Difference between revisions of "User:Shawndouglas/sandbox/sublevel1"

At the broad business level, a well-executed integrated risk management program limits risk across the organization and in turn delivers tangible benefits.<ref name="HillsonUsing03">{{cite web |url=https://www.pmi.org/learning/library/risk-management-strategic-advantage-tactics-7727 |title=Using risk management for strategic advantage |author=Hillson, D. |publisher=Project Management Institute |date=25 September 2003 |accessdate=21 August 2021}}</ref> What are those benefits? First, by discussing both the positive and negative aspects of a risk, you may discover unintended consequences or new opportunities you had not considered. You may also identify how a risk extends into parts of the organization you did not expect: could a security gap in a remote field sensor, for example, give an attacker a path into operational data stores? Having discussed these and similar scenarios, the organization also gains the benefit of not being caught off guard, because the risk has already been acknowledged. Finally, with quality risk management planning, resources are deployed more effectively and performance becomes more consistent.<ref name="HillsonUsing03" /><ref name="AmatoFive16">{{cite web |url=https://www.fm-magazine.com/news/2016/jul/integrated-risk-management-201614781.html |title=5 benefits of an integrated risk management programme |work=Financial Management |author=Amato, N. |date=12 July 2016 |accessdate=21 August 2021}}</ref>
{{Saved book
|title=Introduction to Quality and Quality Management Systems
|subtitle=
|cover-image=Time-Quality-Money.png
|cover-color=#fffccc
| setting-papersize = A4
| setting-showtoc = 1
| setting-columns = 1
}}


An integrated risk management approach naturally extends to an organization's information technology and how it is used. From passwords on sticky notes stuck to monitors to unauthorized USB hard drives, local IT systems and their data can be put at risk. Now extend that risk to public cloud services. With added complexity comes added risk, and cloud computing is no exception. Addressing the risks of doing business in the cloud requires a concerted effort from all levels of the organization (again, see Figure 4). That effort can be accelerated by using risk management and cybersecurity frameworks that guide the organization toward better security and data integrity.
==''Introduction to Quality and Quality Management Systems''==
{{ombox
| type      = content
| style    = width: 500px;
| text      = This book should not be considered complete until this message box has been removed. This is a work in progress.
}}
The goal of this short volume is to act as an introduction to the quality management system. It collects several articles related to quality, quality management, and associated systems.


Cloud computing has existed for well over a decade, and many experts have emerged from this rapidly changing field. Some of them have contributed their experience and knowledge to the development of risk management and cybersecurity frameworks over the years. The most successful of these have been widely disseminated (though several are not free), so you need not reinvent the wheel when assessing and managing risk in your existing and upcoming IT systems. Table 7 lists some popular risk management and cybersecurity frameworks that can be applied to provider-side and customer-side cloud security efforts.
;1. What is quality?
:''Key terms''
:[[Quality (business)|Quality]]
:[[Quality assurance]]
:[[Quality control]]
:''The rest''
:[[Data quality]]
:[[Information quality]]
:[[Nonconformity (quality)|Nonconformity]]
:[[Service quality]]
;2. Processes and improvement
:[[Business process]]
:[[Process capability]]
:[[Risk management]]
:[[Workflow]]
;3. Mechanisms for quality
:[[Acceptance testing]]
:[[Conformance testing]]
:[[Clinical quality management system]]
:[[Continual improvement process]]
:[[Corrective and preventive action]]
:[[Good manufacturing practice]]
:[[Malcolm Baldrige National Quality Improvement Act of 1987]]
:[[Quality management]]
:[[Quality management system]]
:[[Total quality management]]
;4. Quality standards
:[[ISO 9000]]
:[[ISO 13485]]
:[[ISO 14000|ISO 14001]]
:[[ISO 15189]]
:[[ISO/IEC 17025]]
:[[ISO/TS 16949]]
;5. Quality in software
:[[Software quality]]
:[[Software quality assurance]]
:[[Software quality management]]


{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="70%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 7.''' Examples of some common risk management and cybersecurity frameworks for cloud security.
|-
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Framework
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Developer
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Type of framework
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Details
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/ CIS Controls with Cloud Companion Guide]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security (CIS)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The CIS Controls are a "prioritized set of actions to protect your organization and data from known cyber-attack vectors."<ref name="CIS_Controls">{{cite web |url=https://www.cisecurity.org/controls/ |title=CIS Controls |publisher=Center for Internet Security |accessdate=21 August 2021}}</ref> The CIS has released a Cloud Companion Guide to accompany their cybersecurity controls, meant to address how to use the CIS Controls in a cloud environment.<ref name="CIS_ControlsCloud">{{cite web |url=https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/ |title=CIS Controls Cloud Companion Guide |publisher=Center for Internet Security |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloudsecurityalliance.org/research/cloud-controls-matrix/ Cloud Controls Matrix (CCM)]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Security Alliance (CSA)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance. Version 4 of the CCM has been updated to ensure coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards."<ref name="CSA_CCM">{{cite web |url=https://cloudsecurityalliance.org/research/cloud-controls-matrix/ |title=Cloud Controls Matrix (CCM) |publisher=Cloud Security Alliance |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cyber.gc.ca/en/guidance/cloud-security-risk-management-itsm50062 Cloud Security Risk Management (ITSM.50.062)]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Canadian Centre for Cyber Security (CCCS)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"To enable the adoption of cloud computing, the Government of Canada (GC) developed an integrated risk management approach to establish cloud-based services. ITSM.50.062 outlines this approach which can be applied to all cloud based services independently of the cloud service and deployment models."<ref name="CCCSCloud19">{{cite web |url=https://www.cyber.gc.ca/en/guidance/cloud-security-risk-management-itsm50062 |title=Cloud Security Risk Management (ITSM.50.062) |author=Canadian Centre for Cyber Security |publisher=Government of Canada |date=March 2019 |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://dx.doi.org/10.14569/IJACSA.2019.0101226 Cloud Security Risk Management Framework (CSRMF)]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Ahmed E. Youssef
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting [cloud computing] identify, analyze, evaluate, and mitigate security risks in their cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives."<ref name="YoussefAFrame19">{{cite journal |title=A Framework for Cloud Security Risk Management based on the Business Objectives of Organizations |journal=International Journal of Advanced Computer Science and Applications |author=Youssef, A.E. |volume=10 |issue=12 |pages=186-194 |year=2019 |doi=10.14569/IJACSA.2019.0101226}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 Cloud Security Risk Vectors]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Tim Maurer and Garrett Hinck
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"The framework ... applies the well-known cybersecurity triad of confidentiality, integrity, and availability to these risk vectors and includes rough guesstimates of the probabilities that various incidents will occur, ranging from more common incidents to potential black swan events. These probabilities are not intended as predictors but rather as a starting point for a discussion of how different risks could be classified that will hopefully be tested and improved with feedback from other experts over time. The notional probabilities were based on the authors’ assessment of the frequency of past occurrences, with events that have not yet occurred being assigned lower probabilities."<ref name="MaurerCloud20">{{cite web |url=https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 |title=Cloud Security: A Primer for Policymakers |author=Maurer, T.; Hinck, G. |publisher=Carnegie Endowment for International Peace |date=31 August 2020 |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.iso.org/standard/43757.html ISO/IEC 27017:2015]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 27017:2015 "provides guidelines supporting the implementation of information security controls for cloud service customers and cloud service providers. Some guidelines are for cloud service customers who implement the controls, and others are for cloud service providers to support the implementation of those controls. The selection of appropriate information security controls, and the application of the implementation guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements."<ref name="ISO27017">{{cite web |url=https://www.iso.org/obp/ui/#iso:std:iso-iec:27017:ed-1:v1:en |title=ISO/IEC 27017:2015(en) Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services |publisher=International Organization for Standardization |date=July 2015 |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.nist.gov/cyberframework NIST Cybersecurity Framework]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology (NIST)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity framework
  | style="background-color:white; padding-left:10px; padding-right:10px;"|This framework "consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."<ref name="NIST_NewTo">{{cite web |url=https://www.nist.gov/cyberframework/new-framework |title=Cybersecurity Framework - New to Framework |publisher=National Institute of Standards and Technology |date=23 September 2020 |accessdate=21 August 2021}}</ref> Note, however, that the framework has several weaknesses in regards to cloud computing: it does not address long-term retention of log files, security gaps in shared responsibility models, virtual tenant delegation, or overly broad role-based privileges.<ref name="HazelmanWhatThe20">{{cite web |url=https://www.infosecurity-magazine.com/opinions/nist-framework-misses-cloud/ |title=What the NIST Framework Misses About Cloud Security |work=InfoSecurity |date=28 December 2020 |accessdate=21 August 2021}}</ref> If this framework is adopted, keep these and other deficiencies in mind when closing security gaps.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://csrc.nist.gov/projects/risk-management/ NIST Risk Management Framework (RMF)]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology (NIST)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud and cybersecurity risk management
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector."<ref name="NIST_RMF21">{{cite web |url=https://csrc.nist.gov/projects/risk-management/about-rmf |title=NIST Risk Management Framework - About the Risk Management Framework (RMF) |publisher=National Institute of Standards and Technology |date=21 August 2021 |accessdate=21 August 2021}}</ref> The RMF process itself is described in NIST SP 800-37 Rev. 2, and it is closely tied to the control catalog in SP 800-53 Rev. 5 ''Security and Privacy Controls for Information Systems and Organizations''.
|-
|}
 
Whether as part of an organization's broader cybersecurity plan development or as an independent effort, the organization should turn to the security controls, program development, and risk management aspects of one or more risk management and cybersecurity frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents. These frameworks not only couch risks in terms of threats to confidentiality, integrity, and availability; many also contain security controls recommended for implementation to counter those threats.
 
NIST defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web |url=https://csrc.nist.gov/glossary/term/security_control |title=security control |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=2019 |accessdate=21 August 2021}}</ref> Let's use NIST's SP 800-53 Rev. 5 as an example. One of its security controls is "AC-20(4) Network Accessible Storage Devices - Prohibited Use," which states that users shall not use an organization-defined network accessible storage device in external systems, including "online storage devices in public, hybrid, or community cloud-based systems."<ref name="NISTSP800-53Rev5">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final |title=SP 800-53 Rev. 5 ''Security and Privacy Controls for Information Systems and Organizations'' |publisher=National Institute of Standards and Technology |date=10 December 2020 |accessdate=21 August 2021}}</ref> This control represents a potential safeguard an organization can implement, most likely as part of an enforced organizational security policy. By extension, those stakeholders responsible for configuring security in the cloud may also implement controls in the infrastructure to further discourage such access to those storage devices. 
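The AC-20(4) control above is a policy statement; the infrastructure-side control the paragraph alludes to can be both preventive (an egress denylist) and detective (an audit of web-proxy logs for traffic to unapproved storage services). The following Python is an added example written for this page, not code from NIST, SP 800-53, or any cloud provider. The proxy log format, the domain lists, and the sample log lines are all constructed for the example, and ''corp-files.example.net'' stands in for whatever storage service the organization has actually sanctioned. The suffix check is done on label boundaries so that a lookalike host such as ''dropbox.com.evil.example'' is not mistaken for ''dropbox.com''.

```python
"""Added example (not from the page): turning AC-20(4), which prohibits the use
of network-accessible storage in external systems, into a detective control by
auditing web-proxy egress logs. Log format, domain lists and sample lines are
all constructed for this example."""
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import re

# Constructed list of public cloud storage services. In practice this comes
# from a maintained URL-category feed, not a hand-written set.
EXTERNAL_STORAGE_DOMAINS = frozenset({
    "dropbox.com", "dropboxapi.com", "drive.google.com",
    "onedrive.live.com", "box.com", "mega.nz",
})
# Constructed: the one storage service this organization has sanctioned
# (the "organization-defined" part of the control).
APPROVED_STORAGE_DOMAINS = frozenset({"corp-files.example.net"})

# Constructed proxy log layout: timestamp user client_ip method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)
UPLOAD_METHODS = {"PUT", "POST", "PATCH"}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    kind: str  # "upload" if data could have left the org, else "access"


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)
    unparsed: int = 0


def is_under(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of one.

    The comparison is on label boundaries, so the lookalike
    "dropbox.com.evil.example" does not match "dropbox.com"."""
    return any(host == d or host.endswith("." + d) for d in domains)


def host_of(url: str):
    """Lower-cased hostname of a URL, or None if it has none."""
    return urlsplit(url).hostname


def audit(lines) -> AuditResult:
    """Flag every request to an external storage service that is not approved."""
    result = AuditResult()
    for line in lines:
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        host = host_of(m.group("url")) if m else None
        if not m or host is None:
            result.unparsed += 1  # a bad line is counted, never allowed to abort the audit
            continue
        if is_under(host, APPROVED_STORAGE_DOMAINS):
            continue  # sanctioned under policy
        if is_under(host, EXTERNAL_STORAGE_DOMAINS):
            kind = "upload" if m.group("method") in UPLOAD_METHODS else "access"
            result.findings.append(Finding(m.group("ts"), m.group("user"), host, kind))
    return result


def per_user(result: AuditResult) -> dict:
    """Number of findings per user, for follow-up by the policy owner."""
    return dict(Counter(f.user for f in result.findings))


def egress_denylist() -> set:
    """Domains an egress proxy should block to enforce the control preventively:
    every known external storage service that is not approved."""
    return set(EXTERNAL_STORAGE_DOMAINS - APPROVED_STORAGE_DOMAINS)


# Constructed sample log; the lookalike host and the malformed line are deliberate.
SAMPLE_LOG = """\
2021-08-21T10:02:11Z alice 10.1.4.22 GET https://drive.google.com/drive/my-drive 200
2021-08-21T10:03:40Z alice 10.1.4.22 POST https://content.dropboxapi.com/2/files/upload 200
2021-08-21T10:05:02Z bob 10.1.4.31 GET https://www.box.com/login 200
2021-08-21T10:06:15Z bob 10.1.4.31 PUT https://corp-files.example.net/share/report.pdf 201
2021-08-21T10:07:50Z carol 10.1.4.40 GET https://www.nist.gov/cyberframework 200
2021-08-21T10:08:05Z carol 10.1.4.40 GET https://dropbox.com.evil.example/phish 200
garbage line that must not crash the audit
"""

if __name__ == "__main__":
    r = audit(SAMPLE_LOG.splitlines())
    for f in r.findings:
        print(f"{f.ts} {f.user:<6} {f.kind:<7} {f.host}")
    print("per user:", per_user(r), "unparsed lines:", r.unparsed)
```

Run against the constructed log, the audit reports three findings (two for alice, one of them an upload to the Dropbox API, and one for bob's visit to Box), ignores bob's upload to the approved service, ignores the lookalike host, and counts the malformed line rather than failing on it. The denylist function gives the proxy or firewall team the complementary preventive rule; the audit remains useful even once that rule exists, since it catches traffic that bypasses the proxy or new services that the denylist does not yet cover.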
 
Note, however, that in contrast to using security controls, some frameworks exist to provide a more program-based or risk-based approach to plan development. Instead of using security controls that mandate an action as a base for building security, risk-based frameworks will typically first help the organization identify the potential threats to its goals and resources and define the strategy that will effectively monitor for and minimize the impact of those risks. Security controls can then be selected as part of that risk discovery process, but the overall framework serves as a guide to identifying and prioritizing the risks most likely to affect the organization. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.
 
In 2020, Deloitte's Center for Regulatory Strategy released a document detailing the Federal Financial Institutions Examination Council's (FFIEC's) Joint Statement on Security in a Cloud Computing Environment. Part of that joint statement addressed how financial services institutions should approach risk management through the application of a risk-based framework. Five layered and hierarchical considerations were given for those institutions towards adopting a risk-based framework: governance, cloud security management, change management, resilience and recovery, and audit and controls assessment (from top to bottom). Those considerations are further discussed here<ref name="DeloitteFFIEC20">{{cite web |url=https://www2.deloitte.com/content/dam/Deloitte/us/Documents/financial-services/cloud-security-for-FSI.pdf |format=PDF |title=FFIEC statement on risk management for cloud computing services |author=Bhat, V.; Kapur, S.; Hodgkinson, S. et al. |publisher=Deloitte Development, LLC |date=2020 |accessdate=21 August 2021}}</ref>:
 
* ''Governance'': Similar to NIST SP 800-37 Rev. 2's risk management approach (Figure 4), knowledgeable stakeholders from all levels of the organization work together as a group to provide subject matter expertise towards developing an organizational plan for choosing, implementing, and securing cloud computing infrastructure and services.<ref name="DeloitteFFIEC20" />
* ''Cloud security management'': The group's stakeholders complete due diligence research on identified cloud service providers (CSPs) and on how those providers can demonstrate their level of enacted compliance and security controls, particularly in regard to the needs of the organization. As the organization dives deeper into this process and begins discussing contracts, the stakeholder group may need to develop a responsibility matrix—a tool for clearly delineating responsibilities, roles, milestones, and accountability for a project<ref name="KantorTheRACI18">{{cite web |url=https://www.cio.com/article/2395825/project-management-how-to-design-a-successful-raci-project-plan.html |title=The RACI matrix: Your blueprint for project success |author=Kantor, B. |work=CIO |date=30 January 2018 |accessdate=21 August 2021}}</ref>—to make clear who is responsible for what, particularly if the initial contract or the CSP's shared responsibility model is unclear or appears to neglect certain tasks and responsibilities. Additionally, during discussion of contracts and service-level agreements, the topic of quality assurance reports and "right to audit" clauses should be discussed and finalized in writing.<ref name="DeloitteFFIEC20" /><ref name="HeroldWhyYou20">{{cite web |url=https://privacysecuritybrainiacs.com/privacy-professor-blog/why-you-should-use-a-right-to-audit-clause/ |title=Why You Should Use a Right to Audit Clause |author=Herold, R. |work=Privacy Security Brainiacs |date=28 March 2020 |accessdate=21 August 2021}}</ref>
* ''Change management'': Software solutions and standalone code deployed in the cloud will need to be updated from time to time for security reasons. Those changes may affect other aspects of the overall cloud deployment, including its security. As such, change management practices that take into consideration cloud-specific testing tools and security knowledge are encouraged. Also consider a microservices architecture, which encourages a modular, independently deployable approach to application services<ref name="HustonWhatIs15">{{cite web |url=https://smartbear.com/solutions/microservices/ |title=What is Microservices |author=Huston, T. |work=SmartBear |date=2015 |accessdate=21 August 2021}}</ref> and, when implemented well, reduces the attack surface exposed by any single change.<ref name="DeloitteFFIEC20" />
* ''Resilience and recovery'': Business continuity planning (BCP) is a critical part of any overall risk management planning. A BCP document outlines instructional procedures the organization must follow should a major disruption in provided services occur. Those disruptions can be sourced to risks such as natural disasters, [[pandemic]]s, fires, and sabotage. The BCP document should address continuity of service at all levels of the organization, including business processes, assets, human resource management, business partner effects, etc.<ref name="LindrosHowTo17">{{cite web |url=https://www.cio.com/article/2381021/best-practices-how-to-create-an-effective-business-continuity-plan.html |title=How to create an effective business continuity plan |author=Lindros, K.; Tittel, E. |work=CIO |date=18 July 2017 |accessdate=21 August 2021}}</ref> The addition of cloud services to business operations requires renewed examination of the BCP of the organization. Apply "stress test" scenarios to business operations under the scope of a CSP having services disrupted. Keep in mind how agile you expect the CSP to be in restoring service or recovering from a catastrophic event, including a pandemic that forces more staff to work remotely. How does this change your BCP, as well as any related disaster recovery planning documentation?<ref name="DeloitteFFIEC20" />
* ''Audit and controls assessment'': If your organization operates in a highly regulated sector, vetting the CSP as a whole may not be enough. Determine if regular background checks are performed on critical staff supporting regulated data storage and transmission on the cloud service. Know the regulations and standards that affect your industry's data and operations, and ask the CSP for further evidence of how they comply and help you support compliance on their service. From there, taking into account all the information gathered prior, a risk management and/or cybersecurity framework with controls can be selected and adapted to address the specific requirements of cloud service adoption and use within your organization. Be sure to address required [[Information management|data management]] and security monitoring systems and their own security as part of the control selection process. And after security controls are selected, consider the usefulness of an external review of those controls to ensure you haven't missed anything important to your industry or operating environment.<ref name="DeloitteFFIEC20" />
 
While these five considerations were originally described in the context of financial services providers, they can be readily applied to organizations in almost any sector. However, as Deloitte notes, these considerations are not a complete checklist for adopting a risk-based framework for cloud security. Organizations should also consider where "additional risk management measures such as ongoing assessments of concentration risk, data privacy and protection, data residency, increased adoption of new cloud services for regulated workloads," and more fit into overall risk management planning.<ref name="DeloitteFFIEC20" /> Your organization, as part of monitoring risk and quality control, will also likely want to adopt consistent periodic tests of the cloud computing security controls implemented in your organizational processes.<ref name="DeloitteFFIEC20" /> Other risk management activities include limiting the effects of employee negligence through thorough training and "blocking non-essential IPs from accessing the cloud," as well as having a detailed data loss plan and redundancies in place.<ref name="IFAhelp20">{{cite web |url=https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/ |title=A Helpful Guide to Cloud Computing in a Laboratory |work=InterFocus Blog |publisher=InterFocus Ltd |date=05 October 2020 |accessdate=21 August 2021}}</ref>
 
==References==
{{Reflist|colwidth=30em}}

Latest revision as of 19:46, 9 February 2022
