Post on 21-Jul-2018
Refresher on cloud computing
Cloud computing is a form of outsourcing in which the organization outsources data processing to computers owned by the vendor. Outsourcing may also include using the vendor's computers to store, back up, and provide online access to the organization's data. The organization needs robust access to the internet if it wants its staff or users to have ready access to the data, or even to the applications that process the data. In the current environment, the data or applications are also available from mobile platforms (laptops with Wi-Fi or cell/mobile cards, smartphones, and tablets).
Risks for the audited entity
When an agency chooses to utilize cloud computing, it needs to be aware of the risks it may face with the service provider, the risk it faces if it is unable to effectively oversee the service provider, and other risks related to management and security weaknesses in the service provider's approach. As an auditor you will need to understand what the agency has done to mitigate the risks of cloud computing. When we as auditors are asked to appraise whether an entity or organization receiving the benefits of cloud computing is managing the vendor to ensure that it gets the required services, we need to be aware of the risks it may face. To analyze whether the audited entity is both aware of and managing or mitigating the common risks of cloud computing, the following matrix provides a way to look for certain documents and activities that will provide the data that the auditor
A representative set of audit-related questions is provided here in this guide. The auditor may augment these with other questions as appropriate. For example, managing cloud computing also requires project management discipline similar to that applied when managing any other contractor. However, since cloud computing does not typically entail development of new capability, the management activities are more specific to monitoring Service Level Agreement (SLA) requirements and taking action when the vendor is not performing to contractual requirements.
Footnotes to the matrix:
1 If possible, the source of information should be indicated.
2 Audit conclusions could lead to possible audit recommendations. For further guidance see Chapter ____ (Reporting).
Matrix column headings: Audit Issues; Criteria (Basis of
Cloud Computing Policy (Ref: IT Governance Issues)
Audit Objective: To assess whether the organization has a policy on cloud computing or has given it some thought prior to engaging in the activity.
Audit issues:
- Does the organization have a policy on whether they will utilize cloud computing?
- Is there an organizational policy that addresses the use of cloud computing? This may also be called a policy on outsourcing.
- Who approved the policy?
- Does the policy lay out which functions or services can be performed utilizing cloud computing and which ones should be retained via existing IT
- How does the organization ensure that this policy is enforced?
- Who approves the solicitation of cloud computing services?
Criteria / information required:
- policy on cloud
- Policy or other
- as an option and
- what can and
CSP Selection (Ref: 1 Service Provider, 2 Technical, 5 Security Risks)
Audit Objective: To assess how the agency selected the CSP that is most qualified and is able to meet their
Audit issues:
- How did you ensure that the Cloud Service Provider (CSP) is best qualified to meet your
- What data do you have on the Cloud Service Providers (CSP)
- Have you received a list of the CSP's current or past customers?
- Have you discussed the CSP's performance with their customers
- How did you determine whether the CSP is able to meet your data security, integrity, protection, backup, privacy, and other critical
Criteria / information required:
- The continuity of all services must be ensured by the CSP contract or
- Data on the CSP on other contracts for other customers (this may not always be available to the audited entity, but talk to the officer who should know the vendors
- Visit the vendor and/or conduct an audit; look at vendor controls,
- as their vendor.
CSP Monitoring (Ref: 4 Management/Oversight Risks, 3 Overseas Risks)
Audit Objective: To assess whether the selected CSP is meeting the requirements of the agency.
Audit issues:
- What are you doing to ensure that the CSP is providing services that are responsive to your
- What are some key parameters that you have defined for the CSP vendor? Examples include up time, mobile access interface, simultaneous users, and data transfer rates.
- Have you defined how often they will be measured and reported?
- Have you defined how they will
- How often does your team meet to discuss the vendor's
- What actions have you taken when performance deviations
- What is your strategy if the CSP sub-contracts some of the work?
Criteria / information required:
- All works must be
- CSP contract or SLA with key
- or other periodic reports from the CSP on the
- Review and action items or notices to the CSP on non-
- Agency strategy or view on use of
- the SLA for the
- not being met.
Overseas risks:
- What is your strategy if the CSP is acquired by a different company during the performance period of
- What is your strategy for contracting for services to an
- Are you aware of the laws and regulations that regulate the vendor in the foreign country?
- What have you done to ensure that your data is secure and that you have ready access when your data is resident in an overseas
Criteria / information required:
- IT Policy, IT
- Data security and
- the CSP, (get by
- officials, this may or may not be
- the vendor not
- of the services
- vendor or one who may choose to host and
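The SLA parameters the monitoring questions ask about (up time, simultaneous users, data transfer rates, measured and reported periodically, with action taken on deviations), as an added example that is not part of this audit guide: a small check that reads a constructed monthly CSP report and lists every parameter that fell short of assumed contract thresholds, which is the kind of deviation record an auditor would expect to see in the agency's review and action items.

```python
from dataclasses import dataclass

# Assumed SLA thresholds from the agency's contract (constructed values,
# not from the audit guide): minimums the CSP must meet each month.
SLA_TARGETS = {
    "uptime_pct": 99.9,        # monthly availability, percent
    "transfer_mbps": 100.0,    # lowest acceptable measured data transfer rate
    "concurrent_users": 500,   # simultaneous users the service must sustain
}

@dataclass
class Outage:
    """One service interruption taken from the CSP's monthly report."""
    start_minute: int       # minutes since the start of the month
    duration_minutes: int

def monthly_uptime_pct(outages, days_in_month):
    """Availability = (minutes in month - outage minutes) / minutes in month."""
    total = days_in_month * 24 * 60
    down = sum(o.duration_minutes for o in outages)
    return 100.0 * (total - down) / total

def check_sla(report, targets=SLA_TARGETS):
    """Compare one monthly CSP report with the SLA targets.

    Returns a list of (parameter, measured, target) tuples for every
    parameter that fell short; an empty list means the SLA was met.
    """
    measured = {
        "uptime_pct": monthly_uptime_pct(report["outages"], report["days"]),
        # the worst sample is what matters for a minimum-rate commitment
        "transfer_mbps": min(report["transfer_mbps_samples"]),
        "concurrent_users": report["peak_concurrent_users"],
    }
    deviations = []
    for param, target in targets.items():
        value = measured[param]
        if value < target:
            deviations.append((param, round(value, 3), target))
    return deviations

# Constructed sample report for a 30-day month: two outages totalling 50
# minutes (the 99.9% target allows 43.2), and one slow transfer sample.
SAMPLE_REPORT = {
    "days": 30,
    "outages": [Outage(1440, 30), Outage(20000, 20)],
    "transfer_mbps_samples": [120.0, 95.5, 130.0],
    "peak_concurrent_users": 620,
}

if __name__ == "__main__":
    for param, measured, target in check_sla(SAMPLE_REPORT):
        print(f"SLA deviation: {param} measured {measured}, target {target}")
```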
Security (Ref: 5 Security Risks)
Audit Objective: To assess whether the agency is periodically monitoring the vendor to ensure that security requirements are being met.
Audit issues:
- What are your security requirements and how are you ensuring that the CSP is meeting
- What security standards are you requiring that the CSP follow?
- What portions of your data
- Who is responsible for this
- Have you tested security controls at the CSP?
- How often does the CSP report to you if there is a security issue with your data?
- What actions have you taken when such items are reported?
Criteria / information required:
- Contract or SLA
- CSP audit reports.