Auditing Cloud Computing: A Security and Privacy Guide
Format: PDF / Kindle (mobi) / ePub
The auditor's guide to ensuring correct security and privacy practices in a cloud computing environment
Many organizations are reporting or projecting a significant cost savings through the use of cloud computing—utilizing shared computing resources to provide ubiquitous access for organizations and end users. Just as many organizations, however, are expressing concern with security and privacy issues for their organization's data in the "cloud." Auditing Cloud Computing provides the guidance needed to build a proper audit that ensures operational integrity and customer data protection, among other aspects, are addressed for cloud-based resources.
- Provides the guidance auditors need to address the security and privacy aspects that, through a proper audit, can provide a specified level of assurance for an organization's resources
- Reveals effective methods for evaluating the security and privacy practices of cloud services
- A cloud computing reference for auditors and IT security professionals, as well as those preparing for certification credentials, such as Certified Information Systems Auditor (CISA)
Timely and practical, Auditing Cloud Computing expertly provides information to assist in preparing for an audit that addresses cloud computing security and privacy, for both businesses and cloud-based service providers.
Sometimes you'll find an acceptable level of risk. Sometimes you'll find the risk is too high and you will need to seek an alternate solution that meets your critical requirements. Either way, your organization can move forward with buy-in from key stakeholders.
THE SYSTEM AND MANAGEMENT LIFECYCLE ONION
Given the layered models around which cloud computing has coalesced, we present the system and infrastructure management lifecycle onion. Why an onion, rather than something more pleasingly
services to be monitored, metered, and used. This makes the driving criteria interoperability and consistency of the service offering (implying a limitation of customization for consumers). For regulators, the implications are the need for the ability to review and validate the policies (constraints) for the service, and audit of the usage in terms of protection and privacy. Associated characteristics are on-demand self-service, and broad network access.
On-Demand Self-Service
From a provider
stakeholders across the organization. BCP and DRP activities should be performed as a formal project, with a project manager and a cross-functional team. An organization may appoint an individual as a BCP and/or DRP coordinator to provide technical leadership. Smaller organizations may consider utilizing a consultant in this role during the initial development, testing, and training of the plans. Other team participants should include engineering, research and development, marketing, supply chain
vacuum; rather, they looked to the best practice framework (COSO) already in place. This allowed the PCAOB the ability to work quickly to set the guidelines and rules for audit; the use of existing best practices allowed for rapid adoption and buy-in. Ease of implementation is important when a security team is looking for widespread adoption of a framework across its business. What was the result? The development of a SOX compliance program and supporting industry, as well as a sense that the