Cloud Security and Compliance Assessment


The Cloud Security and Compliance Assessment is part of the Planning Phase of our Service Methodology. It builds on the information discovered in our Cloud Strategy Workshop or Cloud Opportunity Assessment, or on information of similar depth and value obtained by other means. The primary function of the Cloud Security and Compliance Assessment is to help you understand your security posture, policies and compliance exposures.

The exact length of a particular Cloud Security and Compliance Assessment depends on the complexity of the environment and on the specific security regulations and rules that apply. We estimate that length from the information available from the Strategy Workshop or other sources, together with a scoping call, before submitting a bid for the engagement. Typically a Cloud Security and Compliance Assessment requires three to five days on site, plus time spent remotely analyzing the results and preparing the final report.

Objectives

The Cloud Security and Compliance Assessment is an on-site consulting engagement whose goal is to examine and maintain an organization's security posture by identifying the potential data security risk(s) involved in moving targeted workloads to the Cloud.

The objectives of this assessment service are:

  • Examine and understand your current security strategy, including compliance, regulatory and internal policies, and related processes such as backup, disaster recovery, data life cycle management, and the handling of discovery orders.
  • Focusing on the workloads targeted for the Cloud, identify the physical location of all stored data, including backup and disaster recovery copies; the servers, workstations and interconnecting networks used for those workloads; and the specific security policies and requirements that apply to them.
  • Define requirements for the Cloud implementation that protect the security of the data to the same level it has today and, if different, to the level required to meet all policies and requirements.

Pre-visit Items

Prior to the on-site visit, Purposeful Clouds collects all existing and pertinent information. This could be the Cloud Strategy and Workshop Report from a Cloud Strategy Workshop, the Cloud Opportunity Assessment Report from a Cloud Opportunity Assessment, or information of equivalent value collected by other means. If this information is not readily available, the required length of the Cloud Security and Compliance Assessment engagement will increase.

We also hold a Kick-off Call to establish the roles and responsibilities, logistics, schedules and high-level goals for the on-site visit.

During the on-site visit

The on-site session usually starts with:

  • A short presentation covering the main security issues related to the Cloud and the transition to and from the Cloud.
  • A review of the workloads currently targeted to move to the Cloud first, concentrating on the security requirements of each workload.
  • Discussion of your security concerns and policies, including:
    • Compliance and regulatory concerns
    • Internal security policies and procedures
    • Existing infrastructures and policies for backup, disaster recovery, data life cycle management, and processing discovery orders
  • A short explanation of how we intend to proceed with the data collection.
  • A scheduling conversation, based on the availability of your personnel, to arrange collection of the information needed to satisfy the Objectives listed above.

The majority of the on-site visit is spent in small groups capturing the required information. For each of the targeted workloads:

  • Identify the physical location of all stored data, including backup and disaster recovery copies
  • Identify servers and workstations involved
  • Identify network infrastructure used
  • Identify existing security posture that applies to this workload

Each mid-afternoon we hold a quick review of what has been covered and what remains, and list any data collection issues so they can be addressed.

Post-visit

After the on-site visit, we analyze the information provided and prepare the deliverables. We may have a few specific follow-up questions, which we will ask via a scheduled conference call.

Deliverables

Cloud Security and Compliance Assessment Executive Summary

This brief executive-level report covers the scope, approach, high-level findings and recommendations identified during the Assessment Service for the benefit of your senior management.

Cloud Security and Compliance Assessment Report

This comprehensive report details the results of the Assessment Service, including:

  • Summary and review of the analysis performed
  • For each targeted workload:
    • The set of security requirements for the workload necessary to match the existing security posture for the workload
    • If different, the set of security requirements for the workload necessary to match the required security posture for the workload as determined during the on-site visit
  • The security requirements to be provided to the Cloud Service Provider(s) to cover all selected workloads
  • A gap analysis identifying differences between your current security posture and pre-defined policy
  • A set of recommendations on the Cloud implementation necessary to meet these requirements (IaaS, PaaS, SaaS or some combination; Public Cloud, Private Cloud, Community Cloud or Hybrid Cloud)

Summary Presentation

We deliver a summary presentation highlighting the findings of the Assessment Service in a one- to two-hour online meeting about two weeks after the on-site visit.
