Ben Halpert | Reviewed by Larry Marks, CISA, CISM, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP
Auditing Cloud Computing offers an independent supplement to Security Considerations for Cloud Computing, part of ISACA’s Cloud Computing Vision Series, which provides guidance to the auditor on how to help IT and business professionals who are considering the possibility of moving to the cloud.
Besides the generic approach to minimizing risk to the organization through a careful review of the contract, supporting appendices and service level agreements (SLAs), and white papers published by the cloud provider, Auditing Cloud Computing recommends that the auditor supplement the review by first identifying the type of cloud that is being contracted. The author suggests that the auditor’s approach cover:
Cloud-based governance of enterprise IT (GEIT)
Cloud-based IT service delivery and support
System and infrastructure life cycle management for the cloud
Global regulation and cloud computing
Business continuity and disaster recovery
Specifically, Auditing Cloud Computing points to risk related to cloud computing, which enables readers to do a deep dive on business continuity processing for the application. The book further emphasizes the importance of questions on where the data are located, given that business is of a global nature and many countries have their own data privacy requirements. The book recommends that the auditor not shy away from hard questions and ask the questions that matter (e.g., Does the provider regularly back up all data to tape and store it offsite? Can the customer approve any maintenance, updates or changes?). There are usage scenarios to be considered within the context of the cloud that the auditor has to ask as part of due diligence (e.g., When the organization wants to move away from this cloud service, how does it deprovision and transition assets out of the cloud vendor to another location for another context?).
The auditor needs to view the venture and IT risk from a business point of view, not just as boxes on a checklist. Some questions to ask are obvious, such as those regarding the risk to the enterprise if the vendor were to go bankrupt or not be able to continue servicing the client. But high-level business and control questions grouped around categories of governance need to be asked as well. The book also recommends that the checklist the auditor uses to guide the review not be locked in to a style of cloud, deployment model or type of customer. The auditor must have the vision and perform due diligence to ask questions that may not have an answer, and enterprises should be cautious of the questions for which there is no answer.
The book provides an overview of cloud deployment models and other cloud concepts so that the reader has a proper foundation on cloud basics. It does not require that readers have an understanding of cloud computing concepts. The book also provides real-life scenarios that auditors may encounter. Auditing Cloud Computing serves as a practical guide that can apply to other cloud possibilities that any employer may consider.
Reviewed by Larry Marks, CISA, CISM, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP, who has extensive experience in implementing IT processes, policies and technology regarding internal controls and information security in the financial services, insurance, health care and telecommunications industries.