cloud security alliance meeting presentation v3


Upload: jon-long

Post on 05-Dec-2014


TRANSCRIPT

Page 1: Cloud security alliance meeting presentation v3


Cloud Security Alliance Chapter Meeting

Tweet #csamtg

Page 2

Welcome

Definition of some commonly used, but often misunderstood, terms.

Subject matter might be controversial.

Please make a note of the page number, jot down your thoughts, and hold questions and comments for the discussion period (only 30 seconds per slide!).

OR tweet #csamtg with slide number X and your question or comment.

Please keep it clean?

Page 3

Standard

stand·ard [stan-derd] noun 1. something considered by an authority or by general consent as a basis of comparison; an approved model.

Page 4

Who Defines Standards?

What does it mean to have a clean house?

Who should decide?
• Occupants of the house
• Independent authority or general consent

Why not?

Page 5

Standards

“Clean” Defined by Occupant: 1. Self defined - not a standard by definition
• No clutter
• Clean floors
• No food left on the counter

Bare Minimum

Page 6

Standards

“Clean” Defined by Authority: 2. Broad objectives
• No clutter
• No dishes in the sink
• Clean floors
• No dust
• No food left on the counter
• Everything in its place

You get to decide what this means to you.

Page 7

Standards

“Clean” Defined by Authority (cont.): 3. More detailed
• No clutter
  o No clothes on the floor
  o Beds must be made
  o No excessive trinket collection or picture hanging
• No dishes in the sink
  o Dishes must be placed in the dishwasher immediately
  o Sink must be washed after use
• Clean floors
  o Carpeted floors must be vacuumed daily
  o Tiled floors must be cleaned daily with bleach
  o Baseboards must be wiped down with a rag by hand
• No dust
  o All furniture surface areas must be dusted daily
  o The inside of the refrigerator, stove, and all appliances must be wiped daily

Sometimes not applicable

Page 8

Standards

“Clean” Defined by Authority (cont.): 4. Hybrid – Even more detailed in some areas, but not applicable in others
• No clutter (in the kitchen)
  o Nothing on the floor
  o No counter top appliances
  o Range must be electric
  o All appliances must be stainless steel
• No dishes in the sink
  o Sink must not be used for washing dishes
  o Dishwasher must be commercial quality
• Clean floors (in the kitchen)
  o Floors must be cleaned daily with bleach
  o Baseboards must be wiped down with a rag by hand
  o Anti-bacterial spray must be used daily
• No dust (in the kitchen)
  o The outside of the refrigerator, stove, and all appliances must be wiped daily
  o The inside of the refrigerator, stove, and all appliances must be wiped daily
• Bedrooms, living rooms, den, bathrooms, etc. (N/A)

Page 9

Assurance

as·sur·ance [uh-shoor-uhns, -shur-] noun 1. a positive declaration intended to give confidence:

Page 10

Assurance

1. My house is clean.
2. His house was clean when I inspected it.
3. His house was clean all last year.
4. His house is continually clean.

Callouts: What about after? Really? What about before? What about after? How do you know?

Page 11

Assurance

“My house is clean.”
• Self Assessment or Management Attestation
• High Risk – Low Reliability
• Requires a high degree of trust in the person making the attestation
• Lack of accountability. Leads to cutting corners because no one is looking.

Page 12

Assurance

“His house was clean when I checked.”
• Third Party Attestation (Point in Time)
• Medium Risk & Reliability
• Provides minimal, if any, assurance, and still requires trust
• Lack of accountability. Leads to cutting corners when no one is looking.

Page 13

Assurance

“His house was clean all last year.”
• Third Party Attestation (Period of Time)
• Low Risk – High Reliability
• “Trust, but verify” – provides reasonable assurance
• Accountability exists - when corners are cut, there is a high likelihood of being caught

Page 14

Assurance

“His house is continually clean.”
• Perpetual Validation (Real Time - Utopia)
• Little to No Risk – Very High Reliability
• Provides near absolute assurance, and does not require trust
• Accountability exists. Corners cannot be cut, or there is a certainty of being caught

Page 15

Certified

cer·ti·fied [sur-tuh-fahyd] adjective 1. having or proved by a certificate 2. guaranteed; reliably endorsed:

I am a CISA. Does ISACA guarantee my work?

Page 16

Which Assurance Should “Certified” Belong To?

1. Self Assessment
2. Third Party Attestation – Point in Time
3. Third Party Attestation – Period of Time
4. Perpetual Validation – Real Time Utopia

Please tweet your answer.

Page 17

Security Standards & Assurance

Standard | Standard Category | Assurance
CSA STAR | More Detailed | Self Assessment
NIST/FedRAMP | More Detailed | Self Assessment
COBIT | Broad Objectives | Self Assessment
HIPAA / HITRUST | Broad Objectives | Point in Time
ISO 27001 | Broad Objectives | Point in Time
PCI-DSS | Hybrid – Focused on cardholder data environments | Point in Time
AICPA SSAE 16 - SOC1 (formerly SAS70) | Self Defined (N/A – Controls Related to Financial Statement Accuracy Only) | Type 1 – Point in Time; Type 2 – Period of Time
AICPA SSAE 10~14 – SOC2/SOC3 | Broad Objectives (Trust Services Principles & Criteria, TSPC) | Type 1 – Point in Time; Type 2 – Period of Time

Page 18

Issues Created for Service Organizations

Forced to satisfy customer’s need for assurance with multiple standards and audits.

Wasting time scheduling and supporting external auditors from multiple firms.

Wasting time scheduling and supporting audits by customers exercising their “right to audit.”

Lack of clarity and confusion regarding customer expectations.

Page 19

Is there a “Silver Bullet” to Satisfy Everyone?

No.

Governing bodies will always require their own standards and reports (e.g. Visa and Mastercard require PCI, the Federal Government requires HIPAA compliance).

Customers have to provide their external auditors with reports that meet their requirements.

Page 20

What can be done to reduce the burden of compliance?

Take the best from each available Standard and Assurance.

Get Period of Time Assurance with More Detailed Standards.

How?

Page 21

What can be done to reduce the burden of compliance?

Use a SOC2 Type 2 Report as the Assurance wrapper for any or all of the following:
o ISO 27001
o CSA STAR
o PCI-DSS
o HITECH
o NIST/FedRAMP

What?

Who would test? Accountants?

What good would it do? Reports come from separate auditors.

Page 22

SOC2 and “Additional Subject Matter”

The SOC2 Attestation Standard (AT-101 or SSAE 10~14) allows for inclusion of other standards.

CPA firms can partner with QSAs and ISO registrars to conduct testing together, eliminating testing redundancy.

Is this even allowed?

Yes… “Technical Specialists” (AT-101)

Is there much overlap in standards?

Yes. (PCI-DSS / TSPC)

Page 23

SOC2 and “Additional Subject Matter”

At the end of the engagement, organizations receive a SOC2 report that covers a period of time

AND

they receive separate reports covering the other standards - i.e. PCI-ROC and / or ISO Certificate.

Page 24

SOC2 and “Additional Subject Matter”

One core set of audit work serves as the basis for multiple reports.

Customers receive:
o The solid detail that great standards like CSA STAR provide
o Low Risk – High Reliability, provided by period of time testing
o Specific reports to satisfy everybody
o International acceptance

Page 25

Objectors Say

CPA firms that are not competent to perform CSA STAR, ISO 27001, PCI-DSS, etc. testing are not competent to accept the engagement, referencing SAS 73 as the Technical Specialist guideline CPA firms must follow.

We say, the AICPA provided for the use of technical specialists in AT-101, and the standard is clear. The use of specialists to demonstrate competence is allowed.

AT-101: “This knowledge requirement may be met, in part, through the use of one or more specialists on a particular attest engagement if the practitioner has sufficient knowledge of the subject matter (a) to communicate to the specialist the objectives of the work and (b) to evaluate the specialist's work to determine if the objectives were achieved.”

Page 26

Objectors Say

ISO 27001 is a real time assurance because the certificate is valid for three years.

We say, read the fine print. The certificate is void if any of the terms in the certificate agreement are broken. See - "Proof that ISO 27001 is a Point-in-Time Assurance"

Page 27

Objectors Say

Period of Time assurance is no better than Point in Time assurance because both are “dated”, meaning they are irrelevant even before they are issued.

We say, the discipline that is instilled in an organization, that knows there is an increased likelihood of being caught when they stray, shifts culture in the direction of better security.

Page 28

Questions?

Page 29

About Us