
Protiviti-Cloud-Security-TPRM Ecosystem-IIA-Conference-2021

Managing Third Party Risk in the Cloud Ecosystem
Dallas IIA Super Conference
Nov 1, 2021
INNOVATE. TRANSFORM. SUCCEED.
Adapt to the new business reality.
Internal Audit, Risk, Business & Technology Consulting
INTRODUCTION
© 2021 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
Internal Use only, confidential
and for Protiviti Exclusive Client : Not for external distribution
Technology Consulting
DISCLAIMER
This Talk is NOT …
• A Primer on Cybersecurity 101
• Deep Dive in Cloud
This Talk is ALL About…
• Cloud Fundamentals
• Challenges with Hybrid Cloud
• Evolve the TPRM Programs
AGENDA FOR THIS SESSION
• What is the Cloud
• Market Drivers
• Challenges & Risks
• Let’s talk SolarWinds
• Shared Responsibility Governance
• Compliance in the Cloud
• Evolve the Cloud GRC & Audit Program
• Next Steps & Q&A
QUICK QUESTION
How would you describe your knowledge of Cloud and Cloud Security?
A. I can give an elevator pitch but would be nervous if someone asked me for technical details
B. I’ve performed security assessments that have included Cloud platforms
C. If you wanted to interview me for a Cloud security job, I’m confident I can impress you with my technical and conceptual knowledge
D. I think Cloud and Cloud security is a bunch of technology products, right?
E. Cloud and Cloud Security is no different than Traditional IT and security
WHAT IS CLOUD?
Too many overly complex or overly simplified definitions.
National Institute of Standards and Technology definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cloud is just someone else’s computer!
SOME KEY TERMS
The NIST Cloud Definitions Standard (image courtesy NIST)
Essential Characteristics (this is the “Magic”): On-Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
Deployment Models (this is the “Type”): Public Cloud, Private Cloud, Community Cloud, Hybrid Cloud
Service Models (this is the “Service”): Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
CLOUD SERVICE MODELS
Consume It: SaaS
Build On It: PaaS
Migrate To It: IaaS
Key Characteristics and Benefits (logos are registered trademarks of their owners)
SaaS: IT Costs: Licensing costs; Scalability: Transparent (part of SaaS model); Deployment Efforts: Already Deployed
PaaS: IT Costs: Lower upfront costs; Scalability: Improved; Deployment Efforts: Quicker and Easier
IaaS: IT Costs: No infrastructure management costs; Scalability: Dynamic (scaling up & out); Deployment Efforts: Faster with on-demand provisioning
MARKET DRIVERS
BENEFITS OF CLOUD
Big Data, Data Analytics, Machine Learning, Artificial Intelligence: requires massive processing power, secure data storage capabilities and agile design to exponentially improve business opportunities and security risk visibility across trillions of data statistics.
Internet of Things, Operational Technology: requires secure connectivity, plus massive storage and processing capabilities across global zones.
Digital Transformation and DevOps: requires customer-facing services able to support rapid change (e.g., multiple releases per day) and secure automation services.
Massive power, agility, connectivity, storage, automation and security. Your traditional data centers cannot achieve this at cost or at scale; Cloud does.
WHY MOVE TO CLOUD? MARKET DEMANDS A CLOUD SOLUTION
This is Silicon Valley… organizations with no traditional IT and born in the cloud.
Massive power, agility, connectivity, storage, automation and security.
Challenges & Risks
Today’s Organizations are Facing Unprecedented Challenges
NEW NORMAL - A COMPLEX LANDSCAPE
A COMPLEX SUPPLY CHAIN
WHO’S IN THE SUPPLY CHAIN?
Diagram: placeholder cloud service providers (CSP_ABC, CSP_BDE, CSP_XYZ, CSP_KLM and others) surround the organization’s Staff/Contractors, Customers, Vendors/Partners, Big Data, GitLab and GitHub, with the same CSPs (e.g., CSP_BDE, CSP_KLM) appearing in several places. Clouds Everywhere!
Let’s Talk about SolarWinds
WHAT HAPPENED
SolarWinds is an American company that has provided software products to almost all Fortune 500 companies to help manage their networks, systems, and IT infrastructure.
In early 2020, hackers gained access and added malicious code into SolarWinds’ software system, “Orion,” which is used by 33,000 of its customers.
As many as 18,000 customers ran this software, spreading the compromise to several major companies and federal agencies.
Source: What Is the SolarWinds Hack and Why Is It a Big Deal? (businessinsider.com)
Source: SolarWinds says dealing with hack fallout cost at least $18 million (yahoo.com)
Source: Massive SolarWinds hack has big businesses on high alert (CNN)
IMPACT
Microsoft said “the intruders only downloaded the source code of a few components related to some of its cloud-based products,” including a small subset of Azure components (subsets of service, security, identity), Intune components, and Exchange components (MSN).
Organizations Attacked: State Department, Department of Treasury, Department of Homeland Security, Department of Energy, National Nuclear Security Administration
“Since the hack was done so stealthily, and went undetected for months, security experts say that some victims may never know if they were hacked or not” (The Wall Street Journal)
Source: Microsoft says SolarWinds hackers downloaded some Azure, Exchange, and Intune source code (msn.com)
IMPACT
Ongoing: Investigations, Hearings
Actions Taken: Remediation Efforts, Investments in Cybersecurity, Researching New Cybersecurity Methods
“Companies will need to do clean-up similar to a hurricane,” she added. “It is going to be expensive and extensive — companies are going to have to identify what has been breached and what, if anything, remained stable.” (Kiersten Todt, former cybersecurity official in the Obama administration)
CHALLENGES & RISKS
Cyber threats are increasing rapidly in volume and sophistication. Threat actors are using techniques we simply didn’t see but that have always been there.
The cloud ecosystem makes it harder to protect sensitive data, leading to financial, legal, reputational and safety consequences.
Shared Responsibility of the ecosystem is not well understood across the business; traditional GRC practices have not evolved to the new reality.
CHALLENGES & RISKS
Data regulations are increasing around the world:
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• General Data Protection Regulation (GDPR 2016)
• California Consumer Privacy Act (CCPA) 2018
• The Privacy Protection Act (PPA) 2017
• Federal Data Protection Law 2000
• Personal Data Protection Bill 2018
• Texas Privacy Protection Act (2019)
• Personal Data Protection Act (PDPA 2012)
• Lei Geral de Proteção de Dados Pessoais (LGPD 2019)
• Personal Information Security Specification 2018
• Australia Privacy Principles 2014
• Personal Information Protection Act (PIPA) 2011
• Protection of Personal Information Act 2013 (POPI)
• Act on Protection of Personal Information (APPI) 2017
OUTCOMES OF CLOUD SECURITY CHALLENGES
• People fatigue
• Ineffective incident management lifecycles
• Worrying about incomplete visibility
• Incomplete knowledge of how embedded it is
GRC/Privacy Programs need to Evolve
GOVERNANCE PROGRAMS NEED TO BE UPDATED FOR CLOUD
• What are the Cloud Services we are prepared to Adopt?
• Who Owns and is Accountable for the Cloud Service Relationship, Services, Subscriptions or Tenants?
• Does our Cloud Adoption align with our Business Strategy?
• Do we have a Common Language when we speak of Cloud?
• How does our Use of Cloud affect Compliance Effectiveness?
• How does Cloud Adoption introduce new Risks into our Organization?
• Do we have Understanding and Visibility of What and Where Cloud Services are Deployed?
• What Compliance Activities are we Responsible for versus our CSP’s?
• Do we Know what Cloud Controls are in Place and Are they Different from our Traditional Standards?
“Of 1200 companies surveyed, 69% wrongfully believed that Data Protection, Compliance and Privacy obligations were the Responsibility of the Cloud Provider” (Veritas 2020 Data Survey)
SHARED RESPONSIBILITY – NEW GOVERNANCE
A NEW GOVERNANCE PARADIGM – SHARED RESPONSIBILITY
Pizza as a Service: the higher the cloud stack, the less control you have over the environment.
Columns (left to right): Traditional On-Premises (On Prem) = Made at Home; Infrastructure as a Service (IaaS) = Take and Bake; Platform as a Service (PaaS) = Delivered Pizza; Software as a Service (SaaS) = Dined Out.
Rows (the stack): Dining Table, Soda, Electric / Gas, Oven, Fire, Pizza Dough, Tomato Sauce, Toppings, Cheese.
Each cell is marked either “You Manage” or “Vendor Manages”; moving from On Prem toward SaaS, more of the stack shifts to “Vendor Manages”.
WHERE IS OUR DATA?
The dynamics of Hybrid Cloud deployments have changed the way Governance, Risk and Compliance Programs need to treat data lifecycle management.
Cloud Requires a New POV. Governance Considerations: Managing Data Lifecycle, Multi-Tenancy, Shared Governance, Data Custodian, Trust/Privacy Clarity, Data Owner, Supply Chain/BIA’s, Contract, No Collection Standards, Data Processor, Data Sovereignty, Data Flows not Known, Managed Services/Forensics.
• Data is Ethereal: Data Assets and Locations are Elastic
• Multi-Tenancy: Your Data GRC policies do not bind Multi-Tenants or the CSP’s; weak security could leak to other tenants
• Data Custodian: Hosting a SaaS solution on an IaaS platform makes you the custodian and processor but not the owner
• Data Owner: As the Data Owner, you are responsible for 3rd, 4th, 5th party handling, which includes the unknown CSP Supply Chain
• Data Processor: CSP becomes Data Processor and is not bound by your Data GRC nor adherence to a Standard
• Data Flows not Known: CSP’s do not allow inspection of Orchestration and Abstraction layers
THE CLOUD PROVIDER SUPPLY CHAIN IS MASSIVE!
Image: Cloud Security Alliance
Cloud providers’ infrastructure is not in scope for their customers’ audits; the providers support those audits but are not responsible for them.
INTEGRATED APPROACH TO THIRD PARTY RISK
1. Scoping of vendors based on risk
2. Organisation focused on key specific risks that the supplier/service presents
3. Vendors can manage customer risk through their own process (thru Multi-tenants?)
4. System reminds supplier of their commitments (in Cloud?)
5. Process established to track/manage the closure of remediation plans (Cloud vendor tracking?)
6. Process fully integrated with business risk process
CHALLENGES WE SEE IN EXECUTION
As a result of an increase in outsourcing of business and IT services, including the acceleration of cloud adoption, the proportion of services and technology which sits outside of the boundaries of an organization has increased significantly. Vendor risk management processes have often not effectively evolved to address this change in focus.
• Risk management vs. blanket control adherence: Are Risks unique to Cloud?
• Pre-contractual due diligence: Does this include the Cloud Supply Chain?
• Risk tracking and reporting: Who owns this for Cloud Licenses?
• Risk acceptance, not risk management
• Regulatory drivers
WHAT REGULATORS ARE SAYING
Most regulatory and standards bodies have issued guidance or are re-evaluating previous guidance for cloud, including:
• PCI-DSS
• FFIEC
• HIPAA
• ISO 27018
• SEC
• FERPA
• FEDRAMP
• Multiple International Laws
• Cross Border Data Restriction Laws
Interestingly, there are few updates from SEC/PCAOB on Cloud topics, and Cloud Adoption and its impact on Auditors is still in the Research stage.
For Immediate Release, April 30, 2020: FFIEC Issues Statement on Risk Management for Cloud Computing Services. The Federal Financial Institutions Examination Council (FFIEC) on behalf of its members today issued a statement to address the use of cloud computing services and security risk management principles in the financial services sector.
https://nasba.org/blog/2019/11/25/pcaob-still-studying-use-of-technology/
OUTCOMES OF TRADITIONAL APPROACHES TO GRC/TPRM
• Cloud Adoption is hard to Govern
• Ineffective TPRM lifecycles lead to Shadow IT
• Reliance on Cloud Provider to manage risk in their Supply Chain
• Technology sprawl/bloat
  – Poor integration
  – Cost overruns
Update GRC Processes
Include Cloud Supply Chain in GRC
START WITH CLOUD GOVERNANCE
Hybrid Cloud Governance pillars:
• Policies, Standards and Controls: policies, standards, controls for target workloads
• Regulatory Compliance and Audits: identification, enforcement, and reporting of compliance controls
• Cloud Security Frameworks: security standards and frameworks to protect data and manage business service risk
• Enterprise Architecture Governance: ensure alignment of architecture to set vision and objectives
• Cloud Center of Excellence: explore, introduce new capabilities and build skills to support them
• Cloud Service Lifecycle Management: maintain, retire, upgrade and ingest cloud services for consumption by business groups
• Showback / Chargeback Model: tagging of resources for cost allocations
• Service Consumption Governance: access control, scale-up/scale-down resources, auto-shutdown, cost performance metrics tracking
ADAPTED PEOPLE, PROCESS & TECHNOLOGIES TO ADDRESS RISK
Shared Responsibility Model and Knowledge
• Define how Shared Responsibility Model impacts structure and operational models for your organization
  – Formalize and Communicate
  – Update Governance policies, RACI’s
  – Measure and Monitor
• Train employees
• Provide incentives and paths to certifications where relevant
Frameworks and Benchmarks
• Use established frameworks to holistically address environment
  – Example: CSA Cloud Security Guidance, STAR and AZURE Well-Architected Framework
• Compliance and Regulatory concerns
  – Align CIS Benchmarks, CCM and others to approved standards and governance policies
Technical Capabilities and Tools
• Implement technical capabilities to enable real-time understanding of what is going on in the environment
• Use tools to reduce or remove human error, which increases speed of response and allows security controls to be automated
• Key considerations:
  – Open Source vs. Enterprise
  – Platform Agnostic vs. Platform Specific vs. Cloud Native
TOOLS TO ADDRESS TPRM GOVERNANCE – CSA CLOUD SECURITY GUIDANCE & ATTESTATIONS
CSA Security Guidance domains (source: Cloud Security Alliance): Cloud Computing Concepts & Architectures; Governance and Enterprise Risk Management; Legal issues, contracts and E-discovery; Compliance and Audit Management; Information Governance; Management Plane and Business Continuity; Infrastructure Security; Virtualization and Containers; Incident Response; Application Security; Data Security and Encryption; Identity, Entitlement, and Access Management; Related Technologies; Supply Chain TvM; Universal Endpoint.
CSA Domains establish a stable, secure baseline for cloud operations and should become a part of your Standards library. Cloud Policies can be built from Domains which emphasize security, stability, and privacy in a multi-tenant environment.
Frameworks and Benchmarks
• Use established frameworks to holistically address environment
  – CSA Cloud Security Guidance and CSP Well-Architected Frameworks
• Compliance and Regulatory concerns
  – Example: CSA CCM
  – CIS, Azure Security Center, Azure/AWS/GCP Compliance FAQ’s
• Join ISAC’s and Peer Sharing Groups
HAVE CONTINGENCY PLANS FOR DEPRECATED/OBSOLETE SERVICES
ADD CSP SUPPLY CHAIN MONITORING TO YOUR GRC DASHBOARDS
MONITOR CSA STAR REGISTRY – EXAMPLE: AZURE ATTESTATIONS
MONITOR FOR CERTIFICATIONS AGAINST LEADING STANDARDS – EXAMPLE: AWS
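The monitoring slides above ask for CSP supply-chain attestations to be tracked on the GRC dashboard. The following is an added example, not code from the deck or from Protiviti, of the check such a dashboard could run: it walks a constructed inventory of 3rd, 4th and 5th parties, holds every tier to the same attestation baseline, and flags parties whose attestations are missing, expired or about to lapse, as well as sub-processors that were never disclosed. The inventory format, the CSP_* placeholder names, the required-attestation baseline and all dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Baseline the (assumed) GRC program demands of every party that touches its
# data, whatever its tier in the supply chain.  Constructed for this example.
REQUIRED_ATTESTATIONS = ("ISO 27018", "SOC 2 Type II")
RENEWAL_WARNING_DAYS = 90          # flag attestations that lapse within 90 days


@dataclass
class Provider:
    """One party in the cloud supply chain (constructed inventory format)."""
    name: str
    tier: int                      # 3 = your CSP, 4 = its sub-processor, 5 = theirs
    attestations: dict             # attestation name -> expiry date
    sub_processors: list = field(default_factory=list)
    disclosed: bool = True         # False: found in a data-flow review, not the contract


@dataclass(frozen=True)
class Finding:
    provider: str
    tier: int
    status: str                    # UNDISCLOSED | MISSING | EXPIRED | EXPIRING
    detail: str


def check_provider(p, today):
    """Findings for a single party, ignoring its own sub-processors."""
    out = []
    if not p.disclosed:
        out.append(Finding(p.name, p.tier, "UNDISCLOSED",
                           "party is not named in the CSP's supply-chain disclosure"))
    for att in REQUIRED_ATTESTATIONS:
        expiry = p.attestations.get(att)
        if expiry is None:
            out.append(Finding(p.name, p.tier, "MISSING", att))
        elif expiry < today:
            out.append(Finding(p.name, p.tier, "EXPIRED", f"{att} expired {expiry}"))
        elif expiry - today <= timedelta(days=RENEWAL_WARNING_DAYS):
            out.append(Finding(p.name, p.tier, "EXPIRING", f"{att} expires {expiry}"))
    return out


def walk_supply_chain(providers, today):
    """Depth-first over 3rd -> 4th -> 5th parties; every tier is held to the same bar."""
    out = []
    for p in providers:
        out.extend(check_provider(p, today))
        out.extend(walk_supply_chain(p.sub_processors, today))
    return out


def summarize(findings):
    """Per-status counts, i.e. the numbers a GRC dashboard tile would show."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed inventory.  CSP_* names are placeholders, as on the slides.
INVENTORY = [
    Provider("CSP_ABC", 3,
             {"ISO 27018": date(2022, 9, 30), "SOC 2 Type II": date(2022, 1, 15)},
             sub_processors=[
                 Provider("CSP_KLM", 4, {"SOC 2 Type II": date(2021, 10, 15)},
                          sub_processors=[
                              Provider("CSP_XYZ", 5,
                                       {"ISO 27018": date(2023, 1, 1),
                                        "SOC 2 Type II": date(2023, 1, 1)},
                                       disclosed=False)])]),
    Provider("Payroll SaaS (constructed)", 3,
             {"ISO 27018": date(2022, 6, 1), "SOC 2 Type II": date(2022, 6, 1)}),
]


def monitor(today=date(2021, 11, 1)):
    """Run the check as of the conference date (default) or any other snapshot."""
    return walk_supply_chain(INVENTORY, today)


if __name__ == "__main__":
    findings = monitor()
    for f in findings:
        print(f"tier {f.tier}  {f.status:<11} {f.provider}: {f.detail}")
    print(summarize(findings))
```

Replacing INVENTORY with an export from the vendor register (and the expiry dates with what the CSA STAR registry or the provider's compliance page states) turns this into a scheduled dashboard feed.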
FINAL THOUGHTS
• Consider the cloud ecosystem as part of the organization
• Evolve the TPRM program
• Include cloud in everything you do for GRC
• Stay vigilant in monitoring for updates from your cloud providers
Q&A
RECOMMENDED RESOURCES
• Recover: The NIST Cybersecurity Framework’s Outlier
• Are You in the Ransomware Sweet Spot?
• Key Strategies to Mitigate Ransomware Impact
• Ransomware Crisis: 11 Actions to Secure Critical Infrastructure
Looking for more? Check out our Tech Insights Blog