Cloud Vendor Management

---

Goals

• Analyze risks associated with cloud infrastructure.
• Critique security controls.
• Critique disaster recovery and business continuity management plans.
• Describe legal requirements and unique risks within the cloud environment.
• Describe the implications of cloud to enterprise risk management.
• Describe outsourcing and cloud contract design.
• Describe attributes of vendor management.

Security Policy Framework

• Security Policy Framework
• Developing Policies

Enterprise Risk Management

• Enterprise Risk Management (ERM)
  • ISO 31000 — Risk Management Guidelines
  • NIST SP 800-37
  • European Union Agency for Network and Information Security (ENISA)
• Threats, Vulnerabilities, Risk, and Impact
  • Threat
  • Vulnerability
  • Risk
• Risk Identification
  • Quantitative Risk Analysis
  • Qualitative Risk Analysis
• Key Risk Indicator (KRI)

Risk Treatment and Response

• Risk Management Strategies
  • Risk Mitigation
  • Risk Avoidance
  • Risk Transference
  • Risk Acceptance

Risk Analysis

• Inherent Risk
• Residual Risk
• Risk Appetite
• Risk Reporting
• Risk Register
• Heat Map

Cloud Contract Design

• Business Requirements for Cloud Vendors
• Vendor Management
• Vendor Management Lifecycle
• Vendor Data Protection
• Negotiating Cloud Contracts
• Contracting Documents
  • Master Service Agreement (MSA)
  • Statement of Work (SOW)
  • Service Level Agreement (SLA)
  • Memorandum of Understanding (MOU)
  • Business Partnership Agreement (BPA)
  • Nondisclosure Agreement (NDA)

Government Cloud Standards

• Common Criteria
• Federal Risk and Authorization Management Program (FedRAMP)
• FIPS 140-2

Manage Communications with Relevant Parties

• Vendors and partners
• Customers
• Regulators
• Other stakeholders