Slide1
Jon Allen, Baylor University and Nick Lewis, Internet2
April 2016
Campus Cloud Security Shared Assessments
Slide2
Agenda
Current State
Existing Solutions
Somewhere to Start
Questions
Slide3
Current state
Campuses are rapidly adopting cloud services and deploying software systems
Assessing the risk for cloud services and software systems as quickly as possible
Developing vendor risk mgmt programs
Developing enterprise risk mgmt programs
Evolving information security programs as quickly as possible
Too much to do to effectively do it all!
Slide4
What problem are you trying to solve?
How to share work done at one campus with other campuses as easily and quickly as reasonably possible
Freeing up time to dedicate back to critical information security functions
Create a forum/space to share and find existing shared assessments
Build on the existing sharing in the higher education information security community
Slide5
Example
Graduate Admissions wants to use Slate for applications
Add to risk assessment list to address ASAP
Could e-mail various security lists to see if anyone has used or assessed it
Could check external vendor, or NET+, to see if it has been assessed
Work with dept on assessment and contract
Potentially spend significant amount of time and slow down dept requestor
Slide6
We’re not proposing…
Replacing your information security risk assessment programs
Replacing existing communities
Approving the security of a cloud service or software
Replacing the NET+ program
Slide7
Existing Solutions?
Existing vendor management programs
Existing commercial service providers like 3PAS, Skyhigh Registry, and others
Community service providers like Shared Assessments, CSA CSTAR, and others
NET+ program
Slide8
Potential Challenges
Intent is not for “approval”, but to help a campus save some time in managing their third party vendors and service providers
Could provide insight into security operations on a campus
Providing access control to just higher ed
Materials can’t be under NDA
How to incorporate into your information security programs
Slide9
What Assessment Questionnaire?
Existing security questionnaires
CSA’s Consensus Assessments Initiative Questionnaire
Google’s Vendor Security Assessment Questionnaire
NIST 800-53v4, ISO27001, and many others
Develop something new – NO!
Slide10
Potential Solutions
Does this need to be more than just some metadata and a pointer to a report?
Trying for low maintenance, but high value (also free)
Can this be done in existing community activities?
Email list, Box folder, Internet2 forum, wiki, other?
Slide11
Somewhere to start
Start with an Internet2 Working Group
Start with mailing list - shared-security-assessments@internet2.edu
Figure out if Box folder, Internet2 Forum, or Mailing list would meet the need
Do we want to have a conference call?
Develop a usage document explaining how to use, metadata required, and disclaimer
Announce!
Slide12
Questions for you
Is this of interest to you and your teams?
Would you actually use it?
Would you be willing to share your assessments?
Do you want to help get this started?
Slide13
Questions for us?
If you have any questions, please contact:
Jon Allen, CISSP, EnCE
Assistant Vice President & CISO
Jon_Allen@baylor.edu
Nick Lewis, Internet2 NET+ Program Manager, Security and Identity
nlewis@internet2.edu
Slide14
Campus Cloud Security Shared Assessments
Please remember to fill out your session evaluation!