Tag Archives: Compliance

Governance, Risk and Compliance in the Cloud research project

cloudaudit_logocai_logo_clipped

ccm-logoctp-logo

A major UK-based telecommunications company proposed to conduct a joint research  with MSc Information Security students at UCL.

The use of cloud computing as a way of providing and consuming on-demand, pay-as-you-consume ICT service has revolutionised the industry.  Services like Amazon EC2 have seen a huge increase in its revenue. However, currently it is the Small and Medium Enterprises (SMEs) that are leading the way in the use of these public Infrastructure as a Service (IaaS) offerings. 

The company envisages that as these services become more mature and secure, they will be adopted and used by more “traditional” enterprises like the finance, health and government sector.

Governance, Risk and Compliance (GRC) plays a very important role in the IT policies of these institutions and as such, for any solution to be adopted by them, these aspects of the IT policies will have to be considered.  Several initiatives have been started to address this issue. The Cloud Security Alliance’s  GRC Stack is one of the most mature and accepted initiative in this area. It consists of four main stacks – Cloud Controls Matrix, Consensus Assessments Initiative, Cloud Audit and Cloud Trust Protocol.

It was very interesting to participate in the series of workshops to investigate how  this framework would impact and be used by the company. This helped me to learn a lot about the telecoms industry and the way they are adopting cloud technologies in a secure way.

Risk management and compliance tools

Citicus

Citicus MOCA – iPhone/iPad tool that enables you to complete a criticality assessment in minutes, anywhere, anytime, using a highly-respected technique that has been successfully applied to many thousands of assessments over the last decade.  In essence, this highlights the maximum credible loss to your organisation if the worst happens to an asset (e.g. theft, fire, flood, malfunction).

Control Systems Security Program (CSSP) – free tool that provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

If you struggle to comply with HIPAA, the NIST HIPAA Security Toolkit Application can help you better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess implementations in operational environment.

Information systems auditing

ID-10031899

Information systems audit do’s:

1. The main goal of an audit is not to find weak controls or policy violations, but to help a company mitigate its risks and achieve compliance.
2. Remember that an audit strengthens a discipline within a company.
3. An auditor is responsible for making sure that risks in weak areas don’t materialize, so he makes appropriate observations and comments.
4. Beware of flattery and concealment.
5. Replace opinions with facts and evidences.
6. Invest in improving communication skills.
7. When you finish interviewing someone, always give them a brief summary of the current situation (e.g. your observations: good and/or bad) if possible.
8. Do not add any photo/video materials or document copies to your final report.
9. Create good report templates in advance.

Information systems audit don’ts:

1. Don’t criticize.
2. Don’t argue.
3. Don’t use professional or specialized jargon.
4. Don’t say that you understand if you actually don’t.
5. Don’t try to guess.
6. Don’t use tests that can potentially cause incidents.
7. Don’t write only negative observations in your final report.

Image courtesy of Michal Marcol / FreeDigitalPhotos.net