Source: intosaiitaudit.org/WGITA22nd/22thWGITAMeeting/Papers/5b. Cloud...

Refresher on cloud computing

Cloud computing is a form of outsourcing where the organization outsources data processing to computers owned by the vendor. Outsourcing may also include utilizing the vendor's computers to store, back up, and provide online access to the organization's data. The organization will need to have robust access to the internet if they want their staff or users to have ready access to the data, or even to the applications that process the data. In the current environment, the data or applications are also available from mobile platforms (laptops with Wi-Fi or cell/mobile cards, smart phones, and tablets).

Risks for the audited entity

When an agency chooses to utilize cloud computing, they need to be aware of the risks they may face with the service provider, the risk they face if they are unable to effectively oversee the service provider, and other risks related to management and security weaknesses in the service provider's approach. As an auditor you will need to understand what the agency has done to mitigate the risks of cloud computing. When we as auditors are asked to appraise whether an entity or organization getting the benefits of cloud computing is managing the vendor to ensure that they get the required services, we need to be aware of the risks that they may face. In order to analyze whether the audited entity is both aware of and is managing or mitigating the common risks of cloud computing, the following matrix provides a way to look for certain documents and activities that will provide the data that the auditor can analyze.

A representative set of audit-related questions is provided here in this guide. The auditor may augment these with other questions as appropriate. For example, managing cloud computing also requires project management discipline similar to that required when managing any other contractor. However, since cloud computing does not typically entail development of new capability, the management activities are more specific to monitoring Service Level Agreement (SLA) requirements and taking action when the vendor is not performing to contractual requirements.

Audit matrix

Each audit issue below is laid out under the matrix columns: Audit Issues; Criteria (Basis of evaluation); Information required (1); Analysis Method; Audit Conclusion (2).

Notes:
(1) If possible, the source of information should be indicated.
(2) Audit conclusions could lead to possible audit recommendations. For further guidance see Chapter ____ (Reporting).

Cloud Computing Policy (Ref: IT Governance Issues)

Audit Objective: To assess whether the organization has a policy on cloud computing or has given it some thought prior to engaging in the activity.

Audit Issues:
  Does the organization have a policy on whether they will utilize cloud computing?
  Is there an organizational policy that addresses the use of cloud computing? This may also be called a policy on outsourcing.
  Who approved the policy?
  Does the policy lay out which functions or services can be performed utilizing cloud computing and which ones should be retained via existing IT infrastructure?
  How does the organization ensure that this policy is enforced?
  Who approves the solicitation of cloud computing services?

Criteria (Basis of evaluation):
  Organizational policy on cloud computing or outsourcing.

Information required:
  Organizational IT Policy or other document which addresses cloud computing.

Analysis Method:
  Interviews and review of documents.

Audit Conclusion:
  Whether the organization has considered cloud computing as an option and whether they have decided what can and cannot be implemented via the cloud.

CSP Selection (Ref: 1 Service Provider, 2 Technical, 5 Security Risks)

Audit Objective: To assess how the agency selected the CSP who is most qualified and is able to meet their specific requirements.

Audit Issues:
  How did you ensure that the Cloud Service Provider (CSP) is best qualified to meet your requirements?
  What data do you have on the CSP's past experience?
  Have you received a list of the CSP's current or past customers?
  Have you discussed the CSP's performance with their customers or references?
  How did you determine whether the CSP is able to meet your data security, integrity, protection, backup, privacy, and other critical requirements?

Criteria (Basis of evaluation):
  Continuity of all services must be ensured by the provision of adequate resources and supported by adequate proficiency.
  CSP contract or SLA.
  Agency Data Protection Policy, IT governance.

Information required:
  Data on the CSP's past performance on other contracts for other customers (this may not always be available to the audited entity, but talk to the contracting officer, who should know the vendor's track record).
  Agency document of requirements; visit the vendor and/or conduct an audit, look at vendor controls, etc.

Analysis Method:
  Interview and document review.

Audit Conclusion:
  Whether the organization has reviewed the CSP's past performance prior to selecting them as their vendor.

CSP Monitoring (Ref: 4 Management/Oversight Risks, 3 Overseas Risks)

Audit Objective: To assess that the selected CSP is meeting the requirements of the agency.

Audit Issues:
  What are you doing to ensure that the CSP is providing services that are responsive to your needs?
  What are some key parameters that you have defined for the CSP vendor? Examples include up time, mobile access interface, simultaneous users, data transfer rates, etc.
  Have you defined how often they will be measured and reported?
  Have you defined how they will be measured?
  How often does your team meet to discuss the vendor's performance?
  What actions have you taken when a performance deviation occurs?
  What is your strategy if the CSP sub-contracts some of the work?
  What is your strategy if the CSP is acquired by a different company during the performance period of your contract?
  What is your strategy for contracting for services to an overseas vendor?
  Are you aware of the laws and regulations that regulate the vendor in the foreign country?
  What have you done to ensure that your data is secure and that you have ready access when your data is resident in an overseas location?

Criteria (Basis of evaluation):
  All work must be supervised to ensure full compliance with the SLA's requirements.
  CSP contract or SLA.
  IT Policy, IT Strategy.
  Security Policy, data integrity requirements.
  IT Risk management, data security and access requirements.

Information required:
  SLA with key parameters or indicators; monthly or other periodic reports from the CSP on the reportable parameters; review and action items or notices to the CSP on non-compliant issues.
  Agency strategy or view on the use of subcontractors by the CSP (obtain by interviewing officials; this may or may not be documented).

Analysis Method:
  Assess the adequacy of the SLA parameters.
  Record of analysis of interviews, or documentation of strategy in meeting minutes.

Audit Conclusion:
  Whether the organization has specific requirements in the SLA for the cloud service.
  Whether the organization is monitoring and taking action when SLA parameters are not being met.
  Whether the agency has stipulated that the vendor not subcontract any of the services to another vendor without notifying the agency.
  Whether the organization has considered the risks of contracting with an overseas vendor or one who may choose to host and store data overseas.
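The CSP Monitoring section asks whether the agency has defined SLA parameters (up time, simultaneous users, data transfer rates), how often they are measured and reported, and what action is taken when a deviation occurs. The script below is an added example, not part of the INTOSAI guide: it parses constructed monthly CSP reports, checks each reported figure against constructed SLA thresholds, treats a parameter the SLA requires but the CSP did not report as a finding in its own right, and produces one notice line per deviation for the agency's action-item log. The column names, thresholds and figures are all assumptions made for the illustration.

```python
"""Check a CSP's periodic performance reports against SLA parameters.

Added example (not part of the INTOSAI guide): the SLA thresholds, the
report format and every figure below are constructed for illustration.
"""
from dataclasses import dataclass
import csv
import io

# Constructed SLA thresholds. Parameter names follow the guide's examples of
# key parameters (up time, simultaneous users, data transfer rate) plus an
# assumed incident-response time. "min": measured value must be at least the
# threshold; "max": measured value must be at most the threshold.
SLA = {
    "uptime_pct": ("min", 99.9),
    "concurrent_users": ("min", 500),
    "transfer_mbps": ("min", 100.0),
    "incident_response_hours": ("max", 4.0),
}

# Constructed monthly reports in the CSV layout the CSP is assumed to deliver.
REPORTS_CSV = """\
period,uptime_pct,concurrent_users,transfer_mbps,incident_response_hours
2023-01,99.95,620,140.0,2.5
2023-02,99.80,610,135.0,3.0
2023-03,99.92,480,95.0,6.0
"""


@dataclass
class Deviation:
    period: str
    parameter: str
    measured: float      # NaN when the CSP did not report the parameter
    threshold: float
    rule: str            # "min", "max", or "missing"


def parse_reports(text):
    """Turn the CSP's CSV report into one dict per period with numeric values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v if k == "period" else float(v)) for k, v in row.items()})
    return rows


def check_sla(reports, sla=SLA):
    """Return every SLA deviation found in the reports, in report order."""
    deviations = []
    for r in reports:
        for param, (rule, threshold) in sla.items():
            if param not in r:
                # A required parameter that is not reported cannot be monitored:
                # record it so the agency can demand it from the CSP.
                deviations.append(Deviation(r["period"], param, float("nan"), threshold, "missing"))
                continue
            measured = r[param]
            breached = measured < threshold if rule == "min" else measured > threshold
            if breached:
                deviations.append(Deviation(r["period"], param, measured, threshold, rule))
    return deviations


def uptime_from_downtime(downtime_minutes, days_in_period):
    """Convert downtime reported in minutes into an uptime percentage,
    so a report that only states outage minutes can still be checked."""
    total_minutes = days_in_period * 24 * 60
    return 100.0 * (total_minutes - downtime_minutes) / total_minutes


def notices(deviations):
    """One non-compliance notice line per deviation for the action-item log."""
    return [
        f"{d.period}: {d.parameter} {d.rule} {d.threshold} breached (measured {d.measured})"
        for d in deviations
    ]


if __name__ == "__main__":
    for line in notices(check_sla(parse_reports(REPORTS_CSV))):
        print(line)
```

The auditor's evidence here is not the script but what it points at: the SLA that names the parameters, the CSP reports that carry the measurements, and the notices that show the agency acted on each breach. A month with no notice despite a breach, or a parameter the CSP never reports, is exactly the gap the audit conclusion asks about.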

Security (Ref: 5 Security Risks)

Audit Objective: To assess whether the agency is periodically monitoring the vendor to ensure that security requirements are being met.

Audit Issues:
  What are your security requirements and how are you ensuring that the CSP is meeting them?
  What security standards are you requiring that the CSP follow?
  What portions of your data require encryption?
  Who is responsible for this encryption?
  Have you tested security controls at the CSP?
  How often does the CSP report to you if there is a security issue with your data?
  What actions have you taken when such items are reported?

Criteria (Basis of evaluation):
  Security requirements; CSP information security management policy and procedures.

Information required:
  Agency-adopted security standards.
  Contract or SLA.
  CSP audit reports.

Analysis Method:
  (not specified in the matrix)

Audit Conclusion:
  Whether the agency has thought about security controls and standards and has required the CSP to follow the same.

Data Access (Ref: 2 Technical Risks)

Audit Objective: To assess whether the agency has plans in place for data access if there are issues with the vendor or connectivity.

Audit Issues:
  What have you done to ensure that you do not lose access to your organizational data in a cloud computing environment?
  How are you ensuring that your data and applications are portable if you switch CSP?
  What are your plans for service continuity if you are unable to access the CSP's site for an extended period?
  Have you tested your (or the CSP's, if they are responsible) backup and archive retrieval processes?
  How often do you test the system's reliability and performance?
  Do you have access to the data?
  Where are the data backups located?
  Do you have a non-disclosure agreement with your CSP to ensure your data and other information assets are suitably protected?

Criteria (Basis of evaluation):
  Use of cloud computing must satisfy the principles of reliability, integrity, and availability, as well as ensuring that the information is not disseminated deliberately.
  Continuity of the cloud computing environment should be covered by a BCP / DRP.
  Applicable laws and regulations on data protection, privacy, etc.

Information required:
  SLA or contract.
  CSP reports on DRP testing, reports on periodic backup, and other reports or information on data backup or retention.

Analysis Method:
  Review the contract or SLA. Look for what is stated about access to data and how readily it can be made available to be moved to a new location or vendor as appropriate.

Audit Conclusion:
  Whether the agency is able to access their data if they switch contracts or are locked in to a single CSP for an extended time.
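The Data Access section asks whether the agency has tested its (or the CSP's) backup and archive retrieval processes. A retrieval test is only evidence if it shows the restored data matches what was backed up, so the script below is an added example, not part of the INTOSAI guide, of the check a practitioner would run: record a SHA-256 manifest of the files at backup time, then compare the restored tree against it and report files that are missing, modified, or unexpectedly present. The directory layout and file contents are constructed in a temporary directory so the example runs offline; the restore scenario (one file truncated, one file lost) is likewise an assumption made for the illustration.

```python
"""Verify that a backup restore returns exactly the data that was backed up.

Added example (not from the INTOSAI guide): the directory layout and file
contents are constructed in a temporary directory for illustration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256.
    Record this at backup time and keep it outside the CSP's control."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))          # backed up, not restored
    extra = sorted(set(restored) - set(manifest))            # restored, never backed up
    modified = sorted(                                       # restored with different content
        p for p in manifest.keys() & restored.keys() if manifest[p] != restored[p]
    )
    return {
        "ok": not (missing or extra or modified),
        "missing": missing,
        "extra": extra,
        "modified": modified,
    }


def run_demo() -> dict:
    """Constructed scenario: a restore that silently lost one file and
    truncated another. Returns the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "original"
        restored = Path(tmp) / "restored"
        (original / "records").mkdir(parents=True)
        (original / "records" / "cases.csv").write_bytes(b"id,status\n1,open\n")
        (original / "records" / "ledger.db").write_bytes(b"\x00" * 1024)
        (original / "README.txt").write_bytes(b"constructed sample data\n")

        manifest = build_manifest(original)                  # taken at backup time
        shutil.copytree(original, restored)                  # stands in for the CSP's restore
        (restored / "records" / "ledger.db").write_bytes(b"\x00" * 1000)  # truncated on restore
        (restored / "README.txt").unlink()                   # lost on restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = run_demo()
    print("restore verified" if result["ok"] else f"restore FAILED: {result}")
```

For the audit, the manifest and the verification output dated to the test run are the documentation that a retrieval test actually took place and what it found; a test log that only says "restore completed" does not show that the data came back intact.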

Acronyms:

BCP/DRP  Business Continuity Plan / Disaster Recovery Plan
CSP      Cloud Service Provider
IaaS     Infrastructure-as-a-Service
IT       Information Technology
PaaS     Platform-as-a-Service
SaaS     Software-as-a-Service
SAI      Supreme Audit Institution
SLA      Service Level Agreement