Auditing Cloud Computing: Adapting to Changes in Data Management
IIA and ISACA Joint Meeting, March 12, 2013
Presented by: Jay Hoffman (AEP), John Didlott (AEP), and Charles Saunders (Franklin University)
Overview of Presentation
• Charles: Do internal audit fundamentals apply to cloud computing?
• Jay: How does cloud computing make it into my audit universe?
• John: How do you execute and sustain the audit plan?
Do internal audit fundamentals apply to cloud computing?
• In a word, YES!
• Cloud computing is a significant strategic decision.
• Cloud computing has significant financial impact.
• Cloud computing has significant risk implications.
• Cloud computing has significant control considerations.
• Cloud computing requires significant management involvement, oversight, and governance.
COSO Definition of Internal Control
• A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
COSO Definition of Enterprise Risk Management • Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Ten Principles of Cloud Computing Risk
Source: Vohradsky, D. (2012). Cloud risk—10 principles and a framework for assessment. ISACA Journal, 5, 31-41.
• Executives must have oversight over the cloud.
• Management must own the risks in the cloud.
• All necessary staff must have knowledge of the cloud.
• Management must know who is using the cloud.
• Management must authorize what is put in the cloud.
• Mature IT processes must be followed in the cloud.
• Management must buy or build management and security in the cloud.
• Management must ensure cloud use is compliant.
• Management must monitor risk in the cloud.
• Best practices must be followed in the cloud.
Risk Implications and Responses
Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2012.
Each item pairs a risk with the corresponding response:
• Unauthorized cloud activity: cloud policies and controls
• Lack of transparency: assessments of the cloud service provider (CSP) control environment
• Security, compliance, data leakage, data jurisdiction: data classification policies and processes
• Transparency and relinquishing direct control: management oversight, operations monitoring controls
• Reliability, performance, high-value cyber-attack target: preventative measures; incident management
• Non-compliance with regulations: monitoring of the external environment
• Vendor lock-in: preparation of an exit strategy
• Non-compliance with disclosure requirements: new disclosures in financial reporting
• All risks: ERM; Internal Audit; Board oversight; management awareness and involvement
Selected Sources of Information about Cloud Computing Risks and Controls
• COSO
• IIA
• ISACA (e.g., COBIT 5, other publications and guidance)
• IEEE (Institute of Electrical and Electronics Engineers)
• ENISA (European Network and Information Security Agency)
• OWASP (Open Web Application Security Project)
• CSA (Cloud Security Alliance)
• NIST (National Institute of Standards and Technology)
• ISO 27001
• ISO/IEC 9126
• AICPA
Audit Plan Development Process
• External Influences: News/Events; Deloitte Input; Regulatory Compliance Rules & Laws
• Internal Influences: AEP Strategy; Enterprise Risk; Management Interviews; Prior Audits
• Professional Influences: Trade/EEI; Institute of Internal Auditors; Audit Directors Roundtable; Etc.
These influences feed the Audit Universe; Risk-Based Prioritization of that universe yields the Audit Strategy and the Preliminary Audit Plan.
Auditing Cloud Computing
John Didlott, March 2013
Agenda
• Cloud Audit Drivers
• Audit Planning
• Scope and Objectives
• Risk Assessment
• Engagement Risks
• Risk Factors
• Mitigating Risk
• Risks not Specific to the Cloud
• Security Benefits
• Cloud Audit Program Resources
• Questions?
Our Audit and Why
• Data Ownership
• Third-party relationship
• Cyber Security
Audit Planning
• Preparing for the audit
• What do you really have in the “Cloud”?
• What types of clouds are utilized within your organization?
• Where do you start?
Objectives and Scope
• Objectives
  • Data Security
  • Control Deficiencies
  • Service Provider Reliability/System Availability
• Scope
  • Governance
  • Contractual Compliance
  • Control Issues specific to Cloud Computing
Risk Assessment
• What is involved in creating the Risk Assessment for a cloud environment?
• What are the risk factors that apply to cloud computing?
Engagement Risks
• Risks based on Management’s Objectives
  • Security, Cost and System Availability
  • Efficiency/Effectiveness of operations
  • Access to data
  • System Failure
  • Reliability of information
  • Data Security and Availability
Risk Factors
• The Audit Clause
  • How important is the audit clause?
  • Before you can look at the risk, you need to answer the following question: What do the cloud contracts allow me to do?
Risk Factors Cont…
• Governance and Compliance
  • A cloud solution moves control over governance and compliance to the cloud provider
• Conflicting Security Procedures of Provider
  • The security procedures at both the provider’s and the customer’s end
• Abuse of Privilege at Provider’s End
  • How is access granted at the cloud provider?
Risk Factors Cont…
• Data Security
  • What are the data protection risks I am facing?
• Ineffective deletion of data
  • When I delete data, is the data actually being deleted?
• Lock-In/Service portability
  • Data formats and interfaces could make data portability difficult
Risk Factors Cont…
• Multi-tenancy environment
  • If your data contains information that needs to be protected, do you want the data stored in a public (shared) cloud?
• Lack of Compliance Assurance
  • Does your provider meet industry standards and security requirements?
• Lack of Transparency in Supply Chain
  • What are the services the third party is providing?
Risk Factors Cont…
• Resource Limitations
  • Inaccurate modeling and planning
• Remote Access Vulnerabilities
  • How can your data be accessed?
• Business Continuity (BC) Planning and Disaster Recovery (DR)
  • What does your cloud provider have in place?
Strategies for Mitigating Risk
• Get involved at the beginning
  • Start before a contract is signed
• Use encryption in the cloud
  • Prevention of disclosure
• Develop a stronger auditing approach around the provider’s facilities and logs
  • Ensure that access to facilities and logs is available
Strategies for Mitigating Risk Cont…
• Leverage Expertise
  • Determine how data is handled at the provider’s end
• Security Certificates
  • Do they conform to industry standards?
• Data Breaches
  • What actions can you take to protect yourself monetarily?
Risks not specific to the Cloud
• Network Breaks
  • How would this affect your business?
• Network Management
  • Can affect Company reputation
  • Customer Trust
Risks not specific to the Cloud Cont…
• Unauthorized access to facilities
  • What could happen if an unauthorized access occurred?
• Natural Disasters
  • Can affect Company reputation
  • Along with Customer Trust
Security Benefits
• Security and the benefits of scale
  • Cheaper when implemented on a larger scale
• Security as a market differentiator
  • Reputation of Provider
• Standardized interfaces for managed security services
  • Open interface to managed security
Security Benefits Cont…
• Rapid, smart scaling of resources
  • Reallocation of resources
• Audit and evidence-gathering
  • Dedicated forensic images of virtual machines
• More timely, effective and efficient updates and defaults
  • More efficient around updates
Cloud Audit Program Resources
• ISACA – Cloud Computing Management Audit/Assurance Program: http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Pages/ICQs-and-Audit-Programs.aspx
• Cloud Federal Privacy Recommendations: http://www.privacylives.com/wp-content/uploads/2010/08/Privacy-Recommendations-Cloud-Computing-8-19-2010.pdf
• CSA Cloud Security Guidance: http://www.cloudsecurityalliance.org/csaguide.pdf
• NIST Cloud Presentations: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
• GSA Cloud Guidance: http://www.gao.gov/new.items/d10855t.pdf