Refresher on cloud computing Cloud computing is a form of outsourcing where the organization outsources data processing to computers owned by the vendor. Outsourcing may also include utilizing the vendor’s computers to store, backup, and provide online access to the organization data. The organization will need to have a robust access to the internet if they want their staff or users to have ready access to the data or even the application that process the data. In the current environment, the data or applications are also available from mobile platforms (laptops with Wi-Fi or cell/mobile cards, smart phones, and tablets). Risks for the audited entity When an agency chooses to utilize cloud computing, they need to be aware of risks that they may face with the service provider, the risk they face if they are unable to effectively oversee the service provider, and other risks related to management and security weaknesses in the service providers approach. As an auditor you will need to understand what the agency has done to mitigate the risks with cloud computing. When we as auditors are asked to appraise whether an entity or organization getting the benefits of cloud computing are managing the vendor to ensure that they get the required services we need to be aware of the risks that they may face. In order analyze whether the audit entity is both aware of and is managing or mitigating the common risks with cloud computing the following matrix provides a way to look for certain documents and activities that will provide the data that the auditor can analyze. A representative set of audit related questions if provided here in this guide. The auditor may augment these with other questions as appropriate. For example, managing cloud computing also requires project management discipline similar to those when managing any other contractor. However, since cloud computing does not typically entail development of new capability the management activities are more specific to monitoring Service Level Agreement (SLA) requirements and taking action when the vendor is not performing to contractual requirements. 1 Audit Issues Information required 1 Criteria (Basis of evaluation) Analysis Method Audit Conclusion 2 Cloud Computing Policy (Ref: IT Governance Issues) Audit Objective: To assess whether the organization has a policy on cloud computing or has given it some thought prior to engaging in the activity. Does the organization have a policy on whether they will utilize cloud computing? Is there an organizational policy that addresses the use of cloud computing? This may also be called a policy on outsourcing. Who approved the policy? Does the policy lay out which functions or services can be performed utilizing cloud computing and which ones should be retained via existing IT infrastructure? Organizational IT Policy or other which addresses cloud computing. Organizational policy on cloud computing or outsourcing Interviews and review of documents Whether the organization has considered cloud computing as an option and whether they have decided what can and cannot be implemented via the cloud. How does the organization ensure that this policy is enforced? 1 if possible the source of info should be indicated Audit conclusions could lead to possible audit recommendations. For further guidance see Chapter ____( Reporting) 2 2 Who approves the solicitation of cloud computing services? CSP Selection (Ref: 1 Service Provider, 2 Technical, 5 Security Risks) Audit Objective: To assess how the agency selected the CSP who is most qualified and is able to meet their specific requirements. How did you ensure that the Cloud Service Provider (CSP) is best qualified to meet your requirements? What data do you have on the Cloud Service Provider’s (CSP) past experience? All services must be ensured its continuity by the provision of adequate resources and supported by adequate proficiency Data on the CSP past performance on other contracts for other customers (this may not always be available to the audited entity but talk to the contracting officer who should know the vendor’s track record). Have you received a list of the CSP's current or past customers? Have you discussed the CSP's performance with their customers or references? CSP contract or SLA. How did you determine whether the CSP is able to meet your data security, integrity, protection, backup, privacy, and other critical requirements? Agency Data Protection Policy, IT governance Agency document of requirements, visit vendor and or conduct audit, look at vendor controls, etc 3 Interview and document review. Whether the organization has reviewed the CSP’s past performance prior to selecting them as their vendor. CSP Monitoring (Ref: 4 Management/Oversight Risks, 3 Overseas Risks) Audit Objective: To assess that the selected CSP is meeting the requirements of the agency. What are you doing to ensure that the CSP is providing services that are responsive to your needs? What are some key parameters that you have defined for the CSP vendor? Examples include, up time, mobile access interface, simultaneous users, and data transfer rates, etc. Have you defined how often they will be measured and reported? All works must be supervised to ensure full compliance with the SLA’s requirements Assess the adequacy of SLA parameter SLA with key parameters or indicators, monthly or other periodic reports from the CSP on the reportable parameters, CSP contract or SLA. Whether the organization has specific requirements in the SLA for the cloud service. Whether the organization is monitoring and taking action when SLA parameters are not being met. Review and actions items or notices to CSP on noncompliant issues. Have you defined how they will be measured? How often does your team meet to discuss the vendor's performance? What actions have you taken when a performance deviations occurs? What is your strategy if the CSP sub-contracts some of the work? Agency strategy or view on use of 4 Whether the agency has stipulated that What is your strategy if the CSP is acquired by a different company during the performance period of your contract? subcontractors by the CSP, (get by interviewing officials, this may or may not be documented) the vendor not subcontract any of the services to another vendor without notifying the agency. Record of analysis of interview or documentati on of strategy in meeting minutes. What is your strategy for contracting for services to an overseas vendor? Are you aware of the laws and regulations that regulate the vendor in the foreign country? What have you done to ensure that your data is secure and that you have ready access when your data is resident in an overseas location? IT Policy, IT Strategy Whether the organization has considered the risks of contracting with an overseas vendor or one who may choose to host and store data overseas Security Policy, data integrity requirements IT Risk management, Data security and access requirements 5 Security (Ref: 5 Security Risks) Audit Objective: To assess whether the agency is periodically monitoring the vendor to ensure that security requirements are being met. What are your security requirements and how are you ensuring that the CSP is meeting them? What security standards are you requiring that the CSP follow? Security requirements , Whether the agency has thought about security controls and standards and has required the CSP to follow the same. CSP Infomartion security management policy and procedures What portions of your data requires encryption? Who is responsible for this encryption? Agency adopted security standards. Have you tested security controls at the CSP? Contract or SLA CSP audit reports. How often does the CSP report to you if there is a security issue with your data? What actions have you taken when such items are reported? Data Access (Ref: 2 Technical Risks) Audit Objective: To assess whether the agency has plans in place for data access if there are issues with the vendor or connectivity. 6 What have you done to ensure that you do not lose access to your organizational data in a cloud computing environment? How are you ensuring that your data and applications are portable if you switch CSP? What are your plans for service continuity if you are unable to access the CSP’s site for an extended period? Have you tested your (or the CSP’s if they are responsible) backup and archive retrieval processes? Use of cloud computing must satisfy the principle of reliability, integrity, and availability, as well as ensuring that the information is not disseminated deliberately Whether the agency is able to access their data if they switch contracts or are locked in for a single CSP for an extended time. SLA or contract. Continuity of cloud computing environment should be covered by a BCP / DRP How often do you test the systems reliability and performance? CSP reports on DRP testing, reports on periodic backup and other reports or information on data backup or retention. Do you have access to the data? Where are the data backups located? Do you have a non-disclosure agreement with your CSP to ensure your data and other information assets are suitably protected? Applicable laws and regulations on data protection, privacy, etc. 7 Review contract or SLA. Look for what is stated about access to data and how readily it can be made available to be moved to new location or vendor as appropriate. Acronyms: BCP/DRP Business Continuity Plan / Disaster Recovery Plan CSP Cloud Service Provider IaaS Infrastructure-as-a-Service IT I Information Technology PaaS Platform-as-a-Service SaaS Software-as-a-Service SAI Supreme Audit Institution SLA Service Level Agreement 8