VT PowerPoint Template - Information Technology Services

Auditing Cloud Services
Brian Daniels, CISA, GCFA
David Crotts, CISA
April 8, 2015
Overview
• Introduction to cloud services in a decentralized environment
• Audit perspective of cloud service risks
• Conducting the audit
• Outcomes
• Questions or comments
INTRODUCTION
Why Utilize Cloud Services?
Who Uses Cloud Services?
How Can You Identify Cloud Service Implementations?
What is Virginia Tech’s Cloud Service Environment Like?
Why Use Cloud Services
• Collaboration
• Need for excess storage
• Lack of resources to manage internally
• Cost effective
Who Uses Cloud Services
• Researchers
• IT Professionals
• Administrators
• Students
• Alumni
• EVERYONE!
How to Identify Cloud Services
• Request info from Central IT
• Request info from Departments
• Query technology related expenditures
  • Account Codes
  • MCC (Merchant Category Code)
• Unlikely to identify all
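As an added example (not from the presentation), a Python query over a constructed purchase ledger that pulls candidate vendors by MCC and account code and flags any purchase above the $2,000 review threshold. The ledger rows, the MCC values and the account-code watch list are placeholders, not real VT codes or data.

```python
import sqlite3

# Constructed sample ledger (not real VT data). As the slides note, purchase
# records carry only vendor, account code and MCC, never the product bought.
LEDGER = [
    # (dept, vendor, account_code, mcc, amount)
    ("Biology",   "CloudStore Inc",     "12345", "7372", 1800.00),
    ("Biology",   "CloudStore Inc",     "12345", "7372", 2400.00),
    ("Chemistry", "SurveyApp LLC",      "12390", "5817",  300.00),
    ("History",   "Office Depot",       "12201", "5943",   90.00),
    ("Physics",   "Hostly",             "12345", "4816",  650.00),
    ("Physics",   "Hostly",             "12345", "4816",  650.00),
    ("Registrar", "Big Data Analytics", "12345", "7372", 9500.00),
]

# Hypothetical watch lists: placeholder MCCs and a placeholder technology
# account code. Substitute the codes your card issuer and chart of accounts use.
TECH_MCC = {"7372", "4816", "5817"}
TECH_ACCOUNT_CODES = {"12345"}
REVIEW_THRESHOLD = 2000.00  # slides: risk assessment required only above $2,000

def candidate_vendors(ledger=LEDGER, threshold=REVIEW_THRESHOLD):
    """Return vendors whose purchases look like technology/cloud spend, with
    total spend, purchasing departments, and whether any single purchase
    exceeded the review threshold. Sorted by total spend, largest first."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE purchases(dept, vendor, account_code, mcc, amount REAL)")
    con.executemany("INSERT INTO purchases VALUES (?,?,?,?,?)", ledger)
    mcc_marks = ",".join("?" * len(TECH_MCC))
    acct_marks = ",".join("?" * len(TECH_ACCOUNT_CODES))
    rows = con.execute(
        f"""SELECT vendor, COUNT(*), SUM(amount), MAX(amount),
                   GROUP_CONCAT(DISTINCT dept)
            FROM purchases
            WHERE mcc IN ({mcc_marks}) OR account_code IN ({acct_marks})
            GROUP BY vendor ORDER BY SUM(amount) DESC""",
        (*TECH_MCC, *TECH_ACCOUNT_CODES),
    ).fetchall()
    con.close()
    return [
        {"vendor": v, "purchases": n, "total": total,
         "departments": sorted(depts.split(",")),
         # Purchases above the threshold should have a questionnaire on file;
         # smaller ones never trigger it, so they need a separate look.
         "review_required": biggest > threshold}
        for v, n, total, biggest, depts in rows
    ]
```

Vendor-level output is the most this data can give; confirming what was actually bought still needs the departmental follow-up the slides describe.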
Control Environment at VT
• Departmental purchasing authority.
• Difficult to identify all purchases.
• Purchase records only show vendor, not product detail.
• What about free services?
• Mobile device apps?
Control Environment at VT
• Guidelines suggest reviews by:
  • Central IT (Security, Network)
  • Data Stewards
  • Legal Counsel
• Is it realistic?
CLOUD SERVICES RISKS
Risk Environment
Risk Assessment
Contract Risks
Risk Environment
• Risks of outsourcing are similar to risks of operating internally.
• Additional risks exist when the system is outside of your control.
• Low cost/free services vs. high cost?
• How do you monitor these risks?
Risk Assessment
• A need has been identified.
• What could go wrong utilizing a cloud service provider?
• What is the worst possible outcome?
• What is a more likely outcome?
• What am I exposing myself to?
Risk Assessment
• What data elements will be utilized?
• Are there any regulatory requirements?
  • FERPA
  • HIPAA
  • ITAR
  • PCI
  • PII
Risk Assessment
• What risks are significant enough to warrant special consideration in contract negotiations?
Contract Risks
• Who has signature authority?
• Click through agreements?
• Does the defined service adequately represent the identified need?
• How complete is the audit clause?
  • Client access to audit vendor performance.
  • Client access to review third party audits.
Contract Risks
• Does the agreement require acknowledgement of regulatory compliance?
• Who owns the data once it’s in the cloud?
Contract Risks
• What invokes the termination clause and what does it address?
  • Access to data upon termination.
  • Secure removal of data.
  • Termination fees or waiver of fees.
  • Responsibilities of each party upon termination.
Contract Risks
• Service Level Agreements
  • Are they complete?
  • Are they reasonable?
  • What is the measurement period?
  • What is the penalty for non-compliance?
Contract Risks
• Are the specific obligations explicitly stated in the contract?
• If not, where are they located?
  • Policies, procedures, or privacy statements are typically subject to change without notice.
  • Click through agreements may also change without notice.
Contract Risks
• Do the elements of the contract apply to any subcontracted vendors?
• Negotiation of appropriate contract terms is an effective means of reducing risk exposure.
• It is often not possible to get all desired terms and conditions in the contract.
CONDUCTING THE AUDIT
Sampling
Document Requests
Audit Testing
Sampling
• What factors exist in the population?
  • Users
  • Type of service
  • Functional Use
  • Cost
Sampling
• Select a cross section
  • Single user to organization wide
  • Application or storage
  • Administrative, teaching, research
  • High cost, low cost
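An added example, not from the presentation: a greedy selection that builds a cross-section sample covering every level of the four sampling factors above (user scope, service type, functional use, cost band) over a constructed inventory of identified services. The service names and costs are made up, and the $2,000 cost-band boundary is an assumption borrowed from the review threshold on the Testing slides.

```python
COST_THRESHOLD = 2000.00  # assumed cost-band boundary (the slides' $2,000 review cutoff)

# Constructed inventory of identified cloud services (not real VT data).
SERVICES = [
    {"name": "Lab notebook app",      "users": "single user",
     "service_type": "application", "functional_use": "research",       "annual_cost": 120.0},
    {"name": "Dept file share",       "users": "departmental",
     "service_type": "storage",     "functional_use": "administrative", "annual_cost": 900.0},
    {"name": "Survey tool",           "users": "single user",
     "service_type": "application", "functional_use": "research",       "annual_cost": 300.0},
    {"name": "Campus email",          "users": "organization wide",
     "service_type": "application", "functional_use": "administrative", "annual_cost": 250000.0},
    {"name": "Course video host",     "users": "organization wide",
     "service_type": "storage",     "functional_use": "teaching",       "annual_cost": 18000.0},
    {"name": "Student project drive", "users": "departmental",
     "service_type": "storage",     "functional_use": "teaching",       "annual_cost": 0.0},
]

def strata(service):
    """Map one service to the set of (factor, level) pairs it represents."""
    band = "high cost" if service["annual_cost"] > COST_THRESHOLD else "low cost"
    return {("users", service["users"]),
            ("service_type", service["service_type"]),
            ("functional_use", service["functional_use"]),
            ("cost", band)}

def cross_section(services=SERVICES):
    """Greedy cover: repeatedly add the service that represents the most
    factor levels not yet in the sample, until every level that occurs in the
    population is represented. Ties go to the earlier inventory entry, so the
    result is deterministic. Returns (sample names, levels still uncovered)."""
    uncovered = set().union(*(strata(s) for s in services))
    remaining = list(services)
    sample = []
    while uncovered and remaining:
        idx, best = max(enumerate(remaining),
                        key=lambda p: (len(strata(p[1]) & uncovered), -p[0]))
        if not strata(best) & uncovered:
            break  # nothing left adds coverage
        sample.append(best["name"])
        uncovered -= strata(best)
        del remaining[idx]
    return sample, sorted(uncovered)
```

The second return value is non-empty only if the loop stops early, which cannot happen when every level comes from the same population; it is there so a caller can spot a mismatch between an externally supplied level list and the inventory.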
Documentation Request
• Planning Documentation
  • Risk assessments
  • Steering committee minutes
  • Product reviews
  • Security reviews
Documentation Request
• Original and most recently executed contract.
• Most recent SLA performance review
• Most recent third party audit report
  • Preferred report is the SOC 2 Type 2
Testing
• Risk assessment
  • Centrally created questionnaire
  • Only required for purchases greater than $2,000
  • Yes/No responses
  • Developed in 2011
Testing
• Steering Committee Minutes
  • No steering committee for most department specific purchases
  • Expected for central systems purchases (e.g. email, business intelligence software)
Testing
• Security Reviews
  • Performed on 4 of 5 services with a cost greater than $2,000
  • Not performed on smaller dollar purchases
  • IT Security Office provides an opinion on the security architecture of the service
  • Has resulted in corrective action by the vendor.
Testing
• Signature Authority
  • Department and Central authorization OK
  • Data steward review was often absent
    • Based on the data utilized by the service
  • Legal Counsel review was often absent
Testing
• Terms and Conditions
  • Audit Clauses
    • One audit clause gave the vendor the right to audit Virginia Tech!
  • Termination agreements
    • Beware of data retrieval and removal provisions
  • Definition of adequate and robust SLAs
Testing
• Terms and Conditions
  • Subcontractors
    • Use of subcontractors permitted?
    • Enforcement of parent contract to subcontractors?
    • Regulatory compliance requirements?
    • Personnel vetting?
Testing
• Contract Monitoring
  • Periodic review of Terms and Conditions
    • Still reflect current operating environment?
    • What changes have occurred?
  • SLA Performance
  • Third party audit reviews
    • Identified one subcontractor who had significant data breaches occur in 2009.
OUTCOMES
Outcomes
• Risk assessment questionnaire
  • Revised questions to target specific risks and help assess data elements used and need for ongoing monitoring.
  • Expanded scope to include items under $2,000.
Outcomes
• Communication and Training
  • Ensure adequate knowledge of the risks of outsourcing for department staff.
  • Focus on training business staff and IT professionals.
Outcomes
• Assess the impact of restricting use of certain MCC codes on selected Pcard holders.
• Manage the risk at the point of procurement by limiting the number of people able to purchase such services.
Outcomes
• Establishment of preferred standard contract language.
  • Joint effort led by IT Acquisitions in collaboration with Procurement, Legal Counsel, and Central IT.
Outcomes
• Processes and procedures designed to help manage and monitor contracts.
  • Led by IT Acquisitions with input from Central IT or other administrative functions.
QUESTIONS OR COMMENTS?