Frequent updates to cloud compliance guidelines and new regulations such as PCI 2.0 requiring virtualization assessments are easily managed within RiskVision’s flexible
The Enterprise Risk Intelligence Company
Continuous Compliance Service (CCS)
Still Feeling At Risk in the Cloud?
97% of the Global 2000 use virtualized private clouds and 52% use Software-as-a-Service (SaaS) public cloud vendors.[1] As organizations move to cloud computing, security remains the top inhibitor to large-scale adoption. Surveys conducted by Forrester Research show that within security, data protection and compliance are major [...][2]

Adopting virtualization, cloud provisioning and multi-party outsourcing creates asset and data “location decoupling”. This makes managing cloud compliance inside security operations a new, unmet challenge. Until recently, there has not been a corresponding availability of frameworks and tools that organizations can use to place appropriate controls in their cloud infrastructure to attain compliance.
Lift your Haze with RiskVision Cloud Risk Management
RiskVision, a member of the Cloud Security Alliance (CSA) and the American Institute
Risk Management (CRM). Agiliance Continuous Compliance Service™ (CCS) for CRM is an on-demand service for public cloud providers and private cloud operators to gain visibility into their cloud risk exposure and manage compliance.
cloud service. At the heart of this service is RiskVision’s Common Control Framework (CCF) which maps to the CSA GRC Stack (CCM, CAIQ) making controls monitoring easy. Scheduled asset and data vulnerability feeds are part of the compliance assessment and gap analysis. The RiskVision service also includes content updates such as NIST
Systrust 1.1 criteria, and SAS 70 II / SSAE 16 reporting.
Further, controls within RiskVision CCS for CRM are mapped against policies and related risks. With this correlated data feed, RiskVision CCS for CRM gives organizations the ultimate, prioritized and actionable risk view of their public cloud providers and private cloud operations.
CCS FOR CRM OFFERING
CCS for CRM is delivered on-demand and includes:
• The RiskVision Compliance Manager application
• CSA GRC Stack controls and guidance mapped to Agiliance risk framework
• SAS 70 II / SSAE 16 reports and WebTrust / Systrust criteria
• Asset and Policy Importers using MS Excel, MS Word, and XML
• (1) Vulnerability Scanner connector
• Hosting and administrative service
• QuickStart installation service
CSA FRAMEWORKS & APIS
CCS for CRM is built on RiskVision’s Common Control Framework (CCF) and maps NIST, ISO and COBIT frameworks, along with PCI and HIPAA regulations as
in their GRC Stack.
CSA’s GRC Stack includes:
• Cloud Controls Matrix (CCM) providing detailed controls in 13 domains
• Consensus Assessments Initiative Questionnaire (CAIQ) providing a set of cloud provider questions derived from CCM
• CloudAudit providing an API for the Audit, Assertion, Assessment, and Assurance (A6)
“RiskVision shows leadership by adopting our new industry recommendations so quickly and helps evangelize best practices for providing security assurance within cloud computing.”
Jim Reavis, Executive Director, Cloud Security Alliance
RiskVision CCS for CRM enables cloud provider and cloud operations assessment and monitoring
[1] Nemertes Research, 2010
[2] Forrester Research, 2010
[Figure: RiskVision Cloud. Public Cloud Providers and Private Cloud Operators feed into RiskVision Cloud, giving a 360 View of Risk Posture (Risk Assessment, Appetite, Acceptance, Mitigation). Inputs arrive through CloudAudit connectors and connectors for Control Checks, Technical Checks, Vulnerability Feeds and Data Feeds: Vulnerability Scanners, Data Monitoring Feed, CloudAudit Feed (future), SAS 70 II/SSAE 16 reports and cloud assessments (CAIQ). Processing components: Cloud Controls to Risk Maps; Data and Vulnerability Gap Analysis; SCM Control Assessment; Common Control Framework (CSA GRC Stack (CCM, CAIQ) mapped to COBIT, ISO, NIST, PCI, HIPAA); Data & Vulnerability Assessment; output of Prioritized Risk Actions.]
RiskVision CCS for CRM embraces your entire Cloud Risk Program life cycle and breaks it down into five logical stages: Scoping, Gap Analysis, Remediation, Certification and Maintenance. RiskVision CCS for CRM provides organizations with specific content,
www.RiskVisionInc.com. © RiskVision 2016. All Rights Reserved.
A PROCESS THAT WORKS
Scoping
• Scalable asset-centric Risk Management Database (RMDB) incorporating virtual and physical assets
• Automatic asset inventory change
Gap Analysis
• Automated cloud project and vendor assessments based on CSA (CCM, CAIQ), NIST, ISO, COBIT, PCI, HIPAA
• Covering end user as well as cloud provider organization
• Pre-built risk model for cloud risk assessment
Remediation
• Incident and exception management
• Risk-based remediation process
Certification
• Cloud provider SAS 70 II / SSAE 16, CAIQ reports
• Cloud risk assessment CCM reports
• Compliance reports (PCI, HIPAA)
Maintenance
• Automated control checks against CCM
• Cloud Risk Assessment Dashboard
GET STARTED TODAY
Learn • Trial • Purchase • Comply
tools and reports to measure and manage each step. Each of these stages represents a corresponding segment in the RiskVision CCS for CRM solution and contains rich content, easy to use tools and a complete set of audit-ready reports serving
dashboards provide a real-time view of cloud risk and relationships addressing a critical organizational need to attain compliance in their cloud.
RiskVision provides over 20 out-of-the box reports that address requirements at each stage of your CRM life cycle, saving time and improving results.
RiskVision Cloud Risk Assessment dashboard gives a real-time view of cloud compliance
Build your GRC Program on RiskVision
RiskVision CCS is built on the award-winning RiskVision GRC Platform proven at the world’s largest public and private sector organizations. RiskVision CCS for CRM is one of many supported regulations, frameworks and programs to help your organization start small and think big as you build a world-class GRC program to satisfy all internal and external stakeholders.
RiskVision Continuous Compliance Services run on the ‘top-rated’ RiskVision GRC Platform
RiskVision® is a registered trademark and RiskVision™, OpenGRC™ and Continuous Compliance Service™ are trademarks of RiskVision Inc. and/or its affiliates. Other names may be trademarks of their respective owners.
[Figure: Cloud Risk Program life cycle. Scoping (cloud projects and vendors); Gap Analysis (analysis against CSA CCM and CAIQ); Remediation (remediation against failed controls); Certification (CCM: CAIQ, SAS 70 II/SSAE 16); Maintenance (monitoring of ongoing cloud operations compliance and support for CloudAudit A6).]