Cloud Service Procurement: Engaging the CISO for a Risk Assessment

Walter Petruska, Information Security Officer, University of San Francisco
EDUCAUSE SPC, May 5, 2015

  • Slides: 8


Conversation Starter: Asking Questions

  • Is your CISO involved in the procurement process? Do you have a CISO? Do you have a procurement process?
  • HOW is, or how SHOULD, your CISO be involved?
  • Business Process: coordination between key parties
      • Business Units / Schools
      • IT Organization: Operations and Project Management Office
      • Purchasing Organization
      • Legal / Contract review focuses on LEGALITY and completeness
      • Finance and Accounting (Registered Vendor / D&B report)
      • Risk Management staff, including Insurance and Liability review
      • Finance: periodic review of open-ended service agreements


Hypothesis: The Cloud is the Future

  • Trend data from Forrester and Gartner agree
  • Educause Top 10 #8: Mobile, Cloud, Digital Policy
  • HEISC #3: Develop effective Cloud 3rd Party Policy
  • Promised Benefits:
      • Quick implementation: reap rewards earlier
      • Minimal internal support costs: reduces ongoing expense
  • However, critical questions are not asked or considered before signing agreements or starting service delivery with Cloud Services.


Generic Resources – Frameworks

  • Educause Security Guide (HEISC)
  • Shared Assessments
  • Cloud Security Alliance (CSA) CCM
  • PCI DSS
  • FedRAMP Security Assessment Framework
  • Controls and Maturity: ISO 27001, SSAE 16
  • Internet2 Net+ solutions program


USF Process Documents and Authorities

  • Security Services: VSA
      • 3rd Party Data Release Agreement
  • SSN Release: via AVP of Human Resources
  • Accounting & Business Services: Vendor Application
  • OGC Contract Review
  • Departmental Budget and Finance Managers: POs
  • Purchasing Review: checklist of the above items
  • Accounts Payable: Contract Management


Develop Policies AND Standards

  • Policy in a vacuum is oftentimes ineffective: communicate regularly with your key stakeholders
  • Provide consultative support as well as clear standards for assessment (ITSM approach): give guiding outcomes and provide sample language for each facet of the technology initiative (Service / Platform / Resource)
  • VSA: Vendor Security Assessment (form); iterative and required
  • Finance: Annual Vendor Scorecard


Conversation – Process – Assess – Communicate Standards – Monitor and Collaborate

  • Start the conversation early
  • Invite yourself: write yourself into a process
  • Build support: work together
  • Use common frameworks to guide the assessment
  • Communicate customized technology standards and preferences to potential vendors to assure best fit
  • Continuously monitor your agreements for changes
  • Maintain vendor performance records
  • Collaborate outside of your organization: Educause


End Note: Several documents and framework examples referenced on slides contained within this PowerPoint file were demonstrated live during the conference session. These items are not included within this presentation due to file size, complexity, or the sensitive nature of the Vendor Security Assessment questions or the systems architecture reflected or revealed by those items. If you attended the session and would like to receive a 'generic' version of these items, email infosec@usfca.edu.