ethics - The Institute of Internal Auditors South Africa
AUDITING THE THUNDERS IN THE CLOUD<br />
[Figure 4: bar chart of cloud challenges. Categories: Security concerns, Data privacy concerns, Compliance concerns, Reliability concerns, Legacy infrastructure investments, Other; horizontal axis 0% to 100%. Individual values are not recoverable from the extracted text.]<br />
tries, 10 large and small industries shows data privacy issues as the major concern in cloud computing adoption. The following are cloud challenges highlighted by EGIT – statistically depicted in Figure 4.<br />
Moving to the cloud means that the client cedes control of a number of security-critical areas, highlighted below, each of which affects security:<br />
• External penetration testing not permitted<br />
• Limited verification of available logs<br />
• Usually no forensics service offered<br />
• Not possible to inspect hardware<br />
• No information on the location/jurisdiction of data<br />
• Outsourcing or sub-contracting of services to third parties.<br />
CLOUD COMPUTING ASSURANCE AND ADVISORY:<br />
Providing assurance in the cloud requires an understanding of the Cloud Client (CC) business requirements, objectives and strategy, the CSP, the scope of cloud services provided, obtaining and evaluating third-party assurance reports such as Service Organisation Control (SOC) 1, 2 and 3 under the Statements of Standards for Attestation Engagements SSAE number 16, evaluating residual risk and determining whether an onsite visit to the CSP is required. A CSP onsite visit is governed by the Service Level Agreement (SLA) or the legal cloud agreement (LCA) – the cloud contract. Assurance should be aligned with the overall business strategy objectives and the enterprise’s risk management framework.<br />
28 | IA ADVISER September 2011<br />
The scope of assurance can include reference to:<br />
• Specific criteria, such as reliability, effectiveness, efficiency, availability and confidentiality;<br />
• Technical standards, guidance and practices, which include the Committee of Sponsoring Organisations of the Treadway Commission (COSO), BITS Shared Assessment, the International Organisation for Standardisation (ISO) and Control Objectives for Information and Related Technology (COBIT);<br />
• Professional working standards, guidelines and practices, such as:<br />
a) ISACA – Val IT, IT Audit Framework (ITAF), the Business Model for Information Security (BMIS), Risk IT;<br />
b) Payment Card Industry Data Security Standard (PCI DSS);<br />
c) US Federal Risk and Authorisation Management Programme (FedRAMP);<br />
d) The Cloud Security Alliance (CSA) Control Matrix;<br />
e) The American Institute of Certified Public Accountants (AICPA);<br />
f) NIST;<br />
g) Jericho Forum Self Assessment Scheme;<br />
h) Health Information Trust Alliance (HITRUST); and<br />
i) European Network and Information Security Agency (ENISA).<br />
Auditing in the cloud can be approached from either the CSP or the CC point of view. This article focuses on CC assurance.<br />
The cloud computing audit approach and scope include, but are not limited to, the following:<br />
1. EARLY INVOLVEMENT<br />
Assurance and advisory professionals (compliance, risk, security and auditors) should be involved early in the process to ensure that complete due diligence of the CSP, CSP capabilities and procurement procedures comply with company outsourcing