SlideShare uma empresa Scribd logo

7 Steps to Developing a Secure Cloud Services Plan

Envision Technology Advisors
Envision Technology Advisors

The document outlines a 7-step process for developing a cloud security plan. The steps are: 1) Review business goals; 2) Maintain a risk management program; 3) Create a security plan that supports business goals; 4) Establish corporate-wide support; 5) Create security policies, procedures, and standards; 6) Audit and review often; 7) Continuously improve. Following these steps will help organizations develop effective security plans to take advantage of cloud services while meeting security and compliance needs.

TecnologiaNegócios
1 de 15
Baixar para ler offline
Whitepaper: 7 Steps to Developing a Cloud Security Plan
Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for any business. To help facilitate this endeavor NaviSite has developed a manageable process and checklist that can be used by enterprise security, compliance, and IT professionals as a framework for crafting a successful cloud computing security plan. It defines seven steps— sequentially—that have been tested and refined through NaviSite’s experiences helping hundreds of companies secure enterprise resources according to best practices. This plan enables organizations to gain the economic advantages of secure and compliant managed cloud services.
Table of Contents INTRODUCTION …………………………………………………………………………………….…... 4 STEP 1: REVIEW YOUR BUSINESS GOALS …………………………………………………….…. 6 STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAM …………………………………….……. 7 STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS ………………………………………………....…… 9 STEP 4: ESTABLISH CORPORATE-WIDE SUPPORT ……………………………...………..…...10 STEP 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS …………………………………………….…….....................11 STEP 6: AUDIT AND REVIEW OFTEN ..…………………………..………………………..…...….12 STEP 7: CONTINUOUSLY IMPROVE ………………………………..………………………………13 CONCLUSION ………………………………………………………………………..………………….14 APPENDIX A: 7 STEPS TO DEVELOPING A CLOUD SECURITY PLAN CHECKLIST ………………………………………………………..…. 15
Introduction Cloud computing provides compelling cost and strategic benefits, including: scalability with reduced capital expenditure; more efficient use of IT resources; and the ability for an organization to focus on their core competency. Many well established security technologies and procedures can be applied to cloud computing to provide enterprise-class security. In many cases the cloud provider can achieve better security in a virtualized environment than enterprises can achieve internally. Selecting a service provider with strong security procedures and services in cloud computing can be a strategic move, but enterprise organizations need to continue to take an active role in security and risk management. Working together, the cloud provider and the enterprise can ensure that existing security practices are being complemented and that enterprise resources are protected according to industry best practices. Cloud infrastructure services enable improved efficiencies for IT, allowing companies to reduce capital expenses even as resource demand increases. They also provide companies a competitive edge through greater scalability and flexibility to address business opportunities. Concerns around the security of cloud infrastructure have been viewed as a barrier to adoption, but there are seven tangible steps enterprises can take to gain the cost and business advantages of cloud services without compromising the security of enterprise applications. By following these steps the enterprise can rely on a proven methodology for cost-effectively and securely leveraging cloud services. NaviSite takes pride in ensuring its enterprise customers services are secure and reliable but encourages all businesses—no matter what provider they are partnering with— to take an active role in being sure their specific security and compliance requirements are met. 4 “…THERE ARE SEVEN TANGIBLE STEPS ENTERPRISES CAN TAKE TO GAIN THE COST AND BUSINESS ADVANTAGES OF CLOUD SERVICES WITHOUT COMPROMISING THE SECURITY OF ENTERPRISE APPLICATIONS.”
Secure cloud services plan breaks down into the following seven steps: By following these steps organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud services while meeting organizational security and compliance objectives. 5 FIGURE 1: 7 STEPS. STEP 6: Audit and Review Often STEP 2: Maintain a Risk Management Program STEP 3: Create a Security Plan that Supports Your Business Goals STEP 4: Secure Corporate- Wide Support STEP 5: Create Security Policies, Procedures, and Standards STEP 1: Review Your Business Goals STEP 7: Continuously Improve
6 SECURITY IS NOT A ONE-SIZE-FITS-ALL SCENARIO Step 1: REVIEW YOUR BUSINESS GOALS It is important that any cloud security plan begins with the basic understanding of your specific business goals. Security is not a one-size-fits-all scenario and should focus on enabling: • TECHNOLOGIES: Authentication and authorization, managing and monitoring, and reporting and auditing technologies should be leveraged to protect, monitor, and report on access to information resources • PROCESSES: Methodologies should be established that define clear processes for everything from provisioning and account establishment through incident management, problem management, change control, and acceptable use policies so that processes govern access to information • PEOPLE: Organizations need access to the proper skill sets and expertise to develop security plans that align with business goals Too often, organizations view internal security and compliance teams as inhibitors to advancing the goals of the business. Understanding the business objectives and providing long-term strategies to enable business growth, customer acquisition, and customer retention is essential to any successful security plan. The best way to do this is to develop cloud security policies based on cross- departmental input. A successful security program includes contribution from all stakeholders to ensure that policies are aligned and procedures are practical and pragmatic. The broader the input the more likely the final security plan will truly align with, and support corporate goals. Executive input is not only essential to ensure that assets are protected with the proper safeguards, but also to ensure that all parties understand the strategic goals. For example, if a company plans to double in size within a few years, security infrastructure needs to be designed to support scalability. CASE IN POINT: At NaviSite, we often see customers faced with the challenge of making major security and technology changes to address evolving corporate goals. For example, a customer that hosts multiple merchant sites had a Payment Card Industry (PCI)-compliant application, but when it was acquired, its parent company required stricter controls that conformed to the enterprise-wide PCI program. The acquired company came to us with a small company perspective, while the new parent company wanted to enforce even tighter security across its divisions. We worked with them to realign and bolster the goals of the acquired company’s security and compliance programs with the corporate goals of the parent company. By reviewing the business goals with the stakeholders from the parent company, the newly acquired company, and our security team, we were able to identify and document the objectives for the new compliance program and ensure that they were aligned with the over-arching PCI program.
7 AN EFFECTIVE CLOUD COMPUTING RISK MANAGEMENT PROGRAM IS IMPORTANT FOR REDUCING THE OVERALL RISK TO THE ORGANIZATION. Step 2: MAINTAIN A RISK MANAGEMENT PROGRAM It is naïve to think that your applications will never be breached, whether they are hosted in your data center or in a managed data center. Every organization needs to develop and maintain a risk management program, and it should be done centrally and viewed holistically. An effective cloud computing risk management program is important for reducing the overall risk to the organization. It is also essential for prioritizing the utilization of resources and for providing the business with a long-term strategy. If a growing organization can identify and reduce the risk of new products, technologies, processes, people, and vendors, it can better focus on revenue growth and improved profitability. It is only through a well-defined and carefully maintained risk management program that you can provide an aggregated view of the risk that a company is willing to accept. The generalized view is that you assess the value of the asset, assess the loss expectancy probability, and then quantify whether the organization is willing to accept the risk of loss or whether steps should be taken to mitigate the chances of that loss. Security professionals are encouraged to regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate threats and maintain a reasonable security program that protects organizational assets, given budgetary resources. The cloud computing risk assessment policy requires buy-in from the very top. This program should be audited, and policies defined that explicitly state who can accept risk on behalf of the organization. If you have a well-developed risk management program in place, then you have identified your critical assets and established appropriate levels of protection. By moving some or all of your business applications to the cloud, you gain the additional benefits of your providers business continuity planning and protection from unthinkable events, such as natural disasters. Seamless failover to a redundant data center thousands of miles away provides shareholders with increased comfort in knowing their business is protected and secure. At NaviSite, we continue to see disaster recovery and business continuity initiatives gaining increased corporate focus as a direct result of the migration of ERP applications to the cloud. For example, a publicly traded company outsourced its financial applications to NaviSite. However they did not have a business continuity and disaster recovery (BCDR) plan. As we worked with them on their risk management program - identifying risks, evaluating the value of the assets, and looking at annualized loss expectancies to build out the level of assurance they needed - they realized the economic argument and value for enabling seamless failover to a redundant site across the country. Management went back to the Board of Directors and quickly received approval. The company now has a solid disaster recovery program in place with annual testing to ensure business continuity. They did not initially understand the risk its shareholders were incurring until it developed a formal risk management program, and by quantifying that risk the company was able to take appropriate steps to mitigate and protect itself adequately while ensuring business continuity.
8 MANY OF THE NEEDS TO CHANGE SECURITY PLANS ARE NOT A RESULT OF CORPORATE STRATEGIES BUT EVOLUTIONS OF COMPLIANCE REQUIREMENTS. Step 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS Your cloud computing security plan should include goals with measurable results that are consistent with providing support for the growth and stability of the company. The plan should include compliance programs, technologies, and processes with very specific results. For example, a growing IT services company may pursue a data center compliance program, such as SSAE 16 (the successor to the SAS 70 standard) a service management framework which requires in-depth audits of control activities that include: security monitoring, change management, problem management, backup controls, physical and environmental safeguards, and logical access. Goals should include: • Specific date for completion • Verification of achievement, such as a Service Organization Controls (SOC) report • Measurable expected result, such as a reduction in reported incidents by five percent, improvement of risk mitigation by reduction of Annualized Loss Expectancy (ALE) by ten percent, or successful passing of customer audits increasing by twenty percent The security plan in many ways becomes a natural extension of the previous two steps. For example, if a U.S. company is planning for an IPO, becoming compliant with the Sarbanes- Oxley Act (SOX) requirement is essential. Section 404 of SOX explicitly requires management and the external auditor to report on the adequacy of the company's Internal Control on Financial Reporting (ICFR). Companies have to assure that the data is valid and has not been altered. It is primarily the responsibility of the IT group to ensure SOX compliance. Many of the needs to change security plans are not a result of corporate strategies but evolutions of compliance requirements. For example, at NaviSite, we help clients maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Information Technology for Economic and Clinical Health Act (HITECH) addresses the privacy and security concerns associated with the electronic transmission of health information and it extends the privacy and security provisions of HIPAA. By partnering with cloud providers, organizations are more nimble and can more easily modify their security plans to support evolving corporate strategies or regulatory requirements.
9 Step 4: ESTABLISH CORPORATE-WIDE SUPPORT & ALIGNMENT A key element of a successful cloud computing security plan is the involvement and support of the plan across the organization. Many security departments build out vast arrays of policies that are difficult to implement across the organization. Prioritizing these policies and ensuring that they are not in conflict with other policies from different departments is essential for establishing support and acceptance. A given security policy may not rely on the latest technology or provide the most secure results, but balancing ease of deployment and organizational acceptance with security is a necessary tradeoff. Organizations need to establish levels of security that meet business goals and comply with regulatory requirements and risk management policies, but that can be centrally managed and conveniently implemented across the organization with minimal negative impact to productivity. Recognize that it is impossible to completely eliminate risk, but it is prudent to mitigate it in a reasonable manner. At NaviSite, we have found that the key is to take time to gain a solid understanding of how a company develops its products and services and delivers them to its customers. The majority of your time spent building support for security policies should not be spent in writing those policies, but instead should be spent in learning how the business truly functions so that security can better contribute to its success, and not be viewed as a hindrance or a daily obstacle. For example, we have worked with manufacturing companies that were building highly sensitive products. In one company, the security team designed a security plan that was so restrictive the plant had to ignore the mandated controls to function productively. This led to the failure of the third-party audit and ultimately a recall of the product manufactured with the circumvented controls. We also worked with an insurance company that developed an application for estimating the cost of insurance that secured the data sources used by the application; they wrote security policies such that they restricted internal departments from viewing critical data needed to perform their jobs. Companies need to ensure that the security plan is not only aligned with the goals of the organization, but also with the goals of the major departments that will be implementing it. Gaining this acceptance streamlines adoption throughout the organization. GAINING ACCEPTANCE ON SECURITY POLICY AND PROCEDURE AHEAD OF TIME STREAMLINES ADOPTION THROUGHOUT THE ORGANIZATION.
10 Step 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS A set of guidelines is important to ensure that all compliance measures are identified and the entire organization is driving toward achievement of the same goals. For example, for a healthcare provider, it may be important to provide HIPAA- and HITECH-compliant health care services to new and existing patients. In order to do so, the organization must build security policies that define the constraints in the handling of Protected Health Information (PHI), procedures that define the process of acquiring PHI, and guidelines that encourage the general adoption of best practices. When you are audited for SOX, PCI Data Security Standard (DSS), or any other relevant compliance standard that affects your business, the auditor will look at existing policies, how you have implemented them, and whether they are being followed throughout your organization. Every company audited wants to make sure it passes the audit, and if you have completed all the previous steps outlined in this process, it will make it easier for you to create security guidelines that can be consistently enforced. New clients often ask, “What’s the easiest way to create security policies, procedures, and standards,” and the answer is simple—turn to best practices. When it comes to establishing security guidelines, it is much easier, more practical and productive to edit than it is to create. Assuming you have gone through the previous four steps, security and compliance teams have had to establish many of the policies necessary to address business requirements. Read everything you can and apply best practices to creating policies that align with business goals, develop procedures that are realistic and that will be acceptable to the organization, and wherever possible turn to industry standards to guide you. Cloud services are a major advantage for growing organizations that have not yet embedded established policies and procedures into the company. The enterprise can rely on the best practices the service provider has developed over years of experience in similar environments. As with many enterprise cloud service providers, including NaviSite, change management is a clearly defined process governed by well-established guidelines. Each change must be approved by the proper personnel, and then implemented in a quality assurance environment. Once it is tested and approved through a user acceptance procedure, it is introduced to the end-user community in the least intrusive manner possible with a clearly defined back-out procedure in place in case there are unforeseen problems or issues with user adoption. By turning to high-performance cloud computing, the enterprise can dramatically reduce the learning curve for developing security policies, procedures, and standards. Organizations can accelerate the adoption of best practices for protecting enterprise resources by adopting proven security methodologies.
11 AUDIT AND REVIEW OFTEN CHECKLIST It is important to review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures. If it is part of your overall business plan, a third-party audit can provide an impartial review of the controls and report on compliance to established programs, such as SSAE 16, PCI DSS, or Safe Harbor. Some industries mandate audits, and U.S. publicly traded companies have to conduct internal audits every quarter when they release financial statements. Understanding the auditing requirements for your business and the frequency of your audits is essential not only for ensuring compliance with relevant requirements but also for maintaining best practices for securing enterprise resources. For example, SSAE 16 Audits are conducted every six months but at NaviSite we conduct internal audits every three months to ensure ongoing compliance and provide assurance that our data centers and our support infrastructure remain current with SSAE 16 requirements. The SSAE 16 Audit is aligned with our security goals because it assures customers that our processes, procedures, and controls have been formally reviewed. It also demonstrates our compliances with Section 404 of the Sarbanes-Oxley Act. By auditing and reviewing the results regularly, companies can implement a constant audit cycle that ensures that the controls remain in place and that that they are being followed. If problems occur, they can be identified and remediated before the next audit cycle. Step 6: AUDITAND REVIEW OFTEN
12 CONTINUOUS IMPROVEMENT CHECKLIST A well-developed security plan will allow for the continuous improvement of security and compliance. At a minimum, annually review your cloud computing security plan with senior executives and your cloud services provider, and revise goals and objectives as needed. Review and edit security policies and procedures, and actively report back to the organization the accomplishments of the security and compliance teams. Many companies believe that once they have solid policies and procedures in place they do not need to revisit them— but your industry and your business will change over time, and the technology available to support your security plan will evolve. Just ten years ago remote workers had limited access to enterprise applications, but rapid advances in VPN technology and massive demand for secure remote access have driven most companies to develop policies and procedures to support a mobile workforce. And the technology to support these policies and procedures are enabling businesses to provide the flexibility for employees to work from virtually anywhere. Review all of your generally accepted security policies at least annually. At NaviSite, we review our security policies on an even more frequent basis. An annual review is designed into some compliance policies; if that’s the case for your business consider reviewing your security policies every six months so you have the time to evaluate your current policies, update them when needed and change procedures when necessary before your next audit. Continuous improvement is the key to your security plan. Understanding the dynamic nature of your business and constantly evaluating security requirements are the foundation for implementing a successful continuous improvement strategy. Step 7: CONTINUOUSLY IMPROVE
13 Properly managed cloud infrastructure provides better security than most enterprise data centers, applications, and IT infrastructure. It allows companies to more efficiently deploy scarce technical personnel. Use this proven process and the summary checklist provided in Appendix A as an easy guide to structuring your cloud computing security plan. Selecting a stable cloud service provider with world-class data centers, enterprise cloud computing infrastructure, application expertise, and a proven security methodology will help the enterprise reap the financial rewards of cloud computing while implementing a security framework optimized for the requirements of cloud architectures. These seven steps are meant to serve as a framework to guide companies as they develop a secure cloud-computing plan. By following these guidelines, organizations can structure security and compliance programs to take advantage of the financial benefits of managed cloud applications and services while meeting organizational security and compliance objectives. ABOUT NAVISITE For more information about secure cloud computing services from NaviSite, please visit www.navisite.com or send an e-mail to us at webinfo@navisite.com or call us at 1.888.298.8222 to discuss your secure cloud computing requirements. Conclusion FOR MORE INFORMATION TO LEARN ABOUT CLOUD SERVICES FROM NAVISITE, VISIT: www.navisite.com
AppendixA: 7 STEPS TO DEVELOPINGA CLOUD SECURITY PLAN CHECKLIST By following these seven steps to developing a secure outsourcing plan developed by NaviSite, the enterprise can rely on a proven methodology for cost-effectively and securely outsourcing IT services. STEP 1: REVIEW YOUR BUSINESS GOALS  Understand your business goals and direction  Develop cloud security policies based on cross- departmental input that includes insights from senior management and all of the stakeholders  Ensure that all security policies are aligned with strategic goals, and that the procedures are practical and pragmatic STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAM  Develop and maintain a risk management program centrally, and view it holistically  Carefully define exactly who is authorized to accept risk on behalf of the enterprise  Implement a well-defined and carefully maintained risk management program so you can provide an aggregated view of the risk that a company is willing to accept  Ensure that security professionals regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate risks and protect organizational assets  Gain executive-level buy-in to the cloud computing risk assessment policy, and for publicly traded companies, gain Board-level approval if necessary  Consider seamless failover to a redundant data center and disaster recovery planning integral to risk management STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS • Develop goals with measurable results that are consistent with providing support for the growth and stability of the company • Include compliance programs, technologies, and processes with specific metrics • Work with your cloud service provider to ensure that your security plan is nimble enough to support evolving corporate strategies or regulatory requirements STEP 4: ESTABLISH CORPORATE-WIDE SUPPORT • Gain the approval of your cloud computing security plan from not only executive management but also the general workforce • Make sure security policies are not in conflict with other policies from different departments, and that they are not too time-consuming • Establish levels of security that can be centrally managed and conveniently implemented across the organization Appendix A, Page 1
AppendixA: 7 STEPS, CONTINUED STEP 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS  Establish a set of guidelines to ensure that all compliance measures are identified  Make sure that compliance requirements are reflected in your policies and procedures  Ensure that auditors can clearly review your policies and how you have implemented so they can that they are being followed.  Design a comprehensive, layered approach based on a security framework to address common regulatory requirements. This will make it easier to adopt and maintain security procedures that can be audited so you can achieve your security and compliance goals. • Turn to this 7-step plan as the foundation for your internal audits. If you don’t have these steps in place, you won’t have a structure that auditors can easily follow • Read everything you can and apply best practices to creating policies that align with business goals. • Develop procedures that are realistic and that will be acceptable to the organization STEP 6: AUDIT AND REVIEW OFTEN • Review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures • If it is part of your overall business plan, turn to a third- party audit to provide an impartial review of the controls and report on compliance to established programs • Understand the auditing requirements for your business and the frequency of your audits not only for ensuring compliance with relevant requirements but also so you can implement best practices for securing enterprise resources • Audit and review the results regularly to ensure that the controls remain in place and that that they are being followed • If an audit reveals any potential security or compliance problems, ensure they are remediated before the next audit cycle STEP 7: CONTINUOUSLY IMPROVE • Annually review your cloud computing security plan with senior management and your cloud services provider • Re-establish goals • Review and edit security policies and procedures • Actively report back to the organization the accomplishments of the security and compliance teams These steps should be implemented sequentially, and it is an iterative process based on best practices and focused on continuous improvement. By following these guidelines, organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud applications and services while meeting organizational security and compliance objectives Appendix A, Page 2

Recomendados

Agiliance Risk Vision
Agiliance Risk VisionAgiliance Risk Vision
Agiliance Risk Visionagiliancecommunity
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Accounting_Whitepapers
 
2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience Insurance2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience InsuranceAccenture Insurance
 
MCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementMCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementWilliam McBorrough
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014Aladdin Dandis
 
The Cyber Security Leap
The Cyber Security LeapThe Cyber Security Leap
The Cyber Security LeapAccenture New Zealand
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Needsimplyme12345
 

Recomendados

Agiliance Risk Vision
Agiliance Risk VisionAgiliance Risk Vision
Agiliance Risk Visionagiliancecommunity
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Accounting_Whitepapers
 
2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience Insurance2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience InsuranceAccenture Insurance
 
MCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementMCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementWilliam McBorrough
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014Aladdin Dandis
 
The Cyber Security Leap
The Cyber Security LeapThe Cyber Security Leap
The Cyber Security LeapAccenture New Zealand
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Needsimplyme12345
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Aladdin Dandis
 
Overview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And ServicesOverview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And ServicesWaqas Zafar
 
Avoiding Data Breaches in 2016: What You Need to Kow
Avoiding Data Breaches in 2016: What You Need to Kow Avoiding Data Breaches in 2016: What You Need to Kow
Avoiding Data Breaches in 2016: What You Need to Kow Enterprise Management Associates
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Aladdin Dandis
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Aladdin Dandis
 
BizCarta-2
BizCarta-2BizCarta-2
BizCarta-2Pradeep Kumar
 
Transform Your Security Operations with Security Automation and Orchestration
Transform Your Security Operations with Security Automation and OrchestrationTransform Your Security Operations with Security Automation and Orchestration
Transform Your Security Operations with Security Automation and OrchestrationEnterprise Management Associates
 
Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)OCTF Industry Engagement
 
Avoiding Data Breaches in 2016: What You Need to Know
Avoiding Data Breaches in 2016: What You Need to Know Avoiding Data Breaches in 2016: What You Need to Know
Avoiding Data Breaches in 2016: What You Need to Know Enterprise Management Associates
 
Group reading assignments on managing cloud risk
Group reading assignments on managing cloud riskGroup reading assignments on managing cloud risk
Group reading assignments on managing cloud riskIbrahim Adeboye Apena
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-FundamentalsGary Hayslip CISSP, CISA, CRISC, CCSK
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessGary Hayslip CISSP, CISA, CRISC, CCSK
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014Aladdin Dandis
 
Why Corporate Security Professionals Should Care About Information Security
Why Corporate Security Professionals Should Care About Information Security Why Corporate Security Professionals Should Care About Information Security
Why Corporate Security Professionals Should Care About Information Security Resolver Inc.
 
Erm talking points
Erm talking pointsErm talking points
Erm talking pointsEnterpriseGRC Solutions, Inc.
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic ManagementMarcelo Martins
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldnooralmousa
 
5 must haves - cloud confidence
5 must haves - cloud confidence5 must haves - cloud confidence
5 must haves - cloud confidenceSean Dickson
 
SECURITY
SECURITYSECURITY
SECURITYTony Fanelli
 
Cybersecurity.pdf
Cybersecurity.pdfCybersecurity.pdf
Cybersecurity.pdfPetaBytz Technologies
 

Mais conteúdo relacionado

Mais procurados

Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Aladdin Dandis
 
Overview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And ServicesOverview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And ServicesWaqas Zafar
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Aladdin Dandis
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Aladdin Dandis
 
Transform Your Security Operations with Security Automation and Orchestration
Transform Your Security Operations with Security Automation and OrchestrationTransform Your Security Operations with Security Automation and Orchestration
Transform Your Security Operations with Security Automation and OrchestrationEnterprise Management Associates
 
Group reading assignments on managing cloud risk
Group reading assignments on managing cloud riskGroup reading assignments on managing cloud risk
Group reading assignments on managing cloud riskIbrahim Adeboye Apena
 
Why Corporate Security Professionals Should Care About Information Security
Why Corporate Security Professionals Should Care About Information Security Why Corporate Security Professionals Should Care About Information Security
Why Corporate Security Professionals Should Care About Information Security Resolver Inc.
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic ManagementMarcelo Martins
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldnooralmousa
 

Mais procurados (19)

Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game plan
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0
 
Overview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And ServicesOverview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And Services
 
Avoiding Data Breaches in 2016: What You Need to Kow
Avoiding Data Breaches in 2016: What You Need to Kow Avoiding Data Breaches in 2016: What You Need to Kow
Avoiding Data Breaches in 2016: What You Need to Kow
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
 
BizCarta-2
BizCarta-2BizCarta-2
BizCarta-2
 
Transform Your Security Operations with Security Automation and Orchestration
Transform Your Security Operations with Security Automation and OrchestrationTransform Your Security Operations with Security Automation and Orchestration
Transform Your Security Operations with Security Automation and Orchestration
 
Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)
 
Avoiding Data Breaches in 2016: What You Need to Know
Avoiding Data Breaches in 2016: What You Need to Know Avoiding Data Breaches in 2016: What You Need to Know
Avoiding Data Breaches in 2016: What You Need to Know
 
Group reading assignments on managing cloud risk
Group reading assignments on managing cloud riskGroup reading assignments on managing cloud risk
Group reading assignments on managing cloud risk
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014
 
Why Corporate Security Professionals Should Care About Information Security
Why Corporate Security Professionals Should Care About Information Security Why Corporate Security Professionals Should Care About Information Security
Why Corporate Security Professionals Should Care About Information Security
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
 

Semelhante a 7 Steps to Developing a Secure Cloud Services Plan

5 must haves - cloud confidence
5 must haves - cloud confidence5 must haves - cloud confidence
5 must haves - cloud confidenceSean Dickson
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurestorm
 
Rethinking compliance
Rethinking complianceRethinking compliance
Rethinking complianceS. Hanau
 
Intelligent Security: Defending the Digital Business
Intelligent Security: Defending the Digital BusinessIntelligent Security: Defending the Digital Business
Intelligent Security: Defending the Digital Businessaccenture
 
Understanding Cloud Maturity.pdf
Understanding Cloud Maturity.pdfUnderstanding Cloud Maturity.pdf
Understanding Cloud Maturity.pdfCiente
 
10-TOP-IT-INITIATIVES_6-6-16
10-TOP-IT-INITIATIVES_6-6-1610-TOP-IT-INITIATIVES_6-6-16
10-TOP-IT-INITIATIVES_6-6-16Peak 10
 
Cybersecurity: Quick Preparedness Assessment
Cybersecurity: Quick Preparedness AssessmentCybersecurity: Quick Preparedness Assessment
Cybersecurity: Quick Preparedness AssessmentCBIZ, Inc.
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisionsAlireza Ghahrood
 
S sdlc datasheet q1-2015 v fnl
S sdlc datasheet q1-2015 v fnlS sdlc datasheet q1-2015 v fnl
S sdlc datasheet q1-2015 v fnlSally Chan
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolioKaloyan Krastev
 
2005 issa journal-risk-management
2005 issa journal-risk-management2005 issa journal-risk-management
2005 issa journal-risk-managementasundaram1
 
Building a business case for expanding your AppSec Program
Building a business case for expanding your AppSec ProgramBuilding a business case for expanding your AppSec Program
Building a business case for expanding your AppSec ProgramNicolas Gohmert
 
Sharpening revenue assurance_july 2015
Sharpening revenue assurance_july 2015Sharpening revenue assurance_july 2015
Sharpening revenue assurance_july 2015Silas Musakali
 

Semelhante a 7 Steps to Developing a Secure Cloud Services Plan (20)

5 must haves - cloud confidence
5 must haves - cloud confidence5 must haves - cloud confidence
5 must haves - cloud confidence
 
SECURITY
SECURITYSECURITY
SECURITY
 
Cybersecurity.pdf
Cybersecurity.pdfCybersecurity.pdf
Cybersecurity.pdf
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk Managment
 
Cc unit 4 updated version
Cc unit 4 updated versionCc unit 4 updated version
Cc unit 4 updated version
 
Rethinking compliance
Rethinking complianceRethinking compliance
Rethinking compliance
 
Lead Through Disruption Guide PDF
Lead Through Disruption Guide PDFLead Through Disruption Guide PDF
Lead Through Disruption Guide PDF
 
Intelligent Security: Defending the Digital Business
Intelligent Security: Defending the Digital BusinessIntelligent Security: Defending the Digital Business
Intelligent Security: Defending the Digital Business
 
Understanding Cloud Maturity.pdf
Understanding Cloud Maturity.pdfUnderstanding Cloud Maturity.pdf
Understanding Cloud Maturity.pdf
 
10-TOP-IT-INITIATIVES_6-6-16
10-TOP-IT-INITIATIVES_6-6-1610-TOP-IT-INITIATIVES_6-6-16
10-TOP-IT-INITIATIVES_6-6-16
 
Cybersecurity: Quick Preparedness Assessment
Cybersecurity: Quick Preparedness AssessmentCybersecurity: Quick Preparedness Assessment
Cybersecurity: Quick Preparedness Assessment
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisions
 
SunGard Assurance-CM - Business Continuity Software
SunGard Assurance-CM - Business Continuity SoftwareSunGard Assurance-CM - Business Continuity Software
SunGard Assurance-CM - Business Continuity Software
 
S sdlc datasheet q1-2015 v fnl
S sdlc datasheet q1-2015 v fnlS sdlc datasheet q1-2015 v fnl
S sdlc datasheet q1-2015 v fnl
 
NG-Brochure
NG-BrochureNG-Brochure
NG-Brochure
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
2005 issa journal-risk-management
2005 issa journal-risk-management2005 issa journal-risk-management
2005 issa journal-risk-management
 
CISO as a service in India | Senselearner
CISO as a service in India | SenselearnerCISO as a service in India | Senselearner
CISO as a service in India | Senselearner
 
Building a business case for expanding your AppSec Program
Building a business case for expanding your AppSec ProgramBuilding a business case for expanding your AppSec Program
Building a business case for expanding your AppSec Program
 
Sharpening revenue assurance_july 2015
Sharpening revenue assurance_july 2015Sharpening revenue assurance_july 2015
Sharpening revenue assurance_july 2015
 

Mais de Envision Technology Advisors

Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Envision Technology Advisors
 

Mais de Envision Technology Advisors (20)

How to Migrate Without Downtime
How to Migrate Without DowntimeHow to Migrate Without Downtime
How to Migrate Without Downtime
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
 
The Ultimate Guide To Business Continuity
The Ultimate Guide To Business ContinuityThe Ultimate Guide To Business Continuity
The Ultimate Guide To Business Continuity
 
Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber Threats
 
Cloud Based Email
Cloud Based EmailCloud Based Email
Cloud Based Email
 
Survivors Guide To The Cloud
Survivors Guide To The CloudSurvivors Guide To The Cloud
Survivors Guide To The Cloud
 
Ten Myths About Deleted Files
Ten Myths About Deleted FilesTen Myths About Deleted Files
Ten Myths About Deleted Files
 
Disaster Recovery - Deep Dive
Disaster Recovery - Deep DiveDisaster Recovery - Deep Dive
Disaster Recovery - Deep Dive
 
The State of Global Markets 2013
The State of Global Markets 2013The State of Global Markets 2013
The State of Global Markets 2013
 
Ten Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted FilesTen Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted Files
 
Detecting Stopping Advanced Attacks
Detecting Stopping Advanced AttacksDetecting Stopping Advanced Attacks
Detecting Stopping Advanced Attacks
 
8 Strategies For Building A Modern DataCenter
8 Strategies For Building A Modern DataCenter8 Strategies For Building A Modern DataCenter
8 Strategies For Building A Modern DataCenter
 
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
 
Cloud or Onsite BDR?
Cloud or Onsite BDR?Cloud or Onsite BDR?
Cloud or Onsite BDR?
 
Forrester Emerging MSSP Wave
Forrester Emerging MSSP WaveForrester Emerging MSSP Wave
Forrester Emerging MSSP Wave
 
RetroFit's Network Monitoring Solution
RetroFit's Network Monitoring SolutionRetroFit's Network Monitoring Solution
RetroFit's Network Monitoring Solution
 
Network Latency
Network LatencyNetwork Latency
Network Latency
 
2013 Threat Report
2013 Threat Report2013 Threat Report
2013 Threat Report
 
Termination of Windows XP
Termination of Windows XPTermination of Windows XP
Termination of Windows XP
 

Último

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Último (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

7 Steps to Developing a Secure Cloud Services Plan

  • 1. Whitepaper: 7 Steps to Developing a Cloud Security Plan
  • 2. Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for any business. To help facilitate this endeavor NaviSite has developed a manageable process and checklist that can be used by enterprise security, compliance, and IT professionals as a framework for crafting a successful cloud computing security plan. It defines seven steps— sequentially—that have been tested and refined through NaviSite’s experiences helping hundreds of companies secure enterprise resources according to best practices. This plan enables organizations to gain the economic advantages of secure and compliant managed cloud services.
  • 3. Table of Contents INTRODUCTION …………………………………………………………………………………….…... 4 STEP 1: REVIEW YOUR BUSINESS GOALS …………………………………………………….…. 6 STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAM …………………………………….……. 7 STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS ………………………………………………....…… 9 STEP 4: ESTABLISH CORPORATE-WIDE SUPPORT ……………………………...………..…...10 STEP 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS …………………………………………….…….....................11 STEP 6: AUDIT AND REVIEW OFTEN ..…………………………..………………………..…...….12 STEP 7: CONTINUOUSLY IMPROVE ………………………………..………………………………13 CONCLUSION ………………………………………………………………………..………………….14 APPENDIX A: 7 STEPS TO DEVELOPING A CLOUD SECURITY PLAN CHECKLIST ………………………………………………………..…. 15
  • 4. Introduction Cloud computing provides compelling cost and strategic benefits, including: scalability with reduced capital expenditure; more efficient use of IT resources; and the ability for an organization to focus on their core competency. Many well established security technologies and procedures can be applied to cloud computing to provide enterprise-class security. In many cases the cloud provider can achieve better security in a virtualized environment than enterprises can achieve internally. Selecting a service provider with strong security procedures and services in cloud computing can be a strategic move, but enterprise organizations need to continue to take an active role in security and risk management. Working together, the cloud provider and the enterprise can ensure that existing security practices are being complemented and that enterprise resources are protected according to industry best practices. Cloud infrastructure services enable improved efficiencies for IT, allowing companies to reduce capital expenses even as resource demand increases. They also provide companies a competitive edge through greater scalability and flexibility to address business opportunities. Concerns around the security of cloud infrastructure have been viewed as a barrier to adoption, but there are seven tangible steps enterprises can take to gain the cost and business advantages of cloud services without compromising the security of enterprise applications. By following these steps the enterprise can rely on a proven methodology for cost-effectively and securely leveraging cloud services. NaviSite takes pride in ensuring its enterprise customers services are secure and reliable but encourages all businesses—no matter what provider they are partnering with— to take an active role in being sure their specific security and compliance requirements are met. 4 “…THERE ARE SEVEN TANGIBLE STEPS ENTERPRISES CAN TAKE TO GAIN THE COST AND BUSINESS ADVANTAGES OF CLOUD SERVICES WITHOUT COMPROMISING THE SECURITY OF ENTERPRISE APPLICATIONS.”
  • 5. Secure cloud services plan breaks down into the following seven steps: By following these steps organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud services while meeting organizational security and compliance objectives. 5 FIGURE 1: 7 STEPS. STEP 6: Audit and Review Often STEP 2: Maintain a Risk Management Program STEP 3: Create a Security Plan that Supports Your Business Goals STEP 4: Secure Corporate- Wide Support STEP 5: Create Security Policies, Procedures, and Standards STEP 1: Review Your Business Goals STEP 7: Continuously Improve
  • 6. 6 SECURITY IS NOT A ONE-SIZE-FITS-ALL SCENARIO Step 1: REVIEW YOUR BUSINESS GOALS It is important that any cloud security plan begins with the basic understanding of your specific business goals. Security is not a one-size-fits-all scenario and should focus on enabling: • TECHNOLOGIES: Authentication and authorization, managing and monitoring, and reporting and auditing technologies should be leveraged to protect, monitor, and report on access to information resources • PROCESSES: Methodologies should be established that define clear processes for everything from provisioning and account establishment through incident management, problem management, change control, and acceptable use policies so that processes govern access to information • PEOPLE: Organizations need access to the proper skill sets and expertise to develop security plans that align with business goals Too often, organizations view internal security and compliance teams as inhibitors to advancing the goals of the business. Understanding the business objectives and providing long-term strategies to enable business growth, customer acquisition, and customer retention is essential to any successful security plan. The best way to do this is to develop cloud security policies based on cross- departmental input. A successful security program includes contribution from all stakeholders to ensure that policies are aligned and procedures are practical and pragmatic. The broader the input the more likely the final security plan will truly align with, and support corporate goals. Executive input is not only essential to ensure that assets are protected with the proper safeguards, but also to ensure that all parties understand the strategic goals. For example, if a company plans to double in size within a few years, security infrastructure needs to be designed to support scalability. CASE IN POINT: At NaviSite, we often see customers faced with the challenge of making major security and technology changes to address evolving corporate goals. For example, a customer that hosts multiple merchant sites had a Payment Card Industry (PCI)-compliant application, but when it was acquired, its parent company required stricter controls that conformed to the enterprise-wide PCI program. The acquired company came to us with a small company perspective, while the new parent company wanted to enforce even tighter security across its divisions. We worked with them to realign and bolster the goals of the acquired company’s security and compliance programs with the corporate goals of the parent company. By reviewing the business goals with the stakeholders from the parent company, the newly acquired company, and our security team, we were able to identify and document the objectives for the new compliance program and ensure that they were aligned with the over-arching PCI program.
  • 7. 7 AN EFFECTIVE CLOUD COMPUTING RISK MANAGEMENT PROGRAM IS IMPORTANT FOR REDUCING THE OVERALL RISK TO THE ORGANIZATION. Step 2: MAINTAIN A RISK MANAGEMENT PROGRAM It is naïve to think that your applications will never be breached, whether they are hosted in your data center or in a managed data center. Every organization needs to develop and maintain a risk management program, and it should be done centrally and viewed holistically. An effective cloud computing risk management program is important for reducing the overall risk to the organization. It is also essential for prioritizing the utilization of resources and for providing the business with a long-term strategy. If a growing organization can identify and reduce the risk of new products, technologies, processes, people, and vendors, it can better focus on revenue growth and improved profitability. It is only through a well-defined and carefully maintained risk management program that you can provide an aggregated view of the risk that a company is willing to accept. The generalized view is that you assess the value of the asset, assess the loss expectancy probability, and then quantify whether the organization is willing to accept the risk of loss or whether steps should be taken to mitigate the chances of that loss. Security professionals are encouraged to regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate threats and maintain a reasonable security program that protects organizational assets, given budgetary resources. The cloud computing risk assessment policy requires buy-in from the very top. This program should be audited, and policies defined that explicitly state who can accept risk on behalf of the organization. If you have a well-developed risk management program in place, then you have identified your critical assets and established appropriate levels of protection. By moving some or all of your business applications to the cloud, you gain the additional benefits of your providers business continuity planning and protection from unthinkable events, such as natural disasters. Seamless failover to a redundant data center thousands of miles away provides shareholders with increased comfort in knowing their business is protected and secure. At NaviSite, we continue to see disaster recovery and business continuity initiatives gaining increased corporate focus as a direct result of the migration of ERP applications to the cloud. For example, a publicly traded company outsourced its financial applications to NaviSite. However they did not have a business continuity and disaster recovery (BCDR) plan. As we worked with them on their risk management program - identifying risks, evaluating the value of the assets, and looking at annualized loss expectancies to build out the level of assurance they needed - they realized the economic argument and value for enabling seamless failover to a redundant site across the country. Management went back to the Board of Directors and quickly received approval. The company now has a solid disaster recovery program in place with annual testing to ensure business continuity. They did not initially understand the risk its shareholders were incurring until it developed a formal risk management program, and by quantifying that risk the company was able to take appropriate steps to mitigate and protect itself adequately while ensuring business continuity.
  • 8. 8 MANY OF THE NEEDS TO CHANGE SECURITY PLANS ARE NOT A RESULT OF CORPORATE STRATEGIES BUT EVOLUTIONS OF COMPLIANCE REQUIREMENTS. Step 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS Your cloud computing security plan should include goals with measurable results that are consistent with providing support for the growth and stability of the company. The plan should include compliance programs, technologies, and processes with very specific results. For example, a growing IT services company may pursue a data center compliance program, such as SSAE 16 (the successor to the SAS 70 standard) a service management framework which requires in-depth audits of control activities that include: security monitoring, change management, problem management, backup controls, physical and environmental safeguards, and logical access. Goals should include: • Specific date for completion • Verification of achievement, such as a Service Organization Controls (SOC) report • Measurable expected result, such as a reduction in reported incidents by five percent, improvement of risk mitigation by reduction of Annualized Loss Expectancy (ALE) by ten percent, or successful passing of customer audits increasing by twenty percent The security plan in many ways becomes a natural extension of the previous two steps. For example, if a U.S. company is planning for an IPO, becoming compliant with the Sarbanes- Oxley Act (SOX) requirement is essential. Section 404 of SOX explicitly requires management and the external auditor to report on the adequacy of the company's Internal Control on Financial Reporting (ICFR). Companies have to assure that the data is valid and has not been altered. It is primarily the responsibility of the IT group to ensure SOX compliance. Many of the needs to change security plans are not a result of corporate strategies but evolutions of compliance requirements. For example, at NaviSite, we help clients maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Information Technology for Economic and Clinical Health Act (HITECH) addresses the privacy and security concerns associated with the electronic transmission of health information and it extends the privacy and security provisions of HIPAA. By partnering with cloud providers, organizations are more nimble and can more easily modify their security plans to support evolving corporate strategies or regulatory requirements.
  • 9. 9 Step 4: ESTABLISH CORPORATE-WIDE SUPPORT & ALIGNMENT A key element of a successful cloud computing security plan is the involvement and support of the plan across the organization. Many security departments build out vast arrays of policies that are difficult to implement across the organization. Prioritizing these policies and ensuring that they are not in conflict with other policies from different departments is essential for establishing support and acceptance. A given security policy may not rely on the latest technology or provide the most secure results, but balancing ease of deployment and organizational acceptance with security is a necessary tradeoff. Organizations need to establish levels of security that meet business goals and comply with regulatory requirements and risk management policies, but that can be centrally managed and conveniently implemented across the organization with minimal negative impact to productivity. Recognize that it is impossible to completely eliminate risk, but it is prudent to mitigate it in a reasonable manner. At NaviSite, we have found that the key is to take time to gain a solid understanding of how a company develops its products and services and delivers them to its customers. The majority of your time spent building support for security policies should not be spent in writing those policies, but instead should be spent in learning how the business truly functions so that security can better contribute to its success, and not be viewed as a hindrance or a daily obstacle. For example, we have worked with manufacturing companies that were building highly sensitive products. In one company, the security team designed a security plan that was so restrictive the plant had to ignore the mandated controls to function productively. This led to the failure of the third-party audit and ultimately a recall of the product manufactured with the circumvented controls. We also worked with an insurance company that developed an application for estimating the cost of insurance that secured the data sources used by the application; they wrote security policies such that they restricted internal departments from viewing critical data needed to perform their jobs. Companies need to ensure that the security plan is not only aligned with the goals of the organization, but also with the goals of the major departments that will be implementing it. Gaining this acceptance streamlines adoption throughout the organization. GAINING ACCEPTANCE ON SECURITY POLICY AND PROCEDURE AHEAD OF TIME STREAMLINES ADOPTION THROUGHOUT THE ORGANIZATION.
  • 10. 10 Step 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS A set of guidelines is important to ensure that all compliance measures are identified and the entire organization is driving toward achievement of the same goals. For example, for a healthcare provider, it may be important to provide HIPAA- and HITECH-compliant health care services to new and existing patients. In order to do so, the organization must build security policies that define the constraints in the handling of Protected Health Information (PHI), procedures that define the process of acquiring PHI, and guidelines that encourage the general adoption of best practices. When you are audited for SOX, PCI Data Security Standard (DSS), or any other relevant compliance standard that affects your business, the auditor will look at existing policies, how you have implemented them, and whether they are being followed throughout your organization. Every company audited wants to make sure it passes the audit, and if you have completed all the previous steps outlined in this process, it will make it easier for you to create security guidelines that can be consistently enforced. New clients often ask, “What’s the easiest way to create security policies, procedures, and standards,” and the answer is simple—turn to best practices. When it comes to establishing security guidelines, it is much easier, more practical and productive to edit than it is to create. Assuming you have gone through the previous four steps, security and compliance teams have had to establish many of the policies necessary to address business requirements. Read everything you can and apply best practices to creating policies that align with business goals, develop procedures that are realistic and that will be acceptable to the organization, and wherever possible turn to industry standards to guide you. Cloud services are a major advantage for growing organizations that have not yet embedded established policies and procedures into the company. The enterprise can rely on the best practices the service provider has developed over years of experience in similar environments. As with many enterprise cloud service providers, including NaviSite, change management is a clearly defined process governed by well-established guidelines. Each change must be approved by the proper personnel, and then implemented in a quality assurance environment. Once it is tested and approved through a user acceptance procedure, it is introduced to the end-user community in the least intrusive manner possible with a clearly defined back-out procedure in place in case there are unforeseen problems or issues with user adoption. By turning to high-performance cloud computing, the enterprise can dramatically reduce the learning curve for developing security policies, procedures, and standards. Organizations can accelerate the adoption of best practices for protecting enterprise resources by adopting proven security methodologies.
  • 11. 11 AUDIT AND REVIEW OFTEN CHECKLIST It is important to review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures. If it is part of your overall business plan, a third-party audit can provide an impartial review of the controls and report on compliance to established programs, such as SSAE 16, PCI DSS, or Safe Harbor. Some industries mandate audits, and U.S. publicly traded companies have to conduct internal audits every quarter when they release financial statements. Understanding the auditing requirements for your business and the frequency of your audits is essential not only for ensuring compliance with relevant requirements but also for maintaining best practices for securing enterprise resources. For example, SSAE 16 Audits are conducted every six months but at NaviSite we conduct internal audits every three months to ensure ongoing compliance and provide assurance that our data centers and our support infrastructure remain current with SSAE 16 requirements. The SSAE 16 Audit is aligned with our security goals because it assures customers that our processes, procedures, and controls have been formally reviewed. It also demonstrates our compliances with Section 404 of the Sarbanes-Oxley Act. By auditing and reviewing the results regularly, companies can implement a constant audit cycle that ensures that the controls remain in place and that that they are being followed. If problems occur, they can be identified and remediated before the next audit cycle. Step 6: AUDITAND REVIEW OFTEN
  • 12. 12 CONTINUOUS IMPROVEMENT CHECKLIST A well-developed security plan will allow for the continuous improvement of security and compliance. At a minimum, annually review your cloud computing security plan with senior executives and your cloud services provider, and revise goals and objectives as needed. Review and edit security policies and procedures, and actively report back to the organization the accomplishments of the security and compliance teams. Many companies believe that once they have solid policies and procedures in place they do not need to revisit them— but your industry and your business will change over time, and the technology available to support your security plan will evolve. Just ten years ago remote workers had limited access to enterprise applications, but rapid advances in VPN technology and massive demand for secure remote access have driven most companies to develop policies and procedures to support a mobile workforce. And the technology to support these policies and procedures are enabling businesses to provide the flexibility for employees to work from virtually anywhere. Review all of your generally accepted security policies at least annually. At NaviSite, we review our security policies on an even more frequent basis. An annual review is designed into some compliance policies; if that’s the case for your business consider reviewing your security policies every six months so you have the time to evaluate your current policies, update them when needed and change procedures when necessary before your next audit. Continuous improvement is the key to your security plan. Understanding the dynamic nature of your business and constantly evaluating security requirements are the foundation for implementing a successful continuous improvement strategy. Step 7: CONTINUOUSLY IMPROVE
  • 13. 13 Properly managed cloud infrastructure provides better security than most enterprise data centers, applications, and IT infrastructure. It allows companies to more efficiently deploy scarce technical personnel. Use this proven process and the summary checklist provided in Appendix A as an easy guide to structuring your cloud computing security plan. Selecting a stable cloud service provider with world-class data centers, enterprise cloud computing infrastructure, application expertise, and a proven security methodology will help the enterprise reap the financial rewards of cloud computing while implementing a security framework optimized for the requirements of cloud architectures. These seven steps are meant to serve as a framework to guide companies as they develop a secure cloud-computing plan. By following these guidelines, organizations can structure security and compliance programs to take advantage of the financial benefits of managed cloud applications and services while meeting organizational security and compliance objectives. ABOUT NAVISITE For more information about secure cloud computing services from NaviSite, please visit www.navisite.com or send an e-mail to us at webinfo@navisite.com or call us at 1.888.298.8222 to discuss your secure cloud computing requirements. Conclusion FOR MORE INFORMATION TO LEARN ABOUT CLOUD SERVICES FROM NAVISITE, VISIT: www.navisite.com
  • 14. AppendixA: 7 STEPS TO DEVELOPINGA CLOUD SECURITY PLAN CHECKLIST By following these seven steps to developing a secure outsourcing plan developed by NaviSite, the enterprise can rely on a proven methodology for cost-effectively and securely outsourcing IT services. STEP 1: REVIEW YOUR BUSINESS GOALS  Understand your business goals and direction  Develop cloud security policies based on cross- departmental input that includes insights from senior management and all of the stakeholders  Ensure that all security policies are aligned with strategic goals, and that the procedures are practical and pragmatic STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAM  Develop and maintain a risk management program centrally, and view it holistically  Carefully define exactly who is authorized to accept risk on behalf of the enterprise  Implement a well-defined and carefully maintained risk management program so you can provide an aggregated view of the risk that a company is willing to accept  Ensure that security professionals regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate risks and protect organizational assets  Gain executive-level buy-in to the cloud computing risk assessment policy, and for publicly traded companies, gain Board-level approval if necessary  Consider seamless failover to a redundant data center and disaster recovery planning integral to risk management STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS • Develop goals with measurable results that are consistent with providing support for the growth and stability of the company • Include compliance programs, technologies, and processes with specific metrics • Work with your cloud service provider to ensure that your security plan is nimble enough to support evolving corporate strategies or regulatory requirements STEP 4: ESTABLISH CORPORATE-WIDE SUPPORT • Gain the approval of your cloud computing security plan from not only executive management but also the general workforce • Make sure security policies are not in conflict with other policies from different departments, and that they are not too time-consuming • Establish levels of security that can be centrally managed and conveniently implemented across the organization Appendix A, Page 1
  • 15. AppendixA: 7 STEPS, CONTINUED STEP 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS  Establish a set of guidelines to ensure that all compliance measures are identified  Make sure that compliance requirements are reflected in your policies and procedures  Ensure that auditors can clearly review your policies and how you have implemented so they can that they are being followed.  Design a comprehensive, layered approach based on a security framework to address common regulatory requirements. This will make it easier to adopt and maintain security procedures that can be audited so you can achieve your security and compliance goals. • Turn to this 7-step plan as the foundation for your internal audits. If you don’t have these steps in place, you won’t have a structure that auditors can easily follow • Read everything you can and apply best practices to creating policies that align with business goals. • Develop procedures that are realistic and that will be acceptable to the organization STEP 6: AUDIT AND REVIEW OFTEN • Review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures • If it is part of your overall business plan, turn to a third- party audit to provide an impartial review of the controls and report on compliance to established programs • Understand the auditing requirements for your business and the frequency of your audits not only for ensuring compliance with relevant requirements but also so you can implement best practices for securing enterprise resources • Audit and review the results regularly to ensure that the controls remain in place and that that they are being followed • If an audit reveals any potential security or compliance problems, ensure they are remediated before the next audit cycle STEP 7: CONTINUOUSLY IMPROVE • Annually review your cloud computing security plan with senior management and your cloud services provider • Re-establish goals • Review and edit security policies and procedures • Actively report back to the organization the accomplishments of the security and compliance teams These steps should be implemented sequentially, and it is an iterative process based on best practices and focused on continuous improvement. By following these guidelines, organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud applications and services while meeting organizational security and compliance objectives Appendix A, Page 2