IIA2013 PPT Slides Deck

Upload: bhavesh-bhagat-cgeit-cism-lion

Post on 21-Aug-2015

TRANSCRIPT

Page 1: IIA2013 PPT SLIDES DECK

ConfidentGovernance.com - Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators

Auditing in the Subscription Economy – CAE Overview

Implementing the next generation best practices in Governance and Risk

Mr. Bhavesh Bhagat
Founder - EnCrisp – ConfidentGovernance.com

Founding Chair - CSADC

Page 2

“Clouds come floating into my life, no longer to carry rain or storm, but to add color to my sunset sky.”

– Rabindranath Tagore, Nobel Laureate in Literature (150-year anniversary)

Page 3

Agenda

• Understand Subscription Economy
• Cloud Computing concepts
• Risks and challenges
• “Democratizing Governance” use case
• Role of CAE and Internal Audit

Page 4

Ten-Year Computing Cycles: 10X more users with each cycle

• 2000s: Mobile Cloud Computing
• 1990s: Desktop Cloud Computing
• 1980s: Client/server Computing
• 1970s: Mini Computing
• 1960s: Mainframe Computing

Page 5

Social Networking Surpasses Email

[Chart: Global Users (MM), 11/06 to 11/10, 0 to 1,000; series: Social Networking Users, Email Users; the crossover is marked as the Inflection Point]

Facebook has reached its half-billion member mark, with an online population larger than the combined population of the U.S., Mexico, and France.

Page 6

Broad Change in Internet Usage

Top Internet Users

22% of Internet time is social.

Page 7

Next Generation Devices Changing How We Access the Internet

[Chart: Annual unit shipments (MM), 0 to 2000, for 2007 through 2014E]

Page 8

Cloud Computing: NIST Definition

• National Institute of Standards and Technology (NIST) Special Publication 800-145
  – Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
  – Rapidly provisioned and released with minimal management effort or service provider interaction
  – Composed of 5 essential characteristics, 3 service models, and 4 deployment models
  – Source: http://www.nist.gov/itl/csd/cloud-020111.cfm

Page 9

Cloud Computing

Five Essential Characteristics:

• On-demand self-service: Get it when you need it

• Measured service: Pay for what you use

• Rapid elasticity: Increase and decrease capacity quickly

• Broad network access: Access it from any Internet connection

• Resource pooling: Share fixed costs, which lowers individual costs

Page 10

Cloud Computing: Three Service Models

• Software as a Service (SaaS)
  – Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces
  – Examples: Salesforce.com, Drop Box, Box.net, Google Docs, WebEx

• Platform as a Service (PaaS)
  – Capability made available to tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by provider
  – Examples: Force.com, Microsoft Azure, Amazon Web Services

• Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)
  – Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s apps
  – Examples: Rackspace, Terremark (Verizon), Savvis, AT&T

Page 11

Cloud Computing: Four Deployment Models

(1) PRIVATE
  – Accessibility: Single Organization
  – Management: Organization or Third Party
  – Host: On or Off Premise

(2) COMMUNITY
  – Accessibility: Shared with Common Interests / Requirements
  – Management: Organization or Third Party
  – Host: On or Off Premise

(3) PUBLIC
  – Accessibility: General Public / Large Industry Group
  – Management: Cloud Provider
  – Host: On or Off Premise

(4) HYBRID

Page 12

Cloud Computing – Why cloud: Business Impact and Use Case Considerations

(Columns: Data | Infrastructure | Access Method)

• Virtualized Technology: Local Data | On or Off premises | Off premises; On or Off Premises
• Virtualized Processes and Data: Local Data plus BIG DATA (social media domain) | Shared local and Cloud | On or Off Premises
• Virtualized Organizations: On or Off Premise | On or Off Premise | BYOD
• Virtualized Business Models

Page 13

Cloud Computing: CAEs need to think from the CFO's perspective

• Faster Time to Results

• Better Working Capital cycle

• Reduced CAPEX

• Reduced CGS

• Reduced SG&A

• Environmental Sustainability as byproduct

Virtualized Business Models

Page 14

CAE’s guide to Cloud Use Cases (Source: CIO.com Annual CIO survey 2010-2011)

Plans to Use Cloud Services. Columns: (A) Currently using, actively researching, or planning to use in one to three years | (B) Planning to use in three to five years | (C) No plans to use

• Application platforms and development software: 68% | 2% | 30%
• Collaboration tools: 79% | 4% | 17%
• Enterprise application software: 63% | 3% | 34%
• Personal productivity software: 53% | 4% | 43%
• Utilities / management software: 66% | 2% | 32%
• Networks: 52% | 2% | 45%
• Storage: 63% | 7% | 30%
• Servers: 59% | 2% | 39%

Page 15

CAE decision enablers: Evaluating the Cloud Model

CAE Cloud Vendor Considerations
• Do they understand our business and needs?
• Can they provide support that we are used to?
• How does it fit with my existing architecture?
• Who else has adopted within my industry - relevant references?
• How do the new entrants in the enterprise IT market (Amazon, Google, etc.) view the enterprise market?
• What are the new Risk Domains?
• What are the Regulatory, Compliance and Risk mitigation guidelines?

How Does our Enterprise Benefit From Cloud Opportunity?
• How do we reduce complexity of my Business process and IT footprint by taking non-core computing to the cloud, transfer non-core applications to the cloud or outsource to the cloud?
• Can we improve the efficiency of my development organization through speedy access to computing resources?
• Can we make IT more responsive/nimble by using cloud computing architectures?
• Can we assist in reduced CAPEX spend in line with CFO needs?
• Can we get higher availability and recovery at lower price?

Page 16

New Opportunities - New Challenges / New Risk Mitigating Strategies

• Security - New ways of thinking about Security need to evolve for new issues. Cloud computing presents new security challenges:
  – Trusting vendor's security model
  – Customer inability to respond to audit findings
  – Obtaining support for investigations
  – Indirect administrator accountability
  – Proprietary implementations cannot be examined
  – Loss of physical control
  – Attraction to hackers (high value target)
• Privacy - Issues moving PII and sensitive data into the cloud
• Fear of mass outages - Fueled by high-profile outages of many popular cloud services (e.g., Gmail, Google Apps, Apple's Mobile Me, Amazon's S3)

Page 17

New Opportunities - New Challenges / New Risk Mitigating Strategies

• Cultural and organizational barriers - Organization must acquire new core capabilities; cloud skepticism
• Difficulty tracking and delivering against defined SLAs - Especially significant in the federal government, where a data breach could constitute a violation of the law
• International sovereignty / cooperation - Cloud computing could involve the movement of data between countries with differing laws regarding technology and property. Determining jurisdiction and facilitating cross-border cooperation on these matters may prove challenging.

Page 18

What is Different about Cloud?

Page 19

GRC-XML: What is it?

• Standard language for Risks and Controls definition/exchange
• One language for many areas:
  – Security risk
  – IT risk
  – Financial risk
  – Operational risk, etc.
• Visibility across silos
• Eliminate redundancy and duplication
• Facilitate effective continuous monitoring and audit of controls
• Extensible: Companies can add their own
  – Activities
  – Risks
  – Control Objectives
  – Control Activities, etc.

Page 20

GRC-XML: Illustrated Business Integration

[Diagram; labels recovered: GRC Applications & Systems (Enterprise GRC, Operational GRC, IT GRC, Cloud GRC, etc.) linked via GRC-XML to a Risk & Controls Repository (Risk models, Controls documentation, Organization / Process, Test Procedures, Test Results) and to Controls Testing & Monitoring (Automated Control Tests: Transactions, Configurations, User access; Manual Control Tests: Surveys, Sampling)]

Page 21

Cloud Governance

Practical approach with CSA and other third party tools

Page 22

Holistic Approach Around Controls . . .

[Diagram; labels recovered: Security Framework (ISO-27002), IT Audit Framework (COBIT), Legislative Framework (PCI, SOX, etc.), S-P-I Framework, Your Cloud Controls Matrix, Trusted Cloud Initiative]

Page 23

Suggested Approach to Use the CSA Cloud Audit Guideline (Trusted Cloud Initiative)

[Diagram; labels recovered:]

Assess the opportunity
• Capability mapping
• Strategy alignment
• Use Cases (OSA)

Roadmap

Reuse
• Reference Architecture
• CSA Controls Matrix
• CSA Questionnaire

Security Framework and Patterns
• Security Patterns
• Guidelines
• Vendor Certification
• Control Mapping
• Operational Checklists

Architecture domains shown: BOSS, ITOS, Presentation, SRM, Application, Information, Infrastructure

Page 24

How it Works (A Simplified View) . . .

[Diagram; labels recovered: Third Party Assurance Centre; Third party requesting access, Cloud provider and Internal hosting provider, each with a Maturity rating; Risk Appetite]

1. Business sets level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.
2. Level of risk management maturity is communicated to business partners (and possible partners).
3. Evidence of compliance may be uploaded to central repository that can be used by numerous customers.
4. Leverage existing expenditure and remove need for duplicate verification (note: May remove audit requirement altogether).

Page 25

Evaluate Key Control Domains

(Columns: Source | Domains | Maturity)

Domains:
• Governance - Subcontractor due diligence - Risk Management
• Human Resources
• Physical Security - Site security - Environmental Protection
• IT Services - Networks - Change Management - Service Management - Development, etc.
• Incident Management
• Business Continuity

Maturity: rated on a scale from 1 to 5

Sources: ISO 27001, NIST SP800-53, PCI, CSA Controls Matrix, COBIT, ENISA Cloud doc., ITIL, BS25999

Page 26

Mapping Example: Cloud Matrix / FedRAMP

Page 27

Cloud Audit Automation: Leveraging CSA CAIQ Example

CSA Cloud Audit modules bit.ly/ClearGRC

Page 28

CAMM & CAIQ Data Governance Risk

RISK: Inadequate Cloud Data Governance

Results: Benchmarking vendors based on CSA standards
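As an added example (not code from the deck or from EnCrisp's tooling), the flow of slides 24, 25 and 28 in Python: CAIQ-style yes/no/n-a answers are rolled up per control domain into a 1-5 maturity level, compared against the risk appetite the business set for a data classification, and vendors are benchmarked by their gaps. The vendor names, question ids, the risk-appetite table and the linear yes-share scoring are all constructed assumptions, not CAMM's or CSA's actual scoring.

```python
"""Benchmark cloud vendors from CAIQ-style answers against a risk appetite."""
from collections import defaultdict

# Constructed sample answers: (vendor, control domain, question id, answer).
# Question ids are illustrative placeholders, not real CAIQ numbering.
SAMPLE_ANSWERS = [
    ("VendorA", "Data Governance", "DG-Q1", "yes"),
    ("VendorA", "Data Governance", "DG-Q2", "yes"),
    ("VendorA", "Data Governance", "DG-Q3", "no"),
    ("VendorA", "Data Governance", "DG-Q4", "yes"),
    ("VendorA", "Incident Management", "IM-Q1", "yes"),
    ("VendorA", "Incident Management", "IM-Q2", "n/a"),
    ("VendorA", "Business Continuity", "BC-Q1", "no"),
    ("VendorA", "Business Continuity", "BC-Q2", "yes"),
    ("VendorB", "Data Governance", "DG-Q1", "yes"),
    ("VendorB", "Data Governance", "DG-Q2", "no"),
    ("VendorB", "Data Governance", "DG-Q3", "no"),
    ("VendorB", "Incident Management", "IM-Q1", "yes"),
    ("VendorB", "Incident Management", "IM-Q2", "yes"),
    ("VendorB", "Business Continuity", "BC-Q1", "yes"),
    ("VendorB", "Physical Security", "PS-Q1", "n/a"),
]
# Assumed risk appetite: minimum maturity level (1-5) per data classification.
RISK_APPETITE = {"public": 2, "internal": 3, "confidential": 4, "regulated": 5}

def domain_maturity(answers):
    """{vendor: {domain: level}}: assumed scoring maps the share of 'yes' among
    yes/no answers linearly onto 1-5; None marks a domain with no evidence."""
    tally = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [yes, scored]
    for vendor, domain, _qid, answer in answers:
        a = answer.strip().lower()
        if a not in ("yes", "no", "n/a"):
            raise ValueError(f"unexpected answer {answer!r} for {vendor}/{domain}")
        counts = tally[vendor][domain]  # records the domain even if every answer is n/a
        if a != "n/a":
            counts[1] += 1
            counts[0] += int(a == "yes")
    return {v: {d: 1 + int(4 * yes / scored) if scored else None
                for d, (yes, scored) in doms.items()}
            for v, doms in tally.items()}

def control_gaps(scores, classification):
    """Domains per vendor below the appetite for this data class, or unevidenced."""
    required = RISK_APPETITE[classification]
    return {v: sorted(d for d, lvl in doms.items() if lvl is None or lvl < required)
            for v, doms in scores.items()}

def rank_vendors(scores, classification):
    """Benchmark: fewest gaps first, then highest mean maturity over scored domains."""
    gaps = control_gaps(scores, classification)
    def key(vendor):
        lvls = [lvl for lvl in scores[vendor].values() if lvl is not None]
        return (len(gaps[vendor]), -sum(lvls) / len(lvls) if lvls else 0.0)
    return sorted(scores, key=key)
```

A domain answered only with n/a is deliberately reported as a gap rather than silently dropped, since the repository in step 3 would hold no evidence for it.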

Page 29

Aggregate CSA Analytic Dashboards

Page 30

CAE Leadership in Internal Auditor-assured Cloud Governance and Emerging Technologies adoption

Page 31

3 Things CAEs will need to understand

• Cloud Computing
• Big DATA
• Mobility

Page 32

Cloud Governance Internal Audit Leadership: Business Advisor

• Advise on benefits, risks, and mitigation techniques
• Create awareness
• Participate in cloud conversion activities
• Study and measure opportunities for increased efficiency and cost-savings

Page 33

Cloud Governance Internal Audit Leadership: Auditor

• Interact with cloud provider to understand operation of key controls and monitoring program
• Participate in SLA and contract development
• Review service organization reports and determine assurance needs
• Audit end-user control responsibilities (browser and device security, APIs, admin access)
• Monitor changes and update risk assessment

Page 34

Cloud Governance Internal Audit Leadership: User

• Collaboration - Email, Documents
• Application Development - Audit Document Repositories, Tools
• Mobility - Improve connections, monitoring
• Back-office - Transparent use for data storage

Page 35

About EnCrisp

EnCrisp is an INC 500 award winning global leader in providing “business driven” solutions enhancing trust, governance, and transparency since 2004.

EnCrisp is a “Governance and Compliance Niche” specialist, and its efforts result in strategic increases in trust, efficiency and compliance and less risk, without the complexities and overburdened capital costs, for leaders in IT, finance, business, quality, security and audit.

AWARDS – INC 500 2009; NVTC Hot Ticket Tech 2007, 2009, 2011 – Hottest Bootstrap Category

Page 36

Three Take-aways

• Define your AUDIT challenges
  – Technological as well as Process (do not ignore Process)
• Set realistic MANAGEMENT expectation
  – Start using technology first, then AUDIT
  – Expertise is not instantaneous
• Keep your eye on the BUSINESS goal
  – Mentorship programs
  – Work with SME and third party experts

Page 37

RESOURCES

• NIST - http://www.nist.gov/itl/csd/cloud-020111.cfm
• CSA - Cloudsecurityalliance.org
• GRCXchange Executive LinkedIN Group
• CIO.com
• http://Trust.Salesforce.com
• http://www.google.com/apps/intl/en-GB/trust/data_protection.html
• http://aws.amazon.com/security/

Page 38

Mr. Bhavesh Bhagat, 703.728.2493

[email protected]

EnCrisp President
Founding Chair - CSA Washington DC federal center
Chairman - GRCXchange Global Policy Thinktank

Thank You!

Hopefully you have found new appreciation for CLOUDY days!