Auditing & Assessing The Risk Of Cloud Service Providers (Auditworld 2015, Kuala Lumpur)

Posted on 13-Apr-2017

Page 1: Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 Kuala Lumpur

Auditing & Assessing The Risk Of Cloud Services Providers

Speaker: Alan Yau Ti Dun, CISA, CISM, CGEIT, CRISC, CISSP, CSXF, ITIL
ISACA Malaysia, Director 2015/2016
ISACA Malaysia, Special Interest Group 1, Cybersecurity

Page 2

When weighing options for increasing enterprise computing capabilities or seeking ways to improve IT operational efficiency, the prevailing method is to integrate an external IT services vendor, commonly referred to as a cloud service provider (CSP). There is a high probability that audit clients will engage this CSP service to manage their IT needs. Learn how to cope with the audit and risk assessment challenges related to this emerging technology trend in this key session.

• Understanding the various Cloud Service Levels and Implementation Types
• Identifying Compliance, Service Level Agreement and other important duties each party must perform
• Understanding the complexities of auditing internal controls, data security, privacy and performance related to cloud
• Mitigating the underlying business risks associated with adopting a cloud-based IT model

Page 3

1. Implementation Types
2. Compliance
3. Service Level Agreement
4. Complexities of Auditing

Page 4

• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services).

• Enhances collaboration, agility, scaling, and availability
• Reduces cost through optimized and efficient computing
• Components can be rapidly provisioned and scaled up or down

1. Implementation Types

Page 5

1. Implementation Types

NIST defines cloud computing by describing:

• five essential characteristics,
• three cloud service models,
• four cloud deployment models.

They are summarized in visual form in Figure 1 and explained in detail below.

Page 6

Page 7

2. Compliance

The ISO/IEC 27002, section 6.2, “External Parties” control objective states: “…the security of the organization’s information and information processing facilities should not be reduced by the introduction of external party products or services…”

Page 8

• Managing Cyber Risks Circular (31 July 2015)
• Distributed Denial of Service Attack (2011)
• Circular on Managing Inherent Risk of Internet Banking Kiosk (2011)
• Guidelines on the Provision of E-Banking Services by Financial Institutions (2010)
• Guideline On Data Mgmt. and MIS Framework
• Guidelines on Management of IT Environment aka (GPIS) (2004)

• Industry Communication On Steps To Enhance Cybersecurity Measures (27 Feb 2015)
• Guidance Note On Cybersecurity (30 January 2014)
• Directives On The Participating Organizations’ Disaster Recovery Code And The IT Security Code (2013)

ASSURANCE REQUIRED BY REGULATOR

Page 9

• SLAs will differ across providers, and there is a need to understand how this may affect your ability to change providers.

• Security departments should be engaged during the establishment of Service Level Agreements (SLAs) and contractual obligations to ensure that security requirements are contractually enforceable.

• Establish SLAs that require the inheritance of employment security obligations and responsibilities by service level.

• The ability to access logs, especially in a shared public cloud, is more difficult and should be specified as part of the service level agreement.

• Providers should supply secured logging of internal operations for service level agreement compliance.

• Another important element is storage: Standard Storage, Extended Storage and Preservation of Storage.

3. Service Level Agreement

Page 10

• An adequate and reasonable level of assurance completes the security perspective when combined with governance and management.

• Assurance ensures that cyber security is designed, implemented, maintained and transformed in a manner consistent with all aspects of Governance, Risk and Compliance.

• To provide assurance, a comprehensive set of controls that covers risk and management processes is required.

• Review is required to validate that the controls are designed and operating effectively.

• The audit and review universe is distributed across all three lines of defense, which provides the required degree of independence.

4. Complexity of Auditing

Page 11

Page 12

• Include all control sets, management practices and GRC provisions in force.

• Can be extended to third parties where the contract includes audit rights.

• Keep within the right boundaries:

  - Corporate sphere of influence vs private sphere of controls.

  - Private Cloud vs Public Cloud.

  - Corporate sovereignty vs legal provisions.

Page 13

Page 14

• Can range from high-level governance reviews to technical reviews.

• Needs to be defined clearly and concisely.

• Consider time and effort.

• Audit objectives are best defined in line with the governance and management activities defined for your enterprise.

• For complex audits, the underlying audit program may span several years.

Page 15

• Legal consideration

• Privacy and data protection

• Logging, data retention and archiving

• Audit data storage and archiving should be within the standard criteria:

  - Confidentiality

  - Integrity

  - Availability

Page 16

Page 17

Page 18

Page 19

Page 20

TRANSFORMING CYBERSECURITY – COBIT 5

Eight Key Principles:

1. Understand the potential impact of cybercrime and warfare on your enterprise.
2. Understand end users, their cultural values and their behavior patterns.
3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.
4. Establish cybersecurity governance.
5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)
6. Know the cybersecurity assurance universe and objectives.
7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)
8. Establish and evolve systemic cybersecurity.

Page 21

CYBERSECURITY ASSURANCE – COBIT 5

Page 22

APO03 MANAGE ENTERPRISE ARCHITECTURE (ARCHITECTURE REVIEW)

Page 23

SUMMARY

• Understand Cloud from a cybersecurity viewpoint, taking a holistic, organizational perspective
• Understand the approach to Cloud Security Assurance
• Develop audit programmes by identifying risks and relevant controls
• Know how to test controls related to Cloud Security

Page 24

THANK YOU

Jointly Organised By: