[Figure: "CISO Job" mind map; the branches and leaf nodes recovered from the diagram are listed below.]

CISO Job

- Business Enablement
  - Cloud Computing
    - Cloud architecture Strategy and Guidelines
    - Cloud risk evaluation
      - Compliance
      - Ownership/Liability/Incidents
      - Vendor's Financial Strength
      - SLAs
      - Infrastructure Audit
      - Proof of Application Security
      - Disaster Recovery Posture
    - SaaS Strategy
      - Application Architecture
      - Integration of Identity Management/Federation/SSO
      - SaaS Policy and Guidelines
  - Mobile Technologies
    - Policy
    - Technology
    - Lost/Stolen devices
    - BYOD
  - HR/On Boarding/Termination Processes
  - Business Partnerships
  - Business Continuity and Disaster Recovery
- Budget
  - ROSI
  - Security Projects
  - FTE and contractors
- Project Delivery Lifecycle
  - Requirements
  - Design
  - Security Testing
  - Certification and Accreditation
- Security Architecture
  - Network Segmentation
  - Application protection
  - Defense-in-depth
  - Remote Access
  - Encryption Technologies
  - Backup/Replication/Multiple Sites
  - Cloud/Hybrid/Multiple Cloud Vendors
- Compliance and Audits
  - PCI
  - SOX
  - HIPAA
  - Regular Audits
  - SSAE 16
- Legal and Human Resources
  - Data Discovery
  - Vendor Contracts
  - Investigations/Forensics
- Security Operations
  - Threat Prevention
    - Network/Application Firewalls
    - Identity
    - Information Security Policy
    - DLP
    - Anti Malware
    - Proxy/Content Filtering
    - Patching
    - DDoS Protection
    - Hardening guidelines
    - Desktop security
    - Encryption, SSL
  - Threat Detection
    - Log Analysis/correlation/SIEM
    - Alerting (IDS/IPS, FIM, WAF, Antivirus, etc.)
    - Netflow analysis
    - DLP
  - Vulnerability Management
    - Scope
    - Identify
    - Classify
    - Mitigation
    - Measure
- Application Security
  - Application Development Standards
  - Secure Code Training and Review
  - Application Vulnerability Testing
  - Change Control
  - File Integrity
  - Web Application Firewall
  - Integration to SDLC and Project Delivery
- Identity Management
  - Credentialing
  - Account Creation/Deletions
  - Single Sign On (SSO, Simplified sign on)
  - Repository (LDAP/Active Directory)
  - Federation
  - 2-Factor Authentication
  - Role-Based Access Control
  - Ecommerce and Mobile Apps
  - Password resets/self-service
  - HR Process Integration
- Risk Management
  - Physical Security
  - Vulnerability Management
  - Ongoing risk assessments/pen testing
  - Integration to Project Delivery
  - Code Reviews
  - Risk Assessment Methodology
  - Policies and Procedures
  - Associate Awareness
  - Data Centric Approach
    - Data Discovery
    - Data Classification
    - Access Control
    - Data Loss Prevention (DLP)
    - Partner Access
    - Encryption/Masking
    - Monitoring and Alerting
- Incident Management
  - Incident Response
  - Media Relations
  - Readiness
  - Investigation
  - Incident Forensic
  - Data Breach Preparation
    - Update and Test Incident Response Plan
    - Set leadership Expectations
    - Media Relations
    - Business Continuity Plan
    - Forensic and IR Partner
    - Insurance Policy
    - Adequate logging