Action List Before Adopting a Cloud Technology

Firstly the CISO has to work with the CIO and the business to understand the business need to implement this and then clearly articulate associated risk exposure to the firm and its stakeholders.

A detailed due diligence has to be completed following which the risk posture and risk mitigation guidance has to be provided. Subsequently a corporate policy along with the mitigating controls has to be implemented and training imparted to the relevant business users.

( Read more:  Top 5 Application Security Technology Trends)

Key parameters based on which a CISO should choose a vendor

Apart from the standard vendor due diligence one has to ensure the following –

  • Review security awareness & preparedness of the vendor (including staff) and real world deployment of the same from Cloud services perspective
  • Does the vendor meet all relevant Security and Compliance related industry standards?
  • Does the vendor have a strong DR program (Implemented & Tested) to maintain the continuity of services and has a DR site geographically at a safe distance?
  • Overall location of the vendor hosting center/facility from a threat exposure perspective (external & internal influencers)
  • Does the vendor offer “Try Me” program before getting into contract?

( Read More: Top 6 'Cloud Security' talks from RSA Conference 2016 (USA))

Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist

  • How does the vendor address Security issues like  Data protection in motion, Encryption Key management, Data management/storage, Access Controls?
  • Does the vendor offer Right to Audit
  • Does the vendor have a DR site? How far is it from the hosting site?

( Watch more : Checklist: How to choose between different types of Application Security Testing Technologies?)

Top mistakes to avoid while selecting a vendor

  • Not doing a due diligence on the vendor & services offered e.g. speaking to service provider’s customers
  • Not understanding Cloud’s intrinsic security issues and the standards involved
  • Not involving the multiple service providers in selection process. It is important that service providers with proven track record in the area are invited

-By  Rajesh R Nair, Vice President, Credit Suisse

( More:  Want to become a speaker and address the security community?  Click here  ) 

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Comments

  • thanks for good article

This reply was deleted.