Remarks Adam Montserin CEO, iGovTT 2 Re-Cap of Last Meeting Update on GovNeTT RFP Status of the eGIF Policy By Kevin Ramcharitar Solution Architect Office,


Remarks Adam Montserin CEO, iGovTT

Re-Cap of Last Meeting
• Update on GovNeTT RFP
• Status of the eGIF Policy
By Kevin Ramcharitar, Solution Architect Office, Consulting Unit

Draft Policy Information & Communication Technology & Systems Specifications Approval Denyse White, Consulting Unit 28 March, 2013

• Limited IT professionals throughout GoRTT
• Administrative/Operational role of National Information Systems Centre
• Process established in 1990
• NISC subsumed by National ICT Centre 20??
• Responsibilities retained by iGovTT

Current State
• IT professionals prevalent throughout GoRTT
• Strategic advisory role of iGovTT
• Policy last revisited in 2006
• Incorporated within the CTB regulations

• Inconsistent adherence to the process
• Time delays to GoRTT agencies
• Value add vs. resource allocation – iGovTT

Stakeholders
• Ministry of Finance
• Central Tenders Board
• Permanent Secretaries (Equivalent Accounting Officers)
• ICT and Procurement Specialists

Governance
• iGovTT: Bi Annual Update of Specifications
• GoRTT Agencies: Compliance Sign Off
• Permanent Secretary: Procurement Approval
• Ministry of Finance: Release of Funds for Expenditure

Compliance Sign-Off

Exception Governance
• GoRTT Agency: Request review and approval
• iGovTT: Review and Provide Recommendation
• Permanent Secretary: Procurement Approval
• Ministry of Finance: Release of Funds for Expenditure

Primary Questions
• Do you agree with the purpose as defined in the ICT and Systems Specifications Policy?
• Should there be any inclusions or exclusions to the scope?
• Are there any other legislation or guidelines that should be included for consideration in the adoption of the policy?
• Do you agree with the objective of establishing this devolved authority?
• Are there any other areas that should be included for consideration?

Consultation Process Consultation Document Circulated Feedback timeframe – 3 weeks from issuance Feedback submitted via – - Denyse White – – General Comments on Secure Log In Site – Print Copy Denyse White National Information and Communication Technology Company Limited (iGovTT) 52 Pembroke Street Port of Spain (fax)

Thank You iGovTT Lord Harris Court 52 Pembroke Street Port of Spain Republic of Trinidad and Tobago Telephone: (868) Fax: (868) Website: Facebook:

Cloud Computing Varma Maharaj Solution Architect Office, Consulting Unit 28 March, 2013

What is Cloud Computing? The Use of Computing Hardware and Software Delivered as-a-Service over a Network

Common Characteristics of Cloud Computing
• Ubiquitous Access
• Resource Virtualization
• Pay-as-You-Use
• Elasticity
• Remotely Hosted

Community Cloud

Public Cloud

Private Cloud

Hybrid Cloud

Infrastructure as a Service
• Rent fundamental infrastructure: processing, storage, networking
• Deploy software, applications and even operating systems

Software as a Service
• No Hardware/Software to Manage
• Service Delivery via web browser

Platform as a Service
• Deploy and develop your own software
• Configure hosting options

• Lowered ICT Costs
• Lowered Client License Cost
• Pay-as-you-Use
• Ubiquitous Access
• Reduced Procurement Times and Requirements
• 24 x 7 Availability
• Simplified Centralized Applications
• Improved Application Redundancy

Disadvantages of the Cloud
• Data Protection
• Governance
• Security Control
• Requires Persistent Connection
• Limited features

• Benefits of Economies of Scale
• Overall Reduction in ICT Operational and Capital Cost
• Focus on Services Offered – Less Focus on Management of Infrastructure
• Eco-Friendly

• Satisfying Infrastructure Demands
• Increased Elasticity and Agility
• Governance & Ownership

How Developing Countries Approach Cloud:
• Leverage For ICT Advancement
• Advanced ICT Innovation at Lowered Cost
• Begin The Transition to Next Generation Models of ICT Such as Cloud

How Major Countries Approach Cloud:
• Incorporate cloud computing in their ICT strategy
• Many applications already deployed via the cloud
• Enables efficient/effective ICT sharing
• United States, United Kingdom and Singapore

• Cloud is Here
• Structural and Cultural Shift from Traditional ICT
• Security Concerns Can Be Overcome
• Leverage Existing Government ICT Infrastructure
• Explore and Implement a Cloud Strategy


Security Considerations in Cloud Computing Khafra Murray, Security & Assurance Unit 28 March, 2013

Security Considerations of the Cloud
• No information system is 100% Safe
• Understand the risks of cloud computing
• How cloud hosting companies have approached security
• Law and Jurisdiction are critical
• Best practice for companies utilizing the cloud

No System is 100% Safe
• Every system once thought secure has been breached
• Cloud services have become and will continue to be a very lucrative target for hackers
• It’s still Hardware + Software + People, just not YOUR hardware, YOUR software or YOUR people.

Risks Inherent to Cloud Computing
• Disconnect in Information Control
• Disconnect in control systems and policy
• Disconnect in SLA interpretations
• Black Box Managed Services / Lack of Transparency
• Single Points of Failure

Information Control
• Data is no longer “on premises” subject to audited physical protections
• Data is subject to service provider’s backup policies, including off-site storage
• Data is subject to service provider’s retention policies
• Provider liability for data loss is minimal

Disconnect in Internal Controls
• Service Provider will have their own control mechanisms
• Policies (HR, Financial, workflows) internal to the provider and invisible to the cloud subscriber will have an impact on the risk to cloud services.
• Processes such as change management may not align to client standards (Microsoft Azure failure 2013)

Service Level Agreements
• Do not provide guarantees, only a promise of best effort
• Can often be misinterpreted; disagreements in SLA interpretation can stall service delivery
• There is always compromise/imbalance between the risk transferred to the provider and the accountability in the event of service or data loss.

Black Box / Lack of Transparency
• Service providers provide high level concepts of the architecture, but no more
• Hardware and software used in the infrastructure cannot be audited for vulnerabilities by the client
• Providers do not permit audits of their operations/processes/policies by the client
• Public Cloud subscribers are co-tenants - you don’t know whose data or what class of data is being hosted along with yours

Single Points of Failure
• Despite the distributed nature of many cloud services, even the largest suffer system-wide outages (Amazon, Windows Azure)
• Business operations are affected without any powers or access to affect the recovery
• Traditional BCP cannot replicate cloud based services

Law
• The Patriot Act stipulates that data stored in the USA or under the custodianship of a US company can be accessed by that government in the course of an investigation
  – Service providers are legally barred from informing subscribers of the access to their data
• In T&T it is illegal to store sensitive government data overseas unless the foreign territory provides equal or greater protections for data privacy and confidentiality

Jurisdiction
• Data stored in any country is subject to the laws and compliance requirements of that country in preference to any other
• Companies registered in the United States can be mandated to provide electronic data stored in any servers under their control in any country
• In the event of a data breach of GoRTT data at a foreign cloud service provider, the process to grant access to digital evidence would take no less than 6 months

Maintain Control and Confidentiality
• Private Cloud deployments over public cloud services
• Data encryption for data in motion (client/server) as well as data at rest.
  – There are security solutions which do this
• Ensure that data classification policies are robust and services subscribed to support the class of data

Managing Risk in The Cloud: Due Diligence
• Inquire about exception monitoring and reporting
• Vigilance around platform updates and access privileges
• Ask where data (including backups) is stored AND processed, and inquire as to the details of data protection laws in the relevant jurisdictions.

Managing Risk in The Cloud: Due Diligence
• Independent assessments and certifications
• Third party transparency
• BCP/DR activities align with cloud based processing and services
• Availability guarantees and liability
• Find out whether the cloud provider will accommodate GoRTT security policy


Moderated by Denyse White