Friday, August 23, 2013


Enterprise Governance Risk and Compliance: New Standard to Meet Customer Demands
Abstract
        To bring governance, risk and compliance together in an integrated program where policies, data and controls are strategically managed and visible throughout the enterprise. An enterprise governance, risk and compliance (Enterprise GRC) strategy, supported by a common technology platform, creates consistency and transparency, enables collaboration, fosters operational efficiencies, and ensures the continuity and success of the business.
Problem statement
Treating each risk and compliance issue as an individual problem, organizations must look for a common approach to managing risk and compliance across the hyper-extended enterprise. Organizations that don’t achieve this level of collaboration are paying a significant cost in terms of wasted resource, increased complexity, decreased flexibility and, and even greater exposure to risk that threatens business performance and growth.

Explore each cost briefly:

Wasted resource: Instead of prioritizing how resources can be leveraged to meet a range of needs, organizations tackle issues one-by-one, resulting in varying processes, systems, controls and technologies. The excessive time and expense required to do this tasks the focus away from business initiatives that can improve the bottom line.

Increased complexity: Inconsistent risk and compliance approaches introduce greater complexity to the business environment and with complexity comes increased inherent risk. When controls are not streamlined and managed consistently, there are more points of control failure and compliance gaps. Furthermore, inconsistency in controls means inconsistency in documentation of risk and compliance, which can further confuse the organization, regulators and business partners.

Decreased flexibility: When an organization is spinning multiple risk and compliance plates, its ability to respond to other issues is compromised. The organization ends up doing a substandard job on the plate-spinning and sees its own business performance suffer because it is less able to respond to emerging opportunities.

Greater exposure:  With the focus on what is immediately at hand and not on what the business needs to protect itself in the long run, an organization will find itself facing more present threats rather than fewer. Duplication of process and gaps in coverage are bad enough, but when they aren’t visible at the governance layer, the business is at the brink of exposure to serious risk.

Our solution
Organizations frequently rely on a document-centric, paper-based approach to risk and compliance management, rarely attaining sophistication beyond electronic documents and spreadsheets. Aside from being error-prone and inefficient, this approach makes it difficult to share information, thereby reinforcing silos. Today’s business requires a technology architecture that integrates with other systems and provides for a cohesive and common Enterprise GRC platform. This platform should tie into enterprise applications and infrastructure, consolidating the information necessary to manage risk and compliance throughout the organization. 


Centralized views: A central view of risk and compliance activities provides a single lens through which stakeholders can identify threats early and prioritize issues, as well as improve efficiencies by applying a single process to multiple regulations

Automation: Through automation, organizations achieve continuous risk and continuous risk and controls monitoring as opposed to the point-in-time spot checks of the past. Technological capabilities required include advanced risk analytics and modeling, automated controls tied to business rules engines, advanced content and process management capabilities, and embedded Enterprise GRC control points.

Integrated systems: Multiple point solutions that span different areas of the infrastructure are costly to manage, fail to deliver a holistic view of the enterprise and cannot correlate analysis to provide reliable conclusions. Integration enables management and reporting across the enterprise.

Flexibility: An Enterprise GRC platform must be adaptable in order to evolve as business evolves. Furthermore, business users must be able to make changes and build out applications to solve business problems without relying on costly, time-intensive custom development. Every business has different risk management and compliance requirements, so the Enterprise GRC platform must be tailored to and organization’s specific needs and structure.

Evidence the solution works
Single, consolidated platform with configured modules to manage GRC initiatives:
·         Facilitates shared practices and reuse of work, resulting in efficiency and cost savings
·         Provides greater visibility of enterprise-wide GRC programs
·         Provides greater flexibility for users to configure modules to meet their needs without imposing a one size fits all approach
Role-based dashboards:
·         Increases productivity because users know what they need to do from a single place with notifications and tasks clearly identified
·         Reduces the need have to navigate to multiple pages; with a single click, users can perform assessment activities
User-scalable qualitative and quantitative analysis models that provide scores on risk:
·         Allows risks to be understood from the perspective of the entire enterprise
·         Allows each line of business or risk discipline to determine its individual criteria for scoring risk significance
Criteria Based Thresholds:
·         Allows management to set risk tolerances and decide the best course of action when risks exceed tolerances
Competitive approaches
Our Enterprise GRC solution will helps clients develop a broad vision and approach to clearly articulate, quantify, and proactively manage risk, while assessing potential performance impact. We also help manage expectations about risk management effectiveness for internal and external stakeholders. GRC approach, enabled and helps improve the sustainability, effectiveness, efficiency, and transparency align the processes with the organization’s strategic goals and objectives; and drive competitive advantage and shareholder value.
Entraprise GRC service is an integrated framework that unifies governance, organization and infrastructure, enterprise assurance, culture and behavior, and risk profile functions to achieve a consistent and holistic vision across the organization. This integrated approach for developing and establishing a successful and sustainable GRC framework effectively replaces existing piecemeal approaches with more wide-ranging GRC solutions, builds scalable enterprise frameworks, and enhances responsiveness to risks and opportunities

Current status
It is important to note that Enterprise GRC isn’t just a technology buy. The success of an Enterprise GRC program depends on how well organizational stakeholders work together to share information and integrate their efforts to enable a holistic view of risk and compliance across the enterprise. Therefore, it is a combination of people, processes and technologies that all must be aligned behind a common goal and commitment. To sum up, the Enterprise GRC strategy roadmap includes these key phases:

Inventory: Take an inventory of individual risk and compliance processes across the organization. This requires that the organization step outside of internal silos and collaborate on a range of risk and compliance issues.

Analysis: Identify which parts of the organization have strong processes and where processes can be improved, specifically by introducing automation and eliminating redundancy.

Goal-setting: Outline where you want to be in three years and model the ideal Enterprise GRC strategy and implementation approach. Think outside of box so you are not locked into current approaches and processes-many of which may be failing.

Planning: Build the plan to achieve the desired Enterprise GRC strategy and implementation approach. Identify the biggest Enterprise GRC issues and address the most visible and inefficient issues first. Think big picture, but start in areas that can provide quick wins.

               Of course, prioritization of risk and compliance activates must be decided at the business level to ensure maximum impact and sustainability. An Enterprise GRC strategy roadmap requires executive buy-in and support, which provides endorsement of the effort and overcomes obstacles of solid entities wanting to work independently and do things their own way. As with any new paradigm, implementing Enterprise GRC requires a committed change management program.  
Next steps
One thing is certain: risk and compliance burdens are not going away. Government regulators continue to influence control upon organizational practices through tighter regulation, and business partners are requiring stronger controls within their relationships. The globalization of business introduces significant risk with more points of vulnerability and exposure. The time is now for organizations to define and implement an Enterprise GRC strategy that drives accountability, sustainability, consistency, efficiency, security and transparency. Selecting the right technology vender that provides for enterprise-level control and integration of risk and compliance is critical step that organizations should not lightl
y.

That said,
organizations face an array of technologies to consider as the foundation of their Enterprise GRC program, and the process of selecting the right vendor to build a sustainable Enterprise GRC program can be overwhelming. When evaluating IT vendors, organizations should consider the range of risk and compliance requirements impacting the business and select a vendor that has the strongest integrated solution to manage these requirements on a consistent, ongoing basis, the right technology plat form lays a strong foundation for an effective Enterprise GRC strategy.         

References

Sunday, February 10, 2013

Application Security Auditing: Threat Modeling, Vulnerability Assessment and Penetration Testing


Introduction

      Threat modeling is a powerful tool that identifies the highest risk areas within an application and ties them to known  attacks and countermeasures. By leveraging a deep understanding of the application's business logic and design, organizations that employ threat modeling can significantly reduce attack vectors before ever coding an application. Additionally, threat modeling is used extensively with existing applications to prioritize in-scope components for code review and application penetration testing.

Overview

  • Find possible vulnerabilities in the design of an application
  • Determine necessary countermeasures to potential attacks
  • Prioritize components for run-time and source code analysis in large applications
Key Business Benefits

  • Cost reduction through prioritization of other application security testing activities
  • Threat modeling also allows architects and designers to evaluate the design of the application for vulnerabilities in the design phase
  • Threat modeling can be perceived as an asset, as it can be used in future releases to evaluate whether new security controls need to be put in place or whether existing controls are sufficient
Methodology

  • Gather Information: Understand the application's use cases, business requirements, data types, technical design, and other information by interviewing key stakeholders and analyzing diagrams
  • Decompose Application: Break application out into user roles, data types, and hardware/software components used
  • Data Flow Diagram (DFD): Map out data flow between logical components at various levels of granularity. This demonstrates a strong awareness of application flow and serves as a base for understanding the root cause of vulnerabilities found in testing activities of the application security program.
  • Debug and Reverse Engineering: One of the most powerful tools in the arsenal of a security application developer. It will give an insight into the code and functions especially when manipulated with memory heaps or processing loops.
  • Security Source Code Review: Provides a deep analysis of software source code to search for accidental and malicious inbuilt security weaknesses. A security source code review enables a scrutiny of application code to detect accidental security vulnerabilities and deliberate application back-doors.
  • Identify Risk: By either leveraging previous application/data classification efforts, or creating them for the first time in this application, consultants identify varying levels of risk for data types used in the application
  • Use Cases: Outline the major uses cases for the application and analyze each for potential threats to confidentiality, integrity, and availability
  • Attack Trees: Determine possible attacks for each attack vector outlined in the use case, prioritized by risk. Determine countermeasures for each attack and use this as either a basis for application design or as a checklist during penetration testing / source code review.

Wednesday, February 6, 2013

Audit Challenges in Cloud Computing


Executive Summary
        Cloud computing can provide major benefits to organizations from a cost, flexibility and scalability perspective, but serious concerns have been raised about the security measures used to protect Cloud environments. This is because the threat landscape associated with this form of IT provision is so different to that associated with traditional dedicated hosting. If organizations no longer have direct control over the hardware or physical locations of their servers, data segregation becomes harder to achieve and regulatory compliance far more difficult to guarantee.

Introduction
       Cloud computing shifts the responsibility of configuring, deploying and maintaining computing infrastructure from clients to Cloud providers. Providers generally expose an interface for clients to interact with their resources as if they were their own standalone resource; however often a number of resources may be aggregated on the same computer or cluster of computers. The user does not necessarily know the details of the location, equipment or configuration of their resources, rather they are provided with a “virtualized” computer resource hosted in “the Cloud”.
With cloud computing, applications and data are available to an organization’s user base, wherever and whenever users choose to connect and access the service and data.
This means the business does not have to maintain the hardware and software require delivering those services. 

Types of Cloud Providers
      Cloud services are usually divided in the three main types, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).

Software as a Service (SaaS)

Dedicated
Company 1
Company 2
Company 3
Company 4
Data
Data
Data
Data

Shared
Application
Database (RDBMS)
Middle-ware
OS (Operating System)
Network
Physical
    SaaS clients rent usage of applications running within the Clouds provider infrastructure. The applications are typically offered to the clients via the Internet and are managed completely by the Cloud provider. That means that the administration of these services such as updating and patching are in the providers responsibility. One big benefit of SaaS is that all clients are running the same software version and new functionality can be easily integrated by the provider and is therefore available to all clients.

Platform as a Service (PaaS)

Dedicated
Company 1
Company 2
Company 3
Company 4
Data
Data
Data
Data
Application
Application
Application
Application
Shared
Database (RDBMS)
Middleware
OS (Operating System)
Network
Physical
    PaaS Cloud providers offer an application platform as a service, for example Google App Engine. This enables clients to deploy custom software using the tools and programming languages offered by the provider. Clients have control over the deployed applications and environment-related settings. As with SaaS, the management of the underlying infrastructure lies within the responsibility of the provider.

Infrastructure as a Service (IaaS)

Dedicated
Company 1
Company 2
Company 3
Company 4
Data
Data
Data
Data
Application
Application
Application
Application
Database (RDBMS)

Database (RDBMS)

Database (RDBMS)

Database (RDBMS)

Middleware

Middleware

Middleware

Middleware

OS (Operating System)

OS (Operating System)

OS (Operating System)

OS (Operating System)

Shared
Network
Physical
    IaaS delivers hardware resources such as CPU, disk space or network components as a service. These resources are usually delivered as a virtualization platform by the Cloud provider and can be accessed across the Internet by the client. The client has full control of the virtualized platform and is not responsible for managing the underlying infrastructure.

Types of Cloud Computing

Public Cloud
    Public cloud (also referred to as ‘external’ cloud) describes the conventional meaning of cloud computing: scalable, dynamically provisioned, often virtualized resources available over the Internet from an off-site third-party provider, which divides up resources and bills its customers on a ‘utility’ basis.

Private Cloud
   Private cloud (also referred to as ‘corporate’ or ‘internal’ cloud) is a term used to denote a proprietary computing architecture providing hosted services on private networks. This type of cloud computing is generally used by large companies, and allows their corporate network and data center administrators to effectively become in-house ‘service providers’ catering to ‘customers’ within the corporation. However, it negates many of the benefits of cloud computing, as organizations still need to purchase, set up and manage their own clouds.

Hybrid Cloud
    It has been suggested that a hybrid cloud environment combining resources from both internal and external providers will become the most popular choice for enterprises. For example, a company could choose to use a public cloud service for general computing, but store its business-critical data within its own data center. This may be because larger organizations are likely to have already invested heavily in the infrastructure required to provide resources in-house – or they may be concerned about the security of public clouds.      

Cloud Computing implementation Road - map
    The following diagram, SaaS is consumed by end users (employees, clients, and partners), PaaS is consumed by software developers and IaaS is consumed by IT administrators and all those components must be managed either by your company or by a third-party solution provider.
 

Benefits
    There are many reasons why organizations of all sizes and types are adopting this model of IT. It provides a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Ultimately, it can save companies a considerable amount of money...

Removal / reduction of capital expenditure
      Customers can avoid spending large amounts of capital on purchasing and installing their IT infrastructure or applications by moving to the cloud model. Capital expenditure on IT reduces available working capital for other critical operations and business investments. Cloud computing offers a simple operational expense that is easier to budget for month-by-month, and prevents money being wasted on depreciating assets. Additionally, customers do not need to pay for excess resource capacity in-house to meet fluctuating demand.

Reduced administration costs
    IT solutions can be deployed extremely quickly and managed, maintained, patched and upgraded remotely by your service provider. Technical support is provided round the clock by reputable providers, for no extra charge, reducing the burden on IT staff. This means that they are free to focus on business-critical tasks, and businesses can avoid incurring additional manpower and training costs.

Improved resource utilization
    Combining resources into large clouds reduces costs and maximizes utilization by delivering resources only when they are needed. Businesses needn’t worry about over-provisioning for a service whose use does not meet their predictions, or under-provisioning for one that becomes unexpectedly popular. Moving more and more applications, infrastructure, and even support into the cloud can free up precious time, effort and budgets to concentrate on the real job of exploiting technology to improve the mission of the company. It really comes down to making better use of your time – focusing on your business and allowing cloud providers to manage the resources to get you to where you need to go. Sharing computing power among multiple tenants can improve utilization rates, as servers are not left idle, which can reduce costs significantly while increasing the speed of application development. A side effect of this approach is that computer capacity rises dramatically, as customers do not have to engineer for peak loads.

Economies of scale
    Cloud computing customers can benefit from the economies of scale enjoyed by providers, who typically use very large-scale data centers operating at much higher efficiency levels, and multi-tenant architecture to share resources between many different customers. This model of IT provision allows them to pass on savings to their customers.

Scalability on demand
    Scalability and flexibility are highly valuable advantages offered by cloud computing, allowing customers to react quickly to changing IT needs, adding or subtracting capacity and users as and when required and responding to real rather than projected requirements. Even better, because cloud-computing follows a utility model in which service costs are based on actual consumption, you only pay for what you use. Customers benefit from greater elasticity of resources, without paying a premium for large scale.

Quick and easy implementation
    Without the need to purchase hardware, software licenses or implementation services, a company can get its cloud-computing arrangement off the ground in minutes.

Helps smaller businesses compete
   Historically, there has been a huge disparity between the IT resources available to small businesses and to enterprises. Cloud computing has made it possible for smaller companies to compete on an even playing field with much bigger competitors. ‘Renting’ IT services instead of investing in hardware and software makes them much more affordable, and means that capital can instead be used for other vital projects.

Quality of service
    Your selected vendor should offer 24/7 customer support and an immediate response to emergency situations.

Guaranteed uptime, SLAs
    Always ask a prospective provider about reliability and guaranteed service levels – ensure your applications and/or services are always online and accessible.

Anywhere Access
    Cloud-based IT services let you access your applications and data securely from any location via an internet connection. It’s easier to collaborate too; with both the application and the data stored in the cloud, multiple users can work together on the same project, share calendars and contacts etc. It has been pointed out that if your internet connection fails, you will not be able to access your data. However, due to the ‘anywhere access’ nature of the cloud, users can simply connect from a different location – so if your office connection fails and you have no redundancy, you can access your data from home or the nearest Wi-Fi enabled point. Because of this, flexible / remote working is easily enabled, allowing you to cut overheads, meet new working regulations and keep your staff happy!

Technical Support
     A good cloud computing provider will offer round the clock technical support. The customers, for instance, are assigned one of our support pods, and all subsequent contact is then handled by the same small group of skilled engineers, who are available 24/7. This type of support model allows a provider to build a better understanding of your business requirements, effectively becoming an extension of your team.

Disaster recovery / backup
   Recent research has indicated that around 90% of businesses do not have adequate disaster recovery or business continuity plans, leaving them vulnerable to any disruptions that might occur. Providers can provide an array of disaster recovery services, from cloud backup (allowing you to store important files from your desktop or office network within their data centers) to having ready-to-go desktops and services in case your business is hit by problems. Don’t have worry about data backup or disaster recovery, as this is taken care of as part of the service. Files are stored twice at different remote locations to ensure that there’s always a copy available 24 hours a day, 7 days per week.

The Potential Risks of Cloud Computing
     The use of cloud computing does pose risks to the enterprise; but if key risks to the business are understood and planed for from the outset, they can be managed. Before moving to the cloud companies should evaluate the below following areas.
  Privileged user access – How will provider control access to our data? How can we be assured they will not abuse that access?
  Regulatory compliance – Our business must adhere to regulatory requirements? How will know if the provider is complying with these requirements?
  Data location and ownership – Once our data is “in the cloud,” where exactly will it reside? Is the provider’s data center located in a jurisdiction in which we don’t currently operate? Do we understand the requirements of that jurisdiction? Do we have contracts with any customers that prohibit our company from storing data in certain jurisdictions? If there is a problem, or legal matter, what rights do we have to that data?
  Data segregation – If the same servers are used to store data from multiple customers, how will be provider ensure other customers cannot see our data – and that we will not see theirs? Can other people access and change our data once it is in the cloud?
  Recovery – Can the cloud go offline? If so, who is responsible for getting it back online? How quickly can that be done? What happens while we are waiting? Could our data be lost in the process? Do recovery capabilities support our obligations to stakeholders and /or customers?
  Investigative support – What happens if we receive a legal hold notice? Will the cloud service provider help us secure the data? How do we know legal holds will be properly processed? What about other types of investigations?
  Long-term viability – If our cloud service provider goes out of business, how do we get our data back? If our provider is a startup, do they have the long-term funding and business model to serve us? And if we are fully leveraging the cloud (SaaS, PaaS and IaaS), do we even have the capability to get the data back? How would we restore our data and applications if we get it back?
 IT general controls – Will our cloud environment be supported by fundamental IT general controls? How do we know the environment is secure? What is our provider doing to protect us from third parties hacking into our data? Can we perform periodic audits of the vendor’s environment? What if we need to perform testing to support Sarbanes-Oxley or other regulatory requirements?
 Unknown cloud services – Dow we know all the cloud services already in use in our organization? Due to increasing consumers (employees’ introducing and adopting technology in the enterprise) of cloud services, business units already may be using these services without IT knowledge – or any thought of data security.

Audit’s Role in the Cloud Computing
     The risks outlined above are generally applicable throughout the cloud computing life cycle, whether an organization is thinking about moving to the cloud, is in the process of implementing a cloud-based solution, or is already working in a cloud environment. (Some companies may be in various stages of all three.) Regardless of which stage your company is in, internal audit is well positioned through its role as an assurance function of the organization to help management and the board identifies and considers the key risks of leveraging cloud computing technology. Internal audit also can help the business determine whether those risks are being appropriately mitigated.

Defining a Cloud Strategy
    Internal audit should engage company management to determine if a cloud computing strategy has been defined and communicated. If not, internal audit may be able to assist management in this process by helping to address the following questions:

What is the business case for moving to the cloud? Organizations need a true understanding of the value they seek to gain by moving to the cloud, and determine if they can fully mitigate or accept the risks associated with working in this environment. Consider the following: Does your organization have a complex application infrastructure? Are your applications no longer supported by the vendor or reliant upon legacy systems? If so, cloud vendors may not be able to support these applications or the servers on which they run. However, if your business looks to become increasingly scalable and efficient while reducing costs, a cloud hosting solution may be appropriate.
Would this decision align with business needs? Before migrating to a cloud environment, companies should determine if such a move would align with their overall business strategy and objectives. Are your IT assets aging or reaching the point of retirement? Is there a strategy in place to reduce the cost of IT assets? If your organization is looking for ways to decrease operational or labor costs, the business may be able to realize some cost benefits by selecting a cloud solution.
    Do we understand the current state of systems and data to be moved to the cloud? It is important to understand what exactly is being moved to the cloud. Would your company be moving sensitive and/or critical data? Will the business be able to continue complying with data retention requirements? Are there other applications or infrastructure that will have to be re-architected from a communications standpoint? Is your transaction volume going to exceed your (or the provider’s) available bandwidth?

Evaluating Vendors
     After weighing the potential benefits and risks of moving to the cloud computing model, the next step is to select the right vendor. Companies are often tempted to leverage the first cloud vendor they identify, or opt for the most popular provider. However, as is the case with any vendor relationship, many risks merit attention to help ensure your organization’s specific risks and controls are addressed. When evaluating potential cloud providers, companies should consider the following questions:

   Who will manage the vendor relationship? Companies that use third-party cloud providers should determine who will act as the liaison between the company and the vendor. This will help to ensure there are clear lines of communication between your company and the vendor’s legal department, IT organizations and account managers.
  How are assets protected? Information is arguably an organization’s most valuable asset – as well as a potential liability. Cloud vendors should be able to describe the internal data security controls in place to protect data – from intellectual property to customer information to internal bank account numbers. Your company should understand how the vendor manages its own security – both physical security and logical security (e.g., access rights, user identification) – by requesting security policies, vulnerability and penetration test results, and attestations on internal control environments. SSAE 16s (new industry standard that replaces the legacy SAS 70) and reports on compliance often provide insight into the vendor’s control environment and any considerations a prospective client might need to address. Where SSAE 16s or other assessment reports are not available, it is still important to determine how you will obtain assurance that the vendor’s security practices meet your business needs.
  How is responsibility divided? Your company needs a clear understanding of which party is operationally responsible for data stored in the cloud. Determine up front who is responsible for monitoring and controlling the servers, applications and data hosted in the cloud. Monitoring activities may include measuring bandwidth, monitoring server performance, applying patches and updates, managing network infrastructure, monitoring backups and providing intrusion detection services. Also, determine who is financially and legally responsible for the data, security and uptime.
  How will moving to the cloud impact disaster recovery planning? Disaster preparedness is growing in priority and significance for businesses of all types. One benefit of a cloud computing model is that many providers guarantee defined uptime and failover capabilities as a component of their business model and signed contract. Your company should request the prospective vendor’s business continuity and disaster recovery plans and determine if they align with your business needs and recovery objectives.
  How does the vendor manage multiple tenants? In the cloud, your data may be stored on the same physical machine with other clients’ data. Your company should know what controls are in place to logically and even physically (whether on separate devices, sectioned off in separate cages or in completely separate bays) separate your data from other clients’ data.
  How would this change the technology environment? Implementing a cloud solution may change your organization’s technology environment, including network topology, interaction between systems and the flow of data. It is necessary for your company to understand which data sits on and flows between which devices. Also, determine who owns each of those components and who is responsible for governing the environment in each step along the way.
 Where is data physically stored? Cloud hosting providers can host data in a variety of locations, and your company should understand where your data will reside. If the vendor hosts data internationally, this may impose additional regulatory, international and ownership risks, depending on the country in which the vendor maintains its servers.
 How do the company’s risks and controls align with the prospective vendor’s? By performing a gap analysis, your company will be able to determine if there are any control or process gaps in place, which may expose your organization to additional risks. Reports on compliance, SSAE 16s or other assessment reports from the vendor can provide additional insight into known deficiencies, operational risks and user control considerations.

Implementing a Cloud Computing Model
      Once due diligence activities are complete, and a cloud service provider that aligns with the company’s strategy, objectives and control framework has been selected, internal audit may shift to evaluating the implementation process. Internal audit can be integral in determining whether the level of planning was adequate to reduce project risk, while also providing independent feedback about the migration process. Internal audit should evaluate implementation activities for adherence to the company’s system development life cycle, project management and change management methodologies. Where deviations from these internal policies, processes and methodologies are required, it should be confirmed that all updates follow expected approval procedures. In addition to ensuring that fundamental cloud computing risk areas have been identified, this evaluation may provide an opportunity for internal audit to help assess the effectiveness of mitigation strategies/controls prior to implementing a cloud computing model.

Questions the business should consider when implementing a cloud computing model include:

  What are the service level and operating level agreements (SLAs and OLAs)? While SLAs and OLAs are important for services hosted internally, these agreements have additional significance when the service is hosted in the cloud. With this objective measurement, there is a defined expectation of the level of service being provided. When the SLAs and OLAs were drafted, was the business involved in the decision-making process, or did IT unilaterally decide what was acceptable? Are there any legal, regulatory or contractual compliance requirements that must be taken into account? As the amount of permitted downtime (or other measure) decreases, the cost to the provider – and presumably, the customer – increases.
  What are our (and our cloud provider’s) compliance responsibilities? There are many legal (e.g., legal hold, e-discovery), regulatory (e.g., Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, the European Union’s Data Protection Directive, UK Data Protection Act, FSA Data Security Guidelines), and contractual compliance requirements that organizations need to consider when moving to the cloud. Outsourcing the hosting of a service to a third party does not change these requirements, which should be incorporated into the contract to provide a solid base for establishing necessary controls. How does the vendor prove compliance with relevant regulatory requirements? How will customers be notified of a security breach?
  How are incidents managed? What is the process for identifying and escalating an issue (e.g., a data breach) in a timely and efficient manner? Are you responsible for initiating contact with the vendor, or does the service provider have proactive monitoring in place so that it knows when something goes wrong? Establishing these basic processes and understanding escalation procedures and expected time to resolution are important.
  Who determines user access rights to data? Depending on the type of service purchased, user provisioning may be automated or manual. If it is a manual process, it may be executed by the organization, the provider or both. Developing and defining a process for all situations, including end users and administrators, is important so that expectations are universally understood. While the process may not be identical to that of your organization’s internally hosted services, the same core principles should exist.
  How often is data backed up? Who is responsible for that process? Depending on the responsibilities defined between your organization and the cloud vendor, backup and recovery processes that formally assign responsibility for monitoring backups; identifying, resolving and escalating errors and failures; and rotating data and media to a separate location for recovery purposes should be defined. If a daily backup routine fails, what happens?
  How will we inform and train end users? As with any significant change to an IT environment, end-user training is critical for ensuring process owners and other users in the organization have adequate knowledge of newly defined processes and fully understand their roles in helping the business to meet data security and compliance expectations.

Monitoring the Vendor

Once your company integrates the planned systems and data into a cloud environment, internal audit may evaluate whether the defined owner is adequately monitoring and controlling the vendor relationship. By this time, the organization should be formally monitoring and reporting on the agreed-upon service levels, while investigating and resolving any variances. As a component of monitoring activities, your company should routinely review any documentation provided by the vendor relating to internal control assessments (whether from SSAE 16s, vulnerability scans or penetration tests). Additionally, internal audit should routinely evaluate regulatory requirements and determine if they are being addressed adequately by the cloud vendor and the company.

In monitoring the cloud vendor relationship, the following should be confirmed:

  How the company’s relationship with the vendor is managed – A single person (i.e., relationship manager) should be identified as the primary point of contact with the cloud provider. That person (and any necessary backups) should regularly communicate with a counterpart at the provider. This existing relationship should be used to address issues that arise with the service (e.g., the breach of an SLA or OLA) and to reach resolution.
  Who is confirming the accuracy of invoices – Prior to being paid, invoices should be reviewed to confirm pricing terms are consistent with the contract and the quantity of services being billed is accurate. Independent reports should be obtained to confirm the accuracy of any quantity on the invoice.
  Whether SLAs and/or OLAs are being monitored and reviewed – Where SLAs and OLAs have been agreed to, they should be recalculated to confirm that the values provided by the cloud vendor are accurate. Additionally, penalties or incentives obtained due to SLA/OLA deviations should be recalculated to confirm the accuracy of the resulting payments and/or credits.
  How contractual control requirements (e.g., regulatory, security, privacy) are being monitored – Contractual control requirements should be evaluated using the means made available through the contract, including “right to audit,” assessment reports (e.g., SSAE 16s, reports on compliance) and other evaluations. These methods should be used as frequently as possible, based on the terms of the contract, and the evaluation should be documented.


Conclusion
   Cloud computing will continue to transform the way organizations manage IT – increasing efficiencies while reducing costs – but there are risks. Proactively identifying and understanding relevant risks before signing a contract and committing to a cloud hosting implementation is essential for success and for ensuring both data security and adherence to compliance demands.

Organizations should establish processes to routinely re-evaluate and monitor risks once the business is working “in the cloud.” Internal audit should consider the risks and controls outlined in this paper and ensure management has evaluated potential risks and taken steps to address them proactively.

Further, it is the responsibility of the chief audit executive to understand the security risks facing the organization, and to work as a conduit to ensure the audit committee understands the risks and how well management is mitigating them.