Domain 4: Compliance and Audit Management

CSA Guidance Version 3
As organizations migrate from traditional data centers to the Cloud, they face a number of challenges. Maintaining compliance with a multitude of relevant regulations and security policies is one of them. All parties need to understand and appreciate the differences and the impact on existing compliance and audit procedures, standards, and best practice.
Cloud computing permits the centralization of security, audit and compliance; this enables end users to achieve greater degrees of assurance than the simple adoption of best practice. Non-corporate entities normally excluded from lines of business with strict compliance burdens may now enter markets that were once cost prohibitive. In audit and compliance it is not possible to transfer the operational risk, but it is possible to leverage those with more expertise and training to ease the burden.
Regulators and auditors are still learning about Cloud Computing and its impact on new and existing auditing activities. Of the many regulations touching upon information technology with which organizations must comply, few were written with Cloud Computing in mind. How should a cloud consumer go about demonstrating to auditors that their company is in compliance? Understanding the nuances of the cloud environment and its operational and regulatory constraints is a key component of any business strategy.
It is important that cloud customers understand the following:

Regulatory applicability for the use of a given cloud service, paying attention to cross-border or multi-jurisdiction issues where relevant.

Division of compliance responsibilities between cloud provider and cloud customer. This is even more important when third parties are involved. Cloud customers need to clearly understand such responsibilities.

Cloud provider’s ability to produce evidence needed for compliance. Some customer requirements, such as demonstrating compliance, will depend on the cloud service provider.

Cloud customer’s role in bridging the gap between cloud provider and auditor/assessor. Audits and assessments are a key component of governance, and cloud customers need to make sure these activities are not constrained by the chosen service provider.
Overview

This domain addresses Compliance and Audit:

Compliance

Audit
Copyright © 2011 Cloud Security Alliance
1.1 Compliance
With the Cloud, information technology is increasingly subject to various policies and regulations. Customers, investors, shareholders, employees, partners, regulators and auditors all expect organizations to proactively comply with regulatory requirements across all jurisdictions. Information technology governance is critical, and all companies need a strategy in order to compete in this global market.
Governance is the art of establishing processes and policies that enable the smooth execution of business objectives within the constraints of the environment governing the business operations. Governance requires compliance activities to ensure that the policies and processes established to secure operations are followed to the best ability of the people who are tasked with running the daily operations. For this work, compliance is focused on aligning with external requirements (e.g., law, regulation, industry standards), while governance is focused on aligning with internal requirements (e.g., board decisions, corporate policy).
Compliance is the set of processes of complying with customs, guidelines, policies, laws, and institutions affecting the way an enterprise is directed, administered or controlled. Compliance is both about 'following the rules' and showing that the company has done so. In some environments, such as regulated cloud, the transparency aspect can even be dominant, sometimes at the expense of 'actual' compliance. Most IT activities (monitoring, managing, protecting, and disclosing) are requirements of most major guidelines and regulations. IT governance is a supporting element of overall corporate governance and compliance. In this role the cloud permits the ability to centralize IT governance and consolidate the information-gathering element of governance and compliance. Compliance should not cause an organization to fail in conducting its business in a productive way. By leveraging cloud services, non-corporate users can achieve the same level of compliance as larger, better-resourced entities. In this way cloud computing, through Security as a Service offerings, recognizes the role that third-party organizations play in assessing and communicating compliance. Compliance plays an important role in making sure the organization is able to compete within the rules of its jurisdictions. Compliance should not be ignored. Information technology will continue to play a key role in implementing compliance and delivering on its requirements across all relevant jurisdictions. With Cloud, IT will have a permanent seat at the table; the organization will need to have cross-functional representation in order to deliver a good compliance strategy.
1.2 Audit
Audit is an important component of the proper governance of any organization. Audit has to be conducted in an independent way and has to be robust, based on best practice, allocated budget, and test protocols and standards. Both internal and external audit/controls have a legitimate role to play for cloud, for both the customer and the provider. Cloud brings these roles into sharp focus. In fact, greater transparency may be the best approach while cloud is relatively new, to raise comfort levels for all parties. An audit must provide assurance that all activities supporting operational risk have been tested and reviewed.
An audit plan must be in place and supported by the Board and management. It is important to have regular independent audits of all critical systems and internal controls, as well as a complete audit trail with documented recommendations, in order to improve efficiency and reliability. To analyze the effectiveness of an audit process, many companies use a maturity model. In some cases a more statistical approach to risk is being adopted, such as that used in the Basel and Solvency accords on financial services, and as the field matures more specialized models for risk will be adopted based on the line of business.
In the Cloud, these practices will need to be enhanced to fit the requirements of Cloud environments. The business and management will need assurances that strategic initiatives and objectives will be accomplished on the Cloud, just as they were accustomed to with previous models.
1.3 Recommendations

Involve Legal and Contracts Teams together with your IT. The cloud provider’s standard terms of service may not address your compliance needs; therefore it is beneficial to have both legal and contracts personnel involved early to ensure that cloud services contract provisions are adequate for compliance and audit obligations.

Specialized compliance requirements for highly regulated industries (e.g., finance, health care). Organizations need to consider: What are the current requirements? How well are they meeting them now? What geographic- or jurisdiction-specific requirements may make leveraging true cloud scale difficult?

Analyze Compliance Scope. Determine whether the compliance regulations to which the organization is subject will be impacted by the use of cloud services, for a given set of applications and data. This is especially important for organizations operating in multiple jurisdictions.

Analyze Impact of Regulations on Data Security. Potential end users of Cloud
Computing services should consider which applications and data they are
considering moving to cloud services, and the extent to which they are subject to
compliance regulations.

Review Relevant Partners and Service Providers. This is general guidance for ensuring that service provider relationships do not negatively impact compliance. Assessing which service providers are processing data that is subject to compliance regulations, and then assessing the security controls provided by those service providers, is fundamental. Several compliance regulations have specific language about assessing and managing third-party vendor risk. As with non-cloud IT and business services, organizations need to understand which of their cloud business partners are processing data subject to compliance regulations.

Understand Contractual Data Protection Responsibilities and Related Contracts.
The cloud service model to an extent dictates whether the customer or the cloud
service provider is responsible for deploying security controls. In an IaaS
deployment scenario, the customer has a greater degree of control and
responsibility than in a SaaS scenario. From a security control standpoint, this
means that IaaS customers will have to deploy many of the security controls for
regulatory compliance. In a SaaS scenario, the Cloud service provider must provide
the necessary controls. From a contractual perspective, understanding the specific
requirements, and ensuring that the cloud services contract and service level
agreements adequately address them, are key.

Analyze Impact of Regulations on Provider Infrastructure. In the area of infrastructure, moving to cloud services requires careful analysis as well. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud service types.

Analyze Impact of Regulations on Policies and Procedures. Moving data and applications to cloud services will likely have an impact on policies and procedures. Customers should assess which policies and procedures related to regulations will have to change. Examples of impacted policies and procedures include activity reporting, logging, data retention, incident response, controls testing, and privacy policies.

Prepare Evidence of How Each Requirement Is Being Met. Collecting evidence of
compliance across the multitude of compliance regulations and requirements is a
challenge. Customers of cloud services should develop processes to collect and
store compliance evidence including audit logs and activity reports, copies of
system configurations, change management reports, and other test procedure
output. Depending on the cloud service model, the cloud provider may need to
provide much of this information.

Auditor Qualification and Selection. In many cases the organization has no say in selecting auditors or security assessors. If an organization does have selection input, it is highly advisable to pick a “cloud aware” auditor, since many might not be familiar with cloud and virtualization challenges. Asking about their familiarity with the IaaS, PaaS, and SaaS nomenclature is a good starting point.

Cloud Provider’s SSAE 16 SOC 2. Providers should have this audit statement at a minimum, as it will provide a recognizable point of reference for auditors and assessors.
1.4 Requirements

Right to Audit Clause. Customers will need the ability to audit the cloud provider, given the dynamic nature of both the cloud and the regulatory environment. This is one of the most important components of the relationship, as it will affect traceability and transparency. A Right to Audit clause should be a requirement of any service level agreement.

Use of a normative audit specification in the right to audit. A right to audit contract clause should be obtained, particularly when using the cloud provider for a service for which the customer has regulatory compliance responsibilities. Over time, this right should be supplemented by appropriate cloud provider certifications, related to the recommendation for ISO/IEC 27001/27017-1 certification.

Right to Transparency Clause. This should be obtained when using the cloud provider for a service for which the customer has regulatory compliance responsibilities and for which criminal prosecution is a possibility. A contract should distinguish between automated/direct access to information (e.g., logs, reports) and 'pushed' information (e.g., system architectures, audit reports).

Mutual selection of third party auditors and SLA metrics to be audited. Third-party
auditors should be mutually selected in advance, jointly between provider and
customer. Mediators should evaluate service level agreements (SLA) for metrics
and audit events that embody the intent of the SLA and those SLA metric
interpretations should be contractually agreed to by both parties when
implementing and engaging the third party auditor.