Transforming IT
Crazy Eights: Are You Discarding Your Due Diligence?

TSchreider on ‎03-31-2014 11:55 AM

Without proper due diligence, there can be no expectation or assurance of security and resiliency in the cloud. CSA’s report The Notorious Nine: Cloud Computing Top Threats in 2013 provides an object lesson in this with its eighth highest rated threat, “Insufficient Due Diligence.” The report puts it plainly: “…too many enterprises jump into the cloud without understanding the full scope of the undertaking.”


How can companies with seemingly all the financial and personnel resources necessary to create and support world-class security organizations continually have corporate and customer data compromised? Moreover, why do these same companies continually point to their recently passed audit reports or positive industry attestations of compliance as proof that they were doing everything possible?


These are not easy questions to answer, unless you are one of the unfortunate CIOs, CTOs or CISOs who were fired for failing to “maintain command and control of their organization” and/or “failure to exercise appropriate due diligence.” These are actual reasons used in termination documents in several high-profile security breach cases. An unsettling fact is that most companies perform an insufficient level of due diligence within their own organizations, and they do even less on their cloud service providers.


Answer yes or no to the following CSA control checklist to verify that each one of these areas has been addressed, not only for your own organization’s cloud infrastructure but also for all of your critical cloud service providers:

(Check your score below)


Cloud Security Control                                              Yes or No
CCM DG-08: Data Governance - Risk Assessments                       ___
CCM IS-04: Information Security - Baseline Requirements             ___
CCM IS-12: Information Security - Industry Knowledge / Benchmarking ___
CCM OP-03: Operations Management - Capacity / Resource Planning     ___
CCM RI-01: Risk Management - Program                                ___
CCM RI-02: Risk Management - Assessments                            ___
CCM RS-01: Resiliency - Management Program                          ___
CCM RS-02: Resiliency - Impact Analysis                             ___
CCM RS-03: Resiliency - Business Continuity Planning                ___
CCM SA-03: Security Architecture - Data Security / Integrity        ___
CCM SA-04: Security Architecture - Application Security             ___
CCM SA-08: Security Architecture - Network Security                 ___
CCM SA-09: Security Architecture - Segmentation                     ___


If you scored 0 to 4, be ashamed, very ashamed. If you scored 5 to 9, keep one eye open at night. However, if you scored 10+, you are heading in the right direction, but do not let your guard down.


I would like to hear how your company scored; drop me a line. Alternatively, if you are interested in getting a second opinion on your organization’s cloud security due diligence, check out HP’s Cloud Protection Program and Consulting Services.

About the Author


Tari is a Distinguished Technologist with 30 years of IT and cyber security experience. He is dual board certified in information security/business continuity and is responsible for a wide range of management and technology consulting services encompassing information security, disaster recovery, privacy, and risk management. His problem-solving skills, knowledge of various technology platforms, compliance statutes and industries, as well as his experience in deploying defense-in-depth and InfoSec Program solution architectures, are commonly applied when advising CIOs/CISOs and leveraged in numerous HP client engagements throughout the world. Tari has designed, built, and managed some of the world’s largest InfoSec programs, allowing them to defend against even the most aggressive attackers.
