Post on 21-Jul-2018

212 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • 1

Refresher on cloud computing

Cloud computing is a form of outsourcing where the organization outsources data processing to computers owned by the vendor. Outsourcing may also include utilizing the vendor's computers to store, back up, and provide online access to the organization's data. The organization will need robust access to the internet if they want their staff or users to have ready access to the data, or even to the applications that process the data. In the current environment, the data or applications are also available from mobile platforms (laptops with Wi-Fi or cell/mobile cards, smart phones, and tablets).

Risks for the audited entity

When an agency chooses to utilize cloud computing, they need to be aware of the risks they may face with the service provider, the risks they face if they are unable to effectively oversee the service provider, and other risks related to management and security weaknesses in the service provider's approach. As an auditor you will need to understand what the agency has done to mitigate the risks of cloud computing. When we as auditors are asked to appraise whether an entity or organization getting the benefits of cloud computing is managing the vendor to ensure that they get the required services, we need to be aware of the risks that they may face. In order to analyze whether the audited entity is both aware of and is managing or mitigating the common risks of cloud computing, the following matrix provides a way to look for certain documents and activities that will provide the data the auditor can analyze.

A representative set of audit-related questions is provided here in this guide. The auditor may augment these with other questions as appropriate. For example, managing cloud computing also requires project management discipline similar to that required when managing any other contractor. However, since cloud computing does not typically entail development of new capability, the management activities are more specific to monitoring Service Level Agreement (SLA) requirements and taking action when the vendor is not performing to contractual requirements.

Audit matrix

Columns: Audit Issues | Criteria (Basis of evaluation) | Information required (1) | Analysis Method | Audit Conclusion (2)

Cloud Computing Policy (Ref: IT Governance Issues)

Audit Objective: To assess whether the organization has a policy on cloud computing or has given it some thought prior to engaging in the activity.

Audit Issues:
- Does the organization have a policy on whether they will utilize cloud computing?
- Is there an organizational policy that addresses the use of cloud computing? This may also be called a policy on outsourcing.
- Who approved the policy?
- Does the policy lay out which functions or services can be performed utilizing cloud computing and which ones should be retained via existing IT infrastructure?
- How does the organization ensure that this policy is enforced?
- Who approves the solicitation of cloud computing services?

Criteria (Basis of evaluation): Organizational policy on cloud computing or outsourcing.

Information required: Organizational IT Policy or other policy which addresses cloud computing.

Analysis Method: Interviews and review of documents.

Audit Conclusion: Whether the organization has considered cloud computing as an option and whether they have decided what can and cannot be implemented via the cloud.

CSP Selection (Ref: 1 Service Provider, 2 Technical, 5 Security Risks)

Audit Objective: To assess how the agency selected the CSP who is most qualified and is able to meet their specific requirements.

Audit Issues:
- How did you ensure that the Cloud Service Provider (CSP) is best qualified to meet your requirements?
- What data do you have on the CSP's past experience?
- Have you received a list of the CSP's current or past customers?
- Have you discussed the CSP's performance with their customers or references?
- How did you determine whether the CSP is able to meet your data security, integrity, protection, backup, privacy, and other critical requirements?

Criteria (Basis of evaluation): Continuity of all services must be ensured by the provision of adequate resources, supported by adequate proficiency. CSP contract or SLA. Agency Data Protection Policy, IT governance.

Information required: Data on the CSP's past performance on other contracts for other customers (this may not always be available to the audited entity, but talk to the contracting officer, who should know the vendor's track record). Agency document of requirements; visit vendor and/or conduct audit, look at vendor controls, etc.

Analysis Method: Interview and document review.

Audit Conclusion: Whether the organization has reviewed the CSP's past performance prior to selecting them as their vendor.

CSP Monitoring (Ref: 4 Management/Oversight Risks, 3 Overseas Risks)

Audit Objective: To assess that the selected CSP is meeting the requirements of the agency.

Audit Issues:
- What are you doing to ensure that the CSP is providing services that are responsive to your needs?
- What are some key parameters that you have defined for the CSP vendor? Examples include uptime, mobile access interface, simultaneous users, data transfer rates, etc.
- Have you defined how often they will be measured and reported?
- Have you defined how they will be measured?
- How often does your team meet to discuss the vendor's performance?
- What actions have you taken when a performance deviation occurs?
- What is your strategy if the CSP sub-contracts some of the work?
- What is your strategy if the CSP is acquired by a different company during the performance period of your contract?
- What is your strategy for contracting for services to an overseas vendor?
- Are you aware of the laws and regulations that regulate the vendor in the foreign country?
- What have you done to ensure that your data is secure and that you have ready access when your data is resident in an overseas location?

Criteria (Basis of evaluation): All work must be supervised to ensure full compliance with the SLA's requirements. CSP contract or SLA. IT Policy, IT Strategy. Security Policy, data integrity requirements. IT Risk management, data security and access requirements.

Information required: SLA with key parameters or indicators; monthly or other periodic reports from the CSP on the reportable parameters; review and action items or notices to the CSP on non-compliant issues. Agency strategy or view on use of subcontractors by the CSP (obtain by interviewing officials; this may or may not be documented).

Analysis Method: Assess the adequacy of SLA parameters. Record of analysis of interviews, or documentation of strategy in meeting minutes.

Audit Conclusion: Whether the organization has specific requirements in the SLA for the cloud service. Whether the organization is monitoring and taking action when SLA parameters are not being met. Whether the agency has stipulated that the vendor not subcontract any of the services to another vendor without notifying the agency. Whether the organization has considered the risks of contracting with an overseas vendor or one who may choose to host and store data overseas.

Security (Ref: 5 Security Risks)

Audit Objective: To assess whether the agency is periodically monitoring the vendor to ensure that security requirements are being met.

Audit Issues:
- What are your security requirements and how are you ensuring that the CSP is meeting them?
- What security standards are you requiring that the CSP follow?
- What portions of your data require encryption?
- Who is responsible for this encryption?
- Have you tested security controls at the CSP?
- How often does the CSP report to you if there is a security issue with your data?
- What actions have you taken when such items are reported?

Criteria (Basis of evaluation): Security requirements; CSP information security management policy and procedures.

Information required: Agency-adopted security standards. Contract or SLA. CSP audit reports.

Audit Conclusion: Whether t

(1) If possible, the source of information should be indicated.
(2) Audit conclusions could lead to possible audit recommendations. For further guidance see Chapter ____ (Reporting).
