ethics - The Institute of Internal Auditors South Africa
AUDITING THE THUNDERS IN THE CLOUD

Business Continuity

The CC should clearly define its business continuity needs, evaluate the provider's capability to meet those requirements, and ensure that its data is not co-mingled with other customers' data in off-site storage or backup facilities. Requirements for future growth, and the ability of service providers to meet growth demands, should be fully considered. Business continuity and disaster recovery plans should be formalized, tested and coordinated with CSPs, and should address how events that can lead to incidents are identified and communicated and how incident response activities will be coordinated. A blackout plan should be in place for situations where problems arise that cannot be corrected and service disruption or degraded quality of service threatens the CC.
Legal and Regulatory Environment

Adopting the cloud may mean that the CC's data will reside in a different country. This is especially problematic for multinational companies operating in different cities, countries and continents, each of which has its own legal and regulatory requirements on data privacy and intellectual property. This means that the CC or the CSP has to comply with the requirements of both the jurisdiction from which
the data originates and the jurisdiction where the data is physically located. The challenge arises where these regulations contradict each other. Both the CC and the CSP should understand the legal landscape of every city, country and continent in which they operate; in most instances the non-compliance risk is substantial.
Exit/Termination Strategy

The CC should develop plans for ending service provider arrangements, in particular to address the recovery or deletion of sensitive data. The plan should cover data retrieval and retention in the event of cloud contract termination or migration to another CSP, and should be documented in the LCA.
Identity and Access Management (Logical Access)

Moving to the cloud increases the risk of data manipulation and unauthorised access. A proper inventory, categorisation and classification of the data sitting in the cloud, coupled with an effective Identity and Access Management (IAM) system, will ensure that access is granted on a need-to-do and least-privilege basis. The IAM system should also provide proper access monitoring and reporting capabilities under both normal and exceptional conditions.
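As an added illustration, not part of the article, the following Python script shows the kind of test an auditor could run over a CSP's exported entitlements and access logs to check the controls described above: it compares entitlements against a data inventory and an approved access matrix (need-to-do, least privilege), flags orphan accounts, and reviews access log lines for use of rights the user did not hold or for access to confidential data outside business hours (an exceptional condition worth reporting). All inventory, role, entitlement and log data is constructed for the example, and the log line format and function names are assumptions rather than any real CSP's export format.

```python
"""Illustrative IAM audit test (added example; all data below is constructed)."""
import re
from datetime import datetime, time

# Constructed data inventory: every data set hosted at the CSP, with its classification.
INVENTORY = {
    "customer_pii":   "confidential",
    "payroll":        "confidential",
    "product_prices": "internal",
    "marketing_site": "public",
}

# Constructed approved access matrix (the need-to-do basis): (role, data set) -> maximum level.
APPROVED = {
    ("hr_officer", "payroll"):        "write",
    ("hr_officer", "customer_pii"):   "read",
    ("marketing",  "marketing_site"): "write",
    ("marketing",  "product_prices"): "read",
    ("analyst",    "product_prices"): "read",
}

LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}
SEVERITY = {"high": 0, "medium": 1, "low": 2}


def audit_entitlements(inventory, approved, users, entitlements):
    """Compare the CSP's exported entitlements with the approved access matrix.

    users:        {user_id: role} from HR; a user absent here has no active owner.
    entitlements: [(user_id, data_set, level)] as exported from the CSP's IAM.
    Returns findings as (severity, user, data_set, issue) tuples, highest severity first.
    """
    findings = []
    for user, data_set, level in entitlements:
        role = users.get(user)
        if role is None:
            findings.append(("high", user, data_set, "orphan account: no active owner in HR"))
            continue
        if data_set not in inventory:
            findings.append(("medium", user, data_set, "data set missing from inventory"))
            continue
        allowed = approved.get((role, data_set), "none")
        if LEVELS[level] > LEVELS[allowed]:
            sev = "high" if inventory[data_set] == "confidential" else "medium"
            findings.append((sev, user, data_set,
                             f"{level} exceeds approved level '{allowed}' for role {role}"))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


# Assumed (constructed) access log line format.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) data_set=(?P<ds>\S+) action=(?P<act>\S+)$")


def review_access_log(log_lines, inventory, entitlements,
                      business_hours=(time(7, 0), time(19, 0))):
    """Monitoring side: flag actions the user held no entitlement for (high), and
    access to confidential data outside business hours (low, for follow-up)."""
    granted = {(u, d): LEVELS[l] for u, d, l in entitlements}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(("medium", "?", "?", f"unparseable log line: {line.strip()!r}"))
            continue
        user, ds, act = m["user"], m["ds"], m["act"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if LEVELS.get(act, 99) > granted.get((user, ds), 0):
            findings.append(("high", user, ds, f"{act} performed without a matching entitlement"))
        elif inventory.get(ds) == "confidential" and not (business_hours[0] <= ts.time() < business_hours[1]):
            findings.append(("low", user, ds, f"{act} on confidential data at {m['ts']} (outside business hours)"))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


# Constructed sample data: HR user list, IAM export and three log lines.
USERS = {"jdoe": "hr_officer", "asmith": "marketing", "bkhumalo": "analyst"}
ENTITLEMENTS = [
    ("jdoe", "payroll", "write"),           # approved
    ("jdoe", "customer_pii", "write"),      # exceeds the approved 'read' on confidential data
    ("asmith", "marketing_site", "write"),  # approved
    ("bkhumalo", "customer_pii", "read"),   # analyst has no need-to-do on PII
    ("tleaver", "payroll", "read"),         # leaver: no HR record, orphan account
]
LOG_LINES = [
    "2011-09-05T09:12:44Z user=jdoe data_set=payroll action=read",
    "2011-09-05T23:41:03Z user=jdoe data_set=customer_pii action=read",
    "2011-09-06T10:05:10Z user=asmith data_set=payroll action=read",
]

if __name__ == "__main__":
    for f in audit_entitlements(INVENTORY, APPROVED, USERS, ENTITLEMENTS):
        print("ENTITLEMENT", *f)
    for f in review_access_log(LOG_LINES, INVENTORY, ENTITLEMENTS):
        print("LOG", *f)
```

The two functions deliberately use different evidence: the entitlement review tests the design of access (what the IAM system would permit), while the log review tests its operation (what actually happened), so a finding in the second that has no counterpart in the first points at an IAM export that does not reflect reality.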
Skills

Moving to the cloud requires a paradigm shift in business governance and in the management of IT. Senior management should ensure that internal staff are engaged in cloud service acquisition and management, have the skills and expertise to support the CC's business cloud needs, and can coordinate activities with cloud providers.
CONCLUSION

The level and type of auditing is driven by the cloud service model (SaaS, IaaS or PaaS), the cloud deployment model (public, private, community or hybrid), the CSP (size, service maturity, etc.), the CC (business requirements, objectives and strategy) and the contractual agreements governing the cloud engagement. Assurance professionals can draw on the various standards, guidance and practices available, but a one-size-fits-all application of them is not recommended. Standards, guidance and practices should be adapted and adopted in a way that enables the CC to achieve its strategic objectives, namely value creation, resource optimisation and risk optimisation.
Tichaona Zororo CISA, CISM, CGEIT, Portfolio Manager IT Audit: Standard Bank Group and Founder of Enterprise Governance IT (EGIT)