Published by Tyrell Ashwill. Modified over 9 years ago.
1
200 International Dr., Buffalo, NY 14221-5794 (716) 634-8800 www.dopkins.com Email: wprohn@dopkins.com
Lifting the Fog to See the Cloud
Information Security in a Hosted Environment
William Prohn, Managing Director
Thomas O’Connor, Consultant
2
Background
William M. Prohn, CISSP®, CISA®, CGEIT®, CRISC®, Managing Director, Dopkins System Consultants
Thomas M. O’Connor, B.S. Accounting Information Systems, M.S. Forensic Accounting, Consultant, Dopkins System Consultants
3
Agenda
Introduction to the Cloud
Benefits & Challenges in the Cloud
Certifications
ISACA Knowledge Center
HIPAA
 o HITECH
 o HITRUST
4
What is That?
“But now they only block the sun
They rain and snow on everyone
So many things I would have done
But clouds got in my way
I've looked at clouds from both sides now
From up and down, and still somehow
It's cloud illusions I recall
I really don't know clouds at all”
– Joni Mitchell, “Both Sides Now”
5
Introduction to the Cloud
Simple Definition: Using the internet
Replace the term ‘in the cloud’ in a statement with ‘on the internet’
We all use the ‘cloud,’ we just might not know it
The term originates from network diagrams (US Patent US_5485455)
Alternate: Utilizing third party resources accessible through the internet
6
Why Move to the Cloud?
Reduce storage and archive costs
Allow for remote access
Allow for collaboration
Improve search efficiency
24/7 Access and support
Increased security with redundancy
Reduce administrative overhead
It’s All About the Compromise
7
The Role of the Auditors
Oversee and provide input on governance
Consideration of security
COBIT Objectives: May be concerned with any of the COBIT objectives
IT Planning, Budgeting, Risk Assessment, Feasibility, Service Level Management, Business Continuity, Physical Environment, IT Governance
8
What Moves to the Cloud?
Applications & Software
 o Software as a Service [SaaS]
Servers & IT Personnel
 o Infrastructure as a Service [IaaS]
Programming languages, libraries, tools and services
 o Platform as a Service [PaaS]
9
Controls
The compromise with each benefit is risk
Controls are a response to that risk
Are the controls designed and implemented appropriately?
Are they operating effectively?
10
Controls
ITGC audits typically focus on identifying and testing controls
Manage Changes
 o Are changes authorized, tested and monitored?
Logical Access
 o Is privileged access restricted to appropriate users?
Other IT Operations
 o Is critical data regularly backed up?
 o Are incidents reported and addressed timely?
11
Challenges in the Cloud
What about controls in a hosted environment?
Who owns the data?
Who has access to the data? [i.e. CSP] [i.e. Data Center] [i.e. System Admin]
New Risks | New Controls | New Audit Steps
12
Challenges in the Cloud
What about controls in a hosted environment?
Who is responsible for backing up the data?
What about incidents?
New Risks | New Controls | New Audit Steps
13
Challenges in the Cloud
Service Level Agreements
End-User Licensing Agreements
Alternate providers
 o Bankruptcy
 o Acquisition
Threats to CSPs
Disaster Recovery & Business Continuity
-- Gartner: 1-in-4 Vendors Will Be Gone By 2015
14
Challenges in the Cloud
Cyber Security Insurance
31% of companies have a cyber security insurance policy [1]
39% planned to purchase a policy within a year
‘Cloud Protection’ policies gaining popularity
Cloud Coverage Typically Includes:
Loss of income due to vendor down time
Costs associated with procuring new vendor
Costs of migrating to new vendor
[1] Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age -- (Ponemon Institute & Experian), August 2013
15
Certifications & Compliance
16
Certifications & Compliance
HIPAA: Protected Health Information; Business Associate Agreements
PCI DSS: Payment Card Transactions
ISO 27001:2005: International Information Security Standard
17
ISACA Knowledge Center
Topical Coverage:
 o Governance affecting cloud computing
 o Contractual compliance
 o Control issues specific to cloud computing
COBIT & COSO Cross-references
Intended to complement other audit(s)
One of 25+ ISACA audit programs available: ISACA Cloud Computing Management Audit/Assurance Program
18
Auditing in the Cloud
Service Provider Responsibilities
Service Level Agreements (SLAs)
Performance and frequency of risk assessments
Compliance and Audit: Right to Audit
Third-party Reviews
Compliance
ISO 27001 Certification
19
Auditing in the Cloud
Incident Response, Notification and Remediation
Review of SLAs
Legal and regulatory compliance
Data Security
Encryption
Identity and Access Management
20
HIPAA & HITECH
21
HIPAA
Health Insurance Portability and Accountability Act
Established in 1996 by the Clinton Administration
Makes it easier for workers to maintain insurance coverage when changing jobs (portability)
This is facilitated by digital files and electronic data
This requires a level of security
22
HIPAA
Health Insurance Portability and Accountability Act
Applies to health care organizations (HCOs): PROVIDERS and INSURERS
Specifically EXCLUDES Workers’ Compensation
Does NOT apply to medical records in other contexts, like employers
23
HIPAA
Health Insurance Portability and Accountability Act
Three Rules that are relevant to compliance:
EDI Rule
ICD-9
ICD-10
24
HIPAA
Health Insurance Portability and Accountability Act
Privacy Rule
HCOs must “Reasonably safeguard” patient data
25
HIPAA
Health Insurance Portability and Accountability Act
Security Rule
Protect the Confidentiality, Integrity and Availability of Protected Health Information against “reasonably anticipated threats or hazards”
Access Controls
Audit Controls
Authentication
Transmission Security
26
HITECH
Health Information Technology for Economic and Clinical Health
Enacted in 2009 as part of economic stimulus legislation
Gives grant money to HCOs to implement new technologies such as EHR
Creates fines and sanctions for HIPAA violations to pay for the grants
27
HITECH
Health Information Technology for Economic and Clinical Health
Broadens the scope of HIPAA to include “Business Associates” of HCOs
 o accountants, lawyers, consultants
 o “create, maintain, receive or transmit”
 o “Cloud” even if they disclaim access
New data breach notification rules
Enforcement is on a “contingent fee” basis: HHS gets to keep the money
28
HIPAA Specific Controls Required:
Risk Analysis/Risk Management
Sanction Policy
Incident Response/reporting process
Data Backup plan
Disaster Recovery Plan
Data disposal/media re-use
Written contracts with Business Associates
29
Common Security Framework (CSF)
A certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
The Common Security Framework (CSF) harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC).
As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry.
www.hitrustalliance.net
30
Questions