Refresher on cloud computing

Cloud computing is a form of outsourcing in which the organization moves its data processing to computers owned and operated by the vendor. The outsourcing may also include using the vendor's computers to store, back up, and provide online access to the organization's data. The organization therefore needs robust internet access if its staff or users are to have ready access to the data, or to the applications that process it. In the current environment the data and applications are also reachable from mobile platforms (laptops with Wi-Fi or cellular data cards, smartphones, and tablets).

Risks for the audited entity

When an agency chooses to utilize cloud computing, it needs to be aware of three kinds of risk: risks arising from the service provider itself, risks arising if the agency is unable to effectively oversee the service provider, and risks related to management and security weaknesses in the service provider's approach. As an auditor you will need to understand what the agency has done to mitigate these risks.

When auditors are asked to appraise whether an entity benefiting from cloud computing is managing the vendor so that it actually receives the required services, the auditors themselves need to be aware of the risks the entity may face. To analyze whether the audited entity is both aware of and managing or mitigating the common risks of cloud computing, the following matrix indicates the documents and activities to look for; these provide the data that the auditor can analyze. A representative set of audit-related questions is provided here in this guide; the auditor may augment these with other questions as appropriate. For example, managing cloud computing requires project management discipline similar to that needed when managing any other contractor.
However, since cloud computing does not typically entail the development of new capability, the management activities are more specifically concerned with monitoring SLA requirements and taking action when the vendor is not performing to contractual requirements.

Audit matrix

Each row of the matrix below is presented as a block with the following fields: Audit issues; Criteria (basis of evaluation); Information required (1); Analysis method; Audit conclusion (2).

(1) If possible, the source of the information should be indicated.
(2) Audit conclusions could lead to possible audit recommendations. For further guidance see Chapter ____ (Reporting).

1. Cloud computing policy

Audit objective: To assess whether the organization has a policy on cloud computing, or has at least given it some thought, prior to engaging in the activity.

Audit issues:
- Does the organization have a policy on whether it will utilize cloud computing? Is there an organizational policy that addresses the use of cloud computing? This may also be called a policy on outsourcing.
- Who approved the policy?
- Does the policy lay out which functions or services can be performed using cloud computing and which ones should be retained on the existing IT infrastructure?
- How does the organization ensure that this policy is enforced?
- Who approves the solicitation of cloud computing services?

Criteria: Organizational IT policy, or other policy, that addresses cloud computing.

Information required: Organizational policy on cloud computing or outsourcing.

Analysis method: Interviews and review of documents.

Audit conclusion: Whether the organization has considered cloud computing as an option and whether it has decided what can and cannot be implemented via the cloud.

2. CSP selection

Audit objective: To assess how the agency selected the Cloud Service Provider (CSP) that is most qualified and able to meet its specific requirements.

Audit issues:
- How did you ensure that the CSP is best qualified to meet your requirements?
- What data do you have on the CSP's past experience?
- Have you received a list of the CSP's current or past customers?
- Have you discussed the CSP's performance with its customers or references?
- How did you determine whether the CSP is able to meet your data security, integrity, protection, backup, privacy, and other critical requirements?

Criteria:
- Continuity of all services must be ensured through the provision of adequate resources, supported by adequate proficiency.
- CSP contract or SLA.
- Agency data protection policy and IT governance.

Information required:
- Data on the CSP's past performance on other contracts for other customers. This may not always be available to the audited entity; talk to the contracting officer, who should know the vendor's track record.
- The agency's document of requirements; a visit to the vendor and/or an audit of the vendor, including a review of the vendor's controls.

Analysis method: Interviews and document review.

Audit conclusion: Whether the organization reviewed the CSP's past performance prior to selecting it as its vendor.

3. CSP monitoring

Audit objective: To assess whether the selected CSP is meeting the requirements of the agency.

Audit issues:
- What are you doing to ensure that the CSP is providing services that are responsive to your needs?
- What key parameters have you defined for the CSP? Examples include uptime, the mobile access interface, the number of simultaneous users, and data transfer rates.
- Have you defined how these parameters will be measured, and how often they will be measured and reported?
- How often does your team meet to discuss the vendor's performance?
- What actions have you taken when a performance deviation occurred?
- What is your strategy if the CSP subcontracts some of the work?
- What is your strategy if the CSP is acquired by a different company during the performance period of your contract?

Criteria:
- All work must be supervised to ensure full compliance with the SLA's requirements.
- CSP contract or SLA.
- The agency's strategy or view on the use of subcontractors by the CSP (obtain this by interviewing officials; it may or may not be documented).

Information required:
- SLA with key parameters or indicators; monthly or other periodic reports from the CSP on the reportable parameters.
- Record of the analysis of the interview, or documentation of the subcontracting strategy in meeting minutes.

Analysis method:
- Assess the adequacy of the SLA parameters.
- Review action items or notices sent to the CSP on non-compliant issues.

Audit conclusion:
- Whether the organization has specific requirements in the SLA for the cloud service.
- Whether the organization is monitoring the SLA parameters and taking action when they are not being met.
- Whether the agency has stipulated that the vendor may not subcontract any of the services to another vendor without notifying the agency.

4. Security

Audit objective: To assess whether the agency is periodically monitoring the vendor to ensure that security requirements are being met.

Audit issues:
- What are your security requirements, and how are you ensuring that the CSP is meeting them?
- What security standards are you requiring the CSP to follow?
- What portions of your data require encryption? Who is responsible for this encryption, the agency or the CSP?
- Have you tested the security controls at the CSP?
- How often does the CSP report to you if there is a security issue with your data? What actions have you taken when such issues were reported?

Criteria:
- The agency's security requirements; the CSP's information security management policy and procedures.
- The security standards adopted by the agency.
- Contract or SLA.

Information required: CSP audit reports.

Audit conclusion: Whether the agency has thought about security controls and standards and has required the CSP to follow them.

5. Data access

Audit objective: To assess whether the agency has plans in place to retain access to its data if there are issues with the vendor or with connectivity.

Audit issues:
- What have you done to ensure that you do not lose access to your organizational data in a cloud computing environment?
- How are you ensuring that your data and applications are portable if you switch CSP?
- What are your plans for service continuity if you are unable to reach the CSP's site for an extended period?
- Have you tested your (or the CSP's, if the CSP is responsible) backup and archive retrieval processes?
- How often do you test the system's reliability and performance?
- Do you have access to the data? Where are the data backups located?
- Do you have a non-disclosure agreement with your CSP to ensure that your data and other information assets are suitably protected?

Criteria:
- Use of cloud computing must satisfy the principles of reliability, integrity, and availability, and must also ensure that the information is not deliberately disseminated (confidentiality).
- Continuity of the cloud computing environment should be covered by a business continuity plan / disaster recovery plan (BCP/DRP).
- Applicable laws and regulations on data protection, privacy, etc.

Information required:
- SLA or contract.
- CSP reports on DRP testing, reports on periodic backups, and other reports or information on data backup or retention.

Analysis method: Review the contract or SLA. Look for what is stated about access to the data and how readily it can be made available to be moved to a new location (or vendor, as appropriate).

Audit conclusion: Whether the agency is able to access its data if it switches contracts, or whether it is locked in to a single CSP for an extended time.