ethics - The Institute of Internal Auditors South Africa

More documents

Recommendations

Info

AUDITING THE THUNDERS IN THE CLOUD Figure.4 Security concerns Data privacy concerns Compliance concerns Reliability concerns Legacy infrastructure investments tries, 10 large and small industries shows data privacy issues as the major concern in cloud computing adoption. The following are cloud challenges highlighted by EGIT – statistically depicted in Figure.4. Moving to the cloud means that the client cedes on a number of security critical areas highlighted below aff ecting security: • External penetration testing not permitted • Limited verifi cation of logs available • Usually no forensics service off ered • Not possible to inspect hardware • No information on location/jurisdiction of data • Outsource or sub-contract services to third-parties. CLOUD COMPUTING ASSURANCE AND ADVISORY: Providing assurance in the cloud requires an understanding of the Cloud Client (CC) business requirements, objectives and strategy, the CSP, scope of cloud services provided, obtaining and evaluating third party assurance reports such as Service Organisation Control (SOC) 1, 2 and 3 under the Statements of Standards for Attestation Engagements SSAE 28 | IA ADVISER September 2011 Other 15.7% 25.2% 41.7% 34.6% 47.2% 49.6% 0% 20% 40% 60% 80% 100% number 16, evaluating residual risk and determining whether an onsite visit to the CSP is required. CSP onsite visit is governed by the Service Level Agreement (SLA) or the legal cloud agreement (LCA) – cloud contract. Assurance should be aligned with overall business strategy objectives and Enterprise’s risk management framework. The scope of assurance can include reference to: • Specifi c criteria, such as reliability, eff ectiveness, effi ciency, availability and confi dentiality, • Technical standards, guidance and practices which include the Committee of the Sponsoring Organisations of the Treadway Commission (COSO), BITS Shared Assessment, International Organisation for Standardisation (ISO) and Control Objectives for Information and Related Technology (COBIT), • Professional working standards, guidelines and practices, such as: a) ISACA – Val IT, IT Audit Framework (ITAF), the Business Model for Information Security (BMIS), Risk IT, b) Payment Card Industry Data Security Standard (PCI DSS), c) US Federal Risk and Authorisation Management Programme (FedRAMP), d) The Cloud Security Alliance (CSA) Control Matrix, e) The American Institute of Certifi ed Public Accountants (AICPA), f) NIST, g) Jericho Forum Self Assessment Scheme, h) Health Information Trust Alliance (HITRUST) and the i) European Network and Information Security Agency (ENISA). Auditing in the cloud can either be from the CSP or CC point of view. This article focuses on CC assurance. Cloud computing scope auditing approach and scope include but is not limited to the following: 1. EARLY INVOLVEMENT Assurance and advisory professionals (compliance, risk, security and auditors) should be involved early in the process to ensure that complete due-diligence of the CSP, CSP capabilities and procurement procedures comply with company outsourcing
equirements and regulatory requirements. Due diligence and review of CSP capabilities should include: Strategy Cloud transition and adoption should be treated as a strategic business decision. Assurance should ensure that the CSP align business strategy and goals with cloud delivery strategies and service provider governance and management is part of the cloud strategy. Governance and management of the cloud should include establishing cloud service management committee (CSMC) that are charged with ensuring continuous alignment of the cloud services with the business strategy, establishing policies, processes, procedures and structures, measuring cloud performance, benefi ts realization and vendor governance to ensure that the cloud sustain and extend business strategy and objectives. Service and Infrastructure robustness Ensure that infrastructure and service delivery provided by CSP has capacity to meet business requirements, objectives and strategy. Skills Ensure that CSP staffi ng is adequate to support dynamic business needs, maintain the technical environment and that personnel understand information security requirements and are capable of discharging their protection responsibilities. 2. GOVERNANCE OF CLOUD SERVICE LEVELS The governance of service levels is the backbone of eff ective cloud computing. The fi duciary responsibility of cloud services remain with the CC. According to the GEIT research some enterprises have put in place external service management committee (ESMC) for governance of external service levels SLAs to report on, oversee and co-ordinate third-party services to ensure compliance with corporate and regulatory requirements, prevent value leakage and mitigate outsourcing risks. The ESMC and the CSMCs in conjunction with business stakeholders should defi ne cloud service requirements for cloud in a in a cloud service catalogue (CSC). The services documented in the CSC should be used as the basis for selecting the CSP and formulating the SLAs and contracts. The SLAs should be clear, reviewed and ratifi ed by legal, signed off by all parties (CC and CSP representatives) and document key business functional and technical requirements. They should include termination, credit and penalty, right to audit and data privacy and security clauses and billing terms, defi ne business and technology related KGI's, KPI's and establish a continuous monitoring program to ensure expectations are consistently met. The ESMC and the CSMC need to continuously monitor service levels to ensure that cloud service delivery is aligned to meet changing business requirements, objectives and strategy. 3. RISK MANAGEMENT The decision to move to the cloud is a strategic decision and should be business driven. Management of risk in the cloud should consider technical and business risks. It should be governed by the principles of effective risk management namely: a. Maintaining business objectives focus b. Integrating IT (cloud) risk into Enterprise Risk Management (ERM) c. Balancing the costs and benefi ts of managing risk d. Promotion of fair and open risk communication e. Establishing ‘tone at the top’ and assigning personal accountabilities f. Promotion of continuous improvement as part of daily activities. AUDITING THE THUNDERS IN THE CLOUD Risks must be addressed from a purely business perspective and not from a pure IT view point. A thorough risk assessment should be completed before migrating services to the cloud and should be continuous throughout the cloud placement period. The following risks should be considered in the review of cloud risk: Information Assets Resources (data, infrastructure and applications) on the cloud should be categorised and classifi ed with appropriate parameters and rated based on their criticality/severity to the achievement of business goals and objectives. The categorisation and classifi - cation of outsourced resources will ensure appropriate risks response. Processes and Procedures The transition to cloud computing will result in changes to the way business operations are carried out. Day to day IT and business operations would require to be reengineered to suit the cloud arrangements. The transition should be used as an opportunity to restructure business processes procedures and IT service management to bring value. Business processes activities and fl ows should be revised to maximize benefi t from cloud services. The revised processes and procedures should be formalised (documented and signed off by senior executives) and should be continuously reviewed to ensure alignment with changing business goals and cloud services. Cost The true cost provided by the CSP should be continual to ensure maximization on total value, balance cost with functionality, resiliency, and business value and to provide assurance over accuracy of cloud usage metering and billing processes so that they are not overbilled. IA ADVISER September 2011 | 29
Page 1 and 2: SEPTEMBER 2011 I A ADVISER ETHICS-
Page 3 and 4: BOARD OF DIRECTORS e-mail: director
Page 5 and 6: Institute of Internal Auditors Sout
Page 7 and 8: BORDER KEI WELCOME TO NEW MEMBERS A
Page 9 and 10: Limpopo Provincial Treasury TT Muda
Page 11 and 12: IIA Membership Ask more than 170 00
Page 13 and 14: ��
Page 15 and 16: Internal audit professionals gather
Page 17 and 18: The Johannesburg Region hosted a br
Page 20 and 21: THE AUDITORS ARE BACK! During the a
Page 22 and 23: ETHICS- BUSINESS VS. PERSONAL VS. P
Page 24 and 25: In a complicated world, we can help
Page 26 and 27: AUDITING THE THUNDERS IN THE CLOUD
Page 30 and 31: AUDITING THE THUNDERS IN THE CLOUD
Page 32 and 33: WHY THE CURRENT FOCUS ON RISK? Rece
Page 34 and 35: ADVISER RISK SOUND BITES Solvency I
Page 36 and 37: QUALITY ASSURANCE OF THE INSTITUTE
Page 38 and 39: A keen focus on supply chAin mAnAge
Page 40: CCSA Anthony Brink Asma Ayob Daya E
Page 43 and 44: ADVISER IA ADVISER September 2011 |

ethics - The Institute of Internal Auditors South Africa

Create successful ePaper yourself

Delete template?

Save as template?