The Power of Leading From the Front: Encouraging Industry-Wide Diversity and Inclusion

At Palo Alto Networks, we believe a diverse and inclusive culture with people of different backgrounds, thoughts and ideas is instrumental in finding the most creative and effective solutions to the toughest cybersecurity challenges organizations around the world face today. This belief is an essential underpinning to achieve our mission of protecting our way of life in the digital age.

We have made significant strides in this mission, not just in developing our next-generation security technology, but also in initiating industry collaboration: as a founding member of the Cyber Threat Alliance (CTA), we brought partners and competitors alike together to share threat intelligence in a coordinated effort against cyber adversaries. This is one example of how we have led from the front to further our mission for the greater good, with marked success.

Now, so that Palo Alto Networks continues to lead from the front, I am honored to take part in the CEO Action for Diversity & Inclusion pledge, which I believe will be instrumental in fostering industry-wide collaboration toward greater diversity and inclusion in workplaces across industries. This initiative aims to rally the business community to cultivate a trusting environment where all ideas are welcomed and employees feel comfortable and empowered to discuss diversity and inclusion.

Speaking from experience, we know this must not be just a pledge on paper; it requires active participation, and we are pleased to have some progress already underway to share. For example, the Palo Alto Networks Women’s Networking Community, founded by several female leaders at our company, provides career development, inspiration and networking opportunities for women across and beyond the company. The goal is to create a community that supports and fosters the development and achievement of women. We have seen consistent growth in membership and, as of May 2017, have over 300 active members.

As part of the White House’s Joining Forces initiative last year, we pledged to train 400 veterans and transitioning service members over the next five years. We believe vets are well-suited to transition into cybersecurity because their service gives them skills that make them uniquely qualified. As one of our veterans’ initiatives, we partnered with the organization VetsInTech to assist veterans transitioning into the private sector through cybersecurity education and training.

Whether through our own programs or alliances with larger initiatives like the CEO Action for Diversity & Inclusion pledge, we are committed to the development of these professionals and, in particular, underrepresented groups.

We look forward to continuing efforts in our own organization, participating in the initiatives’ dialogues and sharing best practices to continue encouraging diversity and inclusion initiatives across industries – and to lead from the front.

[Palo Alto Networks Research Center]

Cybersecurity Automation Squared: Security Automation × Network Automation

In cybersecurity, automation shows up in two distinct yet complementary areas: network automation and security automation. Network automation simplifies the workflow for deploying and managing security devices. Security automation provides the interactions and intelligence needed to learn, adapt and prevent successful attacks.

In service provider cybersecurity conversations, the qualifiers are often dropped and the topic simply becomes “automation.” When the audience is focused on only the network side or only the security side, that shorthand can obscure the benefits that come from using both kinds of automation in tandem.

Network automation and virtualization go together: they allow rapid deployment and configuration of devices and applications without slow, error-prone human intervention or purpose-built hardware. Network automation drives the rapid scalability that turns virtualization into an operational benefit.

The networking industry continues to transform from purpose-built hardware like routers, switches and firewalls to software-centric models that can leverage general-purpose or mass-market hardware. Network automation is often mentioned alongside acronyms such as SDN (Software-Defined Networking) and NFV (Network Function Virtualization). The key to automation in this environment is the ability to instantiate a virtual system as a piece of the network – that is, to get the system up and running, connected to its peers, and ready to move packets – without direct human intervention. Network automation can be applied to internal private networks using VMware, to public cloud environments such as Amazon Web Services or Microsoft Azure, or to platforms used across public and private deployments, such as OpenStack.

While rapid instantiation of a virtual network function is often good enough for network automation of routing and switching functions, it is only the beginning for security.

Security is a dynamic ecosystem of enforcement, threat analysis, threat feeds and signature updates that allows it to adapt as adversaries leverage previously unknown exploits and malware techniques. This is a world that never sleeps and keeps evolving.

Security automation is the engine that drives this ecosystem. Effective security automation includes automated data collection, analysis, enforcement and feedback.

  • Data collection: Security automation starts in learning mode, pulling files and links from the network for malware indicator analysis, crawling websites, and receiving third-party information about potential threats.
  • Analysis and enforcement: Once indicators of compromise are known, they can be converted into threat signatures, URL categories and threat feeds, then pushed to enforcement points in the network, primarily next-generation firewalls or endpoint protection agents. All of this happens moment by moment, day after day, with little to no human intervention.
  • Feedback: As enforcement points see attempted attacks, the ecosystem can raise alerts, update policy dynamically, quarantine users and devices (leveraging network automation), and notify affected users. This endless feedback loop is effective only when it is highly automated, without the bottleneck of limited or nonexistent human resources.
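The loop above, collection, analysis, enforcement and feedback, as an added example in Python. This is not code from the original post or from Palo Alto Networks. It assumes a feed delivered as JSON records with `type`, `value` and `confidence` fields, a firewall that fetches a plain newline-separated block list (the external-dynamic-list style), and a threat log written as `key=value` pairs; the feed records and log lines below are constructed for the example. The one check a practitioner would insist on is the guard against pushing internal address space to a block list: a single bad feed entry would otherwise cut off your own network.

```python
import ipaddress
import json
import re
from collections import Counter, defaultdict

# Constructed sample feed (assumed shape: type / value / confidence per record).
SAMPLE_FEED = json.dumps([
    {"type": "ip", "value": "203.0.113.7", "confidence": 90},
    {"type": "ip", "value": "203.0.113.7", "confidence": 95},       # duplicate
    {"type": "ip", "value": "198.51.100.0/24", "confidence": 80},   # CIDR block
    {"type": "ip", "value": "10.0.0.5", "confidence": 99},          # internal: must never be pushed
    {"type": "ip", "value": "999.1.1.1", "confidence": 90},         # malformed
    {"type": "domain", "value": "Malware-Drop.Example.", "confidence": 85},
    {"type": "domain", "value": "low-confidence.example", "confidence": 20},
    {"type": "url", "value": "http://bad.example/payload.exe", "confidence": 75},
    {"type": "url", "value": "ftp://bad.example/x", "confidence": 90},  # unsupported scheme
])

# Constructed sample threat log (assumed key=value format), one event per line.
SAMPLE_THREAT_LOG = """\
ts=2017-06-05T10:00:01Z src=192.168.1.20 dst=203.0.113.7 threat=blocked-ip
ts=2017-06-05T10:00:09Z src=192.168.1.20 dst=203.0.113.7 threat=blocked-ip
ts=2017-06-05T10:01:30Z src=192.168.1.20 dst=198.51.100.44 threat=blocked-ip
ts=2017-06-05T10:02:00Z src=192.168.1.31 dst=203.0.113.7 threat=blocked-ip
ts=2017-06-05T10:03:00Z src=192.168.1.40 dst=192.0.2.10 threat=none
this line is malformed and is skipped
"""

# Address space that must never reach a block list, whatever the feed says.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
DOMAIN_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
URL_RE = re.compile(r"^(https?)://([^/?#]+)(.*)$", re.IGNORECASE)
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def normalize_indicator(rec, min_confidence=70):
    """Validate one feed record; return (kind, canonical value) or None."""
    if rec.get("confidence", 0) < min_confidence:
        return None
    kind, value = rec.get("type"), str(rec.get("value", "")).strip()
    if kind == "ip":
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return None
        if any(net.overlaps(internal) for internal in INTERNAL_NETS):
            return None  # guard: never block our own ranges
        return ("ip", str(net.network_address) if net.num_addresses == 1 else str(net))
    if kind == "domain":
        value = value.lower().rstrip(".")
        return ("domain", value) if DOMAIN_RE.match(value) else None
    if kind == "url":
        m = URL_RE.match(value)
        if not m:
            return None
        return ("url", f"{m.group(1).lower()}://{m.group(2).lower()}{m.group(3)}")
    return None


def build_block_lists(feed_json, min_confidence=70):
    """Collection + analysis: feed records -> deduplicated, per-type block lists."""
    lists = defaultdict(set)
    for rec in json.loads(feed_json):
        norm = normalize_indicator(rec, min_confidence)
        if norm:
            lists[norm[0]].add(norm[1])
    return {kind: sorted(values) for kind, values in lists.items()}


def render_list(entries):
    """Enforcement: the newline-separated text a firewall fetches as an external list."""
    return "".join(e + "\n" for e in entries)


def parse_threat_log(text):
    """Feedback input: parse key=value threat-log lines, dropping malformed ones."""
    events = []
    for line in text.splitlines():
        fields = dict(LOG_FIELD_RE.findall(line))
        if all(k in fields for k in ("src", "dst", "threat")):
            events.append(fields)
    return events


def quarantine_candidates(events, blocked_ips, threshold=2):
    """Feedback decision: internal hosts that reached blocked space at least
    `threshold` times become candidates for a quarantine policy update."""
    nets = [ipaddress.ip_network(b) for b in blocked_ips]
    hits = Counter()
    for ev in events:
        try:
            dst = ipaddress.ip_address(ev["dst"])
        except ValueError:
            continue
        if any(dst in n for n in nets):
            hits[ev["src"]] += 1
    return sorted(src for src, n in hits.items() if n >= threshold)


def run_cycle(feed_json=SAMPLE_FEED, log_text=SAMPLE_THREAT_LOG):
    """One pass of the loop: collect, analyze, render enforcement, feed back."""
    lists = build_block_lists(feed_json)
    events = parse_threat_log(log_text)
    return {"lists": lists,
            "edl_ip": render_list(lists.get("ip", [])),
            "quarantine": quarantine_candidates(events, lists.get("ip", []))}


if __name__ == "__main__":
    result = run_cycle()
    print(result["edl_ip"], end="")
    print("quarantine candidates:", result["quarantine"])
```

`quarantine_candidates` only returns the hosts; the actual quarantine action (moving the host to a restricted zone or address group) is the hand-off to network automation, and in practice that step should be gated by the same kind of allow-list guard used on the block list so that a noisy log cannot quarantine a critical server.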

Rick Howard, our Chief Security Officer, gives a great perspective on security automation in a March 2017 interview on Federal News Radio. Rick reinforces the idea that manual security techniques will always stay behind automated adversaries and provides insight into how to move to automated security.

As you can see, cybersecurity automation is really “automation squared” for modern preventive security in a virtualized world: network automation to easily instantiate and bring a firewall online and ready for action anywhere in the world; security automation to work against adversaries and continuously try to prevent successful cyberattacks.

Palo Alto Networks partners with managed security service providers to provide effective and differentiated security services that reduce cost and increase average revenue per customer. For more information, visit our Nextwave Managed Security Service Provider Program.

[Palo Alto Networks Research Center] 

Cloud Security Alliance Announces “Grand Opening” of Its New Third-Party Global Consultancy Program

SEATTLE, WA – June 5, 2017 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the launch and immediate availability of the CSA Global Consultancy Program (CSA-GCP). The new professional services program, developed and managed by the CSA, has been established to support the growing global demand from organizations in need of an improved cloud security posture and high standards of compliance and assurance. The CSA-GCP is grounded in CSA’s industry-leading and widely accepted best practices in cloud security and is offered by a highly vetted, trusted network of organizations and professionals, the first of which are BH Consulting, KPMG, Optiv and Securosis.

“For many organizations, adopting the cloud can seem like a monumental task, and it can be difficult to know where to begin as there are too many, and often too complex, business and technology decisions that must be understood and weighed,” said Daniele Catteddu, CTO of the CSA. “The Cloud Security Alliance Global Consulting Program has been created with precisely this in mind and supports our ongoing mission of providing best practices and education for secure cloud computing. These first four program providers are among the most trusted and recognized in the industry and bring with them a broad understanding of the challenges organizations face when moving to the cloud. We are excited and fortunate to have them on board.”

The first four providers making up the initial program network are:

BH Consulting is an independent advisory firm, specializing in information security consulting, ISO 27001, cybersecurity, risk assessment, cloud security, incident response, cloud and digital forensics, and training.

KPMG is one of the largest professional services companies in the world, providing audit, tax and advisory services. KPMG works closely with their clients, helping them to mitigate risks and grasp opportunities.

Optiv is a provider of end-to-end cybersecurity solutions to help companies plan, build and run successful cybersecurity programs in any technology environment, whether on premise, cloud or a hybrid of both.

Securosis is an information security research and advisory firm that has the field-tested techniques, frameworks, and programs to be “more” secure in the cloud than in data-centers, without sacrificing agility.

The CSA-GCP will initially focus on consultancy support in the areas of secure cloud design, cloud architectures, secure cloud implementation, cloud information security programs, cloud assessment and compliance, risk management, and cloud security governance. The following CSA best practices will be included as a reference body of knowledge: CSA Security Guidance, Cloud Controls Matrix, Consensus Assessments Initiative, Open Certification Framework and STAR Program, Enterprise Architecture, and Software-Defined Perimeter.

Only organizations with a broad understanding of CSA best practices and values are eligible to be recognized as a qualified source of professional services based on CSA best practices. Provider fees for consultancy work are set independently by each authorized partner and are based on the individual program scope and support required. Organizations interested in working with one of the CSA-GCP providers may visit https://cloudsecurityalliance.org/global-consultancy/#_contact.

For more information on the CSA Global Consultancy Program, please visit https://cloudsecurityalliance.org/global-consultancy/.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

How to Improve Communication Within Your Technology Team

Few things can stunt the growth of an organization more than a lack of healthy communication. This is especially true in IT departments, where open lines of communication and transparency are paramount to efficiency and output. Have you considered the state of your internal communications and how you can improve in this area this year?

Prioritizing better internal communications
I’ve worked for a number of different companies in my career and have been exposed to a variety of different workplace styles. I’ve been in large organizations where it’s not uncommon to walk into the cafeteria and hardly recognize any of the faces in the room. I’ve also been a part of small businesses where the team consists of just a handful of people who have been together for a number of years.

What I’ve learned is that internal communications doesn’t have anything to do with size. That’s a misconception that a lot of people have. From my experience, communication was much better in the larger organization I was at than it was in the smaller one, at least in my opinion.

So if the size of the company – or the IT department – doesn’t matter, what does? It all comes down to strategy. If your organization doesn’t make internal communications and open collaboration strategic priorities, then it will fail to reap the rewards associated with these healthy pursuits.

When communication is prioritized within the IT department, everything changes. With one company I worked for years ago, I noticed that the simple act of having a 10-minute morning “powwow” had the benefit of setting the tone for the day. Instead of spending the first couple of hours wandering around and trying to figure out what to do, everyone – myself included – had a clear picture of what we were supposed to be doing.

Another company I recently consulted with was having trouble with work orders. One of the IT guys would see a work order in the system, respond to it, and then find out that it had already been completed by someone else. This sort of inefficiency was killing the department’s productivity. I suggested that they utilize a system that gives everyone real-time access to work order progress. As soon as they switched, they saw a huge boost in productivity. But on an even more practical level, there was less frustration in the department, and everyone was much happier. In the months since, this satisfaction has led to better overall performance.

Actionable ways to emphasize communication
When it comes to communication in the IT department, you need to approach the challenge from all angles. That means implementing techniques, testing them, and sticking with the ones that work. Here are a few ideas.

  1. Use the right tools and apps. In today’s business landscape, there’s no excuse for not using some of the numerous tools and resources you have at your disposal. From helpful tools like Slack and DialMyCalls to HipChat and Skype, there are many communication apps designed for the sole purpose of improving internal communications. Identify the ones that can positively impact your business, and proceed from there.
  2. Create an open-door policy. Anyone who’s in a position of leadership within your IT department should be encouraged to have an open-door policy. With an open-door policy, you’re able to show employees that their opinions matter and engage them in effective ways. Two-way feedback is always better than a one-way chain of command. Maintaining an open-door policy is just one way of proving this.
  3. Develop KPIs to evaluate results. How will you know if your efforts to improve internal communications are going well? While you can get some direct feedback from employees, this isn’t always the most quantifiable data. What you really need to do is establish some key performance indicators (KPIs) and track them. This gives you concrete numbers to rely on, and you can gauge long-term performance.

Never settle for average
You may assume that internal communications is all about talking, but this isn’t true. We did a lot of talking, storytelling, and joking in the small business I worked for. However, there simply wasn’t any healthy form of communication that allowed us to do our work better. The fact that we were comfortable being around each other masked this issue.

You may feel as if your IT department’s communication is fine, but fine doesn’t cut it. You must resolve to be better than average and recognize the supreme importance of seamless internal communications.

Anna Johannson, Writer

[ISACA Now Blog]

How to Properly Review and Act Upon SOC Reports

There continues to be a great deal of confusion over the new service organization reporting structure and which reports are the best to obtain. The basic intention of each report is as follows:

SOC 1 – Related to Internal Control over Financial Reporting
SOC 2 – Related to testing over the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy
SOC 3 – A simplified report on the same principles in SOC 2 and available for public use

In this article, we won’t go into the details of what report you need to obtain. Here, we’ll help answer the question of what you should be doing once you get the report in your hands. Properly reviewing these reports is an essential part of the vendor management and risk management functions, and should be taken very seriously. You are only as strong as your weakest link, which could indeed be your vendors.

Obtaining the correct report
When obtaining the report, make sure it is the correct one. There are vendors that issue anywhere from one to sometimes more than 30 reports for different areas of their business. To increase the efficiency and effectiveness of your review, ensure you have the correct one. If you are reviewing card issuance procedures, the item processing report will not suffice.

Time period of report
The time period of the report should be reviewed to ensure it covers the needs of the user. Reporting periods vary and often don’t cover full calendar years (e.g. a reporting period of October 1, 2016 – September 30, 2017). Make sure the time period meets your needs. If there is a gap between the end of the report period and the period you require for your review, you can obtain what is called a bridge letter, in which the service organization’s management represents that the controls have not materially changed since the report period ended. A bridge letter is meant to cover only a short gap; if the gap is long, seriously investigate why a more current report is not available. Ineffective controls at a key service provider could have serious consequences for your own control environment.

Management’s opinion on the operating effectiveness of the controls
Like the service auditor, management also opines on the operating effectiveness of the controls, in the management assertion that accompanies the report. Review it with the same considerations you applied to the auditor’s opinion. If the two opinions differ, investigate why.

Inclusion of control environment in reports
An element that may not have been included in older reports is a description of the service organization’s control environment. This description can provide valuable insight and should be reviewed when present.

Control exceptions
Each report contains a section listing the controls tested and the results of that testing. Any exceptions noted should be investigated for possible impacts on your process. This especially holds true for controls being relied upon.

Vendors with mature risk management and internal control functions have few exceptions in these reports. If you see a high number, raise your level of caution.

User control considerations
Most reports contain a section listing controls that should be in place at the user (your) organization. These sections are typically called User Control Considerations, Complementary User Entity Controls or Description of Client Considerations. These are controls the service organization is assuming you have in place. They may not all be applicable to your business, but this section provides some great insight and may point out gaps in your control structure. Each user control consideration should be reviewed and addressed as applicable.

Subservice providers
Your service providers may be outsourcing part of the service they provide you. This could include hosting, helpdesk and other essential functions. The report you are reviewing should list what activities are outsourced. The term used in the report is most typically “subservice provider.” You should determine if you rely on that subservice and if you need to obtain a report from the subservice provider or perform any other sort of investigative activities. Remember, you are only as strong as your weakest link.

Controls relied upon and reports relied upon
It is a good idea to keep a running list of the reports and controls you rely upon at each service organization. This will increase the efficiency and effectiveness of your review and help you manage your risk.
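The review steps above, from obtaining the correct report through subservice providers, as an added example in Python. This is not code from the ISACA article or from The Mako Group; it is a checker that a vendor management team could run over the metadata it extracts from each report. The report and reliance fields, the severity labels, the 90-day tolerance for a bridge letter, and the sample report (which uses the article’s October 1, 2016 – September 30, 2017 period, reviewed against a calendar-2017 reliance) are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

SEVERITY_ORDER = ["INFO", "MEDIUM", "HIGH", "BLOCKER"]
Finding = Tuple[str, str]  # (severity, message)


@dataclass
class SocReport:
    """Metadata a reviewer pulls from the report (field set is assumed)."""
    vendor: str
    service: str                    # which of the vendor's reports this is
    period_start: date
    period_end: date
    auditor_opinion: str            # e.g. "unqualified", "qualified"
    management_opinion: str         # management's assertion on operating effectiveness
    exceptions: Dict[str, str]      # control id -> exception noted in testing
    cuecs: List[str]                # complementary user entity controls listed
    subservice_orgs: List[str]      # functions the vendor outsources
    bridge_letter_through: Optional[date] = None


@dataclass
class Reliance:
    """What our organization needs from this vendor's report."""
    service: str
    review_start: date
    review_end: date
    relied_controls: List[str]
    cuecs_in_place: List[str]
    subservice_reports_obtained: List[str] = field(default_factory=list)


def review_soc_report(r: SocReport, need: Reliance, max_bridge_days: int = 90) -> List[Finding]:
    """Apply the review steps to one report; returns findings with severities."""
    f: List[Finding] = []
    if r.service != need.service:  # wrong report: nothing else is meaningful
        return [("BLOCKER", f"report covers '{r.service}', review needs '{need.service}'")]
    if r.period_start > need.review_start:
        f.append(("HIGH", f"report period starts {r.period_start}, after review start {need.review_start}"))
    gap = (need.review_end - r.period_end).days
    if gap > 0:
        bridged = r.bridge_letter_through is not None and r.bridge_letter_through >= need.review_end
        if not bridged:
            f.append(("HIGH", f"{gap}-day gap after {r.period_end} with no bridge letter"))
        elif gap > max_bridge_days:
            f.append(("MEDIUM", f"{gap}-day gap bridged by letter; investigate why no current report exists"))
        else:
            f.append(("INFO", f"{gap}-day gap covered by bridge letter"))
    if r.auditor_opinion != "unqualified":
        f.append(("HIGH", f"service auditor opinion is '{r.auditor_opinion}'"))
    if r.management_opinion != r.auditor_opinion:
        f.append(("HIGH", "management and auditor opinions differ; investigate why"))
    for ctl, desc in r.exceptions.items():  # exceptions on relied-upon controls matter most
        sev = "HIGH" if ctl in need.relied_controls else "MEDIUM"
        f.append((sev, f"exception on {ctl}{' (relied upon)' if sev == 'HIGH' else ''}: {desc}"))
    for c in r.cuecs:
        if c not in need.cuecs_in_place:
            f.append(("MEDIUM", f"user control consideration not addressed: {c}"))
    for s in r.subservice_orgs:
        if s not in need.subservice_reports_obtained:
            f.append(("MEDIUM", f"subservice provider '{s}': obtain its report or assess it"))
    return f


def worst_severity(findings: List[Finding]) -> str:
    return max((s for s, _ in findings), key=SEVERITY_ORDER.index, default="INFO")


# Constructed sample report and reliance records.
SAMPLE_REPORT = SocReport(
    vendor="Example Processor Inc.", service="card issuance",
    period_start=date(2016, 10, 1), period_end=date(2017, 9, 30),
    auditor_opinion="unqualified", management_opinion="unqualified",
    exceptions={"CC6.1": "two terminated users kept access for 30 days",
                "A1.2": "one backup restore test not documented"},
    cuecs=["approve access requests before provisioning",
           "review user access lists quarterly"],
    subservice_orgs=["colocation hosting provider"],
    bridge_letter_through=date(2017, 12, 31),
)
SAMPLE_RELIANCE = Reliance(
    service="card issuance",
    review_start=date(2017, 1, 1), review_end=date(2017, 12, 31),
    relied_controls=["CC6.1"],
    cuecs_in_place=["approve access requests before provisioning"],
)
WRONG_RELIANCE = Reliance(  # asks the card issuance report to cover item processing
    service="item processing",
    review_start=date(2017, 1, 1), review_end=date(2017, 12, 31),
    relied_controls=[], cuecs_in_place=[],
)


def sample_review() -> List[Finding]:
    return review_soc_report(SAMPLE_REPORT, SAMPLE_RELIANCE)


if __name__ == "__main__":
    for sev, msg in sample_review():
        print(f"[{sev}] {msg}")
```

Run against the sample, the checker flags the 92-day gap even though a bridge letter exists (the tolerance is deliberately short, because a letter is a representation, not an audit), rates the CC6.1 exception HIGH because that control is relied upon, and lists the unaddressed user control consideration and the unassessed subservice provider. Keeping the `Reliance` record per vendor is the running list of relied-upon reports and controls recommended above.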

Performing your reviews with the proper amount of rigor will ensure you are practicing proper risk management. It is a best practice to create an internal checklist for reviewing the reports to ensure all areas are covered.

We hear stories every week regarding vendor weaknesses resulting in control breakdowns and, in some cases, data breaches. Establishing a proper vendor management program is essential to guard against these threats.

Shane O’Donnell, CISA, CPA, CCSFP, Principal, Chief Audit Executive, The Mako Group

[ISACA Now Blog]
