© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
July 2015
Based on the risk score, we use an assessment categorization matrix that rates the confidentiality of information against the
business criticality of that information. Using a mechanism and a series of questions that determine business criticality and data
classification, we're able to come up with a number for each application and see where it would fall on the matrix. For example,
restricted data with high business criticality will require the highest degree of assessment, while data that is public with low- to midlevel business criticality will require less rigor during the assessment process.
We are currently refining assessment categories to improve efficiency and save time and resources. The aim is to focus resources
on very high data classifications and business-critical items, where the risk of exposure is higher than for low data classifications with
little business criticality. "We're always trying to streamline, make it repeatable, and make it simple," says Hankoff.
Some of the areas we cover include architectural alignment, financial viability (scores help us determine if we are exceeding
thresholds or potential vulnerability), resiliency, and compliance. See Figure 1.
Figure 1.
Why
Balancing Speed and Efficiency with Managing Risk
Understanding how employees use cloud services and applications enables the business to reduce risk and exposure. The nature
of using cloud services is dynamic. It's dynamic because it's user-centric and user needs vary. Over the course of a month, the
services being consumed change and new services are constantly being launched. Cisco realized the importance of an automated
software capability that monitors cloud services from popular social media sites to specific business applications (such as
Salesforce, human resource applications, and customer relationship management) that are being consumed from the cloud.
"Once you find out what you're consuming, you can start to look at it as any other asset in which you are investing time, money,
and human resources," explains Dimicco. "It's your own traffic that is compelling. It is unique to your company, and that helps your
company figure out where it's vulnerable and where the risk to exposure is."
Remaining Compliant
Data sovereignty laws and regulations differ from country to country. In the United States, for example, storing company data on a
third-party cloud service can lessen a company's full property rights to that data. Having a strong legal presence during the process
of getting terms and conditions finalized in contractual agreements with cloud service providers is critical to the company. One of
the most challenging aspects of cloud services is determining what the business risk is for an organization when critical documents
or software code no longer reside on its premises but reside in a storage provider's cloud. It is vital for a company to understand
the risk that its data is exposed to and how to mitigate that risk through controls, policies, behaviors, and ongoing analysis.
"Now, more than ever, it's important to make sure you're in compliance," says Dimicco. "The key is to do the things you need so
that your employees still have the access they require, while effectively balancing cost and risk."
• Discover what cloud service providers you are using to reduce costs, consolidate vendors, and migrate from high-risk vendors.
• Establish a cloud governance and risk classification process to help focus resources on very high data classifications and business-critical items where the risk of exposure is high.
• Define cloud use policies to reduce risk. Risk can be mitigated with data policies and employee training and behaviors. For example, when Cisco realized employees were using cloud services to store data, we enacted a company-wide policy that the preferred company storage is Box.com and encouraged employees to adopt this service. Users are not prevented from using other services; however, we use Box.com because we have integrated the service into Cisco, and Box.com has reduced the business risk of Cisco employees and contractors using the service.
Note
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to
the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.