CONTINUOUS OVERSIGHT IN THE CLOUD
How to Improve Cloud Security, Privacy and Compliance
CONTENTS
Today's Technology Landscape: Continuous Oversight for Continuous Evolution
  New Processing Realities Require a Paradigm Shift in Long-Standing Practices
Benefits of Continuous Oversight
Strategy, Challenges and Execution
  Strategies for Identifying and Mitigating Risk in the Cloud
  Get Started With Fundamentals
  Define Strategy, Assign Responsibilities and Take Action
  Maintain a Continuous Cloud Service Assurance and Oversight Program
  Capture the Right Metrics
  Key Supply Chain Metrics
  Key Incident and Breach Metrics
  Example Metrics for Common Challenges
Call to Action
Acknowledgments
ABSTRACT
Many emerging technologies and practices—including artificial intelligence (AI), big data analytics, Internet of Things (IoT) devices and third-party services—directly or indirectly access a wide variety of cloud services. Today's dense hyperconnectivity not only envelops products and consumers, but also links enterprises and business processes in ways that often erase traditional boundaries between internal and external domains. Cloud computing services are increasingly mediating these connections. In this environment, information assurance professionals must not only address longstanding information security threats and vulnerabilities, but also face new challenges relative to their experience in the field just a few years—or even months—before.

This white paper advocates for continuous oversight of the wide variety of cloud services used by organizations—a set of distinct, but related, management and assurance practices that address critical emerging risk domains, including security, privacy and compliance. Continuous oversight includes:
• Continuous cloud assurance tailored appropriately for each type of service being provided, and for the associated type (private, community, public or hybrid) of cloud. This ensures that risk is being appropriately addressed and that compliance obligations are being met.
• Continuous supply chain management and oversight for cloud vendors and their subcontractors, ensuring that their security, privacy and compliance activities are monitored along with the associated processing environments.
• Continuous improvement (CI) to ensure that cloud services' security, privacy and compliance activities remain relevant and effective, to provide risk and maturity level metrics, and to indicate where improvements are necessary.
[…] enterprises of all sizes struggled to address information security management effectively. In the late 1990s to early 2000s, legislatures and other authorities worldwide enacted new laws and regulations. At the same time, novel technologies emerged that further complicated the management of information security and privacy programs. Today, on top of accumulated regulatory and technology challenges, enterprises face several tectonic shifts in the digital business landscape, including:

[…] incident in the past year. Absence of documented policies, standards and supporting procedures for information security, privacy and compliance management across all types of cloud environments can result in ad hoc or uninformed assurance activities, which, in turn, may conflict with other enterprise policies and procedures.
• Bring your own device (BYOD)—It is becoming the norm (and no longer an exception) for employees to use their own devices when performing business activities. Eighty-seven percent of […]
[1] IT Svit, “New AWS Tech Introduced During AWS Re:Invent 2017,” 12 May 2017, https://itsvit.com/blog/new-aws-tech-introduced-aws-reinvent-2017
[2] Check Point, “The 2019 Security Report,” https://www.cloudcomputing-news.net/news/2019/feb/22/check-point-exposes-yet-more-shared-responsibility-misunderstandings-cloud-security/
[3] Syntonic Research, “BYOD Policy Requirements For a Secure BYOD Environment,” 18 March 2019, https://solutions.pcmcanada.com/byod-policy-requirements-for-a-secure-byod-environment
[4] Shadow IT includes applications or devices used by employees but not approved/implemented by the enterprise. For more on shadow IT, see ISACA, “Shadow IT Primer,” http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/shadow-it-primer.aspx
[5] Bitglass, “Mission Impossible: Securing BYOD,” November 2018, https://pages.bitglass.com/MissionImpossibleSecuringBYOD_LP.html
[…] house applications for supporting and integrating those analytics within the business environment. Big data analytics produces three exabytes of data per day.[6] This data can be overwhelmingly sensitive for the business, and often qualifies as personal data as well. Organizations are also increasingly using big data security analytics as an integral part of security control decision-making. However, such use creates additional security and privacy issues, as seen in a recent survey that found the single biggest obstacle when using or planning to use security analytics solutions for 68 percent of organizations, especially those based in the European Union, was data privacy and security.[7] Another consideration is that an enterprise that deploys a big data infrastructure in one vendor's public cloud may discover that the implementation does not meet enterprise risk standards or privacy requirements—or may simply find that the price increase is prohibitive—and thus a new service provider must be sought. In this context, the security of cloud services and associated applications—including data confidentiality, integrity, availability and portability—is a constant concern.[8]
• Internet of Things (IoT) devices—IoT devices are becoming ubiquitous in business environments: 20.4 billion IoT devices will be in use by 2020.[9] IoT devices and cloud services are inherently related, because most IoT devices are designed as end points that collect data for processing elsewhere, usually in cloud processing centers. IoT end points and cloud processing may mutually compound security risk and the complexity of assurance, because most IoT devices and apps are not sufficiently secure, if secured at all. US lawmakers introduced the third bill on IoT security in the US Congress in March 2019.[10] Enterprises must consider the complete risk environment when addressing IoT devices.
• Artificial intelligence (AI)—Investments in AI have accelerated drastically since 2016.[11] New and emerging AI, including machine learning (ML),[12] predictive analytics[13] and deep learning,[14] all pose complex security challenges and raise privacy concerns that have not existed to date. Because of these new security and privacy challenges, there are new considerations that information assurance professionals must evaluate, in addition to their current responsibilities. Many information assurance professionals will need a plan to deal with these challenges effectively and cost efficiently, since their budgets do not usually increase in line with the risk associated with these new technologies. Consider the following example, which illustrates why these new challenges must be addressed. Software developers increasingly use AI in applications that affect the lives and livelihoods of consumers and workers throughout a wide range of populations. The developers need to ensure that the AI algorithms used within those applications are sufficiently accurate, that the integrity of the calculations will be preserved, and that resulting privacy risks will be successfully identified. However, without guidance from information assurance professionals, these important actions will likely not be performed.

Alongside new technology challenges, information assurance professionals commonly inherit security and compliance issues associated with legacy systems and decades-old personal data—sometimes stored in
[6] SecurityScorecard, “Looking Ahead to RSAC 2019: How Can We Work for BETTER Privacy and Security?,” 1 March 2019, https://securityscorecard.com/blog/looking-ahead-to-rsac-2019
[7] KuppingerCole, “Big Data and Information Security: How Big Data Technology Can Help in Increasing Cyber Attack Resilience by Better Detection of Attacks, Enabling Real Time Response,” 2016, https://bi-survey.com/security-big-data-challenges
[8] Data privacy and security in the cloud reflect the greatest obstacles for security analytics solutions, according to 68 percent of enterprises responding to a recent big data security analytics survey. The response is especially characteristic of enterprises in the European Union (EU). See KuppingerCole, “Big Data and Information Security: How Big Data Technology Can Help in Increasing Cyber Attack Resilience by Better Detection of Attacks, Enabling Real Time Response,” 2016, https://bi-survey.com/security-big-data-challenges
[9] Boufis, Eli; “Profit, Peril And The Internet Of Things,” Forbes, 2 January 2019, https://www.forbes.com/sites/eliboufis/2019/01/02/profit-peril-and-the-internet-of-things
[10] Lemos, Robert; “New IoT Security Bill: Third Time's the Charm?,” DarkReading, 18 March 2019, https://www.darkreading.com/iot/new-iot-security-bill-third-times-the-charm/d/d-id/1334190
[11] Organisation for Economic Co-operation and Development (OECD), “Private Equity Investment in Artificial Intelligence,” OECD Going Digital Policy Note, December 2018, http://www.oecd.org/going-digital/ai/private-equity-investment-in-artificial-intelligence.pdf
[12] According to ISACA, “Machine learning, which includes predictive analytics, covers cognitive systems that go beyond big data analytics.” See ISACA, “Machine Learning Drives Big Business Benefits,” 2015, http://www.isaca.org/Knowledge-Center/Research/Documents/machine_whp_eng_0615.pdf?regnum=492717
[13] According to SAS Insights, “Predictive analytics is the use of data, statistical algorithms and machine learning techniques to identify the likelihood of future outcomes based on historical data. The goal is to go beyond knowing what has happened to providing a best assessment of what will happen in the future.” See SAS Institute, Inc., “Predictive Analytics: What it is and Why it Matters,” https://www.sas.com/en_us/insights/analytics/predictive-analytics.html
[14] According to Bernard Marr, “Deep learning is a subset of machine learning where artificial neural networks, algorithms inspired by the human brain, learn from large amounts of data.” See Marr, Bernard; “What Is Deep Learning AI? A Simple Guide With 8 Practical Examples,” Forbes, 1 October 2018, https://www.forbes.com/sites/bernardmarr/2018/10/01/what-is-deep-learning-ai-a-simple-guide-with-8-practical-examples/#385f2948d4ba
outdated, disparate legacy media, across sundry geographic locations—all of which still need to be maintained, protected or migrated. These factors combined magnify into much larger and more complex risk than has ever existed before.

Once the initial goal of establishing information security and privacy controls and processes, and meeting all applicable legal requirements for security and privacy compliance, has been met, information assurance professionals must continue to maintain maturity levels on an ongoing basis, and perform the actions necessary to reach the targeted maturity levels[15] for their information security and privacy compliance programs.

New Processing Realities Require a Paradigm Shift in Long-Standing Practices
The complexity of current business processing environments requires rethinking the longtime tradition of having one central set of security, privacy and compliance policies and procedures that apply generally to all applications, systems, networks and data. Certainly, having an overarching set of high-level corporate rules to establish an overall security, privacy and compliance framework is necessary. However, traditional governance documents must be expanded to cover multiple, and often hybrid, systems in multiple locations that are typically managed by multiple entities.

A growing number of enterprises collect, process, store and access data within cloud services managed internally but owned by other entities. These environments are accessed by a wide range of mobile apps, with significant amounts of data collected, processed and stored in an endless number of possible end points, including worker-owned devices that are likely vulnerable in many ways. In this context, organizations should update their information security, privacy and compliance management strategies to support continuous monitoring, assurance and compliance that aligns with associated goals to support the new processing realities.

Factors in the general business environment can place additional strain on legacy technology and business practices, not only for large organizations spanning multiple countries, but also for small and medium enterprises. These create major challenges, some of which include:
• Cloud security and privacy risk—Lack of understanding about the unique types of cloud security and privacy risk, along with a lack of insight into the full scope of issues involved, result in an […] teams to be accountable for the various necessary actions to acquire sufficient, effective cloud security, privacy and compliance resources. This means critical supporting tools may not be acquired and implemented appropriately.
• Acquiring and retaining IT talent—After gaining experience in small and medium-sized enterprises, IT resources may leave for larger organizations that provide better salaries and/or benefits. Even within larger organizations, entry-level resources may find opportunities with other organizations after gaining experience. Many organizations are simply left with open positions or less experienced workers to mitigate complex risk environments.

Taken together, all the foregoing factors contribute to continuous evolution in technology, regulatory and business environments—especially considering the overarching trend toward using cloud computing services. New levels of enterprise risk demand an equally broad, comprehensive and holistic response: continuous oversight for continuous evolution.
[15] For more information about maturity levels, see CMMI V2.0 at https://cmmiinstitute.com/cmmi.
[…] into current security, privacy and compliance levels, oversight and monitoring also lay the groundwork for real-time metrics and facilitate effective maintenance of ongoing security and privacy management.[16] The following oversight and monitoring activities, when overseen by a technical-minded governing board, are applicable to all types and sizes of organizations:
• Continuous internal monitoring—Continuous monitoring throughout the data life cycle supports continuous awareness of risk levels at any point in time and allows for the most expedient response to help ensure continuous compliance and effective risk management.
• Continuous external cloud assurance—Enterprises cannot assume that external cloud services meet all their information security, privacy and compliance requirements. Historically, and to date, such assumptions have blindsided organizations[17] and […] for external cloud services will help provide timely insights into critical functions and risk areas, allowing appropriate controls to be implemented to reduce risk.
• Continuous supply chain management—Digital environments of third-party vendors and their subcontractors constantly change. An assessment or audit may have confirmed acceptable practices a year ago, but enterprises cannot assume the practices are still the same a year later, or that risk levels remain acceptable. Continuous oversight must extend to all supply chain vendors, contractors and other third parties.
• Continuous improvement (CI)—Establishing security, privacy and compliance controls is not a one-time effort. Business environments change on a daily basis; new technologies emerge, new vulnerabilities are introduced as software is updated, and new threats surface as malicious actors discover weaknesses in technology. Digital environments must be […]

[…] new risk and compliance issues and provide insights for […]

Benefits of Continuous Oversight
Business leaders often get lost in debates about information security, privacy and compliance requirements, cyberattacks, privacy breaches, management frameworks, legal requirements, acceptable assessment and controls, risk management responsibilities, metrics—and a laundry list of other issues.

Amidst the ongoing debates, business leaders sometimes forget why information security and privacy ultimately matter. Focusing on the benefits of continuous oversight can help remind leaders that information security, privacy and compliance assurance supports the overall success of the business—and thus may help alleviate many recurring debates.

[…] oversight and monitoring programs:
• Promote real-time information security, privacy and compliance risk management; identify and enumerate risk early; help anticipate incidents and prevent breaches; and avoid potential costs, fines and damage to business reputation
• Support valid and appropriate ongoing information system and common controls authorization, helping to ensure that appropriate controls are in place at any point in time for each associated business process
• Provide senior leaders and executives with information to make timely, cost-effective risk management decisions
• Support design and implementation of information security and privacy controls within development life cycles, reducing the need to return to planning stages after deployment, and addressing security and privacy issues
[16] For a full discussion, see National Institute of Standards and Technology (NIST), “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” NIST Special Publication 800-137, September 2011, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf
[17] For example, in 2017 it was reported that NICE Systems, a cloud service provider for Verizon, had a misconfigured file repository that exposed the names, addresses, account details and account personal identification numbers (PINs) of as many as 14 million US Verizon customers. See “Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts,” UpGuard, 12 December 2018, https://www.upguard.com/breaches/verizon-cloud-leak
• Connect risk management processes within data, applications and systems to risk management processes at organizational levels
• Support proactive responsibility and accountability for controls and risk management throughout the enterprise and its third parties, including CSPs and their subcontractors
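The partner repository exposure in footnote 17 is the kind of misconfiguration that continuous internal monitoring and external cloud assurance are meant to catch before a breach notice does. The following is an added example, not code from the paper or from ISACA: it walks an inventory of storage buckets and flags every bucket whose policy or access control list grants anonymous read. It assumes AWS S3-style bucket policy and ACL documents (the paper names no provider), and the bucket names, account ID and VPC endpoint ID in the inventory are constructed.

```python
"""Flag storage buckets whose policy or ACL grants anonymous read access.

Added example, not code from the paper. Document shapes follow AWS S3 bucket
policies and ACLs (an assumption; the paper names no provider), and the
bucket inventory below is constructed for the illustration.
"""
import fnmatch
import json

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions an anonymous caller would need in order to read or enumerate objects.
READ_TARGETS = ("s3:getobject", "s3:listbucket")


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def grants_read(actions):
    """True if any action pattern covers a read or list action. IAM action
    names are case-insensitive and may carry * wildcards (e.g. s3:Get*)."""
    actions = [actions] if isinstance(actions, str) else actions
    return any(fnmatch.fnmatchcase(target, a.lower())
               for a in actions for target in READ_TARGETS)


def public_policy_statements(policy_json):
    """Sids (or positions) of Allow statements that give everyone read access
    with no Condition. Conditioned grants (source VPC endpoint, source IP, ...)
    are left for manual review rather than reported as exposures."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        if grants_read(stmt.get("Action", [])):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl):
    """Grantee URIs in an ACL that hand READ (or FULL_CONTROL) to everyone
    or to any authenticated AWS account."""
    return [g["Grantee"]["URI"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS_URI, AUTH_USERS_URI)
            and g.get("Permission") in ("READ", "FULL_CONTROL")]


def assess_buckets(buckets):
    """buckets: dicts with name, policy (JSON string or None) and acl (dict).
    Returns {name: [reasons]} for each bucket found publicly readable."""
    exposed = {}
    for b in buckets:
        reasons = ([f"policy statement {sid} allows anonymous read"
                    for sid in public_policy_statements(b["policy"])]
                   if b.get("policy") else [])
        reasons += [f"ACL grants read to {uri.rsplit('/', 1)[-1]}"
                    for uri in public_acl_grants(b.get("acl", {}))]
        if reasons:
            exposed[b["name"]] = reasons
    return exposed


# Constructed inventory: names, ARNs, account ID and VPC endpoint ID are invented.
SAMPLE_BUCKETS = [
    {"name": "partner-call-recordings",
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::partner-call-recordings/*"}]}),
     "acl": {"Grants": []}},
    {"name": "static-site-assets", "policy": None,
     "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI},
                         "Permission": "READ"}]}},
    {"name": "vpc-only-reports",
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "VpcRead", "Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::vpc-only-reports/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
     "acl": {"Grants": []}},
    {"name": "finance-archive",
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "TeamRead", "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::123456789012:role/finance"},
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-archive/*"}]}),
     "acl": {"Grants": []}},
]

if __name__ == "__main__":
    for name, reasons in assess_buckets(SAMPLE_BUCKETS).items():
        print(name, "->", "; ".join(reasons))
```

Against a real inventory the policy and ACL would be fetched per bucket from the provider's API, and the findings feed the "cloud services that reported non-compliance issues since the last review" style of metric discussed later. A statement carrying a Condition is deliberately routed to manual review rather than flagged: a source-VPC-endpoint or source-IP condition usually narrows the grant, but whether it narrows it enough is a judgement the scanner should not make on its own. Account-level public-access blocks, where the provider offers them, can override a permissive policy and are not modelled here.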
[…] must be addressed as enterprises adapt to new business processing realities. Current threats, vulnerabilities, legal requirements and associated consequences must all be considered. Some of the most common challenges […]

[…] be unintended or malicious, but nonetheless, just like the external bad actor, will always exist. Some internal personnel simply lack awareness of appropriate security practices and engage in risky behaviors. Others innocently make mistakes, and some choose to act maliciously.

[…] controls are not implemented or sufficiently addressed. These actions create more risk for the business. Legal and regulatory penalties and fines—often levied against noncompliant companies—are increasing, as are civil suits[21] against […]
• Fifteen undertakings
• Twelve prosecutions
[…]
• Damage to brand and bottom line—The publicity from security incidents and privacy breaches can significantly damage brand value and result in lost customers. Fines and penalties for breaches, incidents and noncompliance can be huge,[23] even […]
[…] ways that regulators and clients deem unacceptable—or even contractually negligent. The result could be brand damage and lost customers.

Strategies for Identifying and Mitigating Risk in the Cloud
In the 1980s and 1990s, information security was largely a matter of protecting intellectual property and the network to help ensure data confidentiality, integrity and availability (CIA), and mitigating associated risk. In the late 1990s, as enterprises went online, connected to other businesses, and started collecting, processing and sharing more personal information, the challenges expanded and required insight into the types of personal information being processed and exchanged, and the third parties with access to the data. In the 2000s and 2010s, businesses everywhere developed a web presence, and many created social media sites. These new online presences expanded risk boundaries far beyond the corporate network that was formerly controlled almost exclusively by internal staff. Suddenly, enterprises needed to assess risk associated with cloud service providers (CSPs) and then develop security and compliance oversight capabilities accordingly. In this era of cyberattacks and breaches, key business leaders and decision makers have grown increasingly concerned about the ability to deliver core business capabilities and also reduce risk. Their concerns include: […]

[…] implementing continuous oversight of cloud services much more challenging.
• Managing full supply chain security, privacy and compliance oversight—Keeping track of all the players within the organization's supply chain is often more than a full-time job. The amount of risk organizations need to track within the full supply chain ecosystem is large and includes tracking the specific vendors, their locations, primary contact information, data involved, applications involved, the information security, privacy and compliance activities being performed by each of the vendors, regular audits, review of assessments, and more. Processes need to be established to identify the risk each vendor throughout the entire supply chain brings to the organization, along with determining how to monitor vendor risk levels on an ongoing basis. Additionally, the organization must determine the best ways to ensure vendors report security failures, incidents and privacy breaches in a timely and sufficient manner, and also ensure vendor security, privacy and compliance management programs are validated.
• Full systems, applications and data life cycle improvement—This includes ensuring proper information security controls, privacy controls and compliance requirements are built into each application and system from the point in time that they are being designed, through implementation, updating and end of use. Historically, information security issues have not been addressed until late in the life cycle, often just before implementation into production. More recently, privacy controls are also usually considered and addressed late in the […]
A POA&M should consider the following fundamental assessments:[25] […]

[…] supply chain management and improvement? Key stakeholders typically include: […]

[24] Generally, a corrective action plan (CAP) provides specific information as to remediation of findings/weaknesses, and includes a determination of causal factors and trends. A plan of action and milestones (POA&M) is a more high-level management tool for tracking the mitigation of cybersecurity program and system-level findings/weaknesses.
[25] For a useful reference explaining how to write a POA&M, see “FedRAMP Plan of Actions and Milestones (POA&M): Template Completion Guide,” Version 2.1, 21 February 2018, https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf
• Define the enterprise's continuous assurance and oversight strategy—Establishing an enterprisewide strategy for consistent, standardized continuous monitoring methodologies and practices will maximize the program's effectiveness, efficiencies and value. An effective strategy results when […] throughout the organization, then extend out to the supply chain, and apply to the cloud services being used. The strategy should include monitoring security, privacy and compliance metrics; performing assessments with appropriate frequency; and providing reports regularly to key stakeholders. High-level components include documented policies and supporting […]
  • Establishing responsibilities throughout the continuous monitoring processes, which includes creating and reviewing the associated data, reports and metrics, and making changes and adjustments based upon results and communications with the associated cloud service
• Define organizational roles for continuous assurance and oversight implementation—Key stakeholders are needed to identify and support those with responsibility for continuous oversight, monitoring, assurance, supply chain management and improvement. Stakeholders should ensure that responsible personnel have the skills, time, resources and authority for all […]
• Performing security, privacy and compliance impact and risk analyses
• Determining sources and sample sizes for data used to create metrics that are appropriate for each type of cloud service used
• Implementing enterprisewide cloud services monitoring tools with the appropriate frequencies for data gathering and metrics calculations established for the business environment
• Defining key continuous monitoring metrics for each type of cloud service
• Establishing and implementing security, privacy and compliance status monitoring and reporting
• Assessing threats and vulnerabilities through appropriate information sources
• Determining effectiveness of security, privacy and compliance controls
• Maintaining—and, as appropriate, modifying—the monitoring strategy for cloud services and associated actions to take for metrics that fall below target minimum acceptable levels
• Determining active monitoring practices within the business environment and extending them out through the cloud services, to determine security, privacy and compliance controls effectiveness, status and risk impacts
• Ongoing authorization for using each cloud service supported with updates for requirements based on […]

After key resources are assigned responsibilities, they can implement the strategy. Key activities specific to cloud services include:
• Analyzing data, including:
  • Determining the specific types of data to collect about the cloud services' security and privacy risk levels and associated metrics, along with the specific sources of data
  • Determining when it is necessary to collect supplementary data, such as through performing audits, or by implementing automated vulnerability scanning tools, to clarify security-, privacy- and compliance-related information that is being analyzed
  • Determining the best ways to communicate data and associated reports to the appropriate department or staff, both internal and within cloud services management as appropriate, such as through raw data feeds, database views, logs, statistics, and so on
  • Analyzing data within the context of the determined risk tolerances, determining the possible impact of vulnerabilities within the network and systems according to the organization's mission, the contract with each of the cloud services and consideration of business processes, and estimating the impact of mitigation activities on the business and upon the relationship with the cloud service
  • Considering new, emerging and evolving vulnerability and threat data during the analyses
• Reviewing analysis reports to determine next steps, such as whether to apply mitigation activities, or to transfer, avoid, reject or accept risk, or to terminate the associated CSP contract
• Recording resolution of risk along with documenting the reasons for the associated decisions, along with the contracts that the cloud service agreed to, and who will be accountable for the actions necessary to implement risk resolutions
• Reporting findings of assessments and monitoring […]
• Communicating the effectiveness of each cloud service's […]
• Providing appropriate metrics for continuous assurance and improvement associated with each cloud service
• Documenting each cloud service's challenges, including […]
• Responding to findings, which may include risk mitigation actions, risk acceptance, risk avoidance, or risk sharing and transfer, or termination of the cloud service, all in accordance with established business risk tolerance determinations, and as appropriate to meet the terms for each associated cloud […]
• Coordinating responses with the contact responsible for each […]

• Understanding of each cloud service's current security, privacy and compliance posture
• Support of the process by which each cloud service performs informed risk management decision-making and ongoing authorizations
• Understanding of improvements needed within each cloud service to better assess vendor and third-party security, privacy and compliance management programs
• Ability to respond to known and emerging threats for each […]
• Reviewing and updating, as needed, the procedures for all aspects of the cloud services continuous monitoring strategy, current relevance of the overall strategy, accuracy in metrics being used, reporting requirements, and monitoring and assessment frequencies
• Determining if any of the data collected to support established cloud service metrics are no longer needed for reporting purposes or have been determined not to be useful in desired security, privacy and compliance risk levels within each environment

[26] National Institute of Standards and Technology (NIST), “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” NIST Special Publication 800-137, September 2011, https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-137.pdf
Capture the Right Metrics
Selecting and implementing the right metrics methodology appropriate for the type of cloud services being used will help enterprises maintain continuous monitoring for the cloud services the enterprise depends upon to support their business activities. The following metrics should be considered.[27]

Key Supply Chain Metrics
[…] interfacing with CSPs. What are the total APIs[28] for all cloud services, and what are the total APIs for each cloud service?
• Number of workforce members using each cloud provider interface
• Change in number of cloud service critical vendors, suppliers, contractors and other third parties from the previous review
[27] ISACA, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018, https://www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx
[28] API is the common term for application programming interface. See National Institute of Standards and Technology (NIST), Computer Security Resource Center Glossary, “Application Programming Interface,” https://csrc.nist.gov/glossary/term/Application-Programming-Interface
• Number of cloud services that reported security incidents, privacy breaches and non-compliance issues since the last review
• Time it took (in hours and/or days, as appropriate for each cloud service) for cloud services to respond to security […]
• Time it took for each cloud service to apply critical security […]

Key Incident and Breach Metrics
Enterprises should establish and document key categories of security incidents and privacy breaches, and track the number of breaches and incidents by category. Examples of key related metrics include:
• Number of cyberincidents revealed by the alerts
• Number of personal information items involved with each individual supply chain involved with each specific incident
• Number of external entities notified
• Number of security alerts communicated to each cloud service and associated external entity
• Number of cloud services, and their supply chain partners
• Time it takes for security incident activity to be detected and processed through the system
• Time to make a decision on what action(s) to take in response to an alert
• Percentage of alerts not determined to be valid threats
• Time to identify a privacy breach

Example Metrics for Common Challenges
Key metrics to support such insights—and help mitigate the risks associated with cloud services—include:
1 Amount (in number of bytes, files, etc.) of egress traffic leaving the organization's private cloud and sent to contracted cloud services, in addition to unauthorized internet sites
2 Amount of traffic (in number of bytes, messages and/or files) flowing to and from BYOD endpoints within the corporate […]
3 […] services, involving big data analytics
4 Volume of personal data (in number of bytes, records, etc.) used within AI processes, and the associated cloud services
5 Number of legal requirements covering the use, protection, […]
29
29
National Institute of Standards and Techonology (NIST), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,”
Special Publication 800-171, Revision 1, December 2016, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
6 Volume of traffic to/from IoT devices within the corporate 8 Number of employees using IoT devices within the business
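The incident and breach metrics listed above can be produced directly from alert records. The following is an added example, not code from the ISACA paper; the record layout, field names and timestamps are constructed for illustration, and the metrics are reported in hours.

```python
"""Compute key incident and breach metrics from constructed alert records (added example)."""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed alert records: the cloud service concerned, the incident category,
# timestamps of the activity, its detection and the response decision, and
# whether the alert was confirmed as a valid threat.
ALERTS = [
    {"service": "storage-saas", "category": "privacy_breach",
     "activity": "2019-03-01T08:00", "detected": "2019-03-01T20:00",
     "decided": "2019-03-02T02:00", "valid": True},
    {"service": "analytics-paas", "category": "security_incident",
     "activity": "2019-03-03T10:00", "detected": "2019-03-03T11:30",
     "decided": "2019-03-03T12:00", "valid": True},
    {"service": "analytics-paas", "category": "security_incident",
     "activity": "2019-03-04T09:00", "detected": "2019-03-04T09:15",
     "decided": "2019-03-04T09:30", "valid": False},
    {"service": "iot-backend", "category": "non_compliance",
     "activity": "2019-03-05T00:00", "detected": "2019-03-06T00:00",
     "decided": "2019-03-06T12:00", "valid": True},
]

def _hours(start, end):
    """Elapsed hours between two 'YYYY-MM-DDTHH:MM' timestamps."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600

def incident_metrics(alerts, since):
    """Return the key incident and breach metrics for alerts detected on or after `since`."""
    recent = [a for a in alerts if a["detected"] >= since]   # fixed-width ISO strings sort correctly
    valid = [a for a in recent if a["valid"]]
    return {
        # Number of cyberincidents revealed by the alerts, tracked by category
        "incidents_by_category": dict(Counter(a["category"] for a in valid)),
        # Number of cloud services that reported incidents since the last review
        "services_with_incidents": len({a["service"] for a in valid}),
        # Mean time for incident activity to be detected (0.0 when nothing qualifies)
        "mean_hours_to_detect": mean(_hours(a["activity"], a["detected"]) for a in valid) if valid else 0.0,
        # Mean time from alert to the decision on what action(s) to take
        "mean_hours_to_decide": mean(_hours(a["detected"], a["decided"]) for a in recent) if recent else 0.0,
        # Percentage of alerts not determined to be valid threats
        "pct_alerts_not_valid": 100 * sum(not a["valid"] for a in recent) / len(recent) if recent else 0.0,
        # Time to identify each privacy breach
        "privacy_breach_hours_to_identify": [
            _hours(a["activity"], a["detected"]) for a in valid if a["category"] == "privacy_breach"],
    }

if __name__ == "__main__":
    print(incident_metrics(ALERTS, since="2019-03-01T00:00"))
```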
Call to Action
Enterprises of all sizes throughout the world face significant, new types of information security, privacy and compliance challenges. The use of cloud services introduces many of these challenges—largely because they involve new and emerging technologies and practices, including AI, big data analytics, IoT and BYODs, among others. Supply chain services and products also are increasingly provided through cloud connections—or within cloud servers—so all associated risk must be mitigated.
Information assurance professionals can mitigate risk created by emerging technologies and practices—propagated in many ways by cloud computing and cloud activities. Critical activities and initiatives for information security, privacy and compliance programs include:
• Continuous improvement initiatives to ensure that cloud services security, privacy and compliance activities remain relevant and effective, and provide metrics to gauge success and indicate where improvements are necessary.
The following actions will help meet these challenges:
1 Obtain visible and strong support of executive leaders for implementing continuous monitoring activities for cloud services used by the organization.
2 Implement continuous compliance, audit, assurance activities and oversight for each cloud service.
3 Ensure that all applicable legal requirements for privacy protections become the norm throughout all the cloud services used by the organization, and that they are continuously
4 Maintain continuous oversight of all cloud services and associated parties throughout the entire supply chain to remain
Acknowledgments
ISACA would like to acknowledge:
Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP, Holistics GRC, Mexico
Mohammed Khan, CISA, CRISC, CIPM, Senior Global Audit Manager, USA
Gregory Touhill, CISM, CISSP, Cyxtera Federal Group, USA
Abbas Kudrati, CISA, CISM, CGEIT, Chief Security Advisor, Australia
Ted Wolff, CISA, Vanguard, Inc., USA
Tim Sattler, CISA, CRISC, CISM, CGEIT, CCSP, CISSP, Corporate Information Security Officer, Germany
About ISACA
Now in its 50th-anniversary year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its 460,000 engaged professionals—including its 140,000 members—in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.
1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
About SecurityScorecard
Headquartered in the heart of New York City, SecurityScorecard’s vision is to create a new language for measuring and communicating security risk. The company was founded in late 2013 by Dr. Aleksandr Yampolskiy and Sam Kassoumeh, two former cybersecurity practitioners who had served, respectively, as chief information security officer and head of security and compliance. With cloud solutions becoming an increasingly integral part of the security technology stack, Yampolskiy and Kassoumeh recognized the need to address third- and fourth-party risk as well as better understand the security capabilities of their business partners. Since its founding, the company has grown dramatically, and now counts hundreds of leading brands as customers. SecurityScorecard is backed by leading venture capital investors including Sequoia Capital, GV, NGP Capital, Evolution Equity Partners, Boldstart Ventures and AXA Venture Partners, among others. For more information, visit securityscorecard.com.
Provide Feedback: www.isaca.org/continuous-oversight
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAHQ
Instagram: www.instagram.com/isacanews/
DISCLAIMER
ISACA has designed and created Continuous Oversight in the Cloud: How to Improve Cloud Security, Privacy and Compliance (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
RESERVATION OF RIGHTS
Continuous Oversight in the Cloud: How to Improve Cloud Security, Privacy and Compliance