COMPLIANCE AND AUDIT MANAGEMENT
2) Customers and providers alike need to understand and appreciate the differences and implications on existing compliance and audit standards, processes, and practices.
3) The distributed and virtualized nature of cloud requires significant framework adjustment from approaches based on definite and physical instantiations of information and processes.
4) Cloud has the potential to improve transparency and assurance, through its more centralized and consolidated management platforms.
5) Moreover, the outsourced solutions from cloud providers reduce the scale-dependency of compliance.
6) With providers able to deliver first-day compliant solutions, new firms (for-profit and non-profit) would be able to enter markets and take actions that would have been cost-prohibitive in a pre-cloud era.
7) Governments and other organizations previously reluctant to outsource IT operations due to issues of security and compliance may be more ready to adopt a cloud model, where compliance can be partly addressed through contractual delegation.
8) In addition to providers and customers, regulators and auditors are also adjusting to the new world of cloud computing.
9) A cloud consumer can be challenged to show auditors that the organization is in compliance.
10) Understanding the interaction of cloud computing and the regulatory environment is a key component of any cloud strategy.
Cloud customers must consider and understand the following:
A) Regulatory implications for using a particular cloud service or providers, giving particular attention to any cross-border or multi-jurisdictional issues when applicable
B) Assignment of compliance responsibilities between the provider and customer, including indirect providers (i.e., the cloud provider of your cloud provider)
C) Provider capabilities for demonstrating compliance, including document generation, evidence production, and process compliance, in a timely manner
D) Relationships between customer, providers and auditors (both the customer's and provider's) to ensure required (and appropriately restricted) access and alignment with governance requirements
4.1 Compliance
I) Corporate Governance: the balance of control between stakeholders, directors and managers of an organization providing consistent management, cohesive application of policies, guidance and controls, and enabling effective decision-making.
II) Enterprise Risk Management: methods and processes (framework) used by organizations to balance decision-making based on identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress to protect and create value for their stakeholders.
III) Compliance and Audit Assurance: awareness of and adherence to corporate obligations (e.g., corporate social responsibility, ethics, applicable laws, regulations, contracts, strategies and policies) by assessing the state of compliance, assessing the risks and potential costs of non-compliance against the costs to achieve compliance, and hence prioritizing, funding, and initiating any corrective actions deemed necessary.
1) Information technology in the cloud is increasingly subject to a plethora of policies and regulations.
2) All stakeholders expect organizations to proactively comply with regulatory guidelines and requirements across multiple jurisdictions.
3) IT governance is a necessity to deliver against these requirements and all organizations need a strategy to deliver.
4) Governance includes the processes and policies that enable the smooth execution of organizational objectives within the constraints of the external environment.
5) Governance requires compliance activities to ensure that operations are fully aligned with those processes and policies.
6) In this sense, compliance is focused on aligning with external requirements (e.g., law, regulation, industry standards) while governance is focused on aligning with internal requirements (e.g., board decisions, corporate policy).
7) Compliance can be defined as the awareness and adherence to obligations (e.g., corporate social responsibility, applicable laws, ethical guidelines), including the assessment and prioritization of corrective actions deemed necessary and appropriate.
8) In some environments, particularly those highly regulated, the transparency aspect can even be dominant with reporting requirements getting more attention than compliance itself.
9) In the best circumstances, compliance is not an inhibitor of organizational effectiveness, but a complement to internally determined policies.
10) Regulations typically have strong implications for information technology and its governance, particularly in terms of monitoring, management, protection, and disclosure.
11) IT governance is a supporting element in overall corporate governance, enterprise risk management, compliance, and audit/assurance.
12) Cloud can be an enabling technology for governance and compliance, centralizing control and transparency through its management platforms, particularly for internally managed cloud.
13) By leveraging cloud services, sub-scale organizations can achieve the same level of compliance as much larger and highly resourced entities.
14) Security and assurance services are one way third-parties can play a role in compliance assessment and communication.
15) Any compliance approach will need to include participation across the organization, including IT.
16) The role of external providers needs to be carefully considered, and responsibility for including them in governance, indirectly or directly, should be explicitly assigned within the customer organization.
In addition, the following represent a number of cloud security standards that are in development within ISO/IEC and ITU-T:
I) ISO/IEC 27017: Cloud Computing Security and Privacy Management System - Security Controls
II) ISO/IEC 27036-x: Multipart standard for the information security of supplier relationship management that is planned to include a part relevant to the cloud supply chain
III) ITU-T X.ccsec: Security guideline for cloud computing in telecommunication area
IV) ITU-T X.srfcts: Security requirements and framework of cloud-based telecommunication service environment
V) ITU-T X.sfcse: Security functional requirements for Software as a Service (SaaS) application environment
4.2 Audit
Proper organizational governance naturally includes audit and assurance.
1) Audit must be independently conducted and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards.
2) Both internal and external audit and controls have legitimate roles to play for cloud, for both the customer and provider.
3) Greater transparency may be best during initial stages of cloud introduction, to increase stakeholder comfort levels.
4) An audit is one method to provide assurance that operational risk management activities are thoroughly tested and reviewed.
4.3 Recommendations
When engaging a provider, involve the appropriate legal, procurement, and contracts teams within the customer organization.
1) The standard terms of services may not address compliance needs, and would need to be negotiated.
2) Determine how existing compliance requirements will be impacted by the use of cloud services, for each workload (i.e., set of applications and data), in particular as they relate to information security.
3) Particularly important are chained requirements and obligations – not just between the customer and their direct cloud provider, but between the end customer and the provider’s cloud provider.
4) Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud service types (e.g., geographic requirements may be inconsistent with distributed storage).
5) Customers and providers must agree how to collect, store, and share compliance evidence (e.g., audit logs, activity reports, system configurations).
(a) Prefer auditors that are "cloud aware" and will be familiar with the assurance challenges (and advantages) of virtualization and cloud.
(b) Request the cloud provider’s SSAE 16 SOC 2 or ISAE 3402 Type 2 report. These will provide a recognizable starting point of reference for auditors and assessors.
(c) Contracts should provide for third-party review of SLA metrics and compliance (e.g., by a mutually-selected mediator).
4.4 Requirements
(a) A right to audit clause gives customers the ability to audit the cloud provider, which supports traceability and transparency in the frequently evolving environments of cloud computing and regulation. Use a normative specification in the right to audit to ensure mutual understanding of expectations. In time, this right should be supplanted by third-party certifications (e.g., driven by ISO/IEC 27001/27017).
(b) A right to transparency clause with specified access rights can provide customers in highly regulated industries (including those in which non-compliance can be grounds for criminal prosecution) with required information. The agreement should distinguish between automated/direct access to information (e.g., logs, reports) and 'pushed' information (e.g., system architectures, audit reports).
(c) Providers should review, update, and publish their information security documents and GRC processes regularly (or as required). These should include vulnerability analysis and related remediation decisions and activities.
(d) Third-party auditors should be mutually disclosed or selected in advance, jointly by provider and customer.
(e) All parties should agree to use a common certification assurance framework (e.g., from ISO, COBIT) for IT governance and security controls.