
Auditing Cloud Computing: Adapting to Changes in Data Management

Auditing Cloud Computing: Adapting to Changes in Data Management. IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott (AEP), and Charles Saunders (Franklin University). Overview of Presentation.


Presentation Transcript


  1. Auditing Cloud Computing: Adapting to Changes in Data Management. IIA and ISACA Joint Meeting, March 12, 2013. Presented by: Jay Hoffman (AEP), John Didlott (AEP), and Charles Saunders (Franklin University)

  2. Overview of Presentation • Charles: Do internal audit fundamentals apply to cloud computing? • Jay: How does cloud computing make it into my audit universe? • John: How do you execute and sustain the audit plan?

  3. Do internal audit fundamentals apply to cloud computing? • In a word, YES! • Cloud computing is a significant strategic decision. • Cloud computing has significant financial impact. • Cloud computing has significant risk implications. • Cloud computing has significant control considerations. • Cloud computing requires significant management involvement, oversight, and governance.

  4. COSO Definition of Internal Control • A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations.

  5. COSO Definition of Enterprise Risk Management • Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

  6. Ten Principles of Cloud Computing Risk. Source: Vohradsky, D. (2012). Cloud risk—10 principles and a framework for assessment. ISACA Journal, 5, 31-41. • Executives must have oversight over the cloud. • Management must own the risks in the cloud. • All necessary staff must have knowledge of the cloud. • Management must know who is using the cloud. • Management must authorize what is put in the cloud. • Mature IT processes must be followed in the cloud. • Management must buy or build management and security in the cloud. • Management must ensure cloud use is compliant. • Management must monitor risk in the cloud. • Best practices must be followed in the cloud.

  7. Risk Implications and Responses. Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2012. • Unauthorized cloud activity  Cloud policies and controls • Lack of transparency  Assessments of cloud service provider (CSP) control environment • Security, compliance, data leakage, data jurisdiction  Data classification policies and processes • Transparency and relinquishing direct control  Management oversight, operations monitoring controls • Reliability, performance, high-value cyber-attack target  Preventative measures; incident management • Non-compliance with regulations  Monitoring of the external environment • Vendor lock-in  Preparation of an exit strategy • Non-compliance with disclosure requirements  New disclosures in financial reporting • All risks  ERM; Internal Audit; Board oversight; management awareness and involvement

  8. Selected Sources of Information about Cloud Computing Risks and Controls • COSO • IIA • ISACA (e.g., COBIT 5, other publications and guidance) • IEEE (Institute of Electrical and Electronics Engineers) • ENISA (European Network and Information Security Agency) • OWASP (Open Web Application Security Project) • CSA (Cloud Security Alliance) • NIST (National Institute of Standards and Technology) • ISO 27001 • ISO/IEC 9126 • AICPA

  9. Audit Plan Development Process. Inputs to the AUDIT UNIVERSE: • External Influences: News/Events; Deloitte Input; Regulatory Compliance Rules & Laws • Internal Influences: AEP Strategy; Enterprise Risk; Management Interviews; Prior Audits • Professional Influences: Trade/EEI; Institute of Internal Auditors; Audit Directors Roundtable; Etc. Flow: Audit Universe  Risk-Based Prioritization  Audit Strategy  Preliminary Audit Plan

  10. Auditing Cloud Computing. John Didlott, March 2013

  11. Agenda • Cloud Audit Drivers • Audit Planning • Scope and Objectives • Risk Assessment • Engagement Risks • Risk Factors • Mitigating Risk • Risks not Specific to the Cloud • Security Benefits • Cloud Audit Program Resources • Questions?

  12. Our Audit and Why • Data Ownership • Third-party relationship • Cyber Security

  13. Audit Planning • Preparing for the audit • What do you really have in the “Cloud”? • What types of clouds are utilized within your organization? • Where do you start?

  14. Objectives and Scope • Objectives • Data Security • Control Deficiencies • Service Provider Reliability/System Availability • Scope • Governance • Contractual Compliance • Control Issues specific to Cloud Computing

  15. Risk Assessment • What is involved in creating the Risk Assessment for a cloud environment? • What are the risk factors that apply to cloud computing?

  16. Engagement Risks • Risks based on Management's Objectives • Security, Cost and System Availability • Efficiency/Effectiveness of operations • Access to data • System Failure • Reliability of information • Data Security and Availability

  17. Risk Factors • The Audit Clause • How important is the audit clause? • Before you can look at the risk, you need to answer the following question: • What do the cloud contracts allow me to do?

  18. Risk Factors Cont… • Governance and Compliance • A cloud solution moves control over governance and compliance to the cloud provider • Conflicting Security Procedures of Provider • The security procedures at both the provider’s and customer’s end • Abuse of Privilege at Provider’s End • How is access granted at the cloud provider?

  19. Risk Factors Cont… • Data Security • What are the data protection risks I am facing? • Ineffective deletion of data • When I delete data, is the data actually being deleted? • Lock In/Service portability • Data formats and interfaces could make it difficult to port data

  20. Risk Factors Cont… • Multi-tenancy environment • If your data contains information that needs to be protected, do you want the data stored in a public (shared) cloud? • Lack of Compliance Assurance • Does your provider meet industry standards and security requirements? • Lack of Transparency in Supply Chain • What are the services the third party is providing?

  21. Risk Factors Cont… • Resource Limitations • Inaccurate modeling and planning • Remote Access Vulnerabilities • How can your data be accessed? • Business Continuity (BC) Planning and Disaster Recovery (DR) • What does your cloud provider have in place?

  22. Strategies for Mitigating Risk • Get involved at the beginning • Start before a contract is signed • Use encryption in the cloud • Prevention of disclosure • Develop a stronger auditing approach around the provider’s facilities and logs • Ensure that access to facilities and logs is available

  23. Strategies for Mitigating Risk Cont… • Leverage Expertise • Determine how data is handled at the provider’s end • Security Certificates • Do they conform to industry standards? • Data Breaches • What actions can you take to protect yourself monetarily?

  24. Risks not specific to the Cloud • Network Breaks • How would this affect your business? • Network Management • Can affect Company reputation • Customer Trust

  25. Risks not specific to the Cloud Cont… • Unauthorized access to facilities • What could happen if an unauthorized access occurred? • Natural Disasters • Can affect Company reputation • Along with Customer Trust

  26. Security Benefits • Security and the benefits of scale • Cheaper when implemented on a larger scale • Security as a market differentiator • Reputation of Provider • Standardized interfaces for managed security services • Open interface to managed security

  27. Security Benefits Cont… • Rapid, smart scaling of resources • Reallocation of resources • Audit and evidence-gathering • Dedicated forensic images of virtual machines • More timely, effective and efficient updates and defaults • More efficient around updates

  28. Cloud Audit Program Resources • ISACA – Cloud Computing Management Audit/Assurance Program: http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Pages/ICQs-and-Audit-Programs.aspx • Cloud Federal Privacy Recommendations: http://www.privacylives.com/wp-content/uploads/2010/08/Privacy-Recommendations-Cloud-Computing-8-19-2010.pdf • CSA Cloud Security Guidance: http://www.cloudsecurityalliance.org/csaguide.pdf • NIST Cloud Presentations: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html • GSA Cloud Guidance: http://www.gao.gov/new.items/d10855t.pdf

  29. Questions?
