Thursday, August 8, 2013

CCSK Study - Domain 4: Compliance and Audit Management

Notes
  • Corporate Governance: The balance of control between stakeholders, directors and managers that provides consistent management, cohesive application of policies, and effective decision making.
  • Enterprise Risk Management: The methods and processes (frameworks) an organization uses to make decisions that weigh risks against opportunities.
  • Compliance and Audit Assurance: Awareness of, and demonstrable adherence to, the organization's legal, regulatory and contractual obligations.
  • Audit
    • A key component of any proper organizational governance strategy
    • Should be conducted independently of the function being audited
    • Should be robustly designed
    • Should take the cloud into consideration
      • The scale of the provider and the services it delivers (the customer may not be able to inspect shared infrastructure directly)
  • Recommendations
    • Understand that audit processes change when moving to the cloud
    • Understand the contractual responsibilities of each party
    • Determine how existing compliance requirements will be impacted by the use of cloud services
      • Who does what?
    • Be careful with personally identifiable information (PII); know where it is stored and processed and which privacy regulations apply
    • Customers and CSPs must agree on how to collect, store, and share compliance evidence
      • Select auditors that are "cloud aware"
      • Request a SOC 2 Type 2 or ISAE 3402 Type 2 report (note that SSAE 16 itself governs SOC 1 reports on controls relevant to financial reporting; a SOC 2 covers security, availability, processing integrity, confidentiality and privacy, which is usually what the customer needs)
      • Understand how audits will be conducted and how much of the provider's environment they actually cover
  • Requirements
    • Ensure a "right to audit" clause
      • The audit framework may be adapted to use third-party frameworks such as ISO/IEC 27001, COBIT, etc.
    • Ensure a "right to transparency" clause
      • Should include provisions for automatically generated information such as logs and reports, and for pushed information such as diagrams, architectures and schematics
    • Mutually selected third-party auditors
    • Agreement on a common certification/assurance framework (ISO/IEC, COBIT, etc.)
Summary
I'm glad this was a short section!  I think that the definitions used in this section are fairly common and apply to any organization, not just one using the cloud.  The points made in this section seem fairly straightforward.  Basically, make sure the audit process takes the cloud into account.  Make sure that you have provisions in your contract that allow you to be compliant and force the CSP to do its share.  All these things should be discussed up front with the CSP, and the risks/benefits should be weighed if the contract is just a "click-wrap" or non-negotiable.