Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Service Procurement: Engaging the CISO for a Risk Assessment

Published byAleesha Tyler Modified over 6 years ago

Similar presentations

Presentation on theme: "Cloud Service Procurement: Engaging the CISO for a Risk Assessment"— Presentation transcript:

1 Cloud Service Procurement: Engaging the CISO for a Risk Assessment
Walter Petruska Information security officer University of San francisco Educause SPC May 5, 2015

2 Conversation Starter: Asking Questions
Is your CISO involved in the procurement process? Do you have a CISO? Do you have a procurement process? HOW is, or how SHOULD your CISO be involved? Business Process – Coordination between key parties Business Units / Schools IT Organization – Operations and Project Management Office Purchasing Organization Legal / Contract review focuses on LEGALITY and completeness Finance and Accounting (Registered Vendor / D&B report) Risk Management staff including Insurance and Liability review Finance- Periodic review of open-ended service agreements

3 Hypothesis: The Cloud is the Future
Trend data from Forrester and Gartner agree Educause Top 10 #8: Mobile, Cloud, Digital Policy HEISC #3: Develop effective Cloud 3rd Party Policy Promised Benefits: Quick implementation – Reap rewards earlier Minimal internal support costs – Reduces ongoing expense However- Critical questions are not asked or considered before signing agreements or starting service delivery with Cloud Services.

4 Generic Resources – Frameworks
Educause Security Guide - HEISC Shared Assessments Cloud Security Alliance (CSA) CCM PCI - DSS FEDramp Security Assessment Framework Controls and Maturity: ISO 27001 SSAE16 Internet2 Net+ solutions program

5 USF Process Documents and Authorities
Security Services VSA 3rd Party Data Release Agreement SSN Release – via AVP of Human Resources Accounting & Business Services Vendor Application OGC Contract Review Departmental Budget and Finance Managers - POs Purchasing Review – Checklist of above items Accounts Payable – Contract Management

6 Develop Policies AND Standards
Policy in a vacuum is oftentimes ineffective- Communicate regularly with your key stakeholders Providing consultative support as well as clear standards for assessment. – ITSM approach Give guiding outcomes, provide sample language for each facet of the Technology initiative (Service/Platform/Resource) VSA: Vendor Security Assessment (form) Iterative – Required Finance: Annual Vendor Scorecard

7 Conversation – Process – Assess – Communicate Standards - Monitor and Collaborate
Start the conversation early Invite yourself – write yourself into a process Build support – work together Use Common Frameworks to guide the Assessment Communicate customized technology standards and preferences to potential vendors to assure best fit Continuously Monitor your agreements for changes Maintain Vendor performance records Collaborate outside of your organization> Educause

8 End Note Note: Several documents and framework examples referenced on slides contained within this PowerPoint file were demonstrated live during the conference session. These items are not included within this presentation due to file size, complexity or due to the sensitive nature of the Vendor Security Assessment questions or the Systems Architecture reflected or revealed by those items. If you attended the session, and would like to receive a ‘generic’ version of these items,

Download ppt "Cloud Service Procurement: Engaging the CISO for a Risk Assessment"

Similar presentations

Pamela Norris Project Manager Kraft Kennedy & Lesser, Inc.

Pamela Norris Project Manager Kraft Kennedy & Lesser, Inc.
Public Private Partnerships MUNICIPAL PPP CONFERENCE Date: 18 February 2010.

Public Private Partnerships MUNICIPAL PPP CONFERENCE Date: 18 February 2010.
Chapter 3 Project Initiation

Chapter 3 Project Initiation
Chapter 3 Project Initiation. The stages of a project  Project concept  Project proposal request  Project proposal  Project green light  Project.

Chapter 3 Project Initiation. The stages of a project  Project concept  Project proposal request  Project proposal  Project green light  Project.
WELCOME TO THE PROCUREMENT SEMINAR Procurement and Contracts An Overview of Contract Administration.

WELCOME TO THE PROCUREMENT SEMINAR Procurement and Contracts An Overview of Contract Administration.
Value Management Group International, LLC : Product Control File ReviewVM G I.

Value Management Group International, LLC : Product Control File ReviewVM G I.
Corporate Support Richard Brown, Business Director.

Corporate Support Richard Brown, Business Director.
Every student. every classroom. every day. Professional Services Contracts Overview and Current Processes.

Every student. every classroom. every day. Professional Services Contracts Overview and Current Processes.
Roles and Responsibilities

Roles and Responsibilities
An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0.

An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0.
IT Governance: COBIT, ISO17799 & ITIL. Introduction COBIT ITIL ISO17799Others.

IT Governance: COBIT, ISO17799 & ITIL. Introduction COBIT ITIL ISO17799Others.
Cloud Compliance Considerations March 24, 2015 | Jason Smith, CISSP.

Cloud Compliance Considerations March 24, 2015 | Jason Smith, CISSP.
DEVELOPING AND MAINTAINING A TITLE III POLICY AND PROCEDURES MANUAL HBCU TITLE III ASSOCIATION TECHNICAL ASSISTANCE WORKSHOP JUNE 24, 2014 Mrs. Cheryl.

DEVELOPING AND MAINTAINING A TITLE III POLICY AND PROCEDURES MANUAL HBCU TITLE III ASSOCIATION TECHNICAL ASSISTANCE WORKSHOP JUNE 24, 2014 Mrs. Cheryl.
Integrated Knowledge & Information Policy Framework iKMS Practitioners’ Conference Singapore November 10 2006.

Integrated Knowledge & Information Policy Framework iKMS Practitioners’ Conference Singapore November
Internal Control Systems

Internal Control Systems
Information Security IBK3IBV01 College 3 Paul J. Cornelisse.

Information Security IBK3IBV01 College 3 Paul J. Cornelisse.
Welcome and Introduction to the Security Task Force Peter Siegel Co-Chair, Security Task Force Chief Information Officer and Vice Provost University of.

Welcome and Introduction to the Security Task Force Peter Siegel Co-Chair, Security Task Force Chief Information Officer and Vice Provost University of.
Illuminating Britelite’s Internal Services for Success Strategy for Process Improvement.

Illuminating Britelite’s Internal Services for Success Strategy for Process Improvement.
Driving Value from IT Services using ITIL and COBIT 5 July 24, 2013 Gary Hardy ITWinners.

Driving Value from IT Services using ITIL and COBIT 5 July 24, 2013 Gary Hardy ITWinners.
THE POWER OF BEING UNDERSTOOD AUDIT | TAX | CONSULTING.

THE POWER OF BEING UNDERSTOOD AUDIT | TAX | CONSULTING.

Similar presentations

Ads by Google