Cloud Information Governance: Alleviating Risk and Staying Compliant (Keep Cloud Compliant handbook)
7/29/2019 Cloud Information Governance Alleviating Risk and Staying Compliant_hb_final
1/13
Handbook
CONTENTS
1 Editor's Note
2 Extending Information Governance Controls to the Cloud
3 Due Diligence, Provider Research Key to Compliance in the Cloud
4 Three Steps to Maintain GRC During Cloud Deployment
Keep Cloud Compliant
Moving operations to the cloud is an increasingly popular way to save money and other resources. It also requires dramatic changes to traditional information governance and risk practices.
1 EDITOR'S NOTE
Security Risks, Compliance a Major Cloud Concern

Organizations today generate and are responsible for more data than ever before, forcing companies to turn to cloud-based options to reduce data management costs. Cloud computing has proven valuable from a data storage standpoint, but it also raises numerous questions about information governance. Most importantly, organizations must ensure the data they are entrusting to the cloud is still handled according to their compliance and security guidelines.

That delicate balancing act isn't always easy. Organizations must determine where their data management and security responsibilities end, and where those of the cloud provider begin. In this SearchCompliance handbook, we examine how organizations can adapt information governance processes to the cloud to alleviate data risk and remain compliant with myriad regulations.

In our first article, ARMA International CEO Marilyn Bier discusses information governance controls in the cloud, including how to hold your cloud provider accountable.

In our second article, Christine Parizo examines how moving operations to the cloud influences data security processes, what security-related questions you need to ask cloud providers and the cloud contract wording that helps ensure security.

In our third article, Ed Moyle outlines how compliance officers can ensure their companies adhere to regulations and reduce risk after moving operations to the cloud.

As the cloud increasingly becomes a valid data management option, we hope you find this useful in helping your organization stay compliant and reduce data-related risk.

Please write to me at [email protected].

Ben Cole
Editor, SearchCompliance.com
2 CLOUD CONTRACTS
Extending Information Governance Controls to the Cloud

All organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance and monitor strategic initiatives. This critical information resides in the organization's business records.

Good information governance controls are difficult enough to apply inside an organization, even when it is using its own best-practices tool set. While it is possible to manage aspects of the lifecycle and disposition of the information that resides in the cloud, these rules become more difficult to enforce.

"Proper information governance requires a centralized control point, as well as effective enforcement, for an organization's records management tool set to be effective," said Brent Gatewood, owner of consultIG, in a recent issue of Information Management magazine. "Today, the controls in place with most SaaS [Software as a Service] providers are too non-specific. The controls in place are collection-focused and largely managed according to the provider's rules, not those of the organization whose information is being stored."

To satisfy the information governance needs of most organizations, control and management of data in the cloud should reside inside the organization itself and extend to cloud-based repositories. A centralized tool managing lifecycle rules for the organization needs to have the proper hooks into the data residing in the cloud. These tools need to have a complete view of the information owned by the
organization to be responsive to internal and external requests.

According to Gatewood, "The reality is this: The tools may not exist, but organizations are moving, or have already moved, data into the cloud. Data relationships and management controls inside of organizations are more important than ever. Unless the management controls are already in place, it is unlikely that individuals are going to seek advice about extending controls to cloud-based repositories."

Cloud computing is not going away. It can be a valuable tool, but a tool that needs to be understood and managed. Applying information governance controls, with the proper relationships in legal and information technology and services, can help to reasonably manage information in the cloud.

CLOUD PROVIDER ACCOUNTABILITY

Gatewood recommends that organizations considering a cloud-based initiative, or reviewing a solution already in place, find answers to the following questions about contracts, audit controls and integration points:

Contracts:
• What service are we contracting for and what are the vendor's records management and compliance obligations?
• What kind of data controls does the vendor have in place?
• How is information destroyed?
• Can we set minimum and maximum retentions and at what level?
• Are there secure destruction options?
• What are the vendor's policies for backups, replication or failover?
• How do we confirm disposition takes place on a timely basis and according to our rules?

Audit controls:
• What is the provider's internal audit process?
• How often is the provider audited by external agencies?
• What standards is the provider held to?
• Is the vendor open to being audited for compliance? (If not, this may be a sign of bigger issues.)

Integration points:
• Is the vendor open to integration with our systems and applications?
• Has the vendor integrated with any systems that provide a structure for compliance?

Organizations must also consider if the vendor's policies and procedures related to the handling and management of information are acceptable. If they are not, Gatewood believes the organization should either move the data elsewhere or require an auditable change that meets its needs.

Gatewood also recommends that organizations require a data map that details where the information resides. Data maps can be complicated because they detail what is often a complex infrastructure that might involve third-party relationships specific to your data, but the effort to review them is definitely worthwhile.

Marilyn Bier
3 PROVIDER NEGOTIATIONS
Due Diligence, Provider Research Key to Compliance in the Cloud

Organizations generate more data than ever before through applications, email and other computing tasks. Faced with flat IT budgets, companies are turning to the cloud for storage, software and infrastructure.

This is much to the chagrin of the compliance department, which wakes up in cold sweats thinking about data security. Experts agree, however, that by conducting due diligence, companies can minimize their cloud-related risk.

"Your security teams have to satisfy themselves that what the cloud provider is doing on a routine basis meets or exceeds what they'd do on premise," said John Howie, chief operating officer of the Cloud Security Alliance.

But enterprises are limited in how they can conduct this due diligence. For example, a cloud provider audit may not be possible because the provider doesn't want hordes of customers tromping through its data centers. Penetration testing could also shut down an enterprise's service because the cloud provider could view it as a legitimate attack, Howie said.

CHECK PROVIDER CERTIFICATIONS

Because physical audits sometimes aren't possible, reputable cloud service providers should have certifications. In the United States, the two major certifications are ISO/IEC 27001:2005 and SOC 2. "ISO/IEC 27001:2005 provides a definition for how to run an information security management system. It does not say whether you're particularly good at it, and it doesn't say that you have the controls in place [that] are actually working," Howie cautioned. "It just certifies that you have an information security system that understands these problems and is trying to improve."

SOC 2, which is the replacement for SAS 72 and is based on the audit standard AP 101,
contains the five SysTrust principles developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants: confidentiality, integrity, availability, security and privacy, according to Howie.

"Privacy is a little bit of a misnomer, because it's not privacy of the customer's data," he said. Rather, it means the privacy of the cloud provider's customer, not the customers of the company that signs up for service.

SOC 2 requires an audit by a large firm to ensure the controls are adequate and working. An SOC 2 report is then presented that contains detailed information about vulnerabilities and the environment as a whole. These details often make cloud providers hesitant to let customers see the results of SOC 2 reports, Howie said.

ASK PROVIDERS THE RIGHT QUESTIONS

Before choosing a cloud provider, companies need to ask prospective vendors some hard questions to ensure they'll stay on the right side of regulators. "It's about asking questions around what arrangements are going to be in place to protect your information from the creation stage to the processing, the storage, the transmission and, of course, destruction," said Steve Durbin, global vice president of the Information Security Forum. Eventually, the contract with the provider will end and organizations need to know what will happen to their data when that occurs, he added.

Other questions should include how secure the connection is, including whether a VPN is required to connect, and what the availability is, Durbin said. Companies also need to ask encryption-related questions, including whether the data needs to be encrypted, what facilities the cloud provider has to encrypt data and if data should be encrypted before being transmitted to the cloud service, he added.

Physical security is also important, according to Mac McMillan, current chairman of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based IT security consulting firm CynergisTek. Questions should include how the cloud provider controls physical access and how systems are protected from other customers' data in colocation situations.
Finally, companies should check on the status of the cloud provider's insurance, McMillan said. For example, if there's a security breach, it's important to know if the provider will indemnify the customer and pay for the notifications, he said.

CONTRACT NEGOTIATIONS: READ THE FINE PRINT

Due diligence doesn't stop at the negotiating table. There is no one provision to include in the contract to maintain compliance, but careful language can help limit liability, according to Robert Scott, managing partner at Southlake, Texas-based technology law firm Scott & Scott LLP.

"If you outsource to a third-party cloud service provider to handle or store personally identifiable, financial or healthcare information that's regulated in any way, the law has a non-delegable duty that you can't just outsource these legal responsibilities," Scott said. Even changes to payment card industry compliance standards, which now apply to third-party services, do not absolve enterprises of maintaining regulatory compliance, he said.

Enterprises need to ensure that their cloud services providers agree to be bound by the same regulations that they are, Scott said. For financial institutions, that means adhering to regulations such as the Gramm-Leach-Bliley Act, for example.

One thing to be wary of in contracts is provisions where the cloud services provider asks the enterprise to agree to limit data breach liability, Scott cautioned. Such a provision "could work to significantly limit the availability of insurance and/or the ability to recover for privacy-related claims that result from a data breach," he said.

Contracts are always negotiable, and any reasonable cloud provider will be willing to negotiate with a customer regarding legitimate regulatory compliance, data security and privacy concerns, Scott said. "They're not going to be a successful cloud service provider without being sensitive to customer concerns in those areas," he said.

Christine Parizo
4 CLOUD RISK
Three Steps to Maintain GRC During Cloud Deployment

For compliance professionals, there's no overstating what a huge challenge a cloud transition can be from a governance, risk and compliance (GRC) perspective. A cloud deployment is challenging to start with, from both a technical and operational level. Add to that the complexity of ensuring post-cloud-deployment adherence to regulatory requirements, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act and the Federal Information Security Management Act, and it becomes even more difficult.

The biggest challenge from a regulatory and data risk standpoint comes about when an organization's compliance team encounters a cloud deployment after the fact. That happens more often than you might think: Most cloud deployments don't happen in a graceful, workmanlike manner where compliance teams are kept in the loop from inception through the final stages of implementation.

Instead, what happens more often than not is cloud adoption is far along before compliance teams even realize it's in place. Reasons for this are varied. Most commonly, it occurs when business teams bring in a cloud service without realizing they should engage the compliance department. Another common, under-the-radar transition occurs when existing cloud technology expands its scope from handling non-sensitive information systems, such as development and quality assurance, to include regulated environments or to process, store and transmit regulated data.

When this backdoor cloud deployment happens, compliance professionals find themselves behind the proverbial eight ball. By that point, mitigation options are sparse because contracts are already signed, environments are already developed, controls are already in place and due
diligence assessments have already been completed, or, in some cases, not. What can compliance professionals do at that point? Below are a few immediate steps they can take.

STEP ONE: DON'T PANIC. ASSESS AND DOCUMENT RISK

Let's say a hospital's compliance professional discovers that a clinical system (an electronic medical record, for example) has been relocated to an Infrastructure as a Service provider. The questions that arise as a result of this transition are legion: Have business associate agreements been signed? Is personal health information being protected appropriately? Is there a contractual arrangement to ensure notification in the event of a data breach?

Instead of immediately pushing back, a prudent first step might be to undertake a systematic analysis of the situation. After all, if the vendor services healthcare providers regularly, this won't be the first time it has heard about HIPAA, and it may have already spent quite a bit of time thinking through how to address the administrative, technical and physical controls associated with its security rule. Compliance officers should first engage with internal teams to find out what level of due diligence they've done regarding information security during the cloud deployment, as well as what controls the vendor already has in place.

It's vital to understand two things: new compliance gaps this cloud deployment introduces to your organization, and any newly introduced risk. The first item is relatively straightforward: Walk through each of your compliance requirements and evaluate the cloud deployment documentation to ensure the vendor agreement meets these rules. To evaluate risk, you can use one of the many readily available risk assessment templates to assist in this regard. Some examples include the Cloud Security Alliance's GRC stack (notably the Consensus
Assessments Initiative Questionnaire and Cloud Controls Matrix), the European Network and Information Security Agency's cloud computing risk assessment and the NIST SP 800-30.

STEP TWO: KNOW WHAT YOU CAN CHANGE, AND WHAT YOU CAN'T

It's important to remember that the vendor's controls are what they are, and changing them rapidly to meet your company's control gaps is unlikely to be the most efficient path to maintaining security. Compliance officers can probably lean on vendors enough to make changes, but they will not come quickly. Instead of railing against a vendor's deficiencies, companies should look inward to see if there are things they can change on their end to maintain data security during a cloud deployment.

Of course, you should call out areas where vendors' controls are woefully inadequate and note these concerns in risk assessments, in reports to management and in long-term remediation plans. But also remember that it's easier to change your environment versus theirs. During long-term remediation talks, ask what controls you can implement in the short term to offset cloud-related security gaps. For example, can you encrypt data in transit or at rest to add a layer of protection? Or will implementing additional monitoring controls help notify you of inappropriate access?

STEP THREE: BUILD THE STRATEGIC REMEDIATION ROADMAP

If you followed the steps outlined above, by this point you'll have two crucial pieces of data: a gap analysis showing where you don't meet your particular compliance requirements, and a risk assessment identifying any potential problem areas after the cloud deployment. You will have also put in place short-term stopgaps to address as many of those areas as you can.

At this point, you'll want to take a comprehensive look at changes that both you and the vendor can make to maintain compliance. Keep in mind that many cloud service providers have resources on staff specifically to understand
customer compliance requirements and address them when developing and offering services. It behooves you to engage with those vendor resources; you might be surprised at the responsiveness and expertise.

Also remember that most responsible vendors have a commercial incentive not to stonewall you. Any changes they make to meet your compliance requirements or alleviate risk ultimately help them become more competitive in your industry.

Long term, maintaining a compliant cloud environment is an exercise in cooperation between the company and its vendor(s). By objectively analyzing and documenting compliance gaps and risks, changing what the company can do internally to close short-term gaps and putting together a long-term plan, dealing with unexpected cloud deployment doesn't have to be as painful as it seems.

Ed Moyle
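The three steps above, carried through on constructed data as an added example (this script is not part of Moyle's article or the handbook): it walks a list of compliance requirements against the controls the vendor's documentation attests to and the subset you have actually verified (for instance from an audit report the vendor let you see), flags gaps, scores each item by likelihood and impact on a qualitative scale in the spirit of NIST SP 800-30, credits the customer-side compensating controls step two suggests (encrypting before upload, extra monitoring), and orders the open items for the step-three remediation roadmap. The requirement identifiers, control names, the three-level scale and the "one level of likelihood" credit for a compensating control are all assumptions made for illustration, not values from the page or from any framework.

```python
"""Gap analysis and qualitative risk scoring for an after-the-fact cloud deployment.

Added example, not from the handbook. All identifiers, vendor attestations and
rating scales below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Qualitative scale (assumed); risk score = likelihood x impact, as in a
# NIST SP 800-30 style matrix.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
ORDER = ["low", "moderate", "high"]


@dataclass
class Requirement:
    req_id: str        # constructed identifier, e.g. "REQ-1"
    description: str
    control: str       # control the requirement depends on
    impact: str        # assumed impact rating if the control is absent


@dataclass
class Assessment:
    req_id: str
    status: str        # "met", "unverified" (attested, evidence not seen) or "gap"
    likelihood: str
    impact: str
    score: int
    compensating: list = field(default_factory=list)


# Constructed sample: what the vendor's documentation claims to provide ...
VENDOR_ATTESTED = {"access-logging", "physical-access", "encryption-in-transit"}
# ... and which of those claims your team confirmed against audit evidence.
VERIFIED = {"physical-access", "encryption-in-transit"}

# Step two: controls the customer can add on its own side to offset a vendor gap.
CUSTOMER_COMPENSATING = {
    "encryption-at-rest": ["encrypt data before upload with customer-held keys"],
    "breach-notification": ["monitor access logs for anomalous reads",
                            "add notification terms to the long-term roadmap"],
}

# Constructed requirement list for the hospital/EMR scenario in step one.
REQUIREMENTS = [
    Requirement("REQ-1", "PHI protected at rest", "encryption-at-rest", "high"),
    Requirement("REQ-2", "PHI protected in transit", "encryption-in-transit", "high"),
    Requirement("REQ-3", "Breach notification arrangement", "breach-notification", "moderate"),
    Requirement("REQ-4", "Physical access to systems controlled", "physical-access", "moderate"),
    Requirement("REQ-5", "Access to records logged", "access-logging", "low"),
]


def reduce_one(level: str) -> str:
    """Drop a likelihood rating by one level (floor at 'low')."""
    return ORDER[max(0, ORDER.index(level) - 1)]


def assess(requirements, attested, verified, compensating=CUSTOMER_COMPENSATING):
    """Step one: gap analysis plus risk rating for every requirement."""
    results = []
    for r in requirements:
        if r.control in attested and r.control in verified:
            status, likelihood = "met", "low"
        elif r.control in attested:
            status, likelihood = "unverified", "moderate"   # claimed, not evidenced
        else:
            status, likelihood = "gap", "high"
        # Credit compensating controls only where the vendor control is not met.
        comp = list(compensating.get(r.control, [])) if status != "met" else []
        if comp:
            likelihood = reduce_one(likelihood)
        score = LEVELS[likelihood] * LEVELS[r.impact]
        results.append(Assessment(r.req_id, status, likelihood, r.impact, score, comp))
    return results


def roadmap(results):
    """Step three: open items (gaps and unverified claims) by residual risk, highest first."""
    open_items = [a for a in results if a.status != "met"]
    return sorted(open_items, key=lambda a: (-a.score, a.req_id))


if __name__ == "__main__":
    findings = assess(REQUIREMENTS, VENDOR_ATTESTED, VERIFIED)
    for a in findings:
        print(f"{a.req_id}: {a.status:<10} likelihood={a.likelihood:<8} "
              f"impact={a.impact:<8} score={a.score} compensating={a.compensating}")
    print("Remediation roadmap:", [a.req_id for a in roadmap(findings)])
```

The distinction between "met" and "unverified" is the point article 3 makes about SOC 2 reports the provider will not share: an attested control you could not evidence stays on the roadmap, just with a lower likelihood than an outright gap.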
ABOUT THE AUTHORS

MARILYN BIER is CEO of ARMA International, a not-for-profit records management and information governance professional association. ARMA provides education, publications and resources for the creation, organization, security, maintenance and disposal of information in a manner that aligns with and contributes to an organization's goals.

CHRISTINE PARIZO is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Christine has a background in litigation technology and compliance and was an assistant news editor for searchCRM.com prior to launching her freelance career.

ED MOYLE is director of emerging business and technology at ISACA. Moyle previously worked as a senior security strategist for Savvis and a senior manager at CTG. Prior to that, Moyle served as a vice president and information security officer at Merrill Lynch Investment Managers.

Keep Cloud Compliant is a SearchCompliance.com e-publication.

Rachel Lebeaux | Managing Editor
Ben Cole | Site Editor
Marilyn Bier, Ed Moyle, Christine Parizo | Contributing Writers
Christina Torode | Editorial Director
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Amalie Keerl | Director of Product Management

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com
© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.