April 24, 2014 Event

Governance, Risk and Compliance (GRC) and the Cloud
Please save the date for our April 24th event.

Is GRC in the cloud the same as GRC in traditional, on-premises computing? If not, what are the differences? As more large, regulated companies seek to take advantage of cloud computing, how should they think about GRC in the cloud?

Join us for a discussion with leading cloud GRC experts as they share what their companies did to meet their requirements. Which tools were helpful, and which were not? And what would they recommend to others?

In addition, we will present an overview of CSA best practices and frameworks such as the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ).

The CSA is a member-driven organization dedicated to sharing experiences, lessons learned and best practices. Join us for networking and an informative conversation on the legal, policy and organizational risk issues surrounding GRC.

Pizza/Soda will be provided by BSI Group America and Elastica Inc. Thanks to our event sponsors!

Thursday, April 24
6:00pm – 9:00pm

300 Madison Avenue
22nd Floor
New York, NY 10017

Speakers include:
– John DiMaria, BSI Group America Inc. CSA OCF, CTP Working Groups
– Zulfikar Ramzan, Elastica, Inc., Chief Technology Officer
6:15pm-6:30pm: Welcome and CSA-NY chapter update & news

6:35pm-7:45pm: The Details Matter: Security Laws That Demand Attention
John DiMaria, BSI Group America Inc. CSA OCF, CTP Working Groups

This session will show how companies leverage the Cloud Controls Matrix, the Consensus Assessments Initiative Questionnaire (CAIQ) and CSA STAR Certification to increase transparency in the cloud. These resources are designed to peel back and reveal the layers of accountability and responsibility between Cloud Service Providers and their Tenants, applying measurable, risk-based decision making to both assessing and attesting to governance, risk and compliance best practices. This session will provide a thorough overview of GRC in the cloud, from awareness to certification.

Among the key topics covered:

  • Overview of the CSA GRC Stack family of research and tools
  • Theory and design of Cloud Controls Matrix (CCM)
  • Mapping your own requirements into CCM
  • Using Consensus Assessments Initiative Questionnaire (CAIQ) to perform provider assessment
  • Security transparency and the Open Certification Framework (OCF)
  • An inside look at CSA STAR Certification
  • How CSA STAR Certification facilitates compliance with G-Cloud

7:45pm-9:00pm: Reasoning about Enterprise Application Security in a Cloudy World
The concept of “cloud security” is both metaphorically and quite literally nebulous. The security community has spent time trying to come to terms with what it actually means to “secure the cloud”. Within that, an important component of cloud security involves safeguarding how organizations leverage third-party public cloud services (e.g., SaaS applications).

There are some frameworks proposed for reasoning about the security of SaaS applications; for example, Gartner’s Public Cloud Security Management Lifecycle. What are some of the key elements of such a framework and how can they be tactically implemented?

Also, when it comes to cloud security, the industry is fragmented. There are different problem sub-domains and, in many cases, point solutions to specific parts of the problem space. Therefore, it is important to understand the relative strengths and drawbacks of different approaches and how these pieces fit together as part of a more holistic approach to securing cloud usage within an organization.

This presentation will describe the overall frameworks and give details on their ramifications. It will also provide insights into what the overall SaaS security landscape looks like.