Archive for the ‘Third-party risk’ category

The Future of Corporate IT: Implications for Information Risk, Part 2

May 25, 2010

We wrote recently about the five trends impacting the future of corporate IT, and the implications of the first three trends for CISOs: information over process, IT embedded in business services, and externalized service delivery. In this post we continue with the implications for CISOs of the other two trends postulated in that work.


The Future of Corporate IT: Implications for Information Risk, Part 1

May 18, 2010

Two weeks ago we shared with you findings from the broader IT practice research effort about five trends that will reshape corporate IT functions in the next five years. In the next few posts we want to discuss with you the risk and security implications arising from those trends. Here we tackle the first three of the trends postulated in the Future of Corporate IT work.


Checklists will not increase your Cloud Computing Security

April 6, 2010

While most members are looking for differences between outsourcing and cloud computing, and developing better assessments to evaluate cloud vendors, a recent discussion between a few IREC members has provided a framework for a different approach to cloud vendors. One of the members on the panel has decided to completely drop the checklist approach to reviewing cloud vendors. He believes that the traditional approach of using ISO 27001 or NIST based questionnaires does not work well with cloud vendors for a variety of reasons. First, most vendors at this time are too new to have their security assessment process down to a point where they can respond to ISO/NIST based assessments. Second, vendors are hesitant about putting to paper any information that could leak and reduce their competitive edge in this rapidly growing market. Third, the way information is stored in the cloud can sometimes make traditional assessment unfeasible: for example, Google can break up and store your information in 200 different locations in multiple countries, making a traditional location assessment impractical while simultaneously making it harder for breached information to be meaningfully used by hackers.

This obviously means that CISOs whose companies are moving forward with cloud computing initiatives at this time have to assume a lot of risk. So what should CISOs of those companies do? First, have a discussion about security with your cloud vendor. CISOs at first-mover companies have connected their security team with the vendor's security team and found that a conversation has allayed most of their fears. Second, most cloud vendors have better security controls than anything developed in house. As one CISO said, “All cloud vendors are in the security business; one breach and their business is over, because hackers will get every company's data. They have a lot of reasons to protect this data.” Finally, have vendors buy insurance against your contract, so that if a breach does happen and everyone is suing the cloud vendor, the insurance can pay your company off.

Obviously these recommendations are more relevant to those security folks who have to move to the cloud now. The consensus from the folks on the call was that as cloud vendors start getting more mature, they will obtain NIST or ISO certifications that can be used in assessments and will also develop better processes to respond to third-party assessment requests.

2010 Information Security Outlook

Desktop Virtualization a tool for mitigating third party risk?

March 9, 2010

According to a recent report published by the Infrastructure Executive Council, a majority of the 100+ organizations surveyed plan to adopt desktop virtualization in the 2009-2010 time frame. Most members have stated that cost savings are the #1 driver, followed closely by security and mobility. What's interesting is that over the long run security and mobility might become bigger drivers for adoption, as some of the savings on hardware and software costs will be balanced by increased costs in the data center.

As of now most members are using the technology for certain categories of workers where there is little need for desktop customization: offshore, contract, outsourced, and call center staff. Since this is also the group that information risk cares about from a data leakage perspective, this would be a win-win situation for both infrastructure and security teams. We should see even more companies selecting this technology for targeted deployment in 2010.

Drivers of Desktop Virtualization

Assessing the risk of cloud computing

November 24, 2009

The European Network and Information Security Agency (ENISA) has a new report out: “Cloud Computing: Benefits, risks, and recommendations for information security”. This report does a good job of laying out definitions of “the cloud”, including breaking it down into more meaningful service models (SaaS, PaaS, and IaaS), and walking through how to think about the risks rather than just whipping up a bunch of horror stories. Some of the nice attributes of the study include:

  • identification of the top risks of cloud computing in general
  • a clear, detailed walk-through of the risk assessment process that an organization should follow to assess its own risks, with several examples
  • balanced consideration of the risk of not using the cloud

The study is also notable as a good example of how to perform and present an ISO 27005 risk assessment.

A few other good resources for thinking about the risk of cloud computing:

Who is financially responsible for a security breach? Things are changing.

July 21, 2009

The understanding of financial responsibility for security breaches continues to evolve. Where will it stop, and could a CISO ever be held personally financially responsible?