Refresher on cloud computing


Post on 21-Jul-2018







<p>Refresher on cloud computing</p>
<p>Cloud computing is a form of outsourcing in which the organization outsources data processing to computers owned by the vendor. Outsourcing may also include utilizing the vendor's computers to store, back up, and provide online access to the organization's data. The organization will need robust access to the internet if it wants its staff or users to have ready access to the data, or even to the applications that process the data. In the current environment, the data or applications are also available from mobile platforms (laptops with Wi-Fi or cell/mobile cards, smartphones, and tablets).</p>
<p>Risks for the audited entity</p>
<p>When an agency chooses to utilize cloud computing, it needs to be aware of the risks it may face with the service provider, the risk it faces if it is unable to effectively oversee the service provider, and other risks related to management and security weaknesses in the service provider's approach. As an auditor you will need to understand what the agency has done to mitigate the risks of cloud computing. When we as auditors are asked to appraise whether an entity or organization obtaining the benefits of cloud computing is managing the vendor to ensure that it gets the required services, we need to be aware of the risks it may face. In order to analyze whether the audited entity is both aware of and is managing or mitigating the common risks of cloud computing, the following matrix provides a way to look for certain documents and activities that will provide the data that the auditor can analyze.</p>
<p>A representative set of audit-related questions is provided here in this guide. The auditor may augment these with other questions as appropriate. For example, managing cloud computing also requires project management discipline similar to that applied when managing any other contractor. However, since cloud computing does not typically entail development of new capability, the management activities are more specifically about monitoring Service Level Agreement (SLA) requirements and taking action when the vendor is not performing to contractual requirements.</p>
<table>
<thead>
<tr><th>Audit Issues</th><th>Criteria (Basis of evaluation)</th><th>Information required<sup>1</sup></th><th>Analysis Method</th><th>Audit Conclusion<sup>2</sup></th></tr>
</thead>
<tbody>
<tr><td colspan="5"><p>Cloud Computing Policy (Ref: IT Governance Issues)</p><p>Audit Objective: To assess whether the organization has a policy on cloud computing or has given it some thought prior to engaging in the activity.</p></td></tr>
<tr>
<td><p>Does the organization have a policy on whether it will utilize cloud computing?</p><p>Is there an organizational policy that addresses the use of cloud computing? This may also be called a policy on outsourcing.</p><p>Who approved the policy?</p><p>Does the policy lay out which functions or services can be performed utilizing cloud computing and which ones should be retained on existing IT infrastructure?</p><p>How does the organization ensure that this policy is enforced?</p><p>Who approves the solicitation of cloud computing services?</p></td>
<td><p>Organizational policy on cloud computing or outsourcing.</p></td>
<td><p>Organizational IT policy, or other policy which addresses cloud computing.</p></td>
<td><p>Interviews and review of documents.</p></td>
<td><p>Whether the organization has considered cloud computing as an option and whether it has decided what can and cannot be implemented via the cloud.</p></td>
</tr>
<tr><td colspan="5"><p>CSP Selection (Ref: 1 Service Provider, 2 Technical, 5 Security Risks)</p><p>Audit Objective: To assess how the agency selected the CSP that is most qualified and able to meet its specific requirements.</p></td></tr>
<tr>
<td><p>How did you ensure that the Cloud Service Provider (CSP) is best qualified to meet your requirements?</p><p>What data do you have on the CSP's past experience?</p><p>Have you received a list of the CSP's current or past customers?</p><p>Have you discussed the CSP's performance with its customers or references?</p><p>How did you determine whether the CSP is able to meet your data security, integrity, protection, backup, privacy, and other critical requirements?</p></td>
<td><p>Continuity of all services must be ensured by the provision of adequate resources, supported by adequate proficiency.</p><p>CSP contract or SLA.</p><p>Agency data protection policy, IT governance.</p></td>
<td><p>Data on the CSP's past performance on other contracts for other customers (this may not always be available to the audited entity, but talk to the contracting officer, who should know the vendor's track record).</p><p>Agency document of requirements; visit the vendor and/or conduct an audit, look at vendor controls, etc.</p></td>
<td><p>Interview and document review.</p></td>
<td><p>Whether the organization has reviewed the CSP's past performance prior to selecting it as its vendor.</p></td>
</tr>
<tr><td colspan="5"><p>CSP Monitoring (Ref: 4 Management/Oversight Risks, 3 Overseas Risks)</p><p>Audit Objective: To assess whether the selected CSP is meeting the requirements of the agency.</p></td></tr>
<tr>
<td><p>What are you doing to ensure that the CSP is providing services that are responsive to your needs?</p><p>What are some key parameters that you have defined for the CSP vendor? Examples include uptime, mobile access interface, simultaneous users, data transfer rates, etc.</p><p>Have you defined how often they will be measured and reported?</p><p>Have you defined how they will be measured?</p><p>How often does your team meet to discuss the vendor's performance?</p><p>What actions have you taken when a performance deviation occurs?</p><p>What is your strategy if the CSP sub-contracts some of the work?</p><p>What is your strategy if the CSP is acquired by a different company during the performance period of your contract?</p><p>What is your strategy for contracting for services with an overseas vendor?</p><p>Are you aware of the laws and regulations that regulate the vendor in the foreign country?</p><p>What have you done to ensure that your data is secure and that you have ready access when your data is resident in an overseas location?</p></td>
<td><p>All work must be supervised to ensure full compliance with the SLA's requirements.</p><p>CSP contract or SLA.</p><p>IT policy, IT strategy.</p><p>Security policy, data integrity requirements.</p><p>IT risk management, data security and access requirements.</p></td>
<td><p>SLA with key parameters or indicators; monthly or other periodic reports from the CSP on the reportable parameters; review and action items or notices to the CSP on non-compliant issues.</p><p>Agency strategy or view on the use of subcontractors by the CSP (obtain by interviewing officials; this may or may not be documented).</p></td>
<td><p>Assess the adequacy of the SLA parameters.</p><p>Record of analysis of interviews, or documentation of the strategy in meeting minutes.</p></td>
<td><p>Whether the organization has specific requirements in the SLA for the cloud service.</p><p>Whether the organization is monitoring and taking action when SLA parameters are not being met.</p><p>Whether the agency has stipulated that the vendor not subcontract any of the services to another vendor without notifying the agency.</p><p>Whether the organization has considered the risks of contracting with an overseas vendor, or one who may choose to host and store data overseas.</p></td>
</tr>
<tr><td colspan="5"><p>Security (Ref: 5 Security Risks)</p><p>Audit Objective: To assess whether the agency is periodically monitoring the vendor to ensure that security requirements are being met.</p></td></tr>
<tr>
<td><p>What are your security requirements and how are you ensuring that the CSP is meeting them?</p><p>What security standards are you requiring that the CSP follow?</p><p>What portions of your data require encryption?</p><p>Who is responsible for this encryption?</p><p>Have you tested security controls at the CSP?</p><p>How often does the CSP report to you if there is a security issue with your data?</p><p>What actions have you taken when such items are reported?</p></td>
<td><p>Security requirements; CSP information security management policy and procedures.</p></td>
<td><p>Agency-adopted security standards.</p><p>Contract or SLA.</p><p>CSP audit reports.</p></td>
<td></td>
<td><p>Whether the agency has thought about security controls and standards and has required the CSP to follow the same.</p></td>
</tr>
<tr><td colspan="5"><p>Data Access (Ref: 2 Technical Risks)</p><p>Audit Objective: To assess whether the agency has plans in place for data access if there are issues with the vendor or connectivity.</p></td></tr>
<tr>
<td><p>What have you done to ensure that you do not lose access to your organizational data in a cloud computing environment?</p><p>How are you ensuring that your data and applications are portable if you switch CSP?</p><p>What are your plans for service continuity if you are unable to access the CSP's site for an extended period?</p><p>Have you tested your (or the CSP's, if they are responsible) backup and archive retrieval processes?</p><p>How often do you test the system's reliability and performance?</p><p>Do you have access to the data?</p><p>Where are the data backups located?</p><p>Do you have a non-disclosure agreement with your CSP to ensure your data and other information assets are suitably protected?</p></td>
<td><p>Use of cloud computing must satisfy the principles of reliability, integrity, and availability, as well as ensuring that the information is not deliberately disseminated.</p><p>Continuity of the cloud computing environment should be covered by a BCP / DRP.</p><p>Applicable laws and regulations on data protection, privacy, etc.</p><p>SLA or contract.</p></td>
<td><p>CSP reports on DRP testing, reports on periodic backups, and other reports or information on data backup or retention.</p></td>
<td><p>Review the contract or SLA. Look for what is stated about access to data and how readily it can be made available to be moved to a new location or vendor as appropriate.</p></td>
<td><p>Whether the agency is able to access its data if it switches contracts or is locked in to a single CSP for an extended time.</p></td>
</tr>
</tbody>
</table>
<p><sup>1</sup> If possible, the source of the information should be indicated.</p>
<p><sup>2</sup> Audit conclusions could lead to possible audit recommendations. For further guidance see Chapter ____ (Reporting).</p>
<p>Acronyms:</p>
<p>BCP/DRP Business Continuity Plan / Disaster Recovery Plan</p>
<p>CSP Cloud Service Provider</p>
<p>IaaS Infrastructure-as-a-Service</p>
<p>IT Information Technology</p>
<p>PaaS Platform-as-a-Service</p>
<p>SaaS Software-as-a-Service</p>
<p>SAI Supreme Audit Institution</p>
<p>SLA Service Level Agreement</p>