What are some of the operational activities that have to take place? Making sure that you have liaison set up with the different organizational groups that you have identified, how you're going to handle incident response, how you're going to work with the auditors, and that management acknowledges its responsibility for good governance in terms of due diligence. You may have some things in the Cloud, but very definitely you're going to have to integrate security with the other IT processes.

From that list, what are some of the different groups that you have to work with or liaise with? Insurance, training, business units, HR, legal, the employees themselves, maybe budgeting, maybe procurement, maybe the project management office. Across organizational responsibilities, security is going to cover a number of different job functions. We have to have access to the information for all of the people involved with security; then we can identify what's necessary for them to do their job. That's what we call the principle of least privilege. Just to give you an example, look at slide AD and you will see some of the cross-organizational responsibilities between the steering committee, the tactical level, the data custodians, even down to the operational level, the people that are actually using and running the systems. This is an example from the University of Washington and how they have established their cross-organizational responsibilities.

When we talk about incident response, how do you identify, how do you contain, and then how do you prevent that incident from becoming a significant interruption to the business? Auditing is a way of getting a third-party look at your objectives and your scope, and making sure that what you're doing is effective and efficient with respect to the controls, actually meeting the security control objectives. Managing security technology. They're all different.
All the devices are different, the people are different, but all of them still have to be managed. Remember, you are the primary subject matter expert when it comes to information security and information security management.

Due diligence is part of good governance. There are actually two concepts, due diligence and due care. Due diligence detects what's wrong, and due care fixes the things that, for example, your vulnerability assessment has shown. Do what a prudent person would do given the same set of circumstances. What are some of the components that go into that? Senior management support; a senior management statement of intent, which we call policy; the standards on how we're going to implement that policy; putting together a solid security awareness training program; doing risk assessment; doing backup and disaster recovery; testing, looking at the controls, making sure that the metrics are in place, and things as simple as testing your different plans.

Part of what we have to do is manage and control access to the information resources, including the information security controls. We have to look at vulnerabilities. Somebody in the information security management group should have access to all, or at least some, of the vulnerability alerting services like US-CERT, MITRE, SecurityFocus' Bugtraq, the @RISK newsletter from SANS, and so forth.

One of the things we have to do is get auditing involved and make sure that we are in compliance, that we're being audited, and that we know that the controls are actually working, that we're following policy, and that we're in compliance with the defined standards for how policy was to be implemented. If there are any non-compliance issues, we're working on resolving those, and that may mean that you need to go to management and get additional funding or staffing in order to be in compliance. It could be that you have users that have gotten you out of compliance.
We need to enforce that compliance requirement. We have to look at risk. We have to assess the risk. Risk is made up of three things: assets, the threats to those assets, and where they're vulnerable. We identify all of the business functions in the business impact analysis. We filter those down into the ones that are critical. We identify the resources that support those business functions, the assets, and then we do threat and vulnerability assessment for those. Vulnerability assessment is just that: a systematic approach for identifying how a threat might exploit the system. It could be that a control is weak, or it could be that you have inherent weaknesses; that's the way the system comes, that's the way it's designed.

We do risk and business impact analysis. What will be the impact to the business, for example, if you lost connectivity to your Internet service provider? We identify all of those different impacts so that management can use that information in decision making to determine what controls we're going to add or put in place. We look at what resources that business function is dependent upon when we do business impact analysis, because that's going to identify the resources, the assets if you will, and now we know how to protect those assets, or at least identify the threats and the vulnerabilities to them.

When we're talking about outsourcing, or using third-party providers for some of the services, they may be security services; for example, we may contract with Cisco to manage our network remotely, or we may contract with McAfee to manage our endpoint hardening remotely. All of that is driven by a number of things. We may not have the skill set, or we may not have enough funding to do that internally. There may be some requirements when we look at that third party to see whether or not they are actually viable.
It could be that we are anticipating some unexpected costs, or some inadequate service because of the lack of training on our own staff's part. The fundamental purpose when outsourcing is to make sure that you and your third party agree, and both groups know their roles and responsibilities when it comes to security, and how we address disagreements once that contract is in place and being enforced. By the way, that contract is what we refer to as the service level agreement.

We may even choose to put some of our systems into the Cloud. This defines Cloud computing as a model for enabling convenient on-demand access to a shared pool of configurable resources that can be rapidly provisioned and released with minimal management effort. We have basically five characteristics: on-demand self-service; broad network access, you can access the Cloud from anywhere on the planet; shared resource pooling; the ability to expand rapidly, what we call elasticity; and we pay for what we use, measured service.

There are three basic models. Infrastructure as a service, that's hardware. Platform as a service, that's hardware and operating system. Then software as a service, that's hardware, operating system, and then some software. Maybe you have outsourced your electronic mail and you're using Google Gmail; then Gmail would be the software as a service. Now there are some other offerings: security, you may see that as MaaS or SECaaS, security as a service; identity as a service, IDaaS; Big Data databases as a service, DaaS; or forensics, FRaaS.

What are the advantages of going to the Cloud? Resource utilization, cost savings, quicker response, faster cycles when it comes to innovation, reduced implementation time, as well as system resilience and availability. There are two critical areas that we need to consider if you're thinking about moving some applications to the Cloud.
First of all, how are you going to handle security, and in particular, data encryption keys? Then, do you have a valid, viable cloud service provider? What are some of the advantages of doing that? How do we integrate that into everything else that we're doing? How do we integrate security, for example, into the system development life cycle or system life cycle? How do we integrate security into change management, configuration management, version control, and release management?

What I'd like for you to do now: take a couple of minutes and identify just one advantage of moving Active Directory, that's Identity as a Service, to the Cloud. Come up with the advantage, but then come up with an alternative solution that you might recommend to management instead of going to the Cloud.