Post on 21-Jul-2018

Refresher on cloud computing

Cloud computing is a form of outsourcing where the organization outsources data processing to computers owned by the vendor. Outsourcing may also include utilizing the vendor's computers to store, back up, and provide online access to the organization's data. The organization will need to have robust access to the internet if they want their staff or users to have ready access to the data, or even to the applications that process the data. In the current environment, the data or applications are also available from mobile platforms (laptops with Wi-Fi or cell/mobile cards, smart phones, and tablets).

Risks for the audited entity

When an agency chooses to utilize cloud computing, they need to be aware of the risks that they may face with the service provider, the risk they face if they are unable to effectively oversee the service provider, and other risks related to management and security weaknesses in the service provider's approach. As an auditor you will need to understand what the agency has done to mitigate the risks of cloud computing. When we as auditors are asked to appraise whether an entity or organization getting the benefits of cloud computing is managing the vendor to ensure that they get the required services, we need to be aware of the risks that they may face. In order to analyze whether the audited entity is both aware of and is managing or mitigating the common risks of cloud computing, the following matrix provides a way to look for certain documents and activities that will provide the data that the auditor can analyze.

A representative set of audit-related questions is provided here in this guide. The auditor may augment these with other questions as appropriate. For example, managing cloud computing also requires project management discipline similar to that needed when managing any other contractor. However, since cloud computing does not typically entail development of new capability, the management activities are more specific to monitoring Service Level Agreement (SLA) requirements and taking action when the vendor is not performing to contractual requirements.

Audit matrix columns: Audit Issues | Criteria (Basis of […]) | […] required ¹ | Conclusion ²

¹ If possible the source of info should be indicated.
² Audit conclusions could lead to possible audit recommendations. For further guidance see Chapter ____ (Reporting).

Cloud Computing Policy (Ref: IT Governance Issues)

Audit Objective: To assess whether the organization has a policy on cloud computing or has given it some thought prior to engaging in the activity.

Audit Issues:
- Does the organization have a policy on whether they will utilize cloud computing?
- Is there an organizational policy that addresses the use of cloud computing? This may also be called a policy on outsourcing.
- Who approved the policy?
- Does the policy lay out which functions or services can be performed utilizing cloud computing and which ones should be retained via existing IT […]
- How does the organization ensure that this policy is enforced?
- Who approves the solicitation of cloud computing services?

Criteria: […] policy on cloud computing, or Organizational IT Policy or other which addresses cloud computing.

[…] required: […] and review […]

Conclusion: Whether the organization has […] cloud computing as an option and whether they have decided what can and cannot be implemented via the cloud.

CSP Selection (Ref: 1 Service Provider, 2 Technical, 5 Security Risks)

Audit Objective: To assess how the agency selected the CSP who is most qualified and is able to meet their specific requirements.

Audit Issues:
- How did you ensure that the Cloud Service Provider (CSP) is best qualified to meet your […]
- What data do you have on the Cloud Service Provider's (CSP) past experience?
- Have you received a list of the CSP's current or past customers?
- Have you discussed the CSP's performance with their customers or references?
- How did you determine whether the CSP is able to meet your data security, integrity, protection, backup, privacy, and other critical […]

Criteria: Continuity of all services must be ensured by the provision of […] resources and supported by […]

[…] required: CSP contract or […] Agency Data Protection Policy, IT governance. Data on the CSP's past performance on other contracts for other customers (this may not always be available to the audited entity, but talk to the contracting officer, who should know the vendor's track record). Agency document of requirements; visit vendor and/or conduct audit; look at vendor controls; […]

Conclusion: Whether the organization has reviewed the CSP's past […] prior to selecting them as their vendor.

CSP Monitoring (Ref: 4 Management/Oversight Risks, 3 Overseas Risks)

Audit Objective: To assess that the selected CSP is meeting the requirements of the agency.

Audit Issues:
- What are you doing to ensure that the CSP is providing services that are responsive to your […]
- What are some key parameters that you have defined for the CSP vendor? Examples include uptime, mobile access interface, simultaneous users, data transfer rates, etc.
- Have you defined how often they will be measured and reported?
- Have you defined how they will be measured?
- How often does your team meet to discuss the vendor's […]
- What actions have you taken when a performance deviation […]
- What is your strategy if the CSP sub-contracts some of the work?
- What is your strategy if the CSP is acquired by a different company during the performance period of your contract?
- What is your strategy for contracting for services to an overseas vendor?
- Are you aware of the laws and regulations that regulate the vendor in the foreign country?
- What have you done to ensure that your data is secure and that you have ready access when your data is resident in an overseas […]

Criteria: All work must be supervised to ensure full compliance with the SLAs […] IT Policy, IT […] Security Policy, data integrity […] IT Risk […]

[…] required: CSP contract or […] SLA with key parameters or indicators; monthly or other periodic reports from the CSP on the […]; review and action items or notices to the CSP on non-compliant issues. Agency strategy or view on use of […] Data security and […] subcontractors by the CSP (get by […] officials; this may or may not be […]). Record of analysis of interview or […]on of strategy in […]

Conclusion: Assess the adequacy of […] Whether the organization has […] requirements in the SLA for the cloud service. Whether the organization is monitoring and taking action when SLA parameters are not being met. Whether the agency has stipulated that the vendor not subcontract any of the services to another vendor without notifying the […] Whether the organization has considered the risks of contracting with an overseas vendor or one who may choose to host and store data […]

Security (Ref: 5 Security Risks)

Audit Objective: To assess whether the agency is periodically monitoring the vendor to ensure that security requirements are being met.

Audit Issues:
- What are your security requirements and how are you ensuring that the CSP is meeting […]
- What security standards are you requiring that the CSP follow?
- What portions of your data require encryption?
- Who is responsible for this […]
- Have you tested security controls at the CSP?
- How often does the CSP report to you if there is a security issue with your data?
- What actions have you taken when such items are reported?

Criteria: […] requirements, CSP Information […] policy and […] Agency adopted security standards.

[…] required: Contract or SLA. CSP audit reports.

Conclusion: Whether t[…]