cloud service provider risk assessment (240298618)
DESCRIPTION
Does your institution have a risk assessment protocol for cloud providers? In this session, we will share how Rice University evaluates cloud providers via risk assessment tools and processes aimed at evaluating risks, sharing risk assessments with our customers so that they can make good business decisions with institutional data and data access.OUTCOMES: Learn what questions to ask when migrating services to a cloud provider * Learn how to set up a protocol for risk assessment * Understand who should be involved in the process for outsourcing to a cloud provider http://www.educause.edu/events/educause-annual-virtual-conference-2014/2014/cloud-service-provider-risk-assessmentTRANSCRIPT
![Page 1: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/1.jpg)
Cloud Service Provider Risk Assessment
Barry Ribbeck
Director SAI-CSI
Need to Tweet #EDU14 © 2014
![Page 2: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/2.jpg)
A little about Rice Located in Houston, Texas
101 years old
Private – R1
13,000 Faculty, Staff & Students
![Page 3: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/3.jpg)
Unabashed bragging
Because we are a bit proud and after all we are in
Texas
• Princeton Review – #1 Best value colleges in 2013,
#6 Happiest Students 2014
• Kiplinger’s Financial - #1 Best Value
• US News top 20
• Leiden #1 for Natural Sciences and engineering & #6
for all sciences
• #5 Athletic Academic rating by NCAA
• #7 US News Biomedical Engineering
![Page 5: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/5.jpg)
4 Things to Remember
What a cloud risk assessment is to Rice
• Our Method
• Our Tools
• Our Stakeholders
• Our Results
![Page 7: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/7.jpg)
Definitions
• Cloud Risk Assessment Protocol: A
step by step repeatable process used to
produce an understanding of risk
associated with relinquishing control of
data or management of services to an
external party.
• External party: any entity that does not
fall under an institutions direct
management.
![Page 8: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/8.jpg)
Risk Factors
– Enumerate Scope and Scale
– Contract and Practice
– Cost of non-compliance
– Cost of service
– Defined support boundaries
– data security management
– BC/DR planning
![Page 9: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/9.jpg)
Graphic Flow Chart Cloud Request
IT-Legal
Review
Assess and discuss
with client & vendor
Issues ? Yes
Complete contract, Document, Sign Off,
Implement, Support and Post for future Review
No
![Page 10: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/10.jpg)
Rice Workflow
1. Stakeholder requests review for
purchase of services
2. OGC and IT review the contract. IT
reviews the TOS and risk
3. Risk Assessment begins
Documentation review
Discussion with Stakeholder
Questions to vendor
![Page 11: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/11.jpg)
Rice Workflow - 2
Risk Assessment Concludes with a
document and checklist that is issued to
and reviewed with the stakeholder and
OGC stating any risks and
recommendations.
Review with OGC if require or it is
blessed to proceed.
![Page 12: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/12.jpg)
Items of Interest for IT
– Security (data protection, authX)
– Data Compliance Identification (PII,
FERPA, HIPAA,PCI, SOX, GLB, NCAA ..)
– Workflow analysis
– Data Management
– Back out plan
– Recent breach search
– Vendor review (financial, news, leadership)
– Periodic Review of TOS by stakeholder
![Page 13: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/13.jpg)
Tools Short List
– Cloud Security Alliance Security Trust
Assurance Registry (STAR) 7/14
– Breach reporting sites
– Rice review checklist
– HIMSS Healthcare Cloud Risk Assessment
– Cloud Risk Analysis Frameworks
– $Risk = Value of Loss * probability of loss
![Page 14: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/14.jpg)
Break for questions
![Page 16: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/16.jpg)
IT REVIEW
You have to read the contract(s)
• Establish responsibility
• Assess if the contract is skewed in favor of ?
• Determine Service warranty (AS IS?)
• SLAs linked to the contract
• Referenced security (data center audits)
• What will you pay for vs what you expect
• Key word searches (see key word list)
![Page 17: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/17.jpg)
Questions for Stakeholder
– Why this product?
– Who is using it, how and why they chose it?
– What data is exposed, how and what will you
do if there is a breach?
– What will you do if this service is unavailable?
– Will this be mission critical?
– How many people will be affected if the
service is unavailable
![Page 19: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/19.jpg)
Documents to Review
• Terms of Service
• Security Policy
• Privacy Policy
• Web Site (About Us)
• Data Center Audit Reports
• Web Site (Investors section)
![Page 20: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/20.jpg)
Contract Key Words • Indemnification (hold harmless)
• Warranty – what is the warranty if any?
• Export – export controls requirements
• Third Party – both upstream and downstream
• Liability – who pays for what when something goes wrong
• Termination – how does this all end
• Jurisdiction or Governing Law- Who’s back yard do we fight in
• Suspension – when service is halted
• Dispute – when you don’t agree what are the rules of engagement
• Service Level – IF ANY
• Discovery – how do you handle subpoenas
• Infringement – patents, intellectual property and copyright
• Privacy – what is done with your data
• ANY Hyperlinks – to other documents
• Notification – when are you notified of change or problem
![Page 21: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/21.jpg)
Other Terms
• Commercially reasonable
• Intellectual Property
• Limits of Liability
• Force Majeure
• Equitable Relief
![Page 22: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/22.jpg)
Example Statement
IT has reviewed X and has found that except where
noted above, X has demonstrated through successful
audits and controls what we would consider industry-
standard or better levels of security and operational
best practices within their operation. However,
regardless of the protections employed, no one is
immune from all attacks. IT recommends periodic
reevaluation of the term of service, development and
testing of a back out plan that includes data recovery
and a business continuity plan that would account for
loss of access to the services provided by X.
![Page 23: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/23.jpg)
Break for Questions
![Page 24: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/24.jpg)
Summary of the 4 things
• What a cloud risk assessment is to Rice
• Method – how Rice does it
• Tools – Due Diligence
• Stakeholders – get them involved
• Results – risk assessment and better
understanding of business process
![Page 25: Cloud Service Provider Risk Assessment (240298618)](https://reader031.vdocuments.mx/reader031/viewer/2022020519/577cc5041a28aba7119b0339/html5/thumbnails/25.jpg)
Seed Questions
• How long does a risk assessment like this take?
• How much man power is required?
• Do you charge fees to customers for this service?
• Have you had any cloud services go bad?
• How many cloud services do you currently support?
• What do you find is the real value in doing this work?
• Where do you think cloud services will go in the future?
• Are their standards being developed for cloud services?