ethics - The Institute of Internal Auditors South Africa

AUDITING THE THUNDERS IN THE CLOUD
Business Continuity
The CC should clearly defi ne business continuity
needs, evaluate provider capabilities
to meet the requirements and ensure that
data is not co-mingled in off site storage or
back up facility. Requirements for future
growth and the ability of service providers
to meet growth demands should be fully
considered. Business continuity and disaster
recovery plans should be formalized,
tested and coordinated with CSPs to address
how events that can lead to incidents
can be identifi ed and communicated and
how incident response activities will be coordinated.
A Blackout Plan to address situations
where problems arise that cannot be
corrected and service disruptions or quality
of service is threatened should be in place.
Legal and Regulatory Environment
Adopting the cloud may mean that data of
the CC will reside in a diff erent country. This
is problematic especially for multinational
companies operating in diff erent cities,
countries and continents. Diff erent cities,
countries and continents have diff erent
legal and regulatory requirements pertaining
to data privacy and intellectual property.
These means that CC or the CSP has
to comply with both the country for which
Cloud Security Alliance Security (2009) Guidance for Critical Areas of
Focus in Cloud Computing V2.1
Cloud Computing: Business Benefi ts With Security, Governance and
Assurance Perspectives (2009), www.isaca.org
Carl Cadregari & Alfnzo Cutaia, Every Silver Cloud Has a Dark Lining: A
Primer on Cloud Computing, Regulatory and Data Security Risk (2011),
ISACA Jounal.
Liam Lynch Chief Security Strategist. eBay Marketplaces, Integration with
legacy systems in the cloud 2011 ISACA Webinar Program
www.itnewsafrica.com, T Systems Cloud Computing in South Africa
February 2011
www.isaca.org, Cloud Computing: Business Benefi ts With Security
Governance and Assurance Perspectives. 2009
www.isaca.org, IT Control Objectives for Cloud Computing: Controls and
Assurance in the Cloud. 2011
30 | IA ADVISER September 2011
the data is hosting and where the data is located.
The challenge arises in cases where
the regulations are contradictory. Both the
CC and the CSP should understand the legal
landscape of the diff erent cities, countries
and continents of operation. In most
instances non-compliance risk is huge.
Exit /Termination Strategy
The CC should develop plans for ending
service provider service arrangements in
particular to address sensitive data recovery
or deletion. The plan should include data
retrieval and retention in the event of cloud
contract terminations or moving to another
CSP. This should be documented in the LCA.
Identity Access Management (Logical
access)
Moving to a cloud increases the risk of data
manipulation and unauthorised access. A
proper inventory, categorization and classifi
cation of the data sitting on the cloud
coupled with an eff ective Identity Access
Management system will ensure that access
is based on a need-to-do and least
privilege basis. The IAM should ensure that
proper access monitoring and reporting
capabilities are available under normal and
exceptional conditions.
REFERENCE
Skills
Placement of a cloud will require a paradigm
shift in the business governance and
management of IT. Senior Management
should ensure that internal staff is engaged
in cloud service acquisition and management,
has the skill and expertise to support
the CC business cloud needs and to coordinate
activities with cloud providers.
CONCLUSION
The level and type of auditing is driven by
the type of the cloud service model (SaaS,
IaaS or PaaS), cloud deployment model
(public, private, community or hybrid), CSP
(size, service maturity etc), CC (business requirements,
objectives and strategy) and
contractual agreements governing the
cloud engagement. Assurance professionals
can use the various standards, guidance
and practices available. One size fi ts all in
the use of the standards, guidance and
practices is not recommended. The standards,
guidance and practices should be
adapted and adopted in a way that enables
the CC to achieve its strategic objectives
namely value creation, resource and risk
optimisation.
www.isaca.org, Cloud Computing Benefi ts and Risks Detailed in New
ISACA Guidance. 29 October 2009
Shackleford_CloudModelSec_2011_Cloud delivery models and security
Dr. Giles Hogben, Perspectives on Cloud Security in the European
Landscape, April 2011,
Defence Information Systems Agency, A Support Agency, Mr. Henry J
Sienkiewicz. April 2009
GSA, February 2010, Cloud Computing Initiative Vision and Strategy
Document.
The Future of Cloud computing, Expert Group Report, Opportunities for
European Cloud Computing Beyond 2010.
Primer, Shedding Light on Cloud Computing, Gregor Petri, October 2010
http://www.techcentral.co.za/inside-standard-banks-giant-datacentre/19705/
www.economist.com
Tichaona Zororo CISA, CISM, CGEIT, Portfolio Manager IT Audit: Standard Bank Group and Founder of Enterprise Governance IT (EGIT)