AICPA TECH+ Panel Presentation, T6: Managing Risks and Security (2014, v3)
1. Aria Resort and Casino
Las Vegas, NV
Session T6: Managing Risks and Security in the Cloud
Environment (Panel Discussion)
Catherine Bruder
Steve Ursillo, Jr.
Brian Thomas
Aaron Klein
Peter Karpas
#PSTECH
2. Session Agenda
Introduction to the Cloud
Panel Discussion
• Q&A Format
- Assessing the risks prior to moving into the Cloud environment
- Managing the risks after moving into the Cloud environment
3. Steve Ursillo, Jr.
CPA, CIA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC
Principal, Director of Technology & Assurance Services
Sparrow, Johnson & Ursillo, Inc.
sursillojr@sju.com
Steve is a principal and the director of Information Technology and Assurance Services at Sparrow, Johnson & Ursillo, Inc., a Rhode Island-based full-service CPA firm. Steve specializes in information security and privacy assurance services such as network and system vulnerability testing, penetration testing, information systems audits, internal control over financial reporting audits and Service Organization Control (SOC) attestations. Steve is currently the Co-Lead for the AICPA Cyber Security Task Force, along with serving on the Service Organization Control (SOC) Reporting Task Force. He graduated with a master’s degree in computer information systems (security) from Boston University and a bachelor’s degree in business administration (accounting) from Bryant University.
4. Catherine Bruder
CPA, CITP, CISA, CISM
Shareholder, Doeren Mayhew
bruder@doeren.com
Catherine is the Shareholder of Information Technology Assurance Services for Doeren Mayhew, a CPA firm in Troy, Michigan. She is responsible for the planning and supervision of all forms of technology assurance including SSAE 16 and SOC reporting, IT audits, network vulnerability assessments, penetration testing, security program development, and disaster recovery planning. Catherine currently serves on the AICPA Service Organization Controls Task Force.
5. Brian Thomas
CISA, CISSP
Partner, Weaver
Brian.Thomas@WeaverLLP.com
Brian is the partner in charge of Weaver’s IT Advisory Services team, which provides a range of technology-based assurance and consulting related services. With experience managing teams delivering IT-focused solutions such as SOC reporting, system integration, information security assessment, SOX assistance, IT audits, and IT project management, Brian brings diverse knowledge and technical skills to his clients. He is a member of the AICPA’s SOC Reporting Task Force and a member of the IM Advisory Council at the McCombs School of Business of The University of Texas. He graduated with a master’s degree and a bachelor’s degree in engineering from the University of Texas – i.e. not a CPA.
6. Aaron Klein
Founder and COO, CloudCheckr Inc.
aaron.klein@cloudcheckr.com
Aaron is the Founder and Chief Operating Officer of CloudCheckr Inc. CloudCheckr’s industry-leading software solution provides visibility, security, cost management, and compliance controls so that users can confidently maximize their agility in the decentralized cloud environment. He has authored a series of whitepapers around public cloud best practices and mapping infrastructure controls to NIST 800-53 requirements. Aaron is also a regular contributor to Amazon Cloud Journal, DZone, DevOps.com, and other leading publications. Aaron earned a J.D. from State University of New York at Buffalo and a B.A. from Brandeis University.
7. Peter Karpas
CEO – Xero North America
Peter.karpas@xero.com
Peter recently joined Xero as the CEO of North America. Prior to Xero, Peter held a number of senior roles at PayPal and Intuit. He was Vice President & General Manager of Small Business for PayPal, responsible for driving all of PayPal's small business efforts in North America. Prior to PayPal, Karpas spent over 10 years at Intuit. He was President and General Manager of the Quicken Health Group and served as the company's Chief Marketing and Product Management Officer, VP and General Manager of the Quicken Solutions Group, and General Manager for QuickBooks Industry-Specific Solutions. He is currently a member of the Board of Trustees for the Computer History Museum.
10. IDC Forecasts
• Spending on public IT cloud services will reach $47.4 billion in 2013 and is expected to be more than $107 billion in 2017
• Over the 2013–2017 forecast period, public IT cloud services will have a compound annual growth rate (CAGR) of 23.5%, five times that of the industry overall
• Software as a service (SaaS) will remain the largest public IT cloud services category, capturing 59.7% of revenues in 2017
12. Introduction
Software as a Service (SaaS)
• Provides web-based access to software systems. This arrangement provides specialty or industry-specific automation functionality without the capital investment in equipment and the ongoing support and maintenance expense.
Platform as a Service (PaaS)
• Offers hardware and software layers comprising a computing platform that is delivered as a service. This layer of cloud computing enables companies to construct, test and deploy systems from a centralized environment.
Infrastructure as a Service (IaaS)
• Software and hardware (the equipment that supports automated operations) are purchased as a fully outsourced service rather than being bought and maintained in-house. IaaS provides a company with on-demand storage, computing and networking capacity.
13. Cloud Deployment Options
Private Cloud
• Colocation: server racks (equipped with power, cooling, and bandwidth) are rented on a monthly basis.
Public Cloud
• Managed Hosting: the service provider provides IT infrastructure resources, such as applications and storage, available over the Internet. Services may be free or subscribed to on a pay-per-usage basis.
Hybrid Cloud
• Combination of Private and Public
14. Cloud Supply Chain Information Security Risks
You can outsource a business capability or function, but you cannot outsource accountability for information security.
• Control Gaps (shared control)
- Information security (access controls, vulnerability & patch management)
- Security architecture
- Data governance (lifecycle management)
- Release management (change control)
- Facility security
• Control dependencies
- Corporate governance
- Incident response
- Resiliency
- Risk and compliance management
16. Prior to Moving Into the Cloud
Business Considerations
• What information and services would you move to the cloud?
• Who is the right person to help manage the Cloud vendor relationship?
• Will you be able to measure against established or best-practice benchmarks?
Legal and compliance considerations
• How do users know if the Cloud vendor is in compliance with regulations and obligations?
• What should a user consider in relation to legal implications?
17. Prior to Moving Into the Cloud
Cost and contractual considerations
• Should a user continue paying existing contractual costs for assets and services that are to be moved to the Cloud?
• Can a user determine the Return on Investment (ROI) or the risk to the Total Cost of Ownership (TCO)?
• What other factors should a user consider?
- Existing software licenses, flexibility of the solution/contract, etc.
18. After Moving Into the Cloud
• What should be considered if your organization or entity is already using a cloud vendor (after the fact)?
• What are the options to help mitigate the risks associated with engaging a cloud vendor?
• How can a user ensure that risks are mitigated?
• What should a user consider in relation to legal implications?
• If an incident (such as a security breach) does occur with your cloud vendor, what are the appropriate escalation procedures?
• What best practices for resource and cost monitoring are available?
- Usage, scope creep, power or bandwidth consumption and the process controls around them.
20. Join Information Management and Technology Assurance (IMTA)
IMTA Premium Member Benefits:
• Safari Books Online
• Discounts on educational programs, such as the AICPA TECH+ conference, NAAATS conference, and IT Audit School program
• Discounts on valuable software and tools, including Audimation Services, Inc. IDEA® products/training sessions and InformationActive ActiveData® products
• Valuable technology content, including discussion papers, content suites, studies & practice aids
• Communications, including electronic newsletters, featured articles, and news about the profession and the community
• Networking groups and IT Section events at AICPA conferences
Visit http://www.aicpa.org/InterestAreas/InformationTechnology for more details.
21. What is a Certified Information Technology Professional (CITP)?
A CITP is a CPA:
• Specialty designation that identifies CPAs with the unique ability to bridge between business and technology
• The CITP Body of Knowledge represents the fundamental concepts of information management and technology assurance, including:
- Risk Assessment
- Fraud Considerations
- Internal Control and IT General Controls
- Evaluate, Test and Report
- Information Management and Business Intelligence
22. CITP Credential Holder Benefits
• CITP Marketing Toolkit
• CPA Practice Advisor – a CPA-focused magazine
• Full access to technical resources, content suites and practice aids
• Find a CPA/CITP Online Database
• Member Discounts
• Information Management and Technology Assurance (IMTA) Division Web Seminars
BEFORE BOARDING / CONSIDERATIONS:
Cloud risk sample questions, feel free to add or change:
• What information and services would you move to the cloud? (BRIAN)
• How do users know if the cloud vendor is in compliance with regulations and obligations? (STEVE)
• Will you be able to measure against established or best-practice benchmarks? (AARON)
• What are some of the cost, legal and contractual considerations? (AARON)
• Can a user determine the Return on Investment (ROI) or the risk to the Total Cost of Ownership (TCO)? (BRIAN)
• Should a user continue paying existing contractual costs for assets and services that are to be moved to the cloud? (STEVE)
• What other factors should a user consider? (BRIAN)
AFTER BOARDING:
• What should be considered if your organization or entity is already using a cloud vendor (after the fact)? (BRIAN)
• What are the options to help mitigate the risks associated with engaging a cloud vendor? (STEVE)
• How can a user ensure that risks are mitigated? (BRIAN)
• What should a user consider in relation to legal implications? (AARON)
• If an incident (such as a security breach) does occur with your cloud vendor, what are the appropriate escalation procedures? (STEVE)
• What best practices for resource and cost monitoring are available? E.g. usage, scope creep, power or bandwidth consumption and the process controls around them. (AARON)