Assessments
Donald Gallien
March 31, 2011
www.isaca.org
Overview
Quiz
Cloud Computing Basics
Deployment Models
Source: NIST
Service Models
Source: NIST
Another Way to Look at Service Models
[Diagram: service models arranged by degree of provider control; examples given are SaaS (WebEx) and PaaS (BPOS)]
Deployment Model Risk Profile
[Diagram: deployment models placed on a scale from higher to lower likelihood of a data security, privacy and control breach]
Service Model Risk Profile
[Diagram: service models placed on a scale from higher to lower impact of a loss of control and a security breach]
Cloud Refresher Summary
Assessing Cloud Computing Universe Completeness
The Cloud Universe Challenge
[Word cloud: cloud environments are transient, flexible, abstract, dynamic and rapidly deployed]
Finding the Clouds: Control Points
Technology Governance
• Oversight
• Technology Approvals
• Partner Approvals
Firewalls and Encryption Certificates
Cloud computing environments are unlikely to stand alone.
Invoices / T&E Reporting
• Vendor Master
• Invoice Lists
• T&E Reporting
Process Walkthroughs
• Business Process
• Data Flow
• Technology Overview
Summary – Universe Completeness
Using a Cloud Computing Risk Ranking Model
A few thoughts before we start
Cloud Risk Ranking Example

Cloud Risk Category | Score | Governance Requirements | Audit Requirements / Frequency
High   | >25   | SAS 70 Type II | Full Scope / Annual
Medium | 11-24 | SAS 70 Type I  | Limited Scope / Bi-Annual
Low    | <10   | None           | Risk Assess Only
Deployment Model Considerations
Service Model Considerations
Data Security Considerations
Physical Hosting Site Considerations

Attribute             | High      | Medium                 | Low
Hosting Site Location | Undefined | International Location | Domestic Location

- May result in cross-border data protection regulatory issues
- Undefined: difficult to demonstrate compliance with regulations like GLBA
SOX Criticality Considerations
Dependent Applications
Recovery Time Objectives (RTO) Considerations

Attribute | High    | Medium | Low
RTO       | 4 Hours | 7 Days | 31 Days
Regions Supported Considerations
Summary – Cloud Risk Ranking Models
• Cloud risk ranking attributes and scoring must vary based on environment and need
• Risk attributes and scoring require alignment with organizational standards
What other risk attributes might you use, and how would you rank them on a high, medium, low basis?
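The ranking model from the Cloud Risk Ranking Example slide and the hosting-site and RTO considerations slides, worked through as an added example (this code is not from the deck or its author). The point values per level (High 5, Medium 3, Low 1), inclusive RTO boundaries, and the handling of the scores the deck's bands leave out (exactly 10 and 25) are assumptions.

```python
from enum import IntEnum

class Level(IntEnum):      # point values 5/3/1 are an assumption, not from the deck
    LOW = 1
    MEDIUM = 3
    HIGH = 5

# The eight attributes named on the deck's "considerations" slides.
ATTRIBUTES = ("deployment_model", "service_model", "data_security", "hosting_site",
              "sox_criticality", "dependent_applications", "rto", "regions_supported")

def rate_hosting_site(location: str) -> Level:
    """Hosting site slide: undefined=High, international=Medium, domestic=Low."""
    return {"domestic": Level.LOW, "international": Level.MEDIUM,
            "undefined": Level.HIGH}[location.strip().lower()]

def rate_rto(rto_hours: float) -> Level:
    """RTO slide: 4 hours=High, 7 days=Medium, 31 days=Low (boundaries assumed inclusive)."""
    if rto_hours <= 4:
        return Level.HIGH
    if rto_hours <= 7 * 24:
        return Level.MEDIUM
    return Level.LOW

def total_score(ratings: dict) -> int:
    """Sum the attribute ratings; an assessment with unrated attributes is rejected."""
    missing = set(ATTRIBUTES) - set(ratings)
    if missing:
        raise ValueError(f"unrated attributes: {sorted(missing)}")
    return sum(int(ratings[name]) for name in ATTRIBUTES)

def audit_requirements(score: int) -> dict:
    """Map the total to the deck's category, governance and audit requirements.
    Scores of exactly 10 and 25 fall between the deck's bands (<10, 11-24, >25);
    the assumption here is to place them in the higher band."""
    if score >= 25:
        return {"risk": "High", "governance": "SAS 70 Type II", "audit": "Full Scope / Annual"}
    if score >= 10:
        return {"risk": "Medium", "governance": "SAS 70 Type I", "audit": "Limited Scope / Bi-Annual"}
    return {"risk": "Low", "governance": "None", "audit": "Risk Assess Only"}

# Constructed sample assessment of one hypothetical workload (not real data).
EXAMPLE_RATINGS = {
    "deployment_model": Level.HIGH, "service_model": Level.MEDIUM,
    "data_security": Level.HIGH, "hosting_site": rate_hosting_site("International"),
    "sox_criticality": Level.HIGH, "dependent_applications": Level.LOW,
    "rto": rate_rto(3), "regions_supported": Level.LOW,
}
EXAMPLE_RESULT = audit_requirements(total_score(EXAMPLE_RATINGS))  # total 28 -> High
```

Changing a single attribute in EXAMPLE_RATINGS shows how sensitive the category boundary is to the chosen point values, which is the alignment question the summary slide raises.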
Risk Ranking Case Study
Conclusions
Questions
Contact Information:
donald.w.gallien@aexp.com