Cloud Service Procurement: Engaging the CISO for a Risk Assessment

Cloud Service Procurement: Engaging the CISO for a Risk Assessment
Walter Petruska, Information Security Officer, University of San Francisco
Educause SPC, May 5, 2015

Conversation Starter: Asking Questions
- Is your CISO involved in the procurement process?
- Do you have a CISO?
- Do you have a procurement process?
- HOW is, or how SHOULD, your CISO be involved?
Business Process – Coordination between key parties:
- Business Units / Schools
- IT Organization – Operations and Project Management Office
- Purchasing Organization
- Legal / Contract review – focuses on LEGALITY and completeness
- Finance and Accounting (Registered Vendor / D&B report)
- Risk Management staff, including Insurance and Liability review
- Finance – Periodic review of open-ended service agreements

Hypothesis: The Cloud is the Future
- Trend data from Forrester and Gartner agree
- Educause Top 10 #8: Mobile, Cloud, Digital Policy
- HEISC #3: Develop effective Cloud 3rd Party Policy
Promised Benefits:
- Quick implementation – Reap rewards earlier
- Minimal internal support costs – Reduces ongoing expense
However – critical questions are not asked or considered before signing agreements or starting service delivery with Cloud Services.

Generic Resources – Frameworks
- Educause Security Guide – HEISC
- Shared Assessments
- Cloud Security Alliance (CSA) CCM
- PCI DSS
- FedRAMP Security Assessment Framework
Controls and Maturity:
- ISO 27001
- SSAE 16
- Internet2 Net+ solutions program

USF Process Documents and Authorities
- Security Services – VSA
- 3rd Party Data Release Agreement
- SSN Release – via AVP of Human Resources
- Accounting & Business Services – Vendor Application
- OGC – Contract Review
- Departmental Budget and Finance Managers – POs
- Purchasing Review – Checklist of above items
- Accounts Payable – Contract Management

Develop Policies AND Standards
- Policy in a vacuum is oftentimes ineffective – communicate regularly with your key stakeholders, providing consultative support as well as clear standards for assessment (ITSM approach)
- Give guiding outcomes; provide sample language for each facet of the Technology initiative (Service/Platform/Resource)
- VSA: Vendor Security Assessment (form) – Iterative – Required
- Finance: Annual Vendor Scorecard

Conversation – Process – Assess – Communicate Standards – Monitor and Collaborate
- Start the conversation early
- Invite yourself – write yourself into a process
- Build support – work together
- Use common frameworks to guide the assessment
- Communicate customized technology standards and preferences to potential vendors to assure best fit
- Continuously monitor your agreements for changes
- Maintain vendor performance records
- Collaborate outside of your organization > Educause

End Note
Note: Several documents and framework examples referenced on slides contained within this PowerPoint file were demonstrated live during the conference session. These items are not included within this presentation due to file size, complexity, or the sensitive nature of the Vendor Security Assessment questions or the Systems Architecture reflected or revealed by those items. If you attended the session and would like to receive a ‘generic’ version of these items, email: infosec@usfca.edu