csa ny metro inaugural event 5 17 2011 final

May 17, 2011

Upload: peister

Post on 19-May-2015


Page 1: CSA NY  Metro Inaugural Event 5 17 2011 Final

May 17, 2011

Page 2

May 17, 2011 Agenda

6:00 – 6:20 Introductions, welcome and about NY Metro CSA Chapter

6:20 – 6:30 A few words from our sponsor: PWC

6:30 – 6:45 About CSA Global: Dov Yoran

6:45 – 7:15 Committee Chair Overview(s)

7:15 – 7:30 Open Discussion, Membership Points of Interest

• Upcoming meetings

• Website developments

• How to get involved with CSA

7:30 – Food, Drinks and Networking

Page 3

Introductory Comments and Welcome: Pamela Fusco

• Welcome to the CSA NY Metro Chapter Kickoff

• How and why about the Chapter

• Founding members

• Committees

• CSA Global interaction

• Future vision

Page 4

CSA NY Metro Chapter

• New York, Connecticut and New Jersey

• Mission – Cloud Risks and threats

To promote the use of best practices for providing security assurance in reducing and identifying threats and risks within Cloud Computing

Page 5

CSA NY Metro Board Members

Page 6

Dov Yoran - Chairman  Role and Responsibility

Background:

• Partner, MetroSITE Group

• Founding Member CSA, contributed to Guidance v1 and v2

Focus:

• Establish / maintain relationship with CSA Global

• Ensure NY Metro meets chapter requirements

• Communications to/from Global CSA and NY Metro Chapter

Page 7

Elad Yoran – Finance Chairman

Background:

• Founder & CEO - Security Growth Partners

• Wharton MBA (Truth is that no one else wanted this job)

Focus:

• CSA NY Metro Chapter - Not for profit entity

• Responsible for financial management of our chapter

• Not chief fundraiser. Fundraising is the responsibility of all of us. Our chapter will be as successful as we enable it to be, i.e. we'll need funds for events, programs, educational and networking activities

• Sponsorships - will put together a sponsorship program. Looking for volunteers to help develop and manage. Other ideas?

Page 8

Peter Laberee, Esq. – General Counsel

Background:

• B.A., J.D. – University of Pennsylvania

• 29 years of corporate law experience

• Partner in several national law firms

• Founder, Laberee Law PC, a corporate law boutique

Focus:

•Serve as general counsel – legal resource for chapter

•Form CSA NY legal entity and manage books/records with corporate secretary and officers

•Interested in chapter formulating a model form of cloud-based SLA

Page 9

Jason Falciola – Secretary

Background:

•Previously Technical Security Practitioner with IBM MSS

•Currently Technical Account Manager with Qualys - SaaS provider of security & compliance services

•Board member of NJ Infragard chapter

Focus:

•Ensuring proper documentation and communication of Board meetings and Chapter business/records.

•Supporting relationship with CSA Global.

•Participate in chapter development – It is what we all make of it!

•Volunteer on Events committee (Others?).

Page 10

About the Cloud Security Alliance: Dov Yoran

• Global, not-for-profit organization

• 19,000+ individual members, 90+ corporate members

• Building best practices and a trusted cloud ecosystem

• Agile philosophy, rapid development of applied research

• GRC: Balance compliance with risk management

• Reference models: build using existing standards

• Identity: a key foundation of a functioning cloud economy

• Champion interoperability

• Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 11

What is Cloud Computing?

• On demand provisioning

• Elasticity

• Multi-tenancy

• Key types

• Infrastructure as a Service (IaaS): basic O/S & storage

• Platform as a Service (PaaS): IaaS + rapid dev

• Software as a Service (SaaS): complete application

• Public, Private, Community & Hybrid Cloud deployments

Page 12

• Industry leading practices for securing cloud computing.

• 14 Domains of concern – governing, operating groupings & Security as a Service (new Candidate!).

• Version 2.1 Guidance already in Use

• Version 3 of Guidance – Work in Progress

Page 13

Scott Saltz – Operations Chairman

• Committee Chair

– Scott Saltz

– [email protected]

– (212) 461-3322 x3007

• Committee Members

– John Bertoli

– Jordan Hadas

– Sundar Narayanaswamy

– Peter Nowak

• Website - www.CSANYMetro.org

• LinkedIn - Cloud Security Alliance - New York Metro Chapter

• All events will be listed on both sites

• Registration will be through www.CSANYMetro.org

• Content - submit to [email protected]

• Blogs, events, articles, ideas, etc.

Page 14

Brian Peister – Events Chairman

Background:

• President & Owner – iSecure LLC – Info. Risk Consulting

• 12+ years of information security experience in Retail, Manufacturing, Healthcare, Financial, Insurance, Telecom and Gov sectors.

• Built application security, data protection and incident response programs for large enterprises.

• Former NY/NJ OWASP Board Member.

• Recently architected and implemented Cloud risk framework for large financial institution.

Focus:

• Facilitate cloud security events focused on our membership's goals and pain points.

Page 15

Brian Peister – Events Chairman

Locations: New York, New Jersey and Connecticut

Event Committees - Coordinating and Programming

• Committee Leads - Jason Falciola and Israel Bryski

• Coordinating encompasses logistics, confirming event agenda, registration and ordering food

• Programs will consist of choosing event topics, confirming speakers, audience focus (CSO, Architect, developer, etc.) and assisting with building event agenda.

Event Topics & Format – Broad Focus from Executive to Developers Level

• Cloud Security Domains – 14 and counting!

• Projects - GRC Stack, CloudSIRT, Security as a Service, Cloud Audit.

• Various meeting formats: SME Presentations, Roundtables, Panels, Hands on events, Competitions.

Page 16

Tim Lynam – Education Chairman

• Develop "Working Group Committees" - Invite individuals to join the CSA NY Metro Chapter and encourage them to be members of Working Groups by:

– Contacting (NY/NJ/CT) (ISSA/ISC2/ISACA) Presidents to market CSA NY Metro Chapter in their respective organizations

– Sending emails to CSA NY chapter member organizations socializing about the new CSA NY chapter

– Documenting guidance on how to join the NY Metro CSA Chapter for new members (direct them to website and registration instructions)

• Advertise (on the web site) committees inviting participation

Page 17

Education Committee New Project Ideas

• Prep program for the CCSK developed or guidance on vendors/personnel who offer it. Possibly for Q2/3 at CSA NY Metro Chapter

• CSA framework aligned with other frameworks like ISO 27001/2, SafeHarbor, Cobit, etc., or repurposed as enhancing the CCM framework to align it with emerging regulatory trends to be determined

• Security assessment in the cloud – guidelines to determine whether or not your vendor has placed you in the cloud without your knowledge. What mandatory controls are needed to be in place?

• Privacy framework for an organization moving to the cloud - personal data in the cloud

• Correlation between vendor risk management and cloud security – organizations typically have reasonably mature vendor risk management programs. We can look at how best to leverage this in a cloud scenario. What should be the approach and what are some of the additional processes and controls an organization would need to consider?

Page 18

Education Committee New Project Ideas (Continued….)

• Cloud Assurance – approach & methodology (leverage some of the recent SOC reporting changes)

• Cloud Provider Assessments: Questionnaire to be provided on Web Site by CSA NY Metro to meet the minimum CSA baseline

• Identify the additional information security risks associated with the Cloud and what are the additional risks the Cloud Provider is going to introduce by hosting your environment

• Possible working group for SAS70 processes to be updated for the Cloud

• Benefits of using the Cloud for a cost, recourse, time, and security perspective.

Kill” White Paper Development

Page 19

Education Committee New Project Ideas (Continued…)

3-5 people per whitepaper working group review, 1 to chair/editor, others to research/review:

• Domain 7 DR/BC review whitepaper – Tim: Q2/3

• Domain 4 Compliance and Audit whitepaper – Don, Karthik: Q3/4

• Domain 3 - All Domains Overview for Contract and SLA Negotiations – Tim, Karthik: Q4

Page 20

CCSK Training and Certification Support/Initiation

• CSA CCSK Certificate versus a Certification: develop possible guidance for CSA to establish a certification program. (Right now, it is only a certificate after taking the test but input from our committee will be essential to determine the certification process with input from the other committees possibly)

(For example: Could a CIA, CISA, CRISC, CGEIT, CISSP or CISM along with the CCSK certificate and work experience be part of a certification process?)

• http://ccsk-training.eventbrite.com/

• How can we increase the marketability of the CCSK? What is its USP (unique selling proposition)?

Page 21

Membership Committee

• Developing our membership

• Opportunities for members

• How to get involved

• Leveraging website for community and membership events, activities and committees

Page 22

Proposed Meetings

Page 23

Contact

To volunteer and get involved please contact us at: [email protected]

Website: www.CSANYMetro.org

Find us on LinkedIn: http://www.linkedin.com/groups?mostPopular=&gid=3606473

Page 24

Thank You!