The Cloud Security Rules
0 likes908 views
The document discusses risk management as defined by ISO 31000, emphasizing its importance in identifying, assessing, and minimizing risks in an organization. It highlights the challenges small and medium enterprises (SMEs) face regarding competence and resources for effective risk management, particularly in relation to cloud services and compliance with various regulations. The document also raises important considerations for data security, privacy regulations, and the impact of cloud services on business models.
The Cloud Security Rules
- 2. •The Roer Group: 1994 •Author & blogger •Consulting, training and speaking worldwide •Information security and Risk Management
- 4. •Risk management •Compliance and legal matters •Humans •Technology •Business models
- 6. Source: http://en.wikipedia.org/wiki/Risk_management, 3rd June 2012
- 7. Risk is defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and /or impact of unfortunate events or to maximize the realization of opportunities. Source: http://en.wikipedia.org/wiki/Risk_management, 3rd June 2012
- 12. Risk management requires •competence •resources Something most SME’s don’t have
- 13. • What are our risks when buying this service from this vendor? • Can we accept those risks? • How will our cloud supplier(s) impact our business contingency plan? • What if the cloud fail?
- 14. Plan for Cloud Fail!
- 16. • HIPAA • Gramm-Leach-Bliley • SOx • Breach Notification Legislation • PCI-DSS • The Patriot Act • Data Protection Directive • Basel I • The new EU Data Regulations • Basel II • Basel III • FISMA
- 17. Data Protection Directive (Directive 95/46/EC) Personal data are defined as “any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a) Any information connected to a person.
- 18. •Most laws and regulations fail to recognize the service providers role, and assume that the owner of the data also controls the infrastructure.
- 19. •Where (country) do you store the data? •Which jurisdiction controls your data? •What and who have access to the data? •Privacy regulations in EU != USA
- 24. • What training will our users need in order to successfully use the cloud service? • How does the cloud service impact our policies? • Are we ready for cloud? What will need to be changed to prepare us?
- 28. • What alternative cloud services are available to us? • What impact will the cloud implementation have on our IT-department? • Who is in charge of support?
- 35. •99% of companies in EU are SME •most lack knowledge, understanding and competence for maintaining their own systems •Cloud provides a more secure and cost- efficient solution to most of these companies
- 37. • How will the cloud provider sustain themselves and stay in business? • How important is price vs customation to us? • What kind of impact will the use of this service have on our business model? • What can we change in our current business model to benefit from the cloud possibilities?
- 39. ?
- 40. Kai Roer [email protected] http://roer.com Twitter: @kairoer