Ben Halpert | Reviewed by Larry Marks, CISA, CISM, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP
Dr. Philip Cao
Dr. Philip Cao (aka #DrTekFarmer), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP is a Strategist, Advisor, Contributor, Educator and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 23 years’ experience in IT/Cybersecurity industry in various sectors & positions.
English
Besides the generic approach to minimizing risk to the organization through a careful review of the contract, supporting appendices and service level agreements (SLAs), and white papers published by the cloud provider, Auditing Cloud Computing recommends that the auditor supplement the review by first identifying the type of cloud that is being contracted. The author suggests that the auditor’s approach cover:
Specifically, Auditing Cloud Computing points to risk related to cloud computing, which enables readers to do a deep dive on business continuity processing for the application. The book further emphasizes the importance of questions on where the data are located, given that business is of a global nature and many countries have their own data privacy requirements. The book recommends that the auditor not shy away from hard questions and ask the questions that matter (e.g., Does the provider regularly back up all data to tape and store it offsite? Can the customer approve any maintenance, updates or changes?). There are usage scenarios to be considered within the context of the cloud that the auditor has to ask as part of due diligence (e.g., When the organization wants to move away from this cloud service, how does it deprovision and transition assets out of the cloud vendor to another location for another context?).
The auditor needs to view the venture and IT risk from a business point of view, not just as boxes on a checklist. Some questions to ask are obvious, such as those regarding the risk to the enterprise if the vendor were to go bankrupt or not be able to continue servicing the client. But high-level business and control questions grouped around categories of governance need to be asked as well. The book also recommends that the checklist the auditor uses to guide the review not be locked in to a style of cloud, deployment model or type of customer. The auditor must have the vision and perform due diligence to ask questions that may not have an answer, and enterprises should be cautious of the questions for which there is no answer.
The book provides an overview of cloud deployment models and other cloud concepts so that the reader has a proper foundation on cloud basics. It does not require that readers have an understanding of cloud computing concepts. The book also provides real-life scenarios that auditors may encounter. Auditing Cloud Computing serves as a practical guide that can apply to other cloud possibilities that any employer may consider.
Editor’s Note
Auditing Cloud Computing: A Security and Privacy Guide is available from the ISACA Bookstore. For more information, visit www.isaca.org/bookstore, email [email protected] or telephone +1.847.660.5650.
Reviewed by Larry Marks, CISA, CISM, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP, who has extensive experience in implementing IT processes, policies and technology regarding internal controls and information security in the financial services, insurance, health care and telecommunications industries.
[ISACA Journal]