Tuesday, August 16, 2011

Considering Cloud Computing?

The idea of using the cloud is appealing to a growing number of business leaders.  Licensing, operational support and availability are attractive cost factors that are driving its acceptance.  Sarbanes-Oxley, the European Union Data Protection Act, PCI DSS, HIPAA and various state privacy laws still apply.  Business leaders and auditors need to understand who owns the controls that ensure compliance, and what that ownership means for them.

Your responsibility for compliance does not go away just because you don't manage the servers, as reported by Jim Buchanan on www.cio.com.  He offers these four points to consider.

1.  What is the impact on your IT workload?

Check identity and access management, data protection and incident response procedures.  Be aware of server locations: your European customer data should be on servers located in Europe.  Investigate multi-tenancy and de-provisioning, and what a vendor's offering will mean to your organization.  Encryption is another factor you need to consider.

2.  Standards?

Consider which applications you want to move to the cloud.  The standards for cloud computing are not yet mature.  A Forrester executive reports that "SAS70 and ISO 27001 are helpful, but they are point-in-time."  The Cloud Security Alliance is developing a GRC Standards suite that will help you assess your position.

3.  Service Level Agreements

Don't settle for a standard contract.  Even small firms can leverage their position as a new industry or regional client to negotiate terms that protect them.  Due diligence is key.

4.  Security is key

To better understand the risks of moving to the cloud, bring in the Enterprise Risk and IT Security teams up-front.  These professionals can help assess the risk and contribute to a solution, including the costs for mitigating any new risks.

Monday, August 8, 2011

Business Continuity Planning

Every business has thought about Disaster Recovery and Business Continuity Planning.  But are they prepared?  Verizon is currently facing a disruption in service due to the strike called by its union-represented workers.

Having worked for "Ma Bell" and her successors, I have been through this cycle every 3 years since 1975.  I have seen the planning as an observer and as the IT Project Lead for BCP in 2006.  

It is imperative that enterprise risks of this magnitude be identified and comprehensive plans be documented and tested before they are needed. 

Access Control is the single most time-consuming task I faced. These are controls that SOX and PCI auditors may need to review.

  1. How many different applications are in scope?  What are the roles for users?
  2. How will the business block unauthorized access to company and customer data by striking workers?  Deleting user accounts is not a viable solution.
  3. Can the company effectively block striking users while providing access to those pay and benefits-related sites that must not be blocked?
  4. How will accounts be created for any temporary assignments, especially for management workers who need enhanced access?  
  5. Managers of striking workers may need extra permissions while providing coverage, but do they create Segregation of Duties conflicts?
  6. How do temp workers get trained in anticipation of the strike?  Providing access to temps is a challenge, especially in the weeks just prior to a potential work-stoppage.

This is just a sampling of the challenges facing any IT Business Continuity planner.  The list is extensive and, in many cases, not apparent to the casual observer.  IT will be called upon to perform its magic as each department documents its plan for continuity.  A good team effort will avoid any last-minute scrambling.  The customers are better served when IT is engaged all along the way.
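The access-control questions in the list above (keep striking workers' accounts rather than deleting them, leave pay and benefits sites reachable, provision temporary assignments that expire on their own, and catch Segregation of Duties conflicts when managers are given coverage roles) can be modelled in a few lines.  The following Python is an added example written for this post, not code from the original or from any employer's BCP; the protected application names, the SoD role pairs and the accounts are all constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed sample policy, not from the original post: the pay and benefits
# sites that striking workers must keep, and role pairs one person must never
# hold at the same time (Segregation of Duties rules).
PROTECTED_APPS = {"payroll_portal", "benefits_portal"}
SOD_RULES = {
    frozenset({"ap_invoice_entry", "ap_payment_approval"}),
    frozenset({"order_entry", "credit_limit_override"}),
}


@dataclass
class Account:
    name: str
    status: str                   # "active", "striking" or "temp"
    apps: set[str]                # applications the account is entitled to
    roles: set[str] = field(default_factory=set)
    expires: date | None = None   # set only for temporary assignments


def effective_apps(acct: Account, today: date) -> set[str]:
    """Applications the account can actually reach on the given day.

    A striking worker's entitlements stay on file (so they can be restored
    intact when the stoppage ends) but access is narrowed to the protected
    pay/benefits sites. A temporary account stops working once its expiry
    passes, so nobody has to remember to de-provision it by hand.
    """
    if acct.status == "striking":
        return acct.apps & PROTECTED_APPS
    if acct.status == "temp" and acct.expires is not None and today > acct.expires:
        return set()
    return set(acct.apps)


def sod_conflicts(roles: set[str]) -> list[frozenset[str]]:
    """Every SoD rule that the given combination of roles violates."""
    hits = [rule for rule in SOD_RULES if rule <= roles]
    return sorted(hits, key=lambda rule: tuple(sorted(rule)))


def grant_coverage(acct: Account, extra_roles: set[str]) -> list[frozenset[str]]:
    """Give a manager extra roles for strike coverage unless that creates an SoD conflict.

    Returns the list of conflicts; the roles are granted only when it is empty,
    so a conflicting request is left for an approver to resolve explicitly.
    """
    conflicts = sod_conflicts(acct.roles | extra_roles)
    if not conflicts:
        acct.roles |= extra_roles
    return conflicts


def access_review(accounts: list[Account], today: date) -> dict[str, set[str]]:
    """Snapshot of who can reach what today, in a form an auditor can review."""
    return {acct.name: effective_apps(acct, today) for acct in accounts}


if __name__ == "__main__":
    today = date(2011, 8, 8)
    # Constructed accounts for the demonstration.
    roster = [
        Account("alice", "striking", {"crm", "payroll_portal", "benefits_portal"}),
        Account("bob", "active", {"crm", "ap_system"}, {"ap_invoice_entry"}),
        Account("temp01", "temp", {"crm"}, expires=date(2011, 8, 31)),
    ]
    for name, apps in access_review(roster, today).items():
        print(f"{name:8} -> {sorted(apps)}")
    manager = roster[1]
    print("coverage grant conflicts:", grant_coverage(manager, {"ap_payment_approval"}))
```

The point of narrowing rather than deleting is that the striking worker's full entitlement set is still on record, so restoration after the stoppage is a status change rather than a re-provisioning project, and the `access_review` output is the kind of evidence a SOX or PCI auditor would ask to see.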

Friday, August 5, 2011

PCI Compliance

During a recent webinar I attended, a question was asked if PCI compliance was the same as SOX compliance.  My experience has been that many in the IT organizations presume they are the same, but there are some very significant differences.

First, SOX is a Federal law, and with it comes enforcement by the FBI or other law enforcement agencies.

Auditors use SOX as a guideline and much of Section 404 is subject to interpretation as to how to achieve compliance.  I experienced this in 2005 when I worked with 3 different external audit firms engaged to help during my employer’s initial assessment.  All had good ideas, but there was a difference in the viewpoints.

The Payment Card Industry Data Security Standard (PCI DSS) is not a law but a contractual standard that participating merchants, banks and credit card processors are required to comply with.  The credit card companies can change it at will and enforce it as they choose, with no appeal process.

The volume of credit card transactions determines the audit requirements, and every credit card transaction is in scope, including pen and paper.  Financial sanctions for failure to comply are steep and may even cost a merchant its status to process credit cards.  This is a risk to a merchant’s reputation and to its ability to execute sales transactions.

A PCI compliance audit is also different.  The processes and data in scope for review are different from those in a SOX audit.  The PCI Security Standards Council has done a great job of providing a detailed audit process.  It is very specific and straightforward.  You can download it from their web site at https://www.pcisecuritystandards.org/security_standards/documents.php.