Cloud Vendor Security Risk Assessments: An Update from the ...
Transcript of Cloud Vendor Security Risk Assessments: An Update from the ...
![Page 1: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/1.jpg)
Cloud Vendor Security Risk Assessments: An Update from the HEISC
Shared Assessments Working Group
Charles Escue, Indiana [email protected]
![Page 2: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/2.jpg)
• HECVAT Promotion• HEISC Shared Assessments working group
• Project inspiration & collective vision• Phase I & Phase II deliverables• Current State
• Using the HECVAT in your institution• Leveraging community strength• Securing leadership buy-in• Early HECVAT adoption successes
• What’s next for the HECVAT?• Questions
https://www.educause.edu/hecvathttps://www.ren-isac.net/hecvatAgenda
![Page 3: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/3.jpg)
Rapid Cloud Service Adoption
Proper Assessment Becoming Burdensome
Enterprise Risk Management Program Development
Vendor Risk Management Program Development
Information Security Programs Evolving Quickly
Too Much Going On!
Project inspiration came from many sources
![Page 4: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/4.jpg)
Share work done at one organization with others
Create a space for finding/sharing existing assessments
Reduce unnecessary burden, focus on critical functions
Support the HigherEd information security community
Outlining the job to be done
![Page 5: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/5.jpg)
Working group founders created a robust charter, quickly steering development efforts
Charter ObjectivesStandard Security Controls
Document
Provide a tool to facilitate HE
usage
Address unique
operations of HE
Many existing questionnaires but none that covered the broad range of subjects to the degree needed in Higher Ed
![Page 6: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/6.jpg)
Committed, Action Oriented Work Group(s)
A multi-phase development
approach
19+ Contributing Organizations
HE excitement, openness to
change, feedback
So what has it taken to forge this new opportunity for collaboration?
![Page 7: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/7.jpg)
● Jon Allen, Baylor University ● John Bruggeman, Hebrew Union College,
Jewish Institute of Religion● Charles Escue, Indiana University● Karl Hassler, University of Delaware ● Craig Munson, Minnesota State Colleges &
Universities● Mitch Parks, University of Idaho ● Laura Raderman, Carnegie Mellon University● Sandy Silk, Harvard University
● Staff Liaisons from EDUCAUSE, Internet2, and REN-ISAC:○ Joanna Grama○ Todd Herring○ Nick Lewis○ Kim Milford○ Valerie Vogel
Initial Contributors; Phase 1
![Page 8: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/8.jpg)
● Jon Allen, Baylor University ● Samantha Birk, IMS Global Learning Consortium● Jeff Bohrer, IMS Global Learning Consortium● Sarah Braun, University of Colorado – Denver● David Cassada, University of California – Davis● Matthew Dalton, University of Massachusetts
Amherst● Charles Escue, Indiana University● Kolin Hodgson, University of Notre Dame● Tom Horton, Cornell University● Leo Howell, North Carolina State University● Alex Jalso, West Virginia University● Wyman Miles, Cornell University
● Staff Liaisons from EDUCAUSE, Internet2, and REN-ISAC:○ Joanna Grama○ Todd Herring○ Nick Lewis○ Kim Milford○ Valerie Vogel
More Contributors; Phase 2
![Page 9: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/9.jpg)
Show a general workflow of 3PA
Documentation
Assessment
Approval
Reporting
Cloud Vendor /
Data Sharing Request
Onboarding
![Page 10: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/10.jpg)
We are all doing the same thing with minor changes to fit our environments
+
+
+VENDORX
MAINTAIN
![Page 11: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/11.jpg)
Using similar documentation facilitates HE sharing and reduces vendor burden
+
+
+VENDORX
MAINTAIN
HECVAT
HECVAT
HECVAT
HECVAT
![Page 12: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/12.jpg)
The Higher Education Cloud Vendor Assessment Tool (HECVAT), what is it?
A tool used to improve efficiency and consistency in vendor assessments within HE
A holistic document that covers our common operating environments in HE
An avenue to state HE expectations for security to vendors offering services in the cloud
![Page 13: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/13.jpg)
So how did the HECVAT come to life?
H.E.
Carnegie MellonUniversity
Indiana University
Other Institutions
Existing Questionnaires
CAIQ
CUTS
Reduced from 300+ to 282 questions
Performed a gap analysisagainst the CAIQ
![Page 14: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/14.jpg)
General InformationSharing Disclosure
Qualifiers*Documentation
Company Overview Third (Fourth) Parties *Consulting *PCI DSS *HIPAA *
Range from Application Security toVulnerability Scanning
CORE
Safeguards
Use Case
Generally, there are three information gathering goals
![Page 15: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/15.jpg)
Application/Service SecurityAuthentication, Authorization,
and AccountingBusiness Continuity Plan *Change ManagementDataDatabaseDatacenterDisaster Recovery Plan *
Firewalls, IDS, IPS, and NetworkingMobile Applications *Physical SecurityPolicies, Procedures, and ProcessesProduct EvaluationQuality AssuranceSystems Management &
ConfigurationVulnerability Scanning
The HECVAT covers a broad range of safeguard groups
![Page 16: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/16.jpg)
What can the HECVAT do for your organization?
Onboarding
Reporting
Assessment10/80/10
![Page 17: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/17.jpg)
There are many factors in successfully adopting the HECVAT at your institution
Security/RiskAssessmentExpectations
Data Stewards
Purchasing
Resources Skills
Policy
Leadership
![Page 18: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/18.jpg)
The HECVAT’s scope is specific and it has some limitations
Can be cumbersome for low risk evaluations
Requires committed resources to properly digest and analyze vendor responses
May not be appropriate for vendor engagements using lower-level data classifications
![Page 19: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/19.jpg)
Making the HECVAT usable for many institutions meant making it smaller
282 81HECVAT
HECVAT Lite
Short on time? Short on personnel to review? Short on budget? Short on risk?
![Page 20: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/20.jpg)
• Understanding how HECVAT questions compare to industry standards is useful
• Standards mapping enable smoother adoption of the HECVAT
• Phase 2 contributors spent countless hours creating the crosswalk of six initial standards
Many institutions have some assessment capability; how can the HECVAT fit in?
CIS 20 Critical Security Controls (v6.1)HIPAAISO 27002:2013NIST Cybersecurity Framework (CSF)NIST SP 800-53r4NIST SP 800-171r1
![Page 21: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/21.jpg)
Staff Liaisons from EDUCAUSE, Internet2, and REN-ISAC truly support the effort!
NET+CLOUD
BROKER INDEX
COMMS&
THE REST
![Page 22: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/22.jpg)
Pilot use began
October 2016
Exclusive use of HECVAT for all third-party assessments
began January 2017
HECVAT-Lite released in May 2017; used in RFP
process when appropriate
As of September 2017, we
have received 34 populated
HECVATs
Next Step:Matching HECVAT
standards crosswalk to IU program
After That: Improve
assessment reporting for
HECVAT standards
HECVAT & HECVAT-LiteV1.06 released October 2017
Indiana University was one of the first adopters of HECVAT; we saw immediate improvement
![Page 23: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/23.jpg)
What will Phase 3 efforts focus on?
Cloud Broker Index Support and Usage
Obstacles to adopt HECVAT at your
institutionHECVAT & HECVAT-Lite Use and Participation
![Page 24: Cloud Vendor Security Risk Assessments: An Update from the ...](https://reader033.fdocuments.us/reader033/viewer/2022051402/627c562ea4468107b3293ffb/html5/thumbnails/24.jpg)
Cloud Vendor Security Risk Assessments: An Update from the HEISC
Shared Assessments Working Group
Charles Escue, Indiana [email protected]
Questions?