Cloud Information Governance: Alleviating Risk and Staying Compliant (handbook)

Uploaded by blussiertt on 14-Apr-2018


  • 7/29/2019 Cloud Information Governance Alleviating Risk and Staying Compliant_hb_final


    Handbook

Contents

1. Editor's Note
2. Extending Information Governance Controls to the Cloud
3. Due Diligence, Provider Research Key to Compliance in the Cloud
4. Three Steps to Maintain GRC During Cloud Deployment


Keep Cloud Compliant

Moving operations to the cloud is an increasingly popular way to save money and other resources. It also requires dramatic changes to traditional information governance and risk practices.

  • 7/29/2019 Cloud Information Governance Alleviating Risk and Staying Compliant_hb_final

    2/13

    Home

    Editors Note

    Extending

    InformationGovernance

    Controls to the

    Cloud

    Due Diligence,

    Provider Research

    Key to Compli-

    ance in the Cloud

    Three Steps to

    Maintain GRC

    During Cloud

    Deployment

    2 K E E P C L O U D C O M P L I A N T

1 EDITOR'S NOTE
Security Risks, Compliance a Major Cloud Concern

Organizations today generate and are responsible for more data than ever before, forcing companies to turn to cloud-based options to reduce data management costs. Cloud computing has proven valuable from a data storage standpoint, but it also raises numerous questions about information governance. Most importantly, organizations must ensure the data they entrust to the cloud is still handled according to their compliance and security guidelines.

That delicate balancing act isn't always easy. Organizations must determine where their data management and security responsibilities end and where those of the cloud provider begin. In this SearchCompliance handbook, we examine how organizations can adapt information governance processes to the cloud to alleviate data risk and remain compliant with myriad regulations.

In our first article, ARMA International CEO Marilyn Bier discusses information governance controls in the cloud, including how to hold your cloud provider accountable.

In our second article, Christine Parizo examines how moving operations to the cloud influences data security processes, what security-related questions you need to ask cloud providers and the cloud contract wording that helps ensure security.

In our third article, Ed Moyle outlines how compliance officers can ensure their companies adhere to regulations and reduce risk after moving operations to the cloud.

As the cloud increasingly becomes a valid data management option, we hope you find this handbook useful in helping your organization stay compliant and reduce data-related risk.

Please write to me at [email protected].

Ben Cole
Editor, SearchCompliance.com
  • 7/29/2019 Cloud Information Governance Alleviating Risk and Staying Compliant_hb_final

    3/13

    Home

    Editors Note

    Extending

    InformationGovernance

    Controls to the

    Cloud

    Due Diligence,

    Provider Research

    Key to Compli-

    ance in the Cloud

    Three Steps to

    Maintain GRC

    During Cloud

    Deployment

    3 K E E P C L O U D C O M P L I A N T

2 CLOUD CONTRACTS
Extending Information Governance Controls to the Cloud

All organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance and monitor strategic initiatives. This critical information resides in the organization's business records.

Good information governance controls are difficult enough to apply inside an organization, even when it is using its own best-practices tool set. While it is possible to manage aspects of the lifecycle and disposition of information that resides in the cloud, those rules become more difficult to enforce there.

"Proper information governance requires a centralized control point, as well as effective enforcement, for an organization's records management tool set to be effective," said Brent Gatewood, owner of consultIG, in a recent issue of Information Management magazine. "Today, the controls in place with most SaaS [Software as a Service] providers are too non-specific. The controls in place are collection-focused and largely managed according to the provider's rules, not those of the organization whose information is being stored."

To satisfy the information governance needs of most organizations, control and management of data in the cloud should reside inside the organization itself and extend to cloud-based repositories. A centralized tool managing lifecycle rules for the organization needs to have the proper hooks into the data residing in the cloud. These tools need to have a complete view of the information owned by the organization in order to be responsive to internal and external requests.

According to Gatewood, "The reality is this: The tools may not exist, but organizations are moving, or have already moved, data into the cloud. Data relationships and management controls inside of organizations are more important than ever. Unless the management controls are already in place, it is unlikely that individuals are going to seek advice about extending controls to cloud-based repositories. Cloud computing is not going away. It can be a valuable tool, but a tool that needs to be understood and managed. Applying information governance controls, with the proper relationships in legal and information technology and services, can help to reasonably manage information in the cloud."

CLOUD PROVIDER ACCOUNTABILITY

Gatewood recommends that organizations considering a cloud-based initiative, or reviewing a solution already in place, find answers to the following questions about contracts, audit controls and integration points:

Contracts:
- What service are we contracting for, and what are the vendor's records management and compliance obligations?
- What kind of data controls does the vendor have in place?
- How is information destroyed?
- Can we set minimum and maximum retentions, and at what level?
- Are there secure destruction options?
- What are the vendor's policies for backups, replication or failover?
- How do we confirm disposition takes place on a timely basis and according to our rules?

Audit controls:
- What is the provider's internal audit process?
- How often is the provider audited by external agencies?
- What standards is the provider held to?
- Is the vendor open to being audited for compliance? (If not, this may be a sign of bigger issues.)

Integration points:
- Is the vendor open to integration with our systems and applications?
- Has the vendor integrated with any systems that provide a structure for compliance?

The backup and destruction questions are linked: a record has not been disposed of until every replica and backup copy the provider holds is gone as well, so ask specifically how the provider's backup retention interacts with your destruction requests and how that is evidenced.

Organizations must also consider whether the vendor's policies and procedures for handling and managing information are acceptable. If they are not, Gatewood believes the organization should either move the data elsewhere or require an auditable change that meets its needs.
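One concrete way to answer the contract question "How do we confirm disposition takes place on a timely basis and according to our rules?" is to check the provider's record inventory against the organization's own retention schedule rather than trusting the provider's rules. The following script is an added example, not code from the handbook or from any vendor. The record classes, the minimum and maximum retention periods, the inventory entries and the reporting date are all constructed for illustration; a real run would parse the provider's export and the organization's retention schedule. It goes slightly beyond the text by also treating legal holds, which suspend disposition, and records with no retention rule at all, which the tool cannot enforce anything for.

```python
"""Retention and disposition check for records held in a cloud repository.

Added example (not from the handbook): compares a provider's record inventory
against the organization's retention rules and reports records the provider
should already have destroyed, records it destroyed too early, and records
whose class has no rule. Policy, inventory and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Illustrative retention schedule: keep at least min_days, destroy by max_days.
RETENTION_POLICY = {
    "invoice":      {"min_days": 7 * 365,  "max_days": 7 * 365},
    "support_chat": {"min_days": 0,        "max_days": 90},
    "contract":     {"min_days": 10 * 365, "max_days": 15 * 365},
}

# Reporting date used by the examples below (constructed).
AS_OF = date(2013, 7, 1)


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    created: date
    destroyed: Optional[date] = None   # None means the provider still holds it
    legal_hold: bool = False           # a hold suspends the max-retention clock


# Constructed inventory, as a parsed provider export might look.
INVENTORY = [
    Record("inv-001", "invoice", date(2005, 3, 1)),                                    # past 7 years, still held
    Record("inv-002", "invoice", date(2012, 6, 1)),                                    # within retention
    Record("chat-77", "support_chat", date(2013, 1, 1)),                               # 90-day class, still held
    Record("chat-78", "support_chat", date(2013, 4, 1), destroyed=date(2013, 5, 15)),  # disposed on time
    Record("ctr-9",   "contract", date(2010, 1, 1), destroyed=date(2013, 2, 1)),       # destroyed before 10 years
    Record("ctr-10",  "contract", date(1990, 1, 1), legal_hold=True),                  # past max but on hold
    Record("misc-1",  "marketing_draft", date(2013, 1, 1)),                            # no rule for this class
]


def check_retention(inventory, policy, today):
    """Return a list of (record_id, finding) tuples.

    overdue_disposition:   still held past max retention and not on legal hold
    premature_destruction: destroyed before min retention elapsed
    unclassified:          no retention rule exists, so nothing can be enforced
    """
    findings = []
    for rec in inventory:
        rule = policy.get(rec.record_class)
        if rule is None:
            findings.append((rec.record_id, "unclassified"))
            continue
        min_end = rec.created + timedelta(days=rule["min_days"])
        max_end = rec.created + timedelta(days=rule["max_days"])
        if rec.destroyed is not None:
            if rec.destroyed < min_end:
                findings.append((rec.record_id, "premature_destruction"))
        elif today > max_end and not rec.legal_hold:
            findings.append((rec.record_id, "overdue_disposition"))
    return findings


def summarize(findings):
    """Count findings by type, e.g. for a risk register entry or management report."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_retention(INVENTORY, RETENTION_POLICY, AS_OF)
    for record_id, kind in results:
        print(f"{kind:22} {record_id}")
    print(summarize(results))
```

Run periodically against a fresh provider export, the summary counts are the evidence for the "timely disposition" question; a non-zero overdue count is also exactly the kind of auditable change to request from the vendor.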

Gatewood also recommends that organizations require a data map that details where the information resides. Data maps can be complicated because they detail what is often a complex infrastructure that might involve third-party relationships specific to your data, but the effort to review them is definitely worthwhile.

Marilyn Bier

  • 7/29/2019 Cloud Information Governance Alleviating Risk and Staying Compliant_hb_final

    6/13

    Home

    Editors Note

    Extending

    InformationGovernance

    Controls to the

    Cloud

    Due Diligence,

    Provider Research

    Key to Compli-

    ance in the Cloud

    Three Steps to

    Maintain GRC

    During Cloud

    Deployment

    6 K E E P C L O U D C O M P L I A N T

3 PROVIDER NEGOTIATIONS
Due Diligence, Provider Research Key to Compliance in the Cloud

Organizations generate more data than ever before through applications, email and other computing tasks. Faced with flat IT budgets, companies are turning to the cloud for storage, software and infrastructure.

This is much to the chagrin of the compliance department, which wakes up in cold sweats thinking about data security. Experts agree, however, that by conducting due diligence, companies can minimize their cloud-related risk.

"Your security teams have to satisfy themselves that what the cloud provider is doing on a routine basis meets or exceeds what they'd do on premise," said John Howie, chief operating officer of the Cloud Security Alliance.

But enterprises are limited in how they can conduct this due diligence. For example, a cloud provider audit may not be possible because the provider doesn't want hordes of customers tromping through its data centers. Penetration testing could also shut down an enterprise's service because the cloud provider could view it as a legitimate attack, Howie said.

CHECK PROVIDER CERTIFICATIONS

Because physical audits sometimes aren't possible, reputable cloud service providers should have certifications. In the United States, the two major ones are ISO/IEC 27001:2005 certification and the SOC 2 report. ISO/IEC 27001:2005 "provides a definition for how to run an information security management system. It does not say whether you're particularly good at it, and it doesn't say that you have the controls in place [that] are actually working," Howie cautioned. "It just certifies that you have an information security system that understands these problems and is trying to improve."

SOC 2, one of the report types that replaced the old SAS 70 report, is performed under attestation standard AT 101 and covers the five Trust Services (SysTrust) principles developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants: confidentiality, processing integrity, availability, security and privacy, according to Howie.

"Privacy is a little bit of a misnomer, because it's not privacy of the customer's data," he said. Rather, it means the privacy of the cloud provider's customer, not the customers of the company that signs up for service.

SOC 2 requires an examination by an independent CPA firm to ensure the controls are adequate and working. A SOC 2 report is then presented that contains detailed information about any weaknesses found and the environment as a whole. These details often make cloud providers hesitant to let customers see the results of SOC 2 reports, Howie said. Two caveats are worth keeping in mind when you do obtain one, typically under a nondisclosure agreement: SOC 2 is an attestation report rather than a certification, and only a Type II report tests whether the controls operated effectively over a period; a Type I report only describes their design at a point in time.

ASK PROVIDERS THE RIGHT QUESTIONS

Before choosing a cloud provider, companies need to ask prospective vendors some hard questions to ensure they'll stay on the right side of regulators. "It's about asking questions around what arrangements are going to be in place to protect your information from the creation stage to the processing, the storage, the transmission and, of course, destruction," said Steve Durbin, global vice president of the Information Security Forum. Eventually, the contract with the provider will end, and organizations need to know what will happen to their data when that occurs, he added.

Other questions should include how secure the connection is, including whether a VPN is required to connect, and what the availability is, Durbin said. Companies also need to ask encryption-related questions, including whether the data needs to be encrypted, what facilities the cloud provider has to encrypt data and whether data should be encrypted before being transmitted to the cloud service, he added.

Physical security is also important, according to Mac McMillan, current chairman of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based IT security consulting firm CynergisTek. Questions should include how the cloud provider controls physical access and how systems are protected from other customers' data in colocation situations.

Finally, companies should check on the status of the cloud provider's insurance, McMillan said. For example, if there's a security breach, it's important to know if the provider will indemnify the customer and pay for the notifications, he said.

CONTRACT NEGOTIATIONS: READ THE FINE PRINT

Due diligence doesn't stop at the negotiating table. There is no one provision to include in the contract to maintain compliance, but careful language can help limit liability, according to Robert Scott, managing partner at Southlake, Texas-based technology law firm Scott & Scott LLP.

"If you outsource to a third-party cloud service provider to handle or store personally identifiable, financial or healthcare information that's regulated in any way, the law has a non-delegable duty that you can't just outsource these legal responsibilities," Scott said. Even changes to payment card industry compliance standards, which now apply to third-party services, do not absolve enterprises of maintaining regulatory compliance, he said.

Enterprises need to ensure that their cloud service providers agree to be bound by the same regulations that they are, Scott said. For financial institutions, that means adhering to regulations such as the Gramm-Leach-Bliley Act, for example.

One thing to be wary of in contracts is provisions where the cloud service provider asks the enterprise to agree to limit data breach liability, Scott cautioned. Such a provision could work to significantly limit the availability of insurance and/or the ability to recover for privacy-related claims that result from a data breach, he said.

Contracts are always negotiable, and any reasonable cloud provider will be willing to negotiate with a customer regarding legitimate regulatory compliance, data security and privacy concerns, Scott said. "They're not going to be a successful cloud service provider without being sensitive to customer concerns in those areas," he said.

Christine Parizo

  • 7/29/2019 Cloud Information Governance Alleviating Risk and Staying Compliant_hb_final

    9/13

    Home

    Editors Note

    Extending

    InformationGovernance

    Controls to the

    Cloud

    Due Diligence,

    Provider Research

    Key to Compli-

    ance in the Cloud

    Three Steps to

    Maintain GRC

    During Cloud

    Deployment

    9 K E E P C L O U D C O M P L I A N T

4 CLOUD RISK
Three Steps to Maintain GRC During Cloud Deployment

For compliance professionals, there's no overstating what a huge challenge a cloud transition can be from a governance, risk and compliance (GRC) perspective. A cloud deployment is challenging to start with, at both a technical and an operational level. Add to that the complexity of ensuring post-deployment adherence to regulatory requirements, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act and the Federal Information Security Management Act, and it becomes even more difficult.

The biggest challenge from a regulatory and data risk standpoint comes about when an organization's compliance team encounters a cloud deployment after the fact. That happens more often than you might think: Most cloud deployments don't happen in a graceful, workmanlike manner where compliance teams are kept in the loop from inception through the final stages of implementation.

Instead, what happens more often than not is that cloud adoption is far along before compliance teams even realize it's in place. Reasons for this are varied. Most commonly, it occurs when business teams bring in a cloud service without realizing they should engage the compliance department. Another common, under-the-radar transition occurs when existing cloud technology expands its scope from handling non-sensitive information systems, such as development and quality assurance, to include regulated environments or to process, store and transmit regulated data.

When this backdoor cloud deployment happens, compliance professionals find themselves behind the proverbial eight ball. By that point, mitigation options are sparse because contracts are already signed, environments are already developed, controls are already in place and due diligence assessments have already been completed, or, in some cases, never done. What can compliance professionals do at that point? Below are a few immediate steps they can take.

STEP ONE: DON'T PANIC. ASSESS AND DOCUMENT RISK

Let's say a hospital's compliance professional discovers that a clinical system (an electronic medical record, for example) has been relocated to an Infrastructure as a Service provider. The questions that arise as a result of this transition are legion: Have business associate agreements been signed? Is personal health information being protected appropriately? Is there a contractual arrangement to ensure notification in the event of a data breach?

Instead of immediately pushing back, a prudent first step might be to undertake a systematic analysis of the situation. After all, if the vendor services healthcare providers regularly, this won't be the first time it has heard about HIPAA, and it may have already spent quite a bit of time thinking through how to address the administrative, technical and physical controls associated with its Security Rule. Compliance officers should first engage with internal teams to find out what level of due diligence they've done regarding information security during the cloud deployment, as well as what controls the vendor already has in place.

It's vital to understand two things: the new compliance gaps this cloud deployment introduces to your organization, and any newly introduced risk. The first item is relatively straightforward: Walk through each of your compliance requirements and evaluate the cloud deployment documentation to ensure the vendor agreement meets these rules. To evaluate risk, you can use one of the many readily available risk assessment templates. Some examples include the Cloud Security Alliance's GRC stack (notably the Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix), the European Network and Information Security Agency's cloud computing risk assessment and NIST SP 800-30.

STEP TWO: KNOW WHAT YOU CAN CHANGE, AND WHAT YOU CAN'T

It's important to remember that the vendor's controls are what they are, and changing them rapidly to meet your company's control gaps is unlikely to be the most efficient path to maintaining security. Compliance officers can probably lean on vendors enough to make changes, but they will not come quickly. Instead of railing against a vendor's deficiencies, companies should look inward to see if there are things they can change on their end to maintain data security during a cloud deployment.

Of course, you should call out areas where vendors' controls are woefully inadequate and note these concerns in risk assessments, in reports to management and in long-term remediation plans. But also remember that it's easier to change your environment than theirs. During long-term remediation talks, ask what controls you can implement in the short term to offset cloud-related security gaps. For example, can you encrypt data in transit or at rest to add a layer of protection? Or will implementing additional monitoring controls help notify you of inappropriate access? In an IaaS deployment like the hospital example above, the guest operating system, the application and the data remain the customer's to configure, so encryption with keys the customer holds and monitoring of the provider's management interface are controls you can add without waiting on the vendor.
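The monitoring control suggested above, as an added example that is not part of the original article or of any provider's tooling: a few detection rules run over the provider's API audit log for the regulated data store, so the compliance team is notified of access the vendor's own controls would not block. The event schema is modelled loosely on a cloud provider's JSON audit records, and the log lines, the store name, the approved principals and the corporate address range are all constructed; a real deployment would read the provider's log export or event stream instead of the embedded sample. It also flags unencrypted writes and attempts to switch logging off, which are the two gaps from the same paragraph that a customer-side monitor can catch.

```python
"""Compensating monitoring control for regulated data in an IaaS deployment.

Added example (not from the handbook): applies detection rules to a
provider's audit log. Schema, log lines, names and address ranges are
constructed for illustration.
"""
import ipaddress
import json

# What the organization, not the provider, decides is acceptable (assumptions).
REGULATED_STORE = "ehr-prod-records"                            # hypothetical object store
APPROVED_PRINCIPALS = {"role/ehr-app", "user/dba-oncall"}       # hypothetical identities
CORPORATE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # RFC 5737 documentation range
WRITE_EVENTS = {"PutObject", "CopyObject"}
LOGGING_KILL_SWITCHES = {"StopLogging", "DeleteTrail", "PutBucketLogging"}

# Constructed audit records, one JSON object per line.
SAMPLE_LOG = """
{"time":"2013-07-01T08:00:01Z","principal":"role/ehr-app","event":"GetObject","resource":"ehr-prod-records/patient/1001.json","sourceIp":"198.51.100.23","params":{}}
{"time":"2013-07-01T08:02:10Z","principal":"user/contractor-x","event":"GetObject","resource":"ehr-prod-records/patient/1002.json","sourceIp":"198.51.100.40","params":{}}
{"time":"2013-07-01T08:05:44Z","principal":"user/dba-oncall","event":"GetObject","resource":"ehr-prod-records/patient/1003.json","sourceIp":"203.0.113.9","params":{}}
{"time":"2013-07-01T08:07:00Z","principal":"role/ehr-app","event":"PutObject","resource":"ehr-prod-records/patient/1004.json","sourceIp":"198.51.100.23","params":{"serverSideEncryption":"AES256"}}
{"time":"2013-07-01T08:09:30Z","principal":"role/ehr-app","event":"PutObject","resource":"ehr-prod-records/patient/1005.json","sourceIp":"198.51.100.23","params":{}}
{"time":"2013-07-01T08:11:00Z","principal":"user/dba-oncall","event":"StopLogging","resource":"trail/ehr-audit","sourceIp":"198.51.100.40","params":{}}
{"time":"2013-07-01T08:12:00Z","principal":"role/ehr-app","event":"GetObject","resource":"dev-scratch/readme.txt","sourceIp":"198.51.100.23","params":{}}
"""


def in_corporate_network(ip_text):
    """True when the caller's source address falls inside an approved range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in CORPORATE_NETWORKS)


def evaluate(event):
    """Apply each rule to one parsed event and return the alert names it triggers."""
    alerts = []
    # Switching audit logging off is suspicious regardless of which resource it names.
    if event["event"] in LOGGING_KILL_SWITCHES:
        alerts.append("logging_disabled")
    store = event["resource"].split("/", 1)[0]
    if store != REGULATED_STORE:
        return alerts                       # the remaining rules cover regulated data only
    if event["principal"] not in APPROVED_PRINCIPALS:
        alerts.append("unapproved_principal")
    if not in_corporate_network(event["sourceIp"]):
        alerts.append("untrusted_network")
    if event["event"] in WRITE_EVENTS and not event["params"].get("serverSideEncryption"):
        alerts.append("unencrypted_write")
    return alerts


def scan(log_text):
    """Parse JSON lines and return (time, principal, event, alert) for every rule hit."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        for alert in evaluate(event):
            hits.append((event["time"], event["principal"], event["event"], alert))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(" ".join(hit))
```

The rules are deliberately tied to the organization's own allowlists (principals, networks, encryption requirement) rather than to anything the provider promises, which is the point of step two: these are controls the customer can stand up immediately while the vendor's long-term changes are negotiated.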

STEP THREE: BUILD THE STRATEGIC REMEDIATION ROADMAP

If you followed the steps outlined above, by this point you'll have two crucial pieces of data: a gap analysis showing where you don't meet your particular compliance requirements, and a risk assessment identifying any potential problem areas after the cloud deployment. You will also have put in place short-term stopgaps to address as many of those areas as you can.

At this point, you'll want to take a comprehensive look at changes that both you and the vendor can make to maintain compliance. Keep in mind that many cloud service providers have resources on staff specifically to understand customer compliance requirements and address them when developing and offering services. It behooves you to engage with those vendor resources; you might be surprised at the responsiveness and expertise.

Also remember that most responsible vendors have a commercial incentive not to stonewall you. Any changes they make to meet your compliance requirements or alleviate risk ultimately help them become more competitive in your industry.

Long term, maintaining a compliant cloud environment is an exercise in cooperation between the company and its vendor(s). By objectively analyzing and documenting compliance gaps and risks, changing what the company can do internally to close short-term gaps and putting together a long-term plan, dealing with an unexpected cloud deployment doesn't have to be as painful as it seems.

Ed Moyle

  • 7/29/2019 Cloud Information Governance Alleviating Risk and Staying Compliant_hb_final

    13/13

    Home

    Editors Note

    Extending

    InformationGovernance

    Controls to the

    Cloud

    Due Diligence,

    Provider Research

    Key to Compli-

    ance in the Cloud

    Three Steps to

    Maintain GRC

    During Cloud

    Deployment

    13 K E E P C L O U D C O M P L I A N T

ABOUT THE AUTHORS

MARILYN BIER is CEO of ARMA International, a not-for-profit records management and information governance professional association. ARMA provides education, publications and resources for the creation, organization, security, maintenance and disposal of information in a manner that aligns with and contributes to an organization's goals.

CHRISTINE PARIZO is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Christine has a background in litigation technology and compliance and was an assistant news editor for searchCRM.com prior to launching her freelance career.

ED MOYLE is director of emerging business and technology at ISACA. Moyle previously worked as a senior security strategist for Savvis and a senior manager at CTG. Prior to that, Moyle served as a vice president and information security officer at Merrill Lynch Investment Managers.

Keep Cloud Compliant is a SearchCompliance.com e-publication.

Rachel Lebeaux | Managing Editor
Ben Cole | Site Editor
Marilyn Bier, Ed Moyle, Christine Parizo | Contributing Writers
Christina Torode | Editorial Director
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Amalie Keerl | Director of Product Management
[email protected]

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
