Cloud Information Governance: Alleviating Risk and Staying Compliant

Keep Cloud Compliant

Moving operations to the cloud is an increasingly popular way to save money and other resources. It also requires dramatic changes to traditional information governance and risk practices.

1 Editor’s Note
2 Extending Information Governance Controls to the Cloud
3 Due Diligence, Provider Research Key to Compliance in the Cloud
4 Three Steps to Maintain GRC During Cloud Deployment

EDITOR’S NOTE
1 Security Risks, Compliance a Major Cloud Concern

Organizations today generate and are responsible for more data than ever before, forcing companies to turn to cloud-based options to reduce data management costs. Cloud computing has proven valuable from a data storage standpoint, but it also raises numerous questions about information governance. Most importantly, organizations must ensure the data they are entrusting to the cloud is still handled according to their compliance and security guidelines.

That delicate balancing act isn’t always easy. Organizations must determine where their data management and security responsibilities end, and where those of the cloud provider begin.

In this SearchCompliance handbook, we examine how organizations can adapt information governance processes to the cloud to alleviate data risk and remain compliant with myriad regulations. In our first article, ARMA International CEO Marilyn Bier discusses information governance controls in the cloud, including how to hold your cloud provider accountable. In our second article, Christine Parizo examines how moving operations to the cloud influences data security processes, what security-related questions you need to ask cloud providers and the cloud contract wording that helps ensure security.
In our third article, Ed Moyle outlines how compliance officers can ensure their companies adhere to regulations and reduce risk after moving operations to the cloud. As the cloud increasingly becomes a valid data management option, we hope you find this useful in helping your organization stay compliant and reduce data-related risk. Please write to me at [email protected]

Ben Cole
Editor, SearchCompliance.com

CLOUD CONTRACTS
2 Extending Information Governance Controls to the Cloud

All organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance and monitor strategic initiatives. This critical information resides in the organization’s business records. Good information governance controls are difficult enough to apply inside an organization, even when it is using its own best practices tool set. While it is possible to manage aspects of the lifecycle and disposition of the information that resides in the cloud, these rules become more difficult to enforce.

“Proper information governance requires a centralized control point, as well as effective enforcement, for an organization’s records management tool set to be effective,” said Brent Gatewood, owner of consultIG, in a recent issue of Information Management magazine. “Today, the controls in place with most SaaS [Software as a Service] providers are too non-specific.
The controls in place are collection-focused and largely managed according to the provider’s rules, not those of the organization whose information is being stored.”

To satisfy the information governance needs of most organizations, control and management of data in the cloud should reside inside the organization itself and extend to cloud-based repositories. A centralized tool managing lifecycle rules for the organization needs to have the proper hooks into the data residing in the cloud. These tools need to have a complete view of the information owned by the organization to be responsive to internal and external requests.

According to Gatewood, “The reality is this: The tools may not exist, but organizations are moving—or have already moved—data into the cloud. Data relationships and management controls inside of organizations are more important than ever. Unless the management controls are already in place, it is unlikely that individuals are going to seek advice about extending controls to cloud-based repositories.”

Cloud computing is not going away. It can be a valuable tool, but a tool that needs to be understood and managed. Applying information governance controls, with the proper relationships in legal and information technology and services, can help to reasonably manage information in the cloud.
CLOUD PROVIDER ACCOUNTABILITY

Gatewood recommends that organizations considering a cloud-based initiative—or reviewing a solution already in place—find answers to the following questions about contracts, audit controls and integration points:

Contracts:
■ What service are we contracting for and what are the vendor’s records management and compliance obligations?
■ What kind of data controls does the vendor have in place?
■ How is information destroyed?
■ Can we set minimum and maximum retentions and at what level?
■ Are there secure destruction options?
■ What are the vendor’s policies for backups, replication or failover?
■ How do we confirm disposition takes place on a timely basis and according to our rules?

Audit controls:
■ What is the provider’s internal audit process?
■ How often is the provider audited by external agencies?
■ What standards is the provider held to?
■ Is the vendor open to being audited for compliance? (If not, this may be a sign of bigger issues.)

Integration points:
■ Is the vendor open to integration with our systems and applications?
■ Has the vendor integrated with any systems that provide a structure for compliance?

Organizations must also consider if the vendor’s policies and procedures related to the handling and management of information are acceptable. If they are not, Gatewood believes the organization should either move the data elsewhere or require an auditable change that meets its needs. Gatewood also recommends that organizations require a data map that details where the information resides.
Data maps can be complicated because they detail what is often a complex infrastructure that might involve third-party relationships specific to your data, but the effort to review them is definitely worthwhile.

—Marilyn Bier

PROVIDER NEGOTIATIONS
3 Due Diligence, Provider Research Key to Compliance in the Cloud

Organizations generate more data than ever before through applications, email and other computing tasks. Faced with flat IT budgets, companies are turning to the cloud for storage, software and infrastructure. This is much to the chagrin of the compliance department, which wakes up in cold sweats thinking about data security. Experts agree, however, that by conducting due diligence, companies can minimize their cloud-related risk.

“Your security teams have to satisfy themselves that what the cloud provider is doing on a routine basis meets or exceeds what they’d do on premise,” said John Howie, chief operating officer of the Cloud Security Alliance.

But enterprises are limited in how they can conduct this due diligence. For example, a cloud provider audit may not be possible because the provider doesn’t want hordes of customers tromping through its data centers. Penetration testing could also shut down an enterprise’s service because the cloud provider could view it as a legitimate attack, Howie said.

CHECK PROVIDER CERTIFICATIONS

Because physical audits sometimes aren’t possible, reputable cloud service providers should have certifications. In the United States, the two major certifications are ISO/IEC 27001:2005 and SOC 2. ISO/IEC 27001:2005 provides a definition for how to run an information security management system.
It does not say whether “you’re particularly good at it, and it doesn’t say that you have the controls in place [that] are actually working,” Howie cautioned. “It just certifies that you have an information security system that understands these problems and is trying to improve.”

SOC 2, which is the replacement for SAS 72 and is based on the audit standard AP 101, contains the five “SysTrust” principles developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants: confidentiality, integrity, availability, security and privacy, according to Howie.

“Privacy is a little bit of a misnomer, because it’s not privacy of the customer’s data,” he said. Rather, it means the privacy of the cloud provider’s customer, not the customers of the company that signs up for service. SOC 2 requires an audit by a large firm to ensure the controls are adequate and working. An SOC 2 report is then presented that contains detailed information about vulnerabilities and the environment as a whole. These details often make cloud providers hesitant to let customers see the results of SOC 2 reports, Howie said.

ASK PROVIDERS THE RIGHT QUESTIONS

Before choosing a cloud provider, companies need to ask prospective vendors some hard questions to ensure they’ll stay on the right side of regulators. “It’s about asking questions around what arrangements are going to be in place to protect your information … from the creation stage to the processing, the storage, the transmission and, of course, destruction,” said Steve Durbin, global vice president of the Information Security Forum.
Eventually, the contract with the provider will end and organizations need to know what will happen to their data when that occurs, he added.

Other questions should include how secure the connection is, including whether a VPN is required to connect, and what the availability is, Durbin said. Companies also need to ask encryption-related questions, including whether the data needs to be encrypted, what facilities the cloud provider has to encrypt data and if data should be encrypted before being transmitted to the cloud service, he added.

Physical security is also important, according to Mac McMillan, current chairman of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based IT security consulting firm CynergisTek. Questions should include how the cloud provider controls physical access and how systems are protected from other customers’ data in colocation situations.

Finally, companies should check on the status of the cloud provider’s insurance, McMillan said. For example, if there’s a security breach, it’s important to know if the provider will indemnify the customer and pay for the notifications, he said.

CONTRACT NEGOTIATIONS: READ THE FINE PRINT

Due diligence doesn’t stop at the negotiating table. There is no one provision to include in the contract to maintain compliance, but careful language can help limit liability, according to Robert Scott, managing partner at Southlake, Texas-based technology law firm Scott & Scott LLP. “If you outsource to a third-party cloud service provider to handle or store personally identifiable, financial or healthcare information that’s regulated in any way, the law has a non-delegable duty that you can’t just outsource these legal responsibilities,” Scott said.
Even changes to payment card industry compliance standards, which now apply to third-party services, do not absolve enterprises of maintaining regulatory compliance, he said.

Enterprises need to ensure that their cloud services providers agree to be bound by the same regulations that they are, Scott said. For financial institutions, that means adhering to regulations such as the Gramm-Leach-Bliley Act, for example.

One thing to be wary of in contracts is provisions where the cloud services provider asks the enterprise to agree to limit data breach liability, Scott cautioned. “Such a provision could work to significantly limit the availability of insurance and/or the ability to recover for privacy-related claims that result from a data breach,” he said.

Contracts are always negotiable, and any reasonable cloud provider will be willing to negotiate with a customer regarding legitimate regulatory compliance, data security and privacy concerns, Scott said. “They’re not going to be a successful cloud service provider without being sensitive to customer concerns in those areas,” he said.

—Christine Parizo

CLOUD RISK
4 Three Steps to Maintain GRC During Cloud Deployment

For compliance professionals, there’s no overstating what a huge challenge a cloud transition can be from a governance, risk and compliance (GRC) perspective. A cloud deployment is challenging to start with, from both a technical and operational level. Add to that the complexity of ensuring post-cloud-deployment adherence to regulatory requirements, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act and the Federal Information Security Management Act, and it becomes even more difficult.
The biggest challenge from a regulatory and data risk standpoint comes about when an organization’s compliance team encounters a cloud deployment “after the fact.” That happens more often than you might think: Most cloud deployments don’t happen in a graceful, workmanlike manner where compliance teams are kept in the loop from inception through the final stages of implementation. Instead, what happens more often than not is cloud adoption is far along before compliance teams even realize it’s in place.

Reasons for this are varied. Most commonly, it occurs when business teams bring in a cloud service without realizing they should engage the compliance department. Another common, under-the-radar transition occurs when existing cloud technology expands its scope from handling non-sensitive information systems, such as development and quality assurance, to include regulated environments or to process, store and transmit regulated data.

When this backdoor cloud deployment happens, compliance professionals find themselves behind the proverbial eight ball. By that point, mitigation options are sparse because contracts are already signed, environments are already developed, controls are already in place and due diligence assessments have already been completed—or, in some cases, not. What can compliance professionals do at that point? Below are a few immediate steps they can take.

STEP ONE: DON’T PANIC. ASSESS AND DOCUMENT RISK

Let’s say a hospital’s compliance professional discovers that a clinical system (an electronic medical record, for example) has been relocated to an Infrastructure as a Service provider. The questions that arise as a result of this transition are legion: Have business associate agreements been signed? Is personal health information being protected appropriately? Is there a contractual arrangement to ensure notification in the event of a data breach?

Instead of immediately pushing back, a prudent first step might be to undertake a systematic analysis of the situation. After all, if the vendor services healthcare providers regularly, this won’t be the first time it has heard about HIPAA, and it may have already spent quite a bit of time thinking through how to address the administrative, technical and physical controls associated with its security rule.

Compliance officers should first engage with internal teams to find out what level of due diligence they’ve done regarding information security during the cloud deployment, as well as what controls the vendor already has in place. It’s vital to understand two things: new compliance gaps this cloud deployment introduces to your organization, and any newly introduced risk. The first item is relatively straightforward: Walk through each of your compliance requirements and evaluate the cloud deployment documentation to ensure the vendor agreement meets these rules. To evaluate risk, you can use one of the many readily available risk assessment templates to assist in this regard. Some examples include the Cloud Security Alliance’s GRC stack (notably the Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix), the European Network and Information Security Agency’s cloud computing risk assessment and the NIST SP 800-30.

STEP TWO: KNOW WHAT YOU CAN CHANGE, AND WHAT YOU CAN’T

It’s important to remember that the vendor’s controls are what they are, and changing them rapidly to meet your company’s control gaps is unlikely to be the most efficient path to maintaining security. Compliance officers can probably lean on vendors enough to make changes, but they will not come quickly. Instead of railing against a vendor’s deficiencies, companies should look inward to see if there are things they can change on their end to maintain data security during a cloud deployment. Of course, you should call out areas where vendors’ controls are woefully inadequate and note these concerns in risk assessments, in reports to management and in long-term remediation plans. But also remember that it’s easier to change your environment versus theirs. During long-term remediation talks, ask what controls you can implement in the short term to offset cloud-related security gaps. For example, can you encrypt data in transit or at rest to add a layer of protection? Or will implementing additional monitoring controls help notify you of inappropriate access?

STEP THREE: BUILD THE STRATEGIC REMEDIATION ROADMAP

If you followed the steps outlined above, by this point you’ll have two crucial pieces of data: a gap analysis showing where you don’t meet your particular compliance requirements, and a risk assessment identifying any potential problem areas after the cloud deployment. You will have also put in place short-term stopgaps to address as many of those areas as you can.
At this point, you’ll want to take a comprehensive look at changes that both you and the vendor can make to maintain compliance. Keep in mind that many cloud service providers have resources on staff specifically to understand customer compliance requirements and address them when developing and offering services. It behooves you to engage with those vendor resources—you might be surprised at the responsiveness and expertise. Also remember that most responsible vendors have a commercial incentive not to stonewall you. Any changes they make to meet your compliance requirements or alleviate risk ultimately helps them become more competitive in your industry.

Long term, maintaining a compliant cloud environment is an exercise in cooperation between the company and its vendor(s). By objectively analyzing and documenting compliance gaps and risks, changing what the company can do internally to close short-term gaps and putting together a long-term plan, dealing with unexpected cloud deployment doesn’t have to be as painful as it seems.

—Ed Moyle

ABOUT THE AUTHORS

MARILYN BIER is CEO of ARMA International, a not-for-profit records management and information governance professional association. ARMA provides education, publications and resources for the creation, organization, security, maintenance and disposal of information in a manner that aligns with and contributes to an organization’s goals.

CHRISTINE PARIZO is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Christine has a background in litigation technology and compliance and was an assistant news editor for searchCRM.com prior to launching her freelance career.

ED MOYLE is director of emerging business and technology at ISACA. Moyle previously worked as a senior security strategist for Savvis and a senior manager at CTG. Prior to that, Moyle served as a vice president and information security officer at Merrill Lynch Investment Managers.

Keep Cloud Compliant is a SearchCompliance.com e-publication.

Rachel Lebeaux | Managing Editor
Ben Cole | Site Editor
Marilyn Bier, Ed Moyle, Christine Parizo | Contributing Writers
Christina Torode | Editorial Director
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Amalie Keerl | Director of Product Management
[email protected]

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com
© 2013 TechTarget Inc.