Action List Before Adopting a Cloud Technology

Firstly the CISO has to work with the CIO and the business to understand the business need to implement this and then clearly articulate associated risk exposure to the firm and its stakeholders.

A detailed due diligence has to be completed following which the risk posture and risk mitigation guidance has to be provided. Subsequently a corporate policy along with the mitigating controls has to be implemented and training imparted to the relevant business users.

( Read more:  Top 5 Application Security Technology Trends)

Key parameters based on which a CISO should choose a vendor

Apart from the standard vendor due diligence one has to ensure the following –

  • Review security awareness & preparedness of the vendor (including staff) and real world deployment of the same from Cloud services perspective
  • Does the vendor meet all relevant Security and Compliance related industry standards?
  • Does the vendor have a strong DR program (Implemented & Tested) to maintain the continuity of services and has a DR site geographically at a safe distance?
  • Overall location of the vendor hosting center/facility from a threat exposure perspective (external & internal influencers)
  • Does the vendor offer “Try Me” program before getting into contract?

( Read More: Top 6 'Cloud Security' talks from RSA Conference 2016 (USA))

Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist

  • How does the vendor address Security issues like  Data protection in motion, Encryption Key management, Data management/storage, Access Controls?
  • Does the vendor offer Right to Audit
  • Does the vendor have a DR site? How far is it from the hosting site?

( Watch more : Checklist: How to choose between different types of Application Sec...)

Top mistakes to avoid while selecting a vendor

  • Not doing a due diligence on the vendor & services offered e.g. speaking to service provider’s customers
  • Not understanding Cloud’s intrinsic security issues and the standards involved
  • Not involving the multiple service providers in selection process. It is important that service providers with proven track record in the area are invited

-By  Rajesh R Nair, Vice President, Credit Suisse

( More:  Want to become a speaker and address the security community?  Click here  ) 

Views: 653

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

Comment by Kinshuk De on December 30, 2013 at 10:53pm

thanks for good article

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service