
Development of a Clean Room/Highly Restricted Zone
June 12, 2012
Thomas Garrubba - CVS Caremark; Manager, Technical Assessments Group
©2011 The Shared Assessments Program. All Rights Reserved.

What is it?

Clean Rooms (aka Highly Restricted Zones) are specially secured environments offered in offshore development centers (ODC) from which client projects are executed. Offshore staff work with applications, data, and resources on the client’s network from within this secure environment. The area is usually configured for a predetermined number of seats in order to keep access to such data to a minimum. Because of the additional controls required, additional costs are usually incurred.

Who…Where…Why…How?

Who is using a CR/HRZ?
- Companies looking to reduce IT support costs by allowing vendors with proven security to access non-test/QA data via their offshore resources.

Where are CR/HRZs being utilized?
- Many are used at offshore vendor locations, but some companies are utilizing such facilities domestically at “state-side development centers” (SDC).

Why are companies using it?
- It assists companies in meeting their cost reduction objectives while implementing a safe and secure IT support environment.

How are CR/HRZs being used?
- Many companies are currently utilizing CR/HRZs for their production support, unless prohibited by client contracts or other legal obligations.

The Development Process

Get an understanding as to scope (i.e., what data is to be accessed by your offshore vendor):
- Talk to both the BU and the Vendor to understand what applications will be supported and what the client requirements are (i.e., what is to be accessed by your offshore vendor).
- Insist you’re kept in the loop during the scoping process; that is, continue to converse with both the BU and the Vendor!

Start an assessment of the Vendor with the SIG:
- Use the Shared Assessments SIG Questionnaire to vet the vendor, with a 100% test of controls.

Perform an onsite inspection of the facility:
- Do this for both the primary facility housing the CR/HRZ and, if possible, the B/U (backup) site.

The Development Process

Identify additional enhancements that you, IT Security, Privacy, Compliance, etc., feel need to be included to make this facility as close as possible to your own centrally managed facility:
- General Security
- Physical Security
- Network Security
- IT Security
- Incident Management
- Business Continuity/Disaster Recovery
- Data Privacy
- Access Controls
- Personnel

The Development Process

Once you’ve identified the additional controls, establish them as your standard:
- Work with the proper management levels of IT, IT Security, Compliance, Privacy, etc., to obtain buy-in.
- Publish/promulgate these upon completion.
- Use these new guidelines (standards) to certify the Room at least annually, to ensure it continues to meet the requirements you’ve established.

Examples to Consider

- Your Company and the Vendor ensure proper measures will be taken to erase all data on client systems prior to decommissioning, or upon release of a person from the project.
- All printing capabilities are disabled on the desktops.
- No Internet access from the CR/HRZ desktops.
- No laptops/storage media are allowed inside the CR/HRZ.
- The secured area is restricted to dedicated personnel via electronic card-key security, with badge access required for both entry and exit.
- Auditable logs are to record all entry and exit events in the CR/HRZ and are stored for a period agreed between the Vendor and your company.
- Printers are not to be installed in, or accessible from, the CR/HRZ.
- Removable media devices, PDAs, laptops, external storage devices, cameras or camera cell phones, and personal mobile phones are not allowed in the CR/HRZ.
- A security guard is to be stationed on the floor of the CR/HRZ with direct line of sight to the entrance/exit of the CR/HRZ.
- Closed-circuit TV must be installed at the entry/exit of the CR/HRZ.
- LAN security may be established by creating a logically segregated network.
- Wireless access points are not allowed within the CR/HRZ network.
- There is to be no Internet access from the CR/HRZ.
- A dedicated switch for the LAN connectivity of CR/HRZ desktops must be established.
- MAC binding is to be enforced on all desktops located in the CVS Caremark CR/HRZ.
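The badge-access and auditable-log items above only pay off if someone actually reviews the entry/exit records. The script below is an added example, not part of the original presentation: it audits a constructed card-key export (one CSV line per event, an assumed `timestamp,badge,action,door` layout) for badges that are not on the dedicated-personnel roster, a second ENTRY without an intervening EXIT (anti-passback), an EXIT with no matching ENTRY (someone tailgated in), and anyone still inside when the log ends. The roster, badge numbers and door name are all constructed placeholders.

```python
"""Badge-log audit for a CR/HRZ entry/exit control.

Added example, not part of the original presentation. It assumes the card-key
system exports one CSV line per event as: timestamp,badge,action,door, where
action is ENTRY or EXIT and both entry and exit require a badge swipe.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass
class BadgeEvent:
    ts: datetime
    badge: str
    action: str   # "ENTRY" or "EXIT"
    door: str


def parse_badge_log(text: str) -> list[BadgeEvent]:
    """Parse the exported CSV text into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, action, door = line.strip().split(",")
        events.append(BadgeEvent(datetime.fromisoformat(ts), badge, action, door))
    events.sort(key=lambda e: e.ts)
    return events


def audit_badge_log(events: list[BadgeEvent], roster: set[str]) -> list[tuple[str, str]]:
    """Return (finding_kind, badge) pairs for every control violation found.

    Kinds: unknown_badge       - badge not on the dedicated-personnel roster
           double_entry        - ENTRY while already inside (anti-passback)
           exit_without_entry  - EXIT with no open entry (likely tailgated in)
           no_exit             - still inside at the end of the log
           unknown_action      - action other than ENTRY/EXIT
    """
    findings = []
    inside: dict[str, datetime] = {}   # badge -> timestamp of the open entry
    for e in events:
        if e.badge not in roster:
            findings.append(("unknown_badge", e.badge))
        if e.action == "ENTRY":
            if e.badge in inside:
                findings.append(("double_entry", e.badge))
            inside[e.badge] = e.ts
        elif e.action == "EXIT":
            if e.badge in inside:
                del inside[e.badge]
            else:
                findings.append(("exit_without_entry", e.badge))
        else:
            findings.append(("unknown_action", e.badge))
    for badge in inside:
        findings.append(("no_exit", badge))
    return findings


# Constructed sample export (not a real log). ROSTER holds the approved badges.
ROSTER = {"B1001", "B1002", "B1003"}
SAMPLE_LOG = "\n".join([
    "2012-06-12T08:01:10,B1001,ENTRY,CRHRZ-DOOR1",
    "2012-06-12T08:02:30,B1002,ENTRY,CRHRZ-DOOR1",
    "2012-06-12T12:15:00,B1001,EXIT,CRHRZ-DOOR1",
    "2012-06-12T12:16:05,B1003,EXIT,CRHRZ-DOOR1",   # never badged in
    "2012-06-12T13:00:00,B1002,ENTRY,CRHRZ-DOOR1",  # already inside
    "2012-06-12T17:30:00,B1002,EXIT,CRHRZ-DOOR1",
    "2012-06-12T17:31:00,B9999,ENTRY,CRHRZ-DOOR1",  # not on roster, never leaves
])


def run_sample() -> list[tuple[str, str]]:
    """Run the audit over the constructed sample; returns four findings."""
    return audit_badge_log(parse_badge_log(SAMPLE_LOG), ROSTER)


if __name__ == "__main__":
    for kind, badge in run_sample():
        print(f"{kind:20s} {badge}")
```

Because exit requires a swipe too, every "exit without entry" is a tailgating indicator that the guard and CCTV controls can then be checked against; the open-session check at the end is what makes a daily or shift-end review meaningful.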

Examples to Consider

- All systems are to be installed with the standard client firewall, and anti-virus is deployed to prevent threats.
- The Vendor is to perform a network vulnerability analysis/scan (NVA) semi-annually on internal networks and systems.
- The Vendor is to install intrusion detection and/or prevention systems (IDS/IPS) on all CVS Caremark CR/HRZ networks to monitor for network intrusions.
- The Vendor is to review all firewall and IDS/IPS logs daily for any violations.
- The Vendor is to review network resource access lists and audit logs quarterly.
- There are to be no local “Admin” rights assigned to users; that is, Windows Group Policy Objects (GPO) must be used to ensure all users have appropriate privileges. A monthly review of this list must be performed jointly by the Vendor and your Company.
- Your Company and the Vendor establish a defined Incident Response Plan and a Service Level Agreement (SLA) for incident responses.
- The Vendor’s recovery site implements controls identical to those of the production CR/HRZ.
- Copy/paste and drive mapping are disabled.
- Production data access is provided only through your Company’s network access environment (e.g., Citrix).
- The Vendor performs quarterly reviews of logical access rights and reports exceptions to your Company’s CPO/CISO.
- Formalized training is performed annually for all CR/HRZ employees handling sensitive data.
- Stringent background checks (criminal, academic, and work history) are performed prior to working within the CR/HRZ.
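Several of these items combine into one daily check: the CR/HRZ has no Internet access, production data is reached only through the Citrix environment, and firewall logs are reviewed every day for violations. The script below is an added example, not part of the original presentation: it reviews constructed firewall log lines and flags any flow originating in the CR/HRZ segment that reaches (or tries to reach) a non-RFC1918 address, or that is accepted to an internal service outside a short allow list. The log-line format, the CR/HRZ subnet `10.50.1.0/24`, the Citrix gateway `10.10.0.5` and the other internal addresses are all assumptions standing in for whatever your environment uses.

```python
"""Daily firewall-log review for a CR/HRZ network segment.

Added example, not part of the original presentation. It assumes the firewall
logs one line per flow as
  "<Mon DD HH:MM:SS> <host> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<TCP|UDP> dport=<n>"
and that the addresses below are placeholders for your own environment.
"""
from __future__ import annotations

import ipaddress
import re

# Assumed addressing (placeholders): the dedicated CR/HRZ segment and the only
# internal destinations its desktops are permitted to reach.
CRHRZ_NET = ipaddress.ip_network("10.50.1.0/24")
ALLOWED_FLOWS = {
    ("10.10.0.5", "TCP", 443),   # Citrix access gateway: the sole path to production data
    ("10.50.0.2", "UDP", 53),    # internal DNS
    ("10.50.0.10", "TCP", 389),  # domain controller (LDAP) for GPO/authentication
}
# Anything outside RFC1918 space is treated as "the Internet" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<verdict>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def review_firewall_log(lines: list[str]) -> list[tuple[str, str, str, int]]:
    """Return (kind, src, dst, dport) findings for flows leaving the CR/HRZ.

    Kinds: internet_egress_allowed  - flow to a public address was ACCEPTed (rule gap)
           internet_egress_attempt  - flow to a public address was DROPped (policy held,
                                      but a desktop tried)
           unapproved_internal_flow - ACCEPTed flow to an internal service not on the list
           unparsed                 - line did not match the expected format
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(("unparsed", line, "", 0))
            continue
        src = ipaddress.ip_address(m["src"])
        if src not in CRHRZ_NET:
            continue   # only flows originating inside the CR/HRZ are in scope here
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        accepted = m["verdict"] == "ACCEPT"
        if not is_internal(dst):   # the CR/HRZ must have no Internet access at all
            kind = "internet_egress_allowed" if accepted else "internet_egress_attempt"
            findings.append((kind, str(src), str(dst), dport))
        elif accepted and (str(dst), m["proto"], dport) not in ALLOWED_FLOWS:
            findings.append(("unapproved_internal_flow", str(src), str(dst), dport))
    return findings


# Constructed sample log lines (not from a real firewall; public IPs are documentation ranges).
SAMPLE_LINES = [
    "Jun 12 09:00:01 fw1 ACCEPT src=10.50.1.23 dst=10.10.0.5 proto=TCP dport=443",   # Citrix, fine
    "Jun 12 09:00:02 fw1 ACCEPT src=10.50.1.23 dst=10.50.0.2 proto=UDP dport=53",    # DNS, fine
    "Jun 12 09:05:17 fw1 DROP src=10.50.1.41 dst=203.0.113.50 proto=TCP dport=443",  # blocked Internet attempt
    "Jun 12 09:06:40 fw1 ACCEPT src=10.50.1.41 dst=198.51.100.7 proto=TCP dport=80", # Internet flow got through
    "Jun 12 09:10:03 fw1 ACCEPT src=10.50.1.23 dst=10.20.3.9 proto=TCP dport=445",   # SMB to a non-approved host
    "Jun 12 09:11:00 fw1 ACCEPT src=10.20.3.9 dst=10.50.1.23 proto=TCP dport=3389",  # inbound, out of scope
    "Jun 12 09:12:00 fw1 some unrelated syslog text",                                 # format change
]


def run_sample() -> list[tuple[str, str, str, int]]:
    """Review the constructed sample; returns four findings."""
    return review_firewall_log(SAMPLE_LINES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The "unparsed" finding matters as much as the others: a vendor-side firmware change that alters the log format would otherwise silently turn the daily review into a no-op. An accepted SMB flow to an unlisted host is the kind of thing the "drive mapping disabled" control is meant to prevent, so it is reported even though the destination is internal.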

Questions/Answers

