized capital cost and a virtual infrastructure. On the other hand, there are risk and security challenges in cloud computing that keep users from moving completely towards it. The cloud environment is more vulnerable to security breaches and data theft. Moreover, insider attacks are more frequent in larger enterprises, and an unauthenticated user can cause serious damage to a company's reputation. Cloud service providers are trying to provide a secure work environment for users; however, there is a lack of global standards and policies for invoking security measures in cloud computing. This study aims to highlight and classify the security challenges and trust issues in the cloud environment.
The survey was conducted in various institutions and governmental organizations in Saudi Arabia to study the opinions of stakeholders on cloud computing security challenges and risks.
Links:
http://sites.google.com/site/ijcsis/
https://google.academia.edu/JournalofComputerScience
https://www.linkedin.com/in/ijcsis-research-publications-8b916516/
http://www.researcherid.com/rid/E-1319-2016
Similar to Information Security Governance: Government Considerations for the Cloud Computing Environment
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges (Booz Allen Hamilton)
“Hackathon” has become a trendy word in today’s business vernacular, and for good reason. The word “hackathon” comes from both “hack” and “marathon.” If you think of a “hack” as a creative solution and “marathon” as a continuous, often competitive event, you’re at the heart of what a hackathon is about. Hackathons enable creative problem solving through an innovative and often competitive structure that engages stakeholders to come up with unconventional solutions to pressing challenges. Hackathons can be used to develop new processes, products, ways of thinking, or ways of engaging stakeholders and partners, with benefits ranging from solving tough problems to broader cultural and organizational improvements.
This playbook was designed to make hackathons accessible to everyone. That means not only can all kinds of organizations benefit from hackathons, but that all kinds of employees inside those groups—executives, project managers, designers, or engineers—should participate and can benefit, too. Use this playbook as a reference and allow the best practices we outline to guide you in designing a hackathon structure that works for you and enables your organization to achieve its desired outcomes. Give yourself anywhere from six weeks to a few months to plan your hackathon, depending on the components, approach, number of participants, and desired outcomes.
Contact Director Brian MacCarthy at MacCarthy_Brian2@bah.com for more information about Booz Allen’s hackathon offering.
Booz Allen's U.S. Commercial Leader and Executive Vice President, Bill Phelps, recently released his list of 10 Cyber Priorities for Boards of Directors. As we peer into how business, technology, regulatory, and cyber threat realities are evolving in the coming year, here is a reference guide for board members to use in validating their company's cybersecurity approach.
We looked at the data. Here’s a breakdown of some key statistics about the nation’s incoming presidents’ addresses, how long they spoke, how well, and more.
Our Military Spouse Forum built a roadmap to help you navigate your career between deployments, moves, and the unpredictable. Interested in how Booz Allen can help you navigate your career? Check out our opportunities at www.boozallen.com/careers
In August 2016, Booz Allen partnered with Market Connections to conduct a survey of National Security Leaders and the General Public to understand their perspectives on the current threats. Fifteen years after the September 11 attacks, we wanted to know what keeps them up at night today, and what they will be worried about in 15 years. This infographic provides the high-level results of our survey and we will be releasing a more detailed report later in the month of September – so stay tuned. #NationalSecurity2031
Booz Allen convened some of the smartest minds to explore making healthcare more accessible. This report shares the latest healthcare payment trends and what policy experts discovered when planning for different health reform scenarios.
An interactive workshop that guides you through the many relationships that exist in an agile team, with a business value emphasis. Team members gain empathy, discover expectations of others and the importance of these agile team relationships.
An immersive environment allows students to be completely “immersed” in a self-contained simulated or artificial environment while experiencing it as real. With immersive learning, you can show realistic visual and training environments to teach complex tasks and concepts.
Nuclear Promise: Reducing Cost While Improving Performance (Booz Allen Hamilton)
To remain competitive, nuclear operators must take aim at all addressable costs, ensuring maintenance is optimized, taking proactive steps to minimize unplanned outages and, where possible, reducing administrative and other overhead costs. There are multiple opportunities to reduce capital and operational spending, while improving safety and reliability.
General Motors and Lyft; Target and Walmart; Netflix and Amazon: we call these "frenemies". A strange trend is emerging as unlikely partner companies join forces, and they are transforming industries around the world. Understanding what is driving the frenemies trend, knowing which options best fit your needs, and making yourself an effective partner are all critical to success.
Threats to industrial control systems are on the rise. This briefing explores potential threats and vulnerabilities as well as what organizations can do to guard against them.
Booz Allen Hamilton and Market Connections: C4ISR Survey Report (Booz Allen Hamilton)
Booz Allen Hamilton partnered with government market research firm Market Connections, Inc. to conduct the survey of military decision-makers. The research examined the main features of Integrated C4ISR through Enterprise Integration: engineering, operations and acquisition. Two-thirds of respondents (65 percent) agree agile incremental delivery of modular systems with integrated capabilities can enable rapid insertion of new technologies.
Modern C4ISR Integrates, Innovates and Secures Military Networks (Booz Allen Hamilton)
A majority of the military believe Integrated C4ISR through Enterprise Integration would provide utility to their organization. Check out other key findings from our study in this infographic http://bit.ly/1OZOjG2
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S... (Booz Allen Hamilton)
Integrated C4ISR is a force multiplier that significantly improves situational awareness and decision making to give warfighters a decisive battlefield advantage. This advantage stems from Booz Allen Hamilton’s Enterprise Integration approach http://bit.ly/25nDBRg: bringing together three disciplines and their communities—engineering, operations, and acquisition.
Booz Allen Hamilton created the Field Guide to Data Science to help organizations and missions understand how to make use of data as a resource. The Second Edition of the Field Guide, updated with new features and content, delivers our latest insights in a fast-changing field. http://bit.ly/1O78U42
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to part 4 of the UiPath Test Automation using UiPath Test Suite series. In this session, we will cover a Test Manager overview along with the SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Information Security Governance: Government Considerations for the Cloud Computing Environment
by
Jamie Miller, miller_jamie@bah.com
Larry Candler, candler_larry@bah.com
Hannah Wald, wald_hannah@bah.com
Table of Contents
Introduction
Public Clouds
Private Clouds
Community Clouds
Hybrid Clouds
Information Security Management and Governance Framework
Architecting and Establishing the Information Security Program (PLAN)
Representative CCE-Related Artifacts of the Plan Phase
Implementing and Operating the Information Security Program (DO)
Monitoring and Measuring the Information Security Program (CHECK)
Managing and Improving the Information Security Program (ACT)
Representative CCE-Related Artifacts of the Check and Act Phases
Summary and Conclusions
Glossary of Acronyms
Glossary of Terms
About Booz Allen
Principal Offices
Introduction
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”1

Moving information assets to a cloud computing environment (CCE) offers the cloud user the potential for reduced costs, on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service. CCEs are offered in a variety of deployment and service models, as this paper describes, each with its own characteristics for cost/benefit, efficiency, flexibility, risk, and cloud consumer control. Although the potential cost savings and flexibility advantages of operating in the cloud are compelling, cloud users need to understand the security risks, compliance complications, and potential legal issues inherent in the CCE. Federal agencies desiring to take advantage of cloud computing benefits will need to invest in proactive and strategic management of the new environment. To do so, they must implement or modify information security management systems and governance programs to mitigate security risks and comply with their legal, regulatory, and contractual security requirements.

As with the adoption of other new technologies and service offerings, transition to the CCE will likely be evolutionary, not revolutionary. Many organizations, particularly federal agencies, will migrate some capabilities to the cloud while maintaining existing computing environments for other capabilities, thus operating in a hybrid mode for the foreseeable future.2 The goal of this paper is to present an information security governance framework and key considerations relevant to that framework to help inform agency leaders, information security professionals, and information security governance participants on how to take advantage of the benefits of the CCE without exposing their mission to excessive information security risk or potential legal and regulatory compliance failures.

Information security governance is the mechanism through which organizations can ensure effective management of information security. Booz Allen Hamilton developed the information security management and governance framework presented in this paper. We have also customized it for—and implemented it in—several government and commercial client environments. The focus of this paper is the adaptation of our information security governance model for federal government entities planning to become users of cloud computing services. Potential cloud service providers to the Government will require a somewhat different adaptation of the information security management and governance framework, but this will be the topic of a separate white paper.

Outcomes of Effective Information Security Governance in a CCE
• Strategic Alignment—Information security practices aligned with the agency’s enterprise strategy and agreed-upon risk profile
• Value Delivery—A standard set of information to effectively manage and monitor cloud provider security controls
• Risk Management—An understanding of accepted risk exposure
• Performance Measurement—A measurement process with feedback on progress made

1 Please see http://csrc.nist.gov/groups/SNS/cloud-computing/index.html.
2 Cloud Computing User Transition Framework (C3F), Booz Allen Hamilton, 2009.

Before we present our proposed information security governance framework, it is first necessary to review the challenges and risks associated with each of the four existing cloud computing deployment models. To that effect, we offer a high-level description of each deployment model, including graphical depictions.

Public Clouds
The most common type of CCE is the public cloud. In this construct, the cloud infrastructure is owned and operated by an organization that provides services to multiple enterprises and individuals on a utility basis (consumers are often referred to as “tenants”) (see Exhibit 1). Public clouds present the highest security risk to federal agency cloud consumers because of the lack of direct control over information security control implementation and monitoring, global multi-tenancy with other users, virtualization and data location management, limited service-level agreement (SLA) flexibility, contractual liability limitations, and the lack of common legal and regulatory environments between cloud providers and cloud consumers.3 Lack of visibility compounds these issues and prevents cloud consumers from effectively measuring or demonstrating compliance with any kind of security requirements. In the future, providers of public services will probably adapt their offerings and increase the flexibility of SLAs and contracts to better accommodate the unique legal, regulatory, and contractual information security compliance requirements of the federal government environment. Some positive signs of movement in this direction are beginning to appear in the market, as evidenced by Amazon’s recent introduction of optional “virtual private cloud” services that combine the outsourcing advantages of public clouds with increased customer visibility, control, and service tailoring. Organizations should limit public cloud deployment to public information and systems with acceptable risk profiles and no legal or regulatory security requirements until service providers adapt to meet the user community’s security, compliance, and liability needs.4

Exhibit 1 | Public Cloud Illustration (figure: many organizations connect over the Internet and a core network to public clouds, e.g., Google, Microsoft, Amazon). Source: Booz Allen Hamilton

3 This specific issue is addressed in depth by the Booz Allen Cloud Computing White Paper, June 2, 2008, and Booz Allen’s Cloud Computing Basics: Cloud Computing 101 (White Paper).
4 Cloud Computing Security Report, Security Considerations for Public Cloud Service Acquisition, Booz Allen Hamilton, August 2009.

Private Clouds
In sharp contrast to the public cloud is the private CCE. In the private cloud, the cloud infrastructure is owned/leased and operated by a single organization solely for the user community of that organization (see Exhibit 2). An example in the Federal Government is an agency-wide cloud that offers services to all entities within that agency. Cost efficiencies and economies of scale are likely to be more limited in private clouds than public clouds, but information security risk and governance issues are minimized largely because of the shared mission goals and legal/regulatory security requirements between the cloud service provider and the cloud consumers.

Exhibit 2 | Private Cloud Illustration (figure: the organization’s private network connects through its core network to a private cloud, with the Internet outside that boundary). Source: Booz Allen Hamilton

Community Clouds
In a community CCE, multiple tenant organizations with many common characteristics (e.g., mission goals, legal and regulatory security requirements, compliance considerations) share the cloud infrastructure, thus forming a “community” (see Exhibit 3). The cloud owner may be a member of the community or an independent service provider with experience in the community and knowledge of the specific user community’s characteristics. Two examples in the Federal Government are the Defense Information Systems Agency (DISA) Rapid Access Computing Environment (RACE) and the National Aeronautics and Space Administration’s (NASA) Nebula (both are still in the early stages of development). Community clouds represent a lower information security risk profile than a public cloud environment and fewer legal and regulatory compliance issues, but they carry certain risks associated with multi-tenancy.

Exhibit 3 | Community Cloud Illustration (figure: the private networks of Organization #1 and Organization #2 share a community cloud reached over the Internet). Source: Booz Allen Hamilton
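The following Python is an added example, not part of the paper and not Booz Allen tooling. It turns the placement guidance above (public clouds only for public information on systems with an accepted risk profile and no legal or regulatory security requirements; private and community clouds carrying lower risk) into a check an agency’s centralized security function could run over its system inventory before approving a migration. System categorization follows the FIPS 199 high-water-mark rule. The per-model impact ceilings, the sample inventory, and the rule that a hybrid placement is acceptable only when every component model is acceptable on its own are assumptions made for this example; the hybrid rule mirrors the paper’s statement, in the Hybrid Clouds section, that a hybrid inherits the risks of the models it combines.

```python
"""Placement gate: which CCE deployment models may host a given system.

Added illustration, not Booz Allen code. Categorization follows the FIPS 199
high-water-mark rule; the per-model ceilings, the hybrid rule and the sample
inventory are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# FIPS 199 impact levels in increasing order.
IMPACT = {"low": 1, "moderate": 2, "high": 3}

# Assumed ceilings derived from the paper's ordering (private and community
# lowest risk, public highest): the highest overall impact each model may host.
MODEL_CEILING = {"private": "high", "community": "moderate", "public": "low"}


@dataclass(frozen=True)
class InfoType:
    """One information type with its confidentiality/integrity/availability impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass(frozen=True)
class SystemProfile:
    name: str
    info_types: Tuple[InfoType, ...]
    public_information: bool   # everything the system holds is releasable
    regulated: bool            # legal or regulatory security requirements apply
    risk_accepted: bool        # the agency has accepted the system's risk profile


def categorize(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """FIPS 199 system categorization: per-objective high-water mark over all information types."""
    levels = {"confidentiality": "low", "integrity": "low", "availability": "low"}
    for it in info_types:
        for objective in levels:
            candidate = getattr(it, objective)
            if IMPACT[candidate] > IMPACT[levels[objective]]:
                levels[objective] = candidate
    return levels


def overall_impact(levels: Dict[str, str]) -> str:
    """Overall system impact is the highest of the three objectives."""
    return max(levels.values(), key=IMPACT.__getitem__)


def check_model(system: SystemProfile, model: str) -> List[str]:
    """Reasons a single (non-hybrid) model is NOT allowed; an empty list means allowed."""
    reasons: List[str] = []
    if model not in MODEL_CEILING:
        return [f"{model}: unknown deployment model"]
    impact = overall_impact(categorize(system.info_types))
    if IMPACT[impact] > IMPACT[MODEL_CEILING[model]]:
        reasons.append(f"{model}: overall impact '{impact}' exceeds ceiling '{MODEL_CEILING[model]}'")
    if model == "public":
        # Paper: public clouds only for public information, acceptable risk
        # profiles, and no legal or regulatory security requirements.
        if not system.public_information:
            reasons.append("public: system holds non-public information")
        if system.regulated:
            reasons.append("public: legal/regulatory security requirements apply")
        if not system.risk_accepted:
            reasons.append("public: risk profile has not been accepted")
    return reasons


def check_placement(system: SystemProfile, models: List[str]) -> Tuple[bool, List[str]]:
    """Gate a placement. A single model is a one-element list; a hybrid lists every
    component model and, because it inherits the risks of each component (assumed
    rule), is allowed only when every component is allowed on its own."""
    reasons: List[str] = []
    for model in dict.fromkeys(models):   # de-duplicate, keep order
        reasons.extend(check_model(system, model))
    return (not reasons), reasons


# Constructed sample inventory (not from the paper).
SAMPLE_SYSTEMS = (
    SystemProfile("public-web", (InfoType("press releases", "low", "low", "low"),),
                  public_information=True, regulated=False, risk_accepted=True),
    SystemProfile("benefits-case-mgmt",
                  (InfoType("citizen PII", "moderate", "moderate", "low"),
                   InfoType("case records", "low", "moderate", "moderate")),
                  public_information=False, regulated=True, risk_accepted=True),
    SystemProfile("ops-command",
                  (InfoType("operational orders", "high", "high", "moderate"),),
                  public_information=False, regulated=True, risk_accepted=True),
)

PROPOSED = [["public"], ["community"], ["private"], ["private", "public"], ["private", "community"]]


def placement_report(systems=SAMPLE_SYSTEMS, proposals=PROPOSED) -> Dict[str, Dict[str, bool]]:
    """Allow/deny matrix: system name -> '+'.join(models) -> allowed."""
    return {s.name: {"+".join(p): check_placement(s, p)[0] for p in proposals} for s in systems}


if __name__ == "__main__":
    for system in SAMPLE_SYSTEMS:
        print(f"{system.name}: categorization {categorize(system.info_types)}")
        for proposal in PROPOSED:
            allowed, why = check_placement(system, proposal)
            print(f"  {'+'.join(proposal):18} {'ALLOW' if allowed else 'DENY'}  {'; '.join(why)}")
```

The check returns every reason a placement fails rather than the first, so the output doubles as the evidence the strategy and planning process needs when it records which cloud services are allowed by system categorization.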
Hybrid Clouds
Hybrid CCEs represent a combination of two or more cloud deployment models (e.g., two public clouds, one public and one community cloud) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability throughout the hybrid environment (see Exhibit 4). As a result, hybrid clouds present a combination of the information security risks and governance challenges inherent in the deployment models they combine. A combination of private and community clouds represents the lowest risk; a combination of multiple public cloud environments presents the greatest information security risks and challenges to legal and regulatory compliance.

Each CCE presents a different profile of benefits and risks that organizations should carefully consider before cloud adoption. Organizations should use a suitable framework that helps them address risks and ensures their requirements are met. Although the information security management and governance model we describe in the next section can be adapted to any of the cloud computing deployment models, we focus our discussion primarily on information security governance within the community cloud environment because we believe the community CCE is the most likely near-term adoption and migration strategy for federal government agencies.

Exhibit 4 | Hybrid Cloud Illustration (figure: the organization’s private network and core network host a private cloud, with “spill over” capacity as needed to a public or community cloud across the Internet). Source: Booz Allen Hamilton

Information Security Management and Governance Framework
Booz Allen developed the information security management and governance framework and has customized and deployed it in a variety of client environments. This framework is a system of management and functional processes implemented in a standard quality management (or Plan, Do, Check, Act) cycle of continuous improvement. The framework is based on evolving international standards5 and planned evolution of the National Institute of Standards and Technology (NIST) Risk Management Framework.6 Seven management processes—strategy and planning, policy portfolio management, risk management, awareness and training, communication and outreach, compliance and performance management, and management oversight—comprise this framework and support the functional processes of the Do phase (see Exhibit 5).

Although the purpose of each of the seven framework processes will not change when applied to a CCE, many of the process considerations and required actions will need to be modified to effectively plan, manage, and govern information security in a CCE. In all cases, it will be necessary to clarify specific roles, responsibilities, and accountability for each major process step. Some steps may be points for negotiation with prospective cloud service providers for inclusion in SLAs and contracts.

5 ISO/IEC 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements.
6 NIST SP 800-39 Managing Risk from Information Systems.

Exhibit 5 | Information Security Governance Framework
Architect and Establish (Plan), management processes: Strategy and Planning; Policy Portfolio Management; Risk Management
Implement and Operate (Do), functional processes: Asset Management; Human Resources Security; Physical and Environmental Security; Comms and Operations Management; Identity and Access Management; Information Systems Acquisition; Incident Management; Business Continuity Management
Monitor and Review (Check, Act), management processes: Communications and Outreach; Compliance and Performance Management; Awareness and Training; Management Oversight
Source: Booz Allen Hamilton

Our assumption in the following discussion is that management and governance processes are primarily the responsibility of a centralized information security function (such as the office of the Chief Information Security Officer [CISO]) for an agency or large government entity, with considerable participation by information technology management (such as the office of the Chief Information Officer [CIO]). This centralized security and technology group would perform the cloud provider acquisition function and manage the service provider relationship over the duration of the agreement. This group would also provide the information, policy, and guidelines necessary for users to follow when implementing cloud computing-based services.

Architecting and Establishing the Information Security Program (PLAN)
Designing and planning for an effective information security governance structure occurs through three major management processes: strategy and planning, policy portfolio management, and risk management. These processes comprise the Plan phase of the continual improvement process.

Strategy and Planning Process
Strategy and planning are essential to an effective information security management and governance program. The primary purposes of the strategy and planning process are to—
• Establish information security program direction and guide activities
• Ensure alignment of the information security program with mission goals and objectives
• Define the information security program vision, goals, requirements, and scope
9. • Ensure consistency with the enterprise information Policy Portfolio Management Process
security architecture
Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act)
• Proactively plan activities to achieve goals and Management Processes Functional Processes Management Processes
meet requirements Strategy and
Planning Asset
Management
Human
Resources
Security
Communications
and Outreach
Physical and Comms and
• Determine the operating model to enable enterprise program efficiency.
The process is performed in collaboration with the risk management and policy portfolio management processes to ensure plans effectively communicate management intent, clearly define roles and responsibilities, sufficiently identify and address information security risks, and provide management clear choices for resource allocation and optimization.
The activities of the strategy and planning process will not change significantly to accommodate the use of cloud computing services, but additional knowledge and understanding of the information security risks and issues related to compliance and performance management in varying cloud computing deployment and service models will be required. The major impact of the CCE on the strategy and planning process will be the development of CCE-based cost/benefit analyses that include the cost of effective governance to manage risk and ensure legal, regulatory, and contractual compliance. In conjunction with the risk management process, the strategy and planning process will define information security implementations that are allowable for each cloud computing service model (refer to the Risk Management Process section) based on the relative risk rating of the information and systems migrating to the cloud (e.g., cloud services allowed by system categorization). In addition, the process will clarify roles, responsibilities, and accountability for baseline information security capabilities in each environment allowed. The planning process will also determine the cloud service provider contractual requirements and negotiations and will include the long-term management of the provider relationship.
Figure: Information security governance framework. Architect and Establish (Plan), management processes: Strategy and Planning, Policy Portfolio Management, Risk Management. Implement and Operate (Do), functional processes: Asset Management, Human Resources Security, Physical and Environmental Security, Comms and Operations Management, Identity and Access Management, Information Systems Acquisition, Incident Management, Business Continuity Management. Monitor and Review (Check, Act), management processes: Communications and Outreach, Compliance and Performance Management, Awareness and Training, Management Oversight.
The major purposes of the security policy portfolio management process are to—
• Define and communicate management expectations of information security
• Translate goals and requirements into actionable mandates
• Establish clearly defined roles and responsibilities for information security
• Inform compliance measurement
• Facilitate efficient and consistent implementations with supporting standards, guidelines, and procedures.
These purposes will not materially change when applied to a CCE. However, the policy portfolio will require additional policies, guidelines, standards, and procedures to effectively communicate and govern information security in a CCE. An overall policy on rules governing agency acquisition and use of cloud computing services will be needed to communicate agency leadership intentions for the safe use of cloud computing, as well as the authorization process required to initiate such use. Agencies will also need to document guidelines for the appropriate evaluation and acquisition of cloud computing service providers, along with environments that meet information and system risk and compliance requirements. Also, the policy portfolio management process (in coordination with the strategy and planning and risk management processes [Plan phase] and with the approval and authority of the management oversight process [Act
phase]) will need to provide guidance on the minimum information security and compliance management requirements to be included in SLAs and contracts with prospective cloud service providers.
A review of all agency security policies must occur to determine the changes required to ensure effective governance in a cloud environment. Each policy should be tailored to reflect the unique cloud deployment model and account for the information and information systems authorized for cloud migration. Additional policy and supporting guidance, standards, and procedures will be necessary to effectively manage the functional control processes when operating in a CCE (e.g., configuration and change management guidelines, incident management, chain of evidence and e-discovery, mission continuity of cloud services, the monitoring and reporting of cloud service compliance, system and data life-cycle assurance, and compliance testing and assurance of cloud-based services). Guidelines may also be developed to specify mandatory and recommended tools for use in the monitoring and evaluation of cloud service compliance and performance (e.g., certification and accreditation [C&A] tools, technical compliance tools such as Layer7). Policy decisions regarding each of the functional control processes must account for the level of control each organization is willing to transfer to the cloud provider while ensuring the goals and requirements of the information security program are met.
Risk Management Process
Figure: Information security governance framework diagram (Plan, Do, Check, and Act management and functional processes).
The risk management process will require modification and significant additional variable considerations to securely migrate agency services to a CCE. The primary purposes of the risk management process include—
• Enable information asset-based protection and mitigation planning
• Enhance the organization’s ability to select and apply protection based on the specific risks and threats affecting an asset
• Ensure consistent information security risk assessment methodologies are used throughout the organization
• Enable better optimization of security expenditures, resources, and activities
• Inform security priorities and planning
• Provide the basis for measuring information security program efficiency and effectiveness.
Risk management methodologies will require modification to effectively consider, treat, or accept the risks inherent in migrating agency information and systems to a CCE. For practical reasons, we limit our discussion to the use of private, community, or a hybrid of both CCEs as the most likely evolution of federal agency CCE transition. As noted earlier, until the providers of public cloud services make significant changes to their current offerings and SLAs, the use of those services by the Federal Government will need to be limited to public information and systems with minimal risk and no legal or regulatory security requirements.
Limiting our discussion to the use of private, community, or combined hybrid cloud services will still require the consideration and inclusion of additional risk factors related to the relative degrees of agency control over the service models adopted. The risk methodology will also need to determine risk mitigations and the residual risks of each service model for the hierarchy of risk profiles associated with agency information assets and systems. For example, agencies will need to modify their current risk calculations that focus on system categorization, privacy, and regulation to appropriately assess changes to the risks of these systems when migrating to a CCE utilizing one or more of the three cloud service models.
Exhibit 6 summarizes the models and their relative risk. These example risk ratings may be modified to fit with agency-specific risk assessment methodologies, but in general they are consistent with the degree of direct agency control represented by each service model. Each cloud service model can be assessed as an information service asset with unique risk ratings and resultant control selection for risk mitigation (e.g., contract terms, SLA content, compliance, monitoring tools).
The relative risk ratings increase as the cloud consumer moves from IaaS to PaaS and finally to SaaS. The service models build on one another, resulting in cumulative risk as the cloud provider assumes more direct control (i.e., PaaS builds on IaaS, and SaaS builds on both IaaS and PaaS, resulting in an increasing assumption of control by the cloud provider and therefore greater security risk to the cloud consumer).
New risk analysis methodologies should be closely monitored during the compliance and performance management process (Check phase) and modified as necessary to reduce overall information security risk over time. In all cases, the modified risk analysis methodologies and resulting risk rankings must be reviewed during the management oversight process (Act phase) to ensure management participation, risk awareness, review, and acceptance of both risk treatment options and resultant residual risks.
Exhibit 6 | Service Model Risk Characteristics
Service Model: Infrastructure as a Service (IaaS)
Risk Characteristics: The capability provided to the cloud consumer is to rent processing, storage, networks, and other fundamental computing resources and to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
Relative Additional Risk: Medium
Service Model: Platform as a Service (PaaS)
Risk Characteristics: The capability provided to the consumer is to deploy consumer-created applications onto the cloud infrastructure using programming languages and tools supported by the provider (e.g., Java, Python, .Net). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.
Relative Additional Risk: High
Service Model: Software as a Service (SaaS)
Risk Characteristics: The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure and accessible from various client devices through a thin client interface, such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Relative Additional Risk: Very High
Source: Booz Allen Hamilton
Representative CCE-Related Artifacts of the Plan Phase
The three management processes of the information security governance framework’s Plan phase will produce several documents to inform and guide users in the effective and appropriate use of cloud computing services. Some specific examples are included in each process description, but Exhibit 7 summarizes artifacts that are typical outputs of the governance model and that will likely have specific references to operating in a CCE. In some cases, the cloud provider may be partially or completely responsible for these artifacts, depending on the final agreements between the cloud consumer and the cloud provider.
Exhibit 7 | Plan Phase Artifacts
(Each entry lists the Example Artifact followed by its Contract/SLA Implications.)
Management Process: Strategy & Planning
• Security Strategic Plan – Goal Performance
• Consolidated Security Requirements – Requirements Compliance
• Organization Model Modifications – Relationship Management
• Roles & Responsibilities Charts – Consumer/Provider
• CCE Implementation Plans – None
• Budget & Resource Requirements – None
Management Process: Policy Portfolio Management
• CCE Contract & SLA – Terms & Conditions
• CCE Security Policy – Terms & Conditions
• CCE Acquisition Policy – Terms & Conditions
• CCE Authorization Procedure – None
• CCE Standards/Guidelines – None
• CCE Monitoring/Compliance Tools – Terms & Conditions
• CCE Configuration Guidelines – Technical Compliance
• CCE-Specific Processes – Terms & Conditions
Management Process: Risk Management
• Risk Management Procedure – None
• Risk Methodology Modifications – None
• Service Model Risks – None
• Risk Assessment Reports – None
• CCE Controls & Risk Treatments – Terms/Responsibilities
• Systems/Assets Allowed in CCE – None
Source: Booz Allen Hamilton
Implementing and Operating the Information Security Program (DO)
Figure: Information security governance framework diagram (Plan, Do, Check, and Act management and functional processes).
Because this paper focuses on information security governance, we will not discuss in detail the functional processes that constitute the Do phase of the Plan, Do, Check, Act cycle. The implementation and operation of information security controls contained in each of the functional process areas will vary significantly depending on CCE deployment and the service models employed. However, other Booz Allen papers address the implementation and operation of information security functional processes and controls, and this topic is not essential to discussions related to the effective management and governance of information security in a cloud environment.
Monitoring and Measuring the Information Security Program (CHECK)
Three management processes are included in the Check phase of the information security management and governance framework: awareness and training, communication and outreach, and compliance and performance management. Of these three, the compliance and performance management process represents the area with the most significant issues for consideration when migrating services to a CCE.
Awareness and Training and Communication and Outreach Processes
Figure: Information security governance framework diagram (Plan, Do, Check, and Act management and functional processes).
The major purposes of these management processes are complementary and similar. The purposes include—
• Consistently communicate the importance of information security throughout the organization
• Educate staff on required actions related to changes in regulatory, legislative, and other mandates
• Broaden and deepen the security awareness of the organization
• Enhance compliance through better understanding and knowledge
• Clarify roles and responsibilities
• Drive the ongoing competency of information security staff.
Execution of these important management processes will not vary as a result of the introduction of a CCE. However, the processes will need to include formal awareness, training, communication, and outreach to inform all relevant agency users of the new policies, guidelines, standards, procedures, risks, and compliance issues related to the migration of information services to a CCE.
Compliance and Performance Management Process
Figure: Information security governance framework diagram (Plan, Do, Check, and Act management and functional processes).
Compliance and performance management is the key process in the Check phase of the framework. The primary purposes of the process include—
• Create regular measurement and reporting of progress and issues
• Inform and prioritize program improvements
• Record progress toward achieving strategic goals and compliance with requirements
• Drive continuous improvement of the information security program
• Minimize potential for recurrence of systemic issues
• Optimize consistency and efficiency of security implementations
• Inform modifications to risk analyses and risk mitigations
• Measure and report on compliance with legal, regulatory, and contractual requirements; internal policies; and technical guidelines and standards.
The purposes of the compliance and performance management process remain unchanged in a CCE, but the execution of the process will require significant modification to effectively monitor and measure compliance and performance in the cloud. Focusing again on agency use of private clouds, community clouds, or hybrid combinations will lead to enhanced information security compliance and performance in a public cloud environment.
Compliance includes legal, regulatory, and contractual security compliance; compliance with internal policies, guidelines, standards, and procedures; and technical compliance checking. All compliance and performance checking is dependent on a comprehensive measurement and management reporting system covering each area of compliance, as well as the information security program’s effectiveness in meeting goals, objectives, and requirements. Compliance and performance measurement and reporting will require detailed specification in the SLAs and contracts with the cloud service provider covering each service model allowed in the agreements.
In the case of private or community cloud service providers, there will be a greater level of trust, understanding, and flexibility in the agreement negotiations because of the shared mission goals and common legal and regulatory compliance requirements between the cloud provider and the cloud consumer. Based on the cloud service risk profiles; strategic planning of the cloud service; and CCE-specific policies, guidelines, standards, and procedures defined in the Plan phase, federal agency cloud consumers can determine their minimum information security requirements and controls for each level of cloud service and drive the SLA and contract negotiations to a satisfactory agreement. SLAs and contracts must minimize security risks; enable effective monitoring and measuring of all legal, regulatory, and contractual security requirements (by either the service provider or the cloud consumer); and clearly define accountability for legal liability related to an information security breach in the cloud.
Measurement and monitoring reports should be presented in periodic management reviews of the overall information security program to the information security governance body, along with recommendations for corrective and preventive actions.
Managing and Improving the Information Security Program (ACT)
Participation by management representing all agency stakeholder organizations is essential to the effective management and oversight of any information security management system. The process and the governance bodies that execute it form the governance program and represent the Act phase of the continuous improvement model.
Management Oversight Process
An information security governance body conducts the functions of the management oversight process. This body consists of senior leadership and representatives from each functional area of the organization to—
• Ensure ongoing management involvement in program direction and priorities
• Establish enterprise information security governance
• Ensure the information security program supports mission goals and objectives
• Reinforce the importance of information security throughout the organization
• Oversee risk management to balance mission goals and information security costs
• Track and optimize information security resource allocation
• Authorize improvements to the information security program on a continuing basis.
These management oversight objectives are valid regardless of the information security operating environments deployed. However, the governance body will need to actively participate in the review, authorization, and communication of all information security plans, policies and supporting documentation, risks, and compliance issues related to the use of cloud-based services. Therefore, the governance body will need to include or consult with cloud computing information technology and information security subject matter experts. The group should also include or consult with agency counsel to ensure a complete understanding and inclusion of legal and liability issues specific to a CCE and to verify sufficient coverage of all issues in the negotiated SLAs and contracts for cloud-based services. It is imperative that management sponsors and monitors the effectiveness of cloud-specific awareness, training and communication, and outreach programs to ensure broad awareness of agency policy and guidelines by all responsible users. Finally, management must be vigilant in its review of compliance and monitoring of cloud services and must drive continuous improvement in the overall information security program, including all cloud-based services.
Representative CCE-Related Artifacts of the Check and Act Phases
The four management processes of the Check and Act phases of the information security management and governance framework will result in several documents and reports to inform and guide users in the effective and appropriate use of cloud computing services and to report on the compliance and performance of cloud-based systems. Some specific examples are included in each process description, but Exhibit 8 summarizes artifacts that are typical outputs of the governance model and that are likely to have specific references to operating in a CCE. In some cases, the cloud provider may be partially or completely responsible for these artifacts, depending on the final agreements between the cloud consumer and the cloud provider.
Exhibit 8 | Act Phase Artifacts
(Each entry lists the Example Artifact followed by its Contract/SLA Implications.)
Management Process: Awareness & Training; Communication & Outreach
• User Security Awareness – Provider Participation?
– CCE Policy – Yes
– CCE Authorization – No
– CCE Guidelines/Standards – Sometimes
– CCE Procedures – Sometimes
• CCE Security Technical Training – No
• Awareness Tests & Records – No
Management Process: Compliance & Performance Management
• Compliance/Performance Measures – Terms & Conditions
• Legal, Regulatory Compliance – Roles, Responsibilities
• Policy Portfolio Compliance – Roles, Responsibilities
• Privacy Compliance – Roles, Responsibilities
• Technical Compliance – Roles, Responsibilities
• Log Monitoring Reports – Roles, Responsibilities
• Incident Management Reporting – Roles, Responsibilities
• Internal Compliance Audits – Terms, Responsibilities
• Performance Measurement Reports – Terms, Responsibilities
• Technical Controls Testing – Terms, Responsibilities
• SLA Reporting – Terms & Conditions
Management Process: Risk Management
• Recommended Improvement Plans – Negotiation
• CCE Management Review Reports – None
• Authorized Improvement Plans – Negotiation
Source: Booz Allen Hamilton
Summary and Conclusions
Cloud computing takes advantage of economies of scale to offer compelling cost benefits to federal agencies for information services performed in support of their mission. Migration of agency information assets and systems to a CCE can also provide impressive benefits related to deployment flexibility and service on demand and can enable capabilities not feasible in many enterprise computing environments, such as massive data analysis and intelligence analysis.7 However, the nature of cloud deployment and service models presents new information security risks and introduces complications to compliance with legal, regulatory, and contractual security requirements for cloud consumers. Some complications have serious legal liability implications.
Key to the successful adoption and transition of information systems to a CCE is the implementation/modification of a strategic proactive information security management and governance framework. At Booz Allen, we have developed a framework that we have successfully implemented in several commercial and federal government client environments. Our model consists of a set of management processes that interact in a Plan, Do, Check, Act cycle of continuous improvement to effectively manage and govern enterprise information security. The management processes of the governance model require some modifications to the major steps in their execution to effectively manage the risk and compliance issues inherent in a CCE.
Information security governance is a critical component of a successful transition to the cloud. An organization’s mission and risk profile must drive the implementation of the management processes described in this paper, as well as the artifacts they produce. It is also vital to treat the management processes as integrated components of a larger information security governance framework rather than as individual silos. Using this framework to guide the transition to and ongoing operations in the CCE will ultimately enable an organization to maximize its benefits in the cloud while sensibly and cost-effectively addressing the cloud’s inherent risks.
7 Massive Data Analytics and the Cloud—A Revolution in Intelligence Analysis, Drew Cohen and Joshua D. Sullivan, 2009.
Glossary of Acronyms
C&A: Certification and Accreditation
C3F: Booz Allen’s Cloud Computing User Transition Framework
CCE: Cloud Computing Environment
CIO: Chief Information Officer
CISO: Chief Information Security Officer
DISA: Defense Information Systems Agency, part of the Department of Defense
IaaS: Infrastructure as a Service
NIST: National Institute of Standards and Technology. NIST guidelines on information security are officially standard practice for federal information technology and are codified in information security regulations
PaaS: Platform as a Service
RACE: Rapid Access Computing Environment. This refers to a working prototype cloud developed by DISA. As of this writing, it is being used for open-source software development, and many additional functions are in the works
SaaS: Software as a Service
SLA: Service-Level Agreement. In this case, this refers to a contract between the cloud computing provider and client(s)
SP: Special Publication
Glossary of Terms
Cloud: The “cloud” consists of computing resources (software, operating platform, memory, and processors) that are abstracted from the user by some form of virtualization and (often) physical separation between the user and the infrastructure on which the services are supported. “Cloud computing” means the use of a cloud for IT functions.
Cloud Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems; storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Cloud Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Cloud Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Multi-tenancy: Property of a cloud environment used by multiple customers (“tenants”). Contrast with the “single-tenancy” private cloud, which is used by only one customer.
Private Cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Service Model: Refers to the ownership of the cloud infrastructure. See the Introduction for descriptions of different service models.
About Booz Allen
Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and not-for-profit organizations rely on the firm’s expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant’s unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.
With more than 22,000 people and $4.5 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of “The 100 Best Companies to Work For,” and Working Mother magazine has ranked the firm among its “100 Best Companies for Working Mothers” annually since 1999.
Contact Information:
Jamie Miller, Associate, miller_jamie@bah.com, 703/377-1274
Larry Candler, Associate, candler_larry@bah.com, 703/377-4534
Hannah Wald, Consultant, wald_hannah@bah.com, 703/377-6646
To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com.