Originally based on the Plan Do Check Act (PDCA) model, ISO 27001 is consistent with and easily integrated into other management system standards and regulatory requirements. With the release of ISO/IEC 27001:2013, there will be increased consistency across all standards. ISO 27001 has been called the umbrella standard because of its strong management system foundation, which ensures business systems and objectives are in place that drive process ownership and continual improvement.

As stated in Annex A within the standard, ISO/IEC 27001 “contains a comprehensive list of control objectives and controls that have been found to be commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point for control selection to ensure that no important control options are overlooked.” Additional controls may be necessary for cloud service providers, however. Some controls can be excluded with clear evidential justification, and others can be replaced with compensating controls that meet or exceed the same requirement. In terms of the cloud, controls like those in the Cloud Control Matrix (CCM) can be added or even substituted, if justified.

51 www.eForensicsMag.com
Security standards that rely on self-assessment techniques and checklists ultimately fail to engage the deeper concerns of CIOs and CISOs. ISO/IEC 27001 plus CCM is certifiable by an accredited firm and has a formal management system to detect ongoing vulnerabilities, create information security controls, and preempt security threats. It is risk-based, and its assessment helps identify the controls needed to secure information. For this reason, ISO/IEC 27001 was used as the foundation for STAR Certification, but it can be used with any other industry-specific standard and/or framework, either to supplement it or for specific needs such as government or healthcare contracts. The CCM can act as additional or compensatory controls to build a unified, integrated system rather than reinforcing islands of information.

The CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. This matrix is meant to be integrated into the assessment by the auditor, who references each applicable CCM control against the associated ISO 27001 controls in the Statement of Applicability. The output will be the result of the overall performance of the organization within the scope of certification.

Figure 1. SOA

To further the value and increase transparency, CSA STAR Certification contains a maturity model to assess how well managed the activities are in the control areas. The resulting maturity score helps drive internal improvements within the organization, but will not be listed on certificates. An organization must demonstrate that it has all the controls in place and operating effectively, however, before an assessment of the management capability around the controls can take place. When an organization is audited, a Management Capability Score will be assigned to each of the control areas in the CCM. This will indicate the capability of the management in this area to ensure the control is operating effectively.
Figure 2. CCM Control Areas

The management capability of the controls will be scored on a scale of 1-15. These scores have been divided into 5 categories that describe the type of approach characteristic of each group of scores.

Figure 3. Maturity Rating

In order to make it possible for an assessor to consistently apply a score to the control area, each auditor is provided a grid that outlines what would be required of an organization to achieve each score. Depending on the capability level the client achieves, the audit report will categorize performance against the maturity model as:
• No Award
• A Bronze Award
• A Silver Award
• A Gold Award

ISO 27001 is a management systems standard and by definition requires a systematic approach to managing an organization. Therefore, if an organization is certified to ISO 27001, it is very unlikely that it would not achieve at least a bronze award.

STAR Certification leverages a holistic information security management system (ISO/IEC 27001) that, when applied using good risk management discipline, can address all cloud-specific risks and relevant aspects of information security. Its benefits depend on proper scope and implementation; it must be Service Level Agreement (SLA) driven. (An SLA complements and forms part of a service agreement. It is a means used to incorporate business strategic objectives and define the business’s desired results.)
Clients care about the security of their sensitive information, and they care that cloud providers are certified. However, to provide the best level of security and service, management system implementation is equally important, as it must be “fit-for-purpose.” A scope that is not fit-for-purpose is of little value when it comes to cloud services. STAR Certification uniquely looks into scope relative to service, ensuring the most meaningful certification and providing evidence of third-party approval.

SUMMARY
• ISO 27001 requires the organization to evaluate customers’ requirements and expectations, as well as contractual requirements. To achieve this, it requires a system to be implemented.
• ISO 27001 requires the organization to conduct a risk analysis that identifies the risks to meeting customers’ expectations.
• CCM requires the organization to address specific issues that are critical to cloud security.
• STAR Certification ensures the proper implementation and effectiveness of the CCM controls, and that scope is fit-for-purpose and SLA driven.
• The maturity model assesses and scores how well managed activities are in the control areas, providing a clear route for continual improvement.

IN THE NEXT MODULE WE WILL COVER
Road Map to CSA STAR Certification – Optimizing processes, reducing costs and meeting international requirements.

ABOUT BSI
Our comprehensive approach creates a gateway to excellence for your organization. BSI’s training, assessment services, and software enable your business to continually improve. BSI’s internal and lead auditor training provides an understanding of the rigors of management system standards and how to ensure compliance. Our assessments offer independent audits of your adherence to these standards. BSI’s configurable, web-based software solution, Entropy™, automates risk management, document control, audit and compliance, performance, and incident management, effectively managing the drive for continuous improvement across the organization. From the decision to improve systems through to registration and continual improvement, BSI is your business improvement solutions partner.

ABOUT THE AUTHOR
John DiMaria, CSSBB, HISP, MHISP, AMBCI, is the ISO Product Manager for BSI Group Americas. He has 30 years of successful experience in Standards and Management System Development, including Information Systems, ITSM, Business Continuity and Quality Assurance. John is responsible for overseeing product roll-out and client/sales education. He is a product spokesperson for BSI Group America, Inc. regarding all standards covering Risk, Quality, Sustainability and Regulatory Compliance. John was one of the key innovators of CSA STAR Certification for cloud providers, a contributing author of the American Bar Association’s Cybersecurity Handbook, and a working group member and key contributor to the NIST Cybersecurity Framework. John has been a keynote speaker internationally and featured in many publications concerning various topics regarding information security, sustainability and business continuity, such as Computer World, Quality Magazine, Continuity Insights, Health and Safety Magazine, ABA Banking Journal, CPM Magazine, Disaster Recovery Journal and GSN Magazine (dubbed “Business Continuity’s new standard bearer”), and featured on the cover of PENTEST Magazine.
ROAD MAP TO CSA STAR CERTIFICATION – OPTIMIZING PROCESSES, REDUCING COST AND MEETING INTERNATIONAL REQUIREMENTS
by John DiMaria

Corporate strategist Joel A. Barker stated, “when a paradigm shifts, everything goes back to zero”, and illustrated this meaning with the example of watchmaking (Joel A. Barker, Paradigms: The Business of Discovering the Future (New York: HarperCollins Publishers, 1993), p. 15).

For centuries, the Swiss dominated the watchmaking industry, and their national identity was somewhat tied to their expertise in the precision mechanics required to make accurate timepieces. Yet the Swiss were so passionate about their expertise that they hesitated to embrace the new technology in watchmaking with batteries and quartz crystals. With Japan’s introduction of the quartz wristwatch in 1969, the majority Swiss market share dropped from 80% at the end of World War II to only 10% in 1974 (Aran Hegarty, Innovation in the Watch Industry, Timezone.com, November 1996, http://people.timezone.com/library/archives/archives0097). Ironically, it was the Swiss who had invented the quartz watch but failed to see its potential.

When a paradigm shifts, you cannot count on past success. New technology, like the quartz in watchmaking, can revolutionize a market, creating a tectonic shift in accepted practice. The advent of the Cloud is such an advancement in technology and optimization of its capability – the new paradigm. How organizations evaluate Cloud Service Providers (CSPs) has become key to maximizing that optimization. CSA STAR Certification is the new cloud security standard of excellence.

NOTE: Some of the concepts in article 1 are a prerequisite for this article. It is recommended that you read article 1 if you have not already done so.
Figure 1. The Business Challenge

Figure 2. Why Optimization?

Optimization of processes is critical to ensure continual improvement. The goal is to lower costs by increasing efficiencies to offset the costs of increasing security. This will allow improved services to the customer base.

Figure 3. Optimization Process

However, optimization cannot occur without fully analyzing the organization’s current status. Measuring where the organization is today versus where it needs to be long term is critical to optimizing processes.
BUILDING THE BUSINESS CASE FOR PURSUING STAR CERTIFICATION
The benefits of becoming STAR Certified are extensive. Building a convincing business case requires a number of factors. The following is a list of points that have been developed from companies that have become certified.

CERTIFICATION FOR CLOUD SERVICES IS ON THE GLOBAL AGENDA
• In the Agenda of the European Commission
• Requested from the Art. 29 Working Party (European Commission) as a measure for privacy compliance
• Already part of government cloud strategy in countries such as USA, Singapore, Thailand, China, Hong Kong, Taiwan
• In Europe various Member States are looking at a certification/accreditation scheme for cloud service, especially in Public Procurement
• The UK G-Cloud is based on the logic of companies accredited to offer service in the App Store. The STAR process meets these requirements.

CSA STAR PRINCIPLES ARE AN EXTENSION OF SCOPE FOR ISO/IEC 27001
• Comparability – results are repeatable, quantifiable and comparable across different certification targets
• Scalability – the scheme can be applied to large and small organizations
• Proportionality (risk-based) – evaluation takes into account the risk of occurrence of threats for which controls are implemented
• Composability/modularity – addresses the issue of composition of cloud services, including dependencies and inheritance/reusability of certifications
• Technology neutrality – allows innovative or alternative security measures
• Transparency of the overall auditing process

CSA STAR CERTIFICATION IS USER AND BUSINESS FRIENDLY
• Provides a globally relevant certification to reduce duplication of efforts
• Addresses localized, national-state and regional compliance needs
• Addresses industry-specific requirements
• Addresses different assurance requirements
• Addresses “certification staleness” – assures the provider is still secure after “point in time” certification
• User-centric
• Voluntary, business driven
• Leverages global standards/schemes
• Does all of the above while recognizing the dynamic and fast-changing world that is cloud

CERTIFICATION PROVIDES THE ULTIMATE BUSINESS OBJECTIVES
• To improve customer trust in cloud services
• To improve security of cloud services
• To increase the efficiency of cloud service procurement
• To make it easier for cloud providers and customers to achieve compliance
• To provide greater transparency to customers about provider security practices
• To achieve all the above objectives as cost-effectively as possible

CSA STAR PROVIDES ASSURANCE TO CLIENTS
• ISO 27001 requires the organization to evaluate customers’ requirements, expectations, and contractual constraints. It requires the organization to implement a system to achieve this
• ISO 27001 requires the organization to conduct a risk analysis that identifies the risks to meeting customers’ expectations
• The Cloud Controls Matrix (CCM) requires the organization to address specific issues that are critical to cloud security
• The maturity model assesses how well activities are managed in the control areas
THE JOURNEY TO CSA STAR CERTIFICATION – IMPLEMENTATION CONSIDERATIONS AND ROAD MAP
The desire to increase transparency and create competitive advantage, together with customer demand, are the two primary reasons companies pursue STAR Certification.

A GAP ANALYSIS OF THE INFORMATION SECURITY MANAGEMENT SYSTEM IS REQUIRED AND SHOULD INCLUDE
• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• System development and maintenance
• Business continuity management
• Compliance

PLANNING FOR CSA STAR CERTIFICATION

Figure 4. CSA STAR Certification Formula

PLANNING
A management system will need to be built on ISO/IEC 27001 sections 4–10, plus address the applicable ISO/IEC 27001 Annex A and CCM controls and any other internal or regulatory requirements. At minimum, the 10 areas listed in the gap analysis above will need to be covered.

As background, ISO/IEC 27001 is a management systems standard with seven core processes (Figure 6). It outlines the processes and procedures an organization must have in place to manage information security issues in core areas of the business. It does not stipulate exactly how the process should operate, allowing for flexibility so an organization can be run as business requirements dictate.

Figure 5. Core Processes
IMPLEMENTATION PROJECT PLAN
In the implementation phase, a project plan needs to be defined and followed. As Figure 7 indicates, the plan has 4 stages and 18 defined steps.

Figure 6. Planning Route – Best Practice

STAGE 1: COMMITMENT TO IMPLEMENT
Identify the organizational goals and objectives. Build a team and assign a leader who has direct access to top management.
Figure 7. Commitment to Implement

STAGE 2: STATUS UPDATE
Training Needs Analysis – At this point it is important to consider what training will be required. Team members need the proper skills to ensure successful implementation.

Perform a Gap Analysis – It is vital to understand various aspects of the organization in order to know exactly what needs to be achieved to meet the requirements of certification. Mapping a course for a project without having the proper information is like driving to a new location without any guidance for reaching the destination. Failure to understand where the gaps lie will cause cost overruns and wasted resources.

Implementation Project Plan Preparation – With the information provided by the Gap Analysis, developing a well-informed project plan is like mapping out a long journey: the destination, timeframe and best route to take, as well as the milestones that need to be reached along the way, are all required. Resources and responsibilities for each task will need to be outlined to instill process ownership. In the event of unforeseen disruptions, the implementation plan will allow for adjustments and adaptations to stay on track.
Figure 8. Example Project Plan Structure

Estimate Costs – The budget is critical, as every step and control is a cost, so it is important to periodically review and justify the plan’s requirements. Subsequent audits also require adequate data and documentation regarding the controls established.

Figure 9. Stage II
STAGE 3: IMPLEMENT AND OPERATE
Support the Project – With the plan and budget in place, it is time to put the plan into action. Hands-on top management commitment is a requirement, as is authorizing each process owner to carry out their tasks to keep them accountable.

Monitor the Project – Continuous monitoring of the project is critical. This is also the stage where internal audits begin. Metrics and key process indicators are established to test the management system, to ensure the metrics and objectives are adequately aligned, and to make any necessary adjustments. The metrics also monitor maturity and drive continual improvement by constantly monitoring the inputs and outputs of the organization.

Figure 10. Implement and Operate

STAGE 4: MONITOR, MEASURE AND REVIEW
Management review – During and after implementation, top management needs to review the organization’s information security management system (ISMS) at planned intervals to ensure its continuing suitability, adequacy and effectiveness. This is also an indicator of top management involvement.

The management review should include consideration of:
a) the status of actions from previous management reviews
b) changes in external and internal issues that are relevant to the ISMS
c) feedback on the information security performance, including trends from metrics and audit results

Prepare for Certification – This is the point where preparation for the CSA STAR certification audit starts. All the sections of ISO/IEC 27001 should be addressed. The Statement of Applicability (Figure 12) should indicate what controls are in place, including the cloud-specific controls in the CCM, with an explanation of those controls and justifications for any exclusions.
Figure 11. Stage 4

Figure 12. SOA
The key factors related to STAR Certification that must be part of the overall ISO/IEC 27001 system are as follows:
• Evaluate the efficiency of an organization’s ISMS and ensure the scope, processes and objectives are “Fit for Purpose” (particularly suitable; fitting; compatible)
• Help the organization prioritize areas for improvement and lead them towards business excellence
• Enable effective comparison across other organizations in the applicable sector
• Enable the auditor to assess a company’s performance on long-term sustainability and risks, in addition to ensuring they are Service Level Agreement (SLA) driven

With implementation complete, it is best practice to monitor the system for a specified period of time, depending on the size and complexity of the organization, to ensure the system is flowing as expected. Attention needs to be directed to confirming that key metrics are being monitored and providing the data required, that at least one management review has been held and documented, and that the system has been validated as effective.

LESSONS LEARNED
There are a number of areas where lessons can be learned from organizations that initially had difficulty with certification.

Lack of Commitment – Make sure a good business case has been built and management is committed to the project. Without it, not only will implementation be a challenge, but the system will not be in compliance with the standard.

Time and Resources – These are the two most valuable things in any organization. Management commitment and good planning will ensure there are plenty of both.

Scope and boundaries creep – Don’t “Boil the Ocean”. There’s an old joke: “How do you eat an elephant?” A: “One bite at a time.” This is true for implementation. Start small, get some quick wins and expand the scope over time. Unless it is a very small company, trying to certify the entire organization at one time will be a lesson in futility.

Training and awareness – This can have the greatest impact on your process. Proven to be one of the lowest-cost but most effective moves to make, training and awareness can have the greatest impact on process development. Investment to upgrade an organization’s talent is never a waste.

Project Management – The need for good project management cannot be overstated. Keeping everyone focused and on track will ensure targets and objectives are met within the appropriate timeframe.

THE CERTIFICATION PROCESS
Certification acts as a screening process for all cloud procurement people and brings the accountability and transparency that is necessary to build trust in the cloud. Below are the next steps and a high-level view of the certification process.
• Obtain quotation and submit application
• Auditor is appointed
• System reviewed to ensure standard requirements are addressed and registration assessment planned
• Initial assessment conducted
• Conformity and effectiveness of system to standard assessed, plus maturity evaluation
• Corrective action plan (if required) submitted
• Registration confirmed
• Certificate issued – ISO 27001 + CSA STAR with Maturity Rating – Information added to CSA STAR Registry
• Continuous assessment program (3 year cycle)
Figure 13. Certification Steps

CONCLUSION
In summary, there are several key steps that will ensure implementation success. Once achieved, there are vast advantages and benefits to certification.

Implementation key steps
• Obtain commitment and support from senior management
• Engage the whole business with good internal communication
• Establish a competent and knowledgeable implementation team to deliver best results, sharing roles and responsibilities
• Download the CCM from the CSA
• Compare existing systems and processes with the requirements of the CCM. Get feedback from customers on current processes and service
• Make sure the scope is aligned with customer-critical processes and implement all relevant controls
• Benchmark current capability against the maturity model and identify opportunities to improve
• Clearly lay out a well-communicated plan of activities and timescales. Make sure roles are understood
• Train staff to carry out internal audits
• Regularly review controls to make sure they remain appropriate, effective and deliver continual improvement

The Cloud Control Matrix (CCM) and ISO/IEC 27001 advantages
• Mapped against all the other relevant standards: ISO 27001, COBIT, HIPAA, NIST SP800-53, FedRAMP, PCI, BITS, GAPP, Jericho Forum, NERC CIP, ENISA IAF, etc.
• Written with the intention to make it publicly available.
• Updated to keep pace with changes.
• Drives continuous improvement.

How it provides assurance to your clients
• ISO 27001 requires the organization to evaluate their customers’ requirements, expectations, and contractual constraints. It requires that a system has been implemented to achieve this
• ISO 27001 requires that the organization has conducted a risk analysis that identifies the risks to meeting their customers’ expectations
• The CCM requires the organization to address specific issues that are critical to cloud security
• The maturity model assesses how well activities are managed in the control areas.
Sales and Marketing Benefits:
• Added to the current management system
• An ISO/IEC 27001 certification plus a STAR certificate are evidence of both compliance and performance to suppliers, customers, and other interested parties
• The ability to benchmark an organization’s performance and gauge improvement from year to year
• An independently validated report from an external Certification Body (CB), which can be used to demonstrate an organization’s progress and performance levels
• Exclusive to the STAR Registry
• Meets G-Cloud requirements (Mark Dunne, “Cloud Security Alliance and Government Cloud”, eForensics Magazine ISG issue 04 (Feb 2014), p. 2)

Strategic Benefits:
• A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organization.
• A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organizations manage their business.
• A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organization’s performance, enabling senior management to identify action areas needed.
• A set of improvement targets to encourage an organization to move beyond compliance toward continual improvement.

Operational Benefits
• Scalable to organizations of all sizes. Provides information that allows an understanding of where the organization is now, measurement of any improvements, internal benchmarking of sites, and potentially benchmarking of the external supply chain to stimulate healthy competition.
• A visual representation of the status of a business that instantly highlights strengths and weaknesses, allowing clients to maximize resources, improve operational efficiencies and reduce costs.
• Independent reassurance to prove to senior management where the risks, threats, and opportunities lie within a business.
EFORENSICS CSA STAR CERTIFICATION

SUPPLY CHAIN MANAGEMENT USING CSA STAR CERTIFICATION
by John DiMaria

When an organization adopts cloud services, it is in fact expanding its operations from a local or regional presence to a more global one. As a result, the corresponding organizational operations strategy needs to be adjusted to align with these changes. A more formal analysis of the supply chain as part of a more comprehensive due diligence review also needs to be considered. (By definition, the Cloud Controls Matrix (CCM) is a baseline set of security controls created by the Cloud Security Alliance to help enterprises assess the risk associated with a cloud computing provider.)

Last year, the Cloud Security Alliance (CSA) published a report entitled “The Notorious Nine”, outlining the top threats in cloud security (Top Threats Working Group, 2013). Not surprisingly, Insufficient Due Diligence made the list. The report points out that organizations are rushing to the cloud without a complete understanding of the cloud service provider’s (CSP) environment, applications or even the various services which are being pushed to the cloud. It is also not always clear how the CSP handles incidents, encryption, and security monitoring. Organizations are rarely aware of all the risks they take when working with a CSP. In fact, the risks are multifaceted and are far more complex than those they experienced before moving to the cloud.
CSA went on to point out that an organization that rushes to adopt cloud services may subject itself to a number of issues, including:
• Contractual issues over obligations regarding liability, response, and/or transparency
• Mismatched expectations between the CSP and the customer
• Lack of internal training and awareness within the user organization
• Potential for software designers/engineers who are developing software to be unaware of associated risks

Many organizations are turning to the cloud because of the resources required to manage complex supply chains. It can be challenging for most organizations to understand the supply-chain structure of the CSP’s environment; however, an increase in transparency will increase trust.

As pointed out in the 2013 PwC and MIT Forum for Supply Chain Innovation report, “The size of the supply chain network has increased, dependencies between entities and between functions have shifted, the speed of change has accelerated and the level of transparency has decreased” (PwC and the MIT Forum for Supply Chain Innovation, 2013). This is certainly a call to action, and STAR Certification can serve as the screening process that will allow cloud users to have the transparency required to make informed decisions and increase trust.

STAR Certification serves the supply chain well for both users and providers by:
• Improving customer trust in cloud services
• Enhancing security of cloud services
• Increasing the efficiency of cloud service procurement
• Making it easier for cloud providers and customers to show compliance
• Providing greater transparency to customers about provider security practices
• Achieving these objectives as cost-effectively as possible

By requiring STAR Certification down the supply chain, and in particular of tier one and tier two suppliers, the following will be recognized and addressed:
• A globally relevant certification to reduce duplication of efforts is provided
• Localized, national, state, and regional compliance needs are met
• Industry-specific requirements are managed
• Different assurance requirements are controlled
• “Certification staleness” is prevented, and assurance that the provider remains secure after “point in time” certification is given
• Service is user-centric, voluntary, and business driven
• Global standards/schemes are leveraged

The CSA STAR Registry serves as a repository for organizations at all levels of transparency, i.e., self-assessment or certification, allowing the user to know the scope covered and whether the organization is certified. In certifying to CSA STAR, the supplier complies with the most rigorous scheme ever developed for cloud security, based on the most globally accepted information security standard, ISO/IEC 27001. The CSPs are monitored to ensure their systems mature and grow through a measurement of how well the processes are managed and how they improve over time.
Figure 1. Example Process Maturity Report

It is critical that businesses and other organizations that depend on cloud services adopt a similar approach in evaluating those services and demand the highest level of transparency available. The harm that potential disruptions or breaches pose to daily operations must be equaled by the allocation of sufficient resources to assess threats, take preventive measures, and mitigate damage that results from any incidents that occur. Failure to work with suppliers to mitigate threats and prepare an effective response can lead to huge financial losses, irreparable damage to the organization, or even its untimely demise.

In module 4, we will reveal the next step in improving transparency and trust in the cloud: continuous monitoring.

BIBLIOGRAPHY
• PwC and the MIT Forum for Supply Chain Innovation. (2013). Making the Right Risk Decisions to Strengthen Operations Performance. PwC.
• Top Threats Working Group. (2013). The Notorious Nine – Cloud Computing Top Threats in 2013. Cloud Security Alliance.
CONTINUOUS MONITORING – CONTINUOUS AUDITING/ASSESSMENT OF RELEVANT SECURITY PROPERTIES
by John DiMaria
While the Cloud Security Alliance’s (CSA) STAR Certification has certainly raised the bar for cloud providers, any audit is still a snapshot of a point in time. What goes on between audits can still be a blind spot. To provide greater visibility, the CSA developed the Cloud Trust Protocol (CTP), an industry initiative that will enable real-time monitoring of a CSP’s security properties, as well as providing continuous transparency of services and comparability between services on core security properties (Source: CSA CTP Working Group Charter).
What you will learn: In the last 3 modules we covered STAR Certification and the increased transparency created by the expanded scope, Cloud Control Matrix (CCM), and maturity model. STAR Certification raises the level of trust users have in cloud service providers (CSP). This module is a look into the future.
This process is now being further developed by BSI and other industry leaders. CTP forms part of the Governance, Risk, and Compliance stack and the Open Certification Framework as the continuous monitoring component, complementing point-in-time assessments provided by STAR certification and STAR attestation. CTP is a common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from CSPs.
CONTINUOUS MONITORING: THE CONCEPT
According to the current CTP guidelines, in order to be of maximum benefit, there must be a meaningful comparison between products and accurate data reporting the state of the system being measured. Therefore security attributes and their metrics must be:
• Well defined – the parameter definition is not ambiguous. Suppliers must not be able to interpret measures differently, which would allow them to game the market by applying more generous interpretations and therefore reduce comparability and degrade consumer trust.
• Determinate – multiple measurements of identical systems in identical states must give the same result. For example, measurements which produce random results are of no value.
• Correlated – customer utility attribute metrics must be strongly correlated with perceived value to consumers. For example, clock speed for CPUs is not a useful measure unless it is correlated to real-world performance on typical consumer tasks.
• Comparable – the parameter must reflect the same quantity across different measurement targets. For example, if the scope of measurement is not well defined, one cloud provider may report the availability of the coffee machine in its data center, while another might report the availability of its web services. In this case, the measurements are not comparable.
• Standardized – the same exact term and definition are used across different contexts. If suppliers report product features according to different terms, results are not comparable.
Figure 1. CSA GRC Stack Model (The GRC Stack (V2.0): Understanding and applying the CSA GRC stack for payoffs and protection. Cloud Security Alliance. https://csa.org wp-content/uploads/2011/11/GRC_STACK_PPT_FINAL.pptx, accessed August 1, 2014)
The main goal of the CTP is to allow cloud clients to make queries about critical security attributes in the cloud. It is expected that continuous monitoring will be an extension of the CSA STAR Certification process and that attributes will be validated and certified as part of the STAR Certification scheme.
BSI has taken a leadership role by co-chairing the CTP Working Group. As the original developers of information security standards and one of the co-founders of ISO, we volunteer our expertise in the spirit of technological and process advancement.
CSA STAR Continuous is currently under development and the target date of delivery is 2015. Please monitor the CSA Website: https://cloudsecurityalliance.org/star/ for the latest developments and contact BSI at [email protected] with questions.