kai-roer
• The Roer Group: 1994
• Author & blogger
• Consulting, training and speaking worldwide
• Information security and Risk Management
• Risk management
• Compliance and legal matters
• Humans
• Technology
• Business models
Risk is defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative.
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Source: http://en.wikipedia.org/wiki/Risk_management, 3rd June 2012
Risk management requires
• competence
• resources
Something most SMEs don’t have
• What are our risks when buying this service from this vendor?
• Can we accept those risks?
• How will our cloud supplier(s) impact our business contingency plan?
• What if the cloud fails?
Plan for Cloud Fail!
• HIPAA
• SOX
• PCI-DSS
• The Patriot Act
• Basel I
• Basel II
• Basel III
• Gramm-Leach-Bliley
• Breach Notification Legislation
• Data Protection Directive
• The new EU Data Regulations
• FISMA
Any information connected to a person.
Data Protection Directive (Directive 95/46/EC)
Personal data are defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a)
• Most laws and regulations fail to recognize the service provider’s role, and assume that the owner of the data also controls the infrastructure.
• Where (country) do you store the data?
• Which jurisdiction controls your data?
• What and who have access to the data?
• Privacy regulations in EU != USA
• What training will our users need in order to successfully use the cloud service?
• How does the cloud service impact our policies?
• Are we ready for cloud? What will need to be changed to prepare us?
• What alternative cloud services are available to us?
• What impact will the cloud implementation have on our IT department?
• Who is in charge of support?
• 99% of companies in the EU are SMEs
• Most lack the knowledge, understanding and competence to maintain their own systems
• Cloud provides a more secure and cost-efficient solution for most of these companies
• How will the cloud provider sustain themselves and stay in business?
• How important is price vs. customization to us?
• What kind of impact will the use of this service have on our business model?
• What can we change in our current business model to benefit from the cloud possibilities?
?
http://roer.com
Twitter: @kairoer