IT Audit in the Cloud

Transcription

1 IT Audit in the Cloud Pavlina Ivanova, CISM ISACA-Sofia Chapter

2 Content: o 1. Introduction o 2. Cloud Computing o 3. IT Audit in the Cloud o 4. Residual Risks o Used Resources o Questions

3 1. ISACA Trust in, and value from, information systems o Information Systems Audit and Control Association - ISACA since1967 o Global organization for information governance, control, security and audit professionals o Over 100,000 members in more than 180 countries o IS auditor, consultant, IS security professional, chief information officer and internal auditor

4 2. Back to the Future o Centralized Computing Architecture, Application Service Providers, Virtual Infrastructure and Thin Client Architectures

5 2. Cloud Computing Benefits o Cost reduction compared to in-house technical environment o Automation increase to limit human mistakes o Architecture flexibility to adopt easier to innovations o Location independence to ensure mobility of web users o Information Technologies Risk and Security Controls transfer o Availability improvement via load balancing o Service continuity ensuring

6 Cloud Service Models o Infrastructure as a Service (SaaS) Access through public/private network of hosted by third party IT Operations (application software, operating systems, infrastructure, etc.) o Platform as a Service (Paas) Deployment onto the cloud infrastructure of customer-created or acquired applications using programming languages/tools supported by the vendor o Software as a Service (SaaS) use vendor s applications that run on the cloud infrastructure

7 Cloud Deployment Models o Private operated for one organization o Community shared by several organizations o Public available to a large industry group o Hybrid composed of two or more clouds (private, community or public) that remain unique entities

8 3.IT Audit in the Cloud o Objectives o o o o Scope o o o Efficiency and effectiveness of the internal IT and Security Controls performed by cloud services provider Customer s internal control deficiencies and dependencies with the cloud service provider Quality and reliability assessment report of cloud services provider internal controls Governance of cloud computing at vendor s and customer s side Contractual compliance between the service provider and customer Security Certification of the Cloud Services (ISO27001, PCI-DSS, SOX)

9 General IT Controls Management o Logical Access Control o Network Security o Software Development o Physical and Environmental Security o Data Confidentiality and Protection o Projects and Changes o Vulnerability and Risks o Incidents and Problems o Security Monitoring (IDS/IPS) o Service Continuity

10 CobiT Cross-reference to the Cloud o Define and Management Service Levels (SLA, support, etc.) o Manage Third-party Services (suppliers, partners, etc.) o Ensure Continuous Service (plan, test, restore, recover) o Preserve Information Security (confidentiality, integrity, availability, non-repudiation, proof) o Manage Service Desk and Incidents (register, classify, solve) o Manage the Configuration (updated configuration register) o Manage Data (backup, restoration, destruction, etc.) o Monitor and Evaluate Internal Control (self assessment) o Compliance with External Requirements (legal, contract)

11 Assessment Deliverables DS5.1 Management of IT Security 5 DS5.11 Exchange of Sensitive Data 4 DS5.2 IT Security Plan DS5.10 Network Security 3 2 DS5.3 Identity Management 1 DS5.9 Malicious Software Prevention, Dectection and Correction 0 DS5.4 User Account Management DS5.8 Cryptographic Key Management DS5.5 Security Testing, Surveillance and Monitoring DS5.7 Protection of Security Technology DS5.6 Security Incident Definition Assessment Target

12 4.Residual Risks for Review o Contractual clauses made in interest more for the provider o Provider s connectivity to customer s data security systems o Missing customer s audit clauses o Stored by the provider data encryption keys o Missing or limited access to vendor s audit logs o Weak vendor s change and patch management procedures o Missing or unclear vendor s incident response procedures o Poor or missing physical control of data assets o Personnel Security at a low level

13 Additional Information: o ISACA/ Cloud Computing Management Audit/Assurance Program, 2010 o ISACA/ CobiT v 4.1.;5 o SAS 70 - ISO/IEC 27002:2005 o NIST/ Cloud Computing Forum & Workshop, 2010 o GAO/Information Security Government wide Guidance Needed to Assist Agencies in Implementing Cloud Computing, 2010 o Vmware / VMware vcloud v 1.6, 2009

14 Questions

15 Thank you!