Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 ISO 27001 FedRAMP CCM
Cloud Security Alliance Q1’12 Chapter Meeting
1
Tweet #csamtg
Welcome
Definition of some commonly used, but often misunderstood terms.
Subject matter might be controversial.
Please make a note of the page number, jot down your thoughts, and hold questions and comments for the discussion period (only 30 seconds per slide!).
OR tweet #csamtg with slide number X and your question or comment
2
Please keep clean?
Standard: stand·ard [stan-derd], noun. 1. something considered by an authority or by general consent as a basis of comparison; an approved model.
3
Who Defines Standards?
What does it mean to have a clean house?
Who should decide?
• Occupants of the house
• Independent authority or general consent
4
Why not?
Standards
“Clean” Defined by Occupant: 1. Self defined (not a standard by definition)
• No clutter
• Clean floors
• No food left on the counter
5
Bare Minimum
Standards
“Clean” Defined by Authority: 2. Broad objectives
• No clutter
• No dishes in the sink
• Clean floors
• No dust
• No food left on the counter
• Everything in its place
6
Get to decide what this means to you.
Standards
“Clean” Defined by Authority (cont.): 3. More detailed
• No clutter
  o No clothes on the floor
  o Beds must be made
  o No excessive trinket collection or picture hanging
• No dishes in the sink
  o Dishes must be placed in the dishwasher immediately
  o Sink must be washed after use
• Clean floors
  o Carpeted floors must be vacuumed daily
  o Tiled floors must be cleaned daily with bleach
  o Baseboards must be wiped down with a rag by hand
• No dust
  o All furniture surface areas must be dusted daily
  o The inside of the refrigerator, stove, and all appliances must be wiped daily
7
Sometimes not applicable
Standards
“Clean” Defined by Authority (cont.): 4. Hybrid – Even More Detailed in some areas, but not applicable in others
• No clutter (In the kitchen)
  o Nothing on the floor
  o No counter top appliances
  o Range must be electric
  o All appliances must be stainless steel
• No dishes in the sink
  o Sink must not be used for washing dishes
  o Dishwasher must be commercial quality
• Clean floors (In the kitchen)
  o Floors must be cleaned daily with bleach
  o Baseboards must be wiped down with a rag by hand
  o Anti-bacterial spray must be used daily
• No dust (In the kitchen)
  o The outside of the refrigerator, stove, and all appliances must be wiped daily
  o The inside of the refrigerator, stove, and all appliances must be wiped daily
• Bedrooms, living rooms, den, bathrooms, etc. (N/A)
8
Assurance: as·sur·ance [uh-shoor-uhns, -shur-], noun. 1. a positive declaration intended to give confidence.
9
Assurance
1. My house is clean.
2. His house was clean when I inspected it.
3. His house was clean all last year.
4. His house is continually clean.
10
What about after?
Really?
What about before?
What about after?
How do you know?
Assurance
“My house is clean.” Self Assessment or Management Attestation
• High risk – Low Reliability
• Requires high degree of trust in the person making the attestation
• Lack of accountability. Leads to cutting corners because no one is looking.
11
Assurance
“His house was clean when I checked.” Third Party Attestation (Point in Time)
• Medium Risk & Reliability
• Provides minimal if any assurance, and still requires trust.
• Lack of accountability. Leads to cutting corners when no one is looking.
12
Assurance
“His house was clean all last year.” Third Party Attestation (Period of Time)
• Low Risk – High Reliability
• “Trust, but verify”: provides reasonable assurance.
• Accountability exists. When corners are cut, there is a high likelihood of being caught.
13
Assurance
“His house is continually clean.” Perpetual Validation (Real Time - Utopia)
• Little to No Risk – Very High Reliability
• Provides near absolute assurance, and does not require trust
• Accountability exists. Corners cannot be cut, or there is a certainty of being caught.
14
Certified: cer·ti·fied [sur-tuh-fahyd], adjective. 1. having or proved by a certificate; 2. guaranteed; reliably endorsed.
15
I am a CISA. Does ISACA guarantee my work?
Which Assurance Should “Certified” Belong To?
1. Self Assessment
2. Third Party Attestation – Point in Time
3. Third Party Attestation – Period of Time
4. Perpetual Validation – Real Time Utopia
16
Please tweet answer.
Security Standards & Assurance

Standard                               | Standard Category                                                          | Assurance
CSA STAR (CCM, CAIQ, etc.)             | More Detailed                                                              | Self Assessment
NIST/FedRAMP                           | More Detailed                                                              | Self Assessment
COBIT                                  | Broad Objectives                                                           | Self Assessment
HIPAA / HITRUST                        | Broad Objectives                                                           | Point in Time
ISO 27001                              | Broad Objectives                                                           | Point in Time
PCI-DSS                                | Hybrid – Focused on cardholder data environments                           | Point in Time
AICPA SSAE 16 - SOC1 (formerly SAS70)  | Self Defined (N/A – Controls Related to Financial Statement Accuracy Only) | Type 1 – Point in Time; Type 2 – Period of Time
AICPA SSAE 10~14 – SOC2/SOC3           | Broad Objectives: Trust Services Principles & Criteria (TSPC)              | Type 1 – Point in Time; Type 2 – Period of Time
17
Issues Created for Service Organizations
• Forced to satisfy customer’s need for assurance with multiple standards and audits.
• Wasting time scheduling and supporting external auditors from multiple firms.
• Wasting time scheduling and supporting audits by customers exercising their “right to audit.”
• Lack of clarity and confusion regarding customer expectations.
18
Is there a “Silver Bullet” to Satisfy Everyone?
No.
Governing bodies will always require their own standards and reports (i.e. VISA and Mastercard require PCI, the Federal Government requires HIPAA compliance).
Customers have to provide their external auditors reports that meet their requirements.
19
What can be done to reduce the burden of compliance?
• Take the best from each available Standard and Assurance
• Get Period of Time Assurance with More Detailed Standards
20
How?
What can be done to reduce the burden of compliance?
Use SOC2 Type 2 Report as the Assurance wrapper for any or all of the following:
  o ISO 27002
  o CSA CCM
  o PCI-DSS
  o HITECH
  o NIST/FedRamp
21
What? Who would test? Accountants?
What good would it do? Reports come from separate auditors.
SOC2 and “Additional Subject Matter”
• The SOC2 Attestation Standard (AT-101 or SSAE 10~14) allows for inclusion of other standards
• CPA firms can partner with QSAs and ISO registrars to conduct testing together, eliminating testing redundancy
22
Is this even allowed? Yes… “Technical Specialists” (AT-101)
Is there much overlap in standards? Yes. (PCI-DSS / TSPC)
SOC2 and “Additional Subject Matter”
• At the end of the engagement, organizations receive a SOC2 report that covers a period of time
• AND they receive separate reports covering the other standards, i.e. PCI-DSS (ROC) and / or ISO 27001 Certificate
23
SOC2 and “Additional Subject Matter”
• One core set of audit work serves as the basis for multiple reports
• Customers receive:
  o Solid detail that great standards like CSA CCM provide
  o Little to No Risk – Very high reliability provided by period of time testing
  o Specific reports to satisfy everybody
  o International Acceptance
24
Objectors Say
CPA firms that are not competent to perform CSA STAR, ISO 27001, PCI-DSS, etc. testing are not competent to accept the engagement referencing SAS 73 as the Technical Specialist guideline CPA firms must follow.
We say, the AICPA provided for the use of technical specialists in AT-101, and the standard is clear. The use of specialists to demonstrate competence is allowed.
25
AT-101: “This knowledge requirement may be met, in part, through the use of one or more specialists on a particular attest engagement if the practitioner has sufficient knowledge of the subject matter (a) to communicate to the specialist the objectives of the work and (b) to evaluate the specialist's work to determine if the objectives were achieved.”
Objectors Say
ISO 27001 is a real time assurance because the certificate is valid for three years.
We say, read the fine print. The certificate is void if any of the terms in the certificate agreement are broken. See - "Proof that ISO 27001 is a Point-in-Time Assurance"
26
Objectors Say
Period of Time assurance is no better than Point in Time assurance because both are “dated”, meaning they are irrelevant even before they are issued.
We say, the discipline that is instilled in an organization that knows there is an increased likelihood of being caught when they stray shifts culture in the direction of better security.
27
Discussion & Reading
28
The Risk Assurance Revolution has Begun: http://riskassuranceguy.blogspot.com/2012/01/risk-assurance-revolution-has-begun.html
SOC Reports: The customer is always right: http://turnkeyit.blogspot.com/2012/01/soc-reports-customer-is-always-right.html
Standards, Audits, and Certifications: Which One is Right?: http://www.infosecisland.com/blog/show/slug/19296-Standards-Audits-and-Certifications-Which-One-is-Right/page/2.html
When I See a Can in the Road, All I Want to do is Smash It: https://www.infosecisland.com/blogview/19769-When-I-See-a-Can-in-the-Road-All-I-Want-to-do-is-Smash-It.html
Why Data Centers Don't Need SSAE 16: https://www.infosecisland.com/blogview/16080-Why-Data-Centers-Dont-Need-SSAE-16.html
Why Data Centers Need SSAE 16: https://www.infosecisland.com/blogview/16952-Why-Data-Centers-Need-SSAE-16.html
SOC 2 for Cloud Computing: https://www.infosecisland.com/blogview/17174-SOC-2-for-Cloud-Computing.html
AICPA Fumbles Audit Standards at the 5-Yard Line: http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/
Good Reading:
http://www.schrammassurance.com/wp-content/uploads/2012/01/11-Schramm-SAS70-to-AT101-KLv4.pdf
http://cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/StandardsImplementationGuidance
CSA Atlanta Chapter Q1’12 Meeting Feedback:
http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=91992030&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&trk=group_most_recent_rich-0-b-ttl&goback=.gmr_3664160
http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=46520870&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&goback=.gmr_3664160.gde_3664160_member_91992030
LinkedIn Group on SOC Reports: http://www.linkedin.com/groups/SOC-formerly-SAS70-Reports-4223260?
The Cloud Security Alliance Governance, Risk, and Compliance (CSA GRC) Stack
• A suite of four integrated and reinforcing CSA initiatives (the “stack packages”) – The Stack Packs
  o Cloud Controls Matrix
  o Consensus Assessments Initiative
  o Cloud Audit
  o CloudTrust Protocol
• Designed to support cloud consumers and cloud providers
• Prepared to capture value from the cloud as well as support compliance and control within the cloud
7 Oct 2011 Page 29 The CSA GRC V2.0 Workshop | Ron Knode
The CSA GRC Stack
Bringing the Stack Pack Together

Delivering                                                     | Stack Pack                       | Description
Continuous monitoring … with a purpose                         | CloudTrust Protocol              | Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Claims, offers, and the basis for auditing service delivery    | Cloud Audit                      | Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Pre-audit checklists and questionnaires to inventory controls  | Consensus Assessments Initiative | Industry-accepted ways to document what security controls exist
The recommended foundations for controls                       | Cloud Controls Matrix            | Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
30
CSA GRC Value Equation
Contributions for Consumers and Providers
• What control requirements should I have as a cloud consumer or cloud provider?
• How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
• How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
• How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?
• Individually useful
• Collectively powerful
• Productive way to reclaim end-to-end information risk management capability
(Figure: spectrum from “Static claims & assurances” to “Dynamic (continuous) monitoring and transparency”)
31
Using the GRC Stack
Making the Stack Pack Approach Work for You
• Easy to get started
• Many successful combinations
• Benefits accrue with each stack pack addition
• Multiple alternatives to application and deployment
• Mapped across multiple compliance mandates
32
GRC Stack 2011 Recap
• GRC Stack Training Courses offered across US and Europe
• Cloud Security Alliance acquires CTP from CSC (July)
• CCM 1.2 released (August)
• CAIQ 1.1 released (September)
GRC Stack 2012
• CCM v1.3
• CAIQ and CCM migrating to database format
• More GRC Stack Training Courses (TBA)
• 2012 CTP Roadmap release – Volunteer opportunities and more details will be announced in Q1
https://cloudsecurityalliance.org/research/grc-stack/
Also New for 2012
https://cloudsecurityalliance.org/star/
The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud service providers. It helps users assess the security of cloud providers they currently use or are considering contracting with. It is a simple but powerful idea: cloud providers post self assessments of their cloud services, CSA makes these assessments publicly available, and cloud consumers can use this data to make informed purchasing decisions. It supports CSA GRC Stack, AICPA SOC, ISO 27001, FedRAMP, etc.
2012 CSA Conferences
CSA Summit 2012 at RSA-USA, February 27 – March 2, Moscone Center - San Francisco
Contact
Help Us Secure Cloud Computing
– www.cloudsecurityalliance.org
– [email protected]
– LinkedIn: www.linkedin.com/groups?gid=1864210
– Twitter: @cloudsa
About Us
38
Phil Agcaoili, @hacksec