Day: October 1, 2015

Auditing Cloud Computing offers an independent supplement to Security Considerations for Cloud Computing, part of ISACA’s Cloud Computing Vision Series, which provides guidance to the auditor on how to help IT and business professionals who are considering the possibility of moving to the cloud.

Besides the generic approach to minimizing risk to the organization through a careful review of the contract, supporting appendices and service level agreements (SLAs), and white papers published by the cloud provider, Auditing Cloud Computing recommends that the auditor supplement the review by first identifying the type of cloud that is being contracted. The author suggests that the auditor’s approach cover:

• Cloud-based governance of enterprise IT (GEIT)
• Cloud-based IT service delivery and support
• System and infrastructure life cycle management for the cloud
• Global regulation and cloud computing
• Business continuity and disaster recovery

Specifically, Auditing Cloud Computing points to risk related to cloud computing, which enables readers to do a deep dive on business continuity processing for the application. The book further emphasizes the importance of questions on where the data are located, given that business is of a global nature and many countries have their own data privacy requirements. The book recommends that the auditor not shy away from hard questions and ask the questions that matter (e.g., Does the provider regularly back up all data to tape and store it offsite? Can the customer approve any maintenance, updates or changes?). There are usage scenarios to be considered within the context of the cloud that the auditor has to ask as part of due diligence (e.g., When the organization wants to move away from this cloud service, how does it deprovision and transition assets out of the cloud vendor to another location for another context?).

The auditor needs to view the venture and IT risk from a business point of view, not just as boxes on a checklist. Some questions to ask are obvious, such as those regarding the risk to the enterprise if the vendor were to go bankrupt or not be able to continue servicing the client. But high-level business and control questions grouped around categories of governance need to be asked as well. The book also recommends that the checklist the auditor uses to guide the review not be locked in to a style of cloud, deployment model or type of customer. The auditor must have the vision and perform due diligence to ask questions that may not have an answer, and enterprises should be cautious of the questions for which there is no answer.

The book provides an overview of cloud deployment models and other cloud concepts so that the reader has a proper foundation on cloud basics. It does not require that readers have an understanding of cloud computing concepts. The book also provides real-life scenarios that auditors may encounter. Auditing Cloud Computing serves as a practical guide that can apply to other cloud possibilities that any employer may consider.

Editor’s Note

Auditing Cloud Computing: A Security and Privacy Guide is available from the ISACA Bookstore. For more information, visit www.isaca.org/bookstore, email bookstore@isaca.org or telephone +1.847.660.5650.

Reviewed by Larry Marks, CISA, CISM, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP, who has extensive experience in implementing IT processes, policies and technology regarding internal controls and information security in the financial services, insurance, health care and telecommunications industries.

[ISACA Journal]

Many students and young professionals want to know which topics they should master in the information security field. The answer is contained in the two volumes of theComputer Security Handbook, which has 75 chapters, written by industry professionals. The sixth edition provides an update to the content of each chapter while maintaining the structure of the previous edition, which was released in 2009.

The book covers the 10 domains of the Common Body of Knowledge by the International Information Systems Security Certification Consortium, Inc., (ISC)². It is divided into eight parts, starting with the foundations of computer security and going from the typical security life cycle to the identification of preventive measures, which may be both technical and organizational. In case preventive measures have been bypassed or breached, readers can focus on the sections about detecting security breaches and preparing for response and remediation. The handbook also covers management’s role in security, public policy and other related considerations. Because of the way this book is written, understanding these topics requires minimal technical knowledge.

In the era of Wikipedia and Google, one might ask whether there is any need for reference work such as this book. Indeed, it is possible get an overview of most of the topics mentioned in this book, including biometric authentication or business continuity planning, just by surfing the Internet, but it might be a bit harder to find comprehensive articles on issues such as using social psychology to implement security policy or other complex topics covered by this book.

One shortcoming of this handbook is that it tends to focus primarily on US laws, regulations and standards (e.g., US legal and regulatory security issues, working with law enforcement). However, it does provide some coverage of the European legal framework. Another shortcoming is that for some topics, readers may need to jump from chapter to chapter to get a full understanding of the subject. This happens, for instance, with discussions on operating systems such as Microsoft Windows or Unix. To facilitate this process, readers can refer to the index at the end of volume 2.

In a business world where security professionals are required to master—in breadth and in depth—a wide range of security-related technologies, methodologies and techniques, having a sound and trustworthy point of reference to guide them through the variety of topics and expertise required is essential. Computer Security Handbook, with its more than 2,000 pages and abundance of referential material, is just the right book for the job.

Editor’s Note

Computer Security Handbook, 6^th Edition is available from the ISACA Bookstore. For information, visitwww.isaca.org/bookstore, email bookstore@isaca.org or telephone +1.847.660.5650.

Reviewed by Dino Ippoliti, CISA, CISM, an expert consultant at inspearit. He has been a practitioner in information and computer security, IT system auditing, and software and system engineering process improvement for more than 17 years in multiple industries. Ippoliti is a member of the ISACA Publications Subcommittee and a mentor in ISACA’s Pilot Mentoring Program.

[ISACA Journal]