Download presentation
Presentation is loading. Please wait.
Published byLiliana Henderson Modified over 9 years ago
1
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott (AEP), and Charles Saunders (Franklin University)
2
Overview of Presentation 1.Charles: Do internal audit fundamentals apply to cloud computing? 2.Jay: How does cloud computing make it into my audit universe? 3.John: How do you execute and sustain the audit plan?
3
Do internal audit fundamentals apply to cloud computing? In a word, YES! – Cloud computing is a significant strategic decision. – Cloud computing has significant financial impact. – Cloud computing has significant risk implications. – Cloud computing has significant control considerations. – Cloud computing requires significant management involvement, oversight, and governance.
4
COSO Definition of Internal Control A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations.
5
COSO Definition of Enterprise Risk Management Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
6
Ten Principles of Cloud Computing Risk Source: Vohradsky, D. (2012). Cloud risk—10 principles and a framework for assessment. ISACA Journal, 5, 31-41. 1.Executives must have oversight over the cloud. 2.Management must own the risks in the cloud. 3.All necessary staff must have knowledge of the cloud. 4.Management must know who is using the cloud. 5.Management must authorize what is put in the cloud. 6.Mature IT processes must be followed in the cloud. 7.Management must buy or build management and security in the cloud. 8.Management must ensure cloud use is compliant. 9.Management must monitor risk in the cloud. 10.Best practices must be followed in the cloud.
7
Risk Implications and Responses Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2012. 1.Unauthorized cloud activity Cloud policies and controls 2.Lack of transparency Assessments of cloud service provider (CSP) control environment 3.Security, compliance, data leakage, data jurisdiction Data classification policies and processes 4.Transparency and relinquishing direct control Management oversight, operations monitoring controls 5.Reliability, performance, high-value cyber-attack target Preventative measures; incident management 6.Non-compliance with regulations Monitoring of the external environment 7.Vendor lock-in Preparation of an exit strategy 8.Non-compliance with disclosure requirements New disclosures in financial reporting 9.All risks ERM; Internal Audit; Board oversight; management awareness and involvement
8
Selected Sources of Information about Cloud Computing Risks and Controls 1.COSO 2.IIA 3.ISACA (e.g., COBIT 5, other publications and guidance) 4.IEEE (Institute of Electrical and Electronic Engineers ) 5.ENISA (European Network and Information Security Agency) 6.OWASP (Open Web Application Security Project) 7.CSA (Cloud Security Alliance) 8.NIST (National Institute of Standards and Technology) 9.ISO 27001 10.ISO/IEC 9126 11.AICPA
9
9 Audit Plan Development Process External Influences News/Events Deloitte Input Regulatory Compliance Rules & Laws External Influences News/Events Deloitte Input Regulatory Compliance Rules & Laws Internal Influences AEP Strategy Enterprise Risk Management Interviews Prior Audits Internal Influences AEP Strategy Enterprise Risk Management Interviews Prior Audits Professional Influences Trade/EEI Institute of Internal Auditors Audit Directors Roundtable Etc. Professional Influences Trade/EEI Institute of Internal Auditors Audit Directors Roundtable Etc. AUDIT UNIVERSE AUDIT UNIVERSE Risk-Based Prioritization Risk-Based Prioritization Emerging Risks Ongoing Risks Reactive Risks Preliminary Audit Plan Preliminary Audit Plan Audit Strategy Audit Strategy
10
10 John Didlott March 2013 Auditing Cloud Computing
11
11 Agenda Cloud Audit Drivers Audit Planning Cloud Drivers Audit Planning Scope and Objectives Risks Assessment Engagement Risks Risk Factors Mitigating Risk Risks not Specific to the Cloud Security Benefits Cloud Audit Program Resources Questions?
12
12 Our Audit and Why Data Ownership Third party relationship Cyber Security
13
13 Audit Planning Preparing for the audit What do you really have in the “Cloud”? What types of clouds are utilized within your organization? Where do you start?
14
14 Objectives and Scope Objectives Data Security Control Deficiencies Service Provider Reliability/System Availability Scope Governance Contractual Compliance Control Issues specific to Cloud Computing
15
15 Risk Assessment What is involved in creating the Risk Assessment for a cloud environment? What are the risk factors that apply to cloud computing ?
16
16 Engagement Risks Risks based on Managements Objectives Security, Cost and System Availability Efficiency/Effectiveness of operations Access to data System Failure Reliability of information Data Security and Availability
17
17 Risk Factors The Audit Clause How important is the audit clause? Before you can look at the risk, you need to determine the following question. What does the cloud contracts allow me to do?
18
18 Risk Factors Cont… Governance and Compliance A cloud solution moves control over governance and compliance to the cloud provider Conflicting Security Procedures of Provider The security procedures at both the provider and customer’s end Abuse of Privilege at Provider’s End How is access granted at the clouds provider?
19
19 Risk Factors Cont… Data Security What are the data protection risks I am facing Ineffective deletion of data When I delete data, is the data actually being deleted? Lock In/Service portability Data formats and interfaces could make if difficult for data portability
20
20 Risk Factors Cont… Multi-tenancy environment If you data contains information that needs to be protected, do you want the data stored in a public (shared) cloud? Lack of Compliance Assurance Does your provider meet industry standards and security requirements? Lack of Transparency in Supply Chain What are the services the third party is providing
21
21 Risk Factors Cont… Resource Limitations Inaccurate modeling and planning Remote Access Vulnerabilities How can your data be accessed? Business Continuity (BC) Planning and Disaster Recovery (DR) What does your cloud providers provider have in place?
22
22 Strategies for Mitigating Risk Get involved at the beginning Start before a contact is signed Use encryption in the cloud Prevention of disclosure Develop a stronger auditing approach around the providers facilities and logs Ensure that access to facilities and logs is available
23
23 Strategies for Mitigating Risk Cont… Leverage Expertise Determine how data is handled at the providers end Security Certificates Do they confirm to industry standards? Data Breaches What actions can you take to protect yourself monetarily?
24
24 Risks not specific to the Cloud Network Breaks How would this effect your business? Network Management Can effect Company reputation Customer Trust
25
25 Risks not specific to the Cloud Cont… Unauthorized access to facilities What could happen if a unauthorized access occurred? Natural Disasters Can effect Company reputation Along with Customer Trust
26
26 Security Benefits Security and the benefits of scale cheaper when implemented on a larger scale Security as a market differentiator Reputation or Provider Standardized interfaces for managed security services Open interface to managed security
27
27 Security Benefits Cont… Rapid, smart scaling of resources Reallocation of resources Audit and evidence-gathering Dedicated forensic images of virtual machines More timely, effective and efficient updates and defaults More efficient around updates
28
28 Cloud Audit Program Resources ISACA – Cloud Computing Management Audit/Assurance Program http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit- Programs/Pages/ICQs-and-Audit-Programs.aspx Cloud Federal Privacy Recommendations http://www.privacylives.com/wp-content/uploads/2010/08/Privacy-Recommendations-Cloud- Computing-8-19-2010.pdf CSA Cloud Security Guidance http://www.cloudsecurityalliance.org/csaguide.pdf NIST Cloud Presentations http://csrc.nist.gov/groups/SNS/cloud-computing/index.html GSA Cloud Guidance http://www.gao.gov/new.items/d10855t.pdf
29
29 Questions?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.