
Isaca Victoria Cloud Computing And Associated Risks V01r8

DESCRIPTION

Consideration was given to the fact that Cloud services are a new service delivery approach that has not yet been fully implemented. Based on this fact we believe that there will be more emphasis on partnering with service providers who can demonstrate the ability to manage required controls through collaborative partnerships, successfully transferring risk to the service providers. Critical areas such as procurement, systems acquisition and development will be of primary importance. Transparency of processes, consistency of outcomes, and quality of service and deliverables will become more and more important, and thus understanding of the potential issues is important to its success.

Page 7

• Order Series (ORD)
• Materials Handling Series (MAT)
• Tax Services Series (TAX)
• Warehousing Series (WAR)
• Financial Series (FIN)
• Government Series (GOV)
• Manufacturing Series (MAN)
• Delivery Series (DEL)
• Engineering Management & Contract Series (ENG)
• Insurance/Health Series (INS)
• Miscellaneous ANSI X12 Transactions Series (MIS)
• Mortgage Series (MOR)
• Product Services Series (PSS)
• Quality and Safety Series (QSS)
• Student Information Series (STU)
• Transportation:
  - Air and Motor Series (TAM)
  - Ocean Series (TOS)
  - Rail Series (TRS)
  - Automotive Series (TAS)

Page 8

CICA is a new approach to message design aimed at resolving the costly proliferation of differing (and often incompatible) XML messages used for business-to-business data exchange. CICA gives developers access to reusable components that can be used to construct interface standards to satisfy common business requirements as well as industry-specific needs.

CICA is a syntax-neutral architecture that supports both business content and implementation information. CICA messages ("documents") can currently be expressed as XML schemata.

Page 15

• Quality of Service standards?
• Service Level Agreement?
• Eliminating capital expenditures on hardware and software.
• Transferring Service Management to the Service Provider.
• Access to broader ranges of applications at lower costs?
• More functionality through their service offerings?
• More flexibility with capital budget vs operating budget?
• Improve the efficiency of their data center by transferring inefficient processes.
• Who will champion the adoption of Cloud Computing?
• Open standards that fuelled the rapid growth of Cloud Computing?

Page 17

• Clouds are complex, comprising highly specialized applications made up of even more granular, yet simple application procedures replicated thousands of times
• Clouds can generate both security benefits and risks
• How can we establish and maintain trust?
• How can the virtualization of servers and systems maintain acceptable levels of security?
• How can encryption be successfully deployed and managed over millions and maybe billions of extremely complex, unique data streams and business channels?
• How can we even hope to achieve mandatory compliance with statutes, regulations and contractual obligations?

Page 18

• Tactically, “Virtualization” is about saving money
• Strategically, “Virtualization” leads to flexible resourcing

1) Enables economies of scale: Cloud providers maximize the usage of their resources to make money.

2) Decouples users from implementation: Virtualization forces the relationship to change from implementation to service level agreements.

3) Speed, flexibility, agility: Early adopters of cloud computing talk about how quickly they can get new servers online. Compared to the 4-6 weeks it takes an average IT shop to deploy a server, just about anything is faster. In practice, virtual machines can be deployed roughly 30 times faster.

4) Breaks software pricing and licensing: Software manufacturers can’t charge users for physical capacity when only a small portion of it is used. It’s also impossible to charge for every potential server the software might be running on.

5) Enables and motivates chargeback: When servers can be delivered in minutes rather than weeks, IT users ask for more – roughly two times as much. IT needs to focus more on usage accounting and chargeback.

Page 23

• Authority Attack (with or without artefact): using fake identification or a badge, utility service or law enforcement uniform to gain access, or identifying a key individual by name/title as a supposed friend or acquaintance, or claiming authority such as a lawyer or auditor and demanding information (impersonation).

• Zero-Sum Knowledge Attack: Baiting someone to add, deny or clarify pieces of information or incorrect information, claiming to know more than they actually do, to solicit more information.

• Exaggerated/Knee-jerk Response Attack: making an outlandish lie in order to get someone to respond with the correct information.

• Persistent Attack: Continuous harassment using guilt, intimidation and other negative ways to reveal information. This could take place over days, weeks or months.

• Stake-Out Attack: Analyze operational activity over a period of time, including people, regular mail, special courier and/or supply deliveries, the patrol patterns of guards, the location of CCTV, and off-hours activity.

• “The boy who cried wolf” Attack: Setting off a series of false alarms, either physical or digital, until someone gets tired of responding and disables the alarm system.

• Help Desk Attack: Impersonating a current or new end-user needing help with access to a network or server.

• Fake Survey/Questionnaire Attack: Win a free trip to Hawaii, or somewhere special, in exchange for completing a survey and answering questions about work or your network.

Page 25

• Quality of Service Standards
• Open Standards
• Ajax (asynchronous JavaScript and XML)
• Java
• Delphi
• Product Realization
• Software Development Life Cycle
• Acceptance Criteria
• Quality Management – ISO 9001:2008
  - 7 Product realization
  - 7.1 Planning of product realization
  - 7.2 Customer-related processes
  - 7.3 Design and development
  - 7.4 Purchasing
  - 7.5 Production and service provision
  - 7.6 Control of monitoring and measuring equipment

Page 34

SCOPE: Review and assess proposed Cloud services for Software as a Service, Platform as a Service and Infrastructure as a Service.

RATIONALE: Consideration was given to the fact that Cloud services are a new service delivery approach that has not yet been fully implemented. Based on this fact we believe that there will be more emphasis on partnering with service providers who can demonstrate the ability to manage required controls through collaborative partnerships, successfully transferring risk to the service providers. Critical areas such as procurement, systems acquisition and development will be of primary importance. Transparency of processes, consistency of outcomes, and quality of service and deliverables will become more and more important, and thus understanding of the potential issues is important to its success.

The threat-risk assessment was facilitated against existing best practices for information security management systems, ISO/IEC 27001:2005. These controls are based on industry best practice for information handling, based on known vulnerabilities and risks associated with most businesses. The ISO/IEC 27001:2005 standard was initially developed by the UK Government.

Page 35

http://gizmodo.com/5449037/google-hacked-the-chinese-hackers-right-back

Page 38

• Unauthorized and/or uncoordinated and unplanned changes
• Ineffective acceptance criteria
• Ineffective application tests for malicious code
• Broken or ineffective cryptographic controls
• Unchecked technical vulnerabilities
• Missing security requirements
• Noncompliance with legal obligations
• Missing audit requirements
• Ineffective security in development and support processes
• Missing confidentiality agreements
• Ineffective or broken network access control
• Unknown users accessing the network
• Ineffective privilege management
• Incomplete removal of access rights upon exits
• Ineffective or missing fault logging
• Weak external party service delivery management

Page 39

• Missing or weak governance of external party services
• Missing capacity management
• Lack of information handling procedures
• Missing or weak information exchange policies and procedures
• No exchange agreements
• Below standard network controls
• Weak security of network services
• No independent reviews of information security
• Unchecked risks related to external parties
• No flow-down of security and privacy obligations in external party agreements
• Weak application and information access controls
• No corrective and/or preventive actions for errors in processing of applications
• Broken or weak electronic commerce services
• Ineffective audit logging
• No security of log information
• Inability to collect evidence
• Ineffective Business Continuity planning

Page 40

• Weak or ineffective control of secure areas
• Operating system access control
• Unprotected system files
• No reporting of information security incidents
• No reporting of security weaknesses
• Ineffective compliance with security policies and standards
• Missing authorization process for information processing facilities
• No communication concerning acceptable use of assets
• Noncompliance with classification guidelines
• Missing information labelling and handling
• Ineffective employee/contractor security screening
• Missing or ineffective information security awareness, education and training
• No disciplinary process for employees or contractors

Page 43

• Reduce risk by transferring it to the Cloud Service Provider
• Security auditing and testing could be simplified
• Streamline the automation of security management
• Built-in redundancy will improve disaster recovery and business continuity
• Lower Total Cost of Ownership
• Lower costs of services
• Reduce the need for capital by as much as 40%
• Provide a broader range of services
• Provide an agile response to increases and decreases in service demands

Page 44

• Establishing Trust?
• Supplier's response to audit findings
• Support for investigations and evidence gathering
• System administrator accountability
• Drawing the line between proprietary and nonproprietary for examination
• Virtualized servers and applications
• Physical control of that data
• Mandatory compliance with statutes, regulations and contractual obligations

Page 45

• How will Metering be managed moving forward? I believe that it will be resolved through regulation or the addition of an independent third-party to monitor and charge back usage. I do not believe that it will be left to the parties to work out when there is so much at stake including HST.

• Compliance will be a challenge that will only be resolved with a combination of contractual language and transparency; the adoption of best practices like ISO/IEC 27001 will be the best approach.

• Procurement will play a key role that will require lawyers and subject matter experts to develop a new approach with more emphasis on service usage and metering. This will gradually move us away from the current recurring expenses associated with annual maintenance and licensing.

• Business Continuity is absolutely critical to maintaining service continuity and availability. This has not yet been addressed by Cloud Service providers, but it needs to be. This is a statutory obligation for service providers providing services to government.

• Telecommunications touches on service continuity and capacity management. How will the Cloud Service providers manage this in a world based on usage and metering? It’s yet to be determined.

• Who will administer Access Control and how will that be coordinated? This will be a critical decision that affects the transfer of risk and responsibility.

• How will Systems Acquisition and Development be handled? This touches on procurement while putting more emphasis on defining requirements, testing and validation of services. Subject Matter Experts will play a key role. Some in-house expertise will need to be maintained and developed to carry on this role on behalf of the province/customer, to assure that we are getting what we need and pay for. Quality Management standards like ISO 9001:2008 could be leveraged to focus this effort.

• How will Incident Management be handled? Communication with clients and customers needs to be formalized. Evidence gathering during investigations is already becoming an issue in today's Internet based world.

Page 46

Contact – http://ca.linkedin.com/in/markesbernard;

Page 51

Security Posture:

• Equilibrium State (EQ): In this state the threats are identified and the appropriate safeguards are deemed to be in place.
• Vulnerable State (VU): In this state the threats far outweigh the safeguards.
• Excessive State (EX): In this state the safeguards far outweigh the threats. This can result in overspending in the area of security measures.

Information Classification:

•Low Sensitivity (L): a). limited financial losses, b). limited impact in service level, or, c). performance, embarrassment and inconvenience.

•Medium Sensitivity (M): a). loss of competitive advantage, b). loss of confidence in the government program, c). significant financial loss, d). legal action, or, e). damage to partnerships, relationships and reputations.

•High Sensitivity (H): a). extremely significant financial loss, b). loss of life or public safety, c). loss of confidence in the government, d). social hardship, or, e). major political or economic impact.

•Unclassified (U): a) information of public knowledge that can be found on most government web sites and would include such information as the government telephone books, advertisements for job opportunities in the various ministries, government-wide initiatives such as Government-On-Line, public health information, job classification level and range of pay scale.
