How to Audit Outsourced IT Environments?

- What are the challenges when auditing outsourced IT environments?
- How to include outsourced IT environments in your audit?

Rob Kloots, CISA CISM CRISC
Owner, TrustingtheCloud
CSA-BE volunteer

Berlin, June 2012
Topics

- Key Cloud Security Problems
- The GRC Stack
- CSA Guidance Research
- Transparency
- Cloud Controls Matrix (CCM)
- CCM: 98 Controls
- Guidance
- The CAI Questionnaire
- CloudAudit Objectives & Alignment
Key Cloud Security Problems

From CSA Top Threats Research:

- Trust: lack of provider transparency, which impacts Governance, Risk Management, Compliance, and the capture of real value
- Data: leakage, loss, or storage in unfriendly geography
- Insecure cloud software
- Malicious use of cloud services
- Account/service hijacking
- Malicious insiders
- Cloud-specific attacks
The GRC Stack
Provides trust in the Cloud

The GRC Stack diagram has three columns, each with a heading and the element it delivers:

- Needs and Claims: Security Requirements and Capabilities
- Evidence and Assurance: Security Transparency and Visibility
- Payoffs and Protection: Compliance and Trust

Delivering evidence-based confidence with compliance-supporting data & artifacts.
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack

Each stack pack, what it delivers, and its description (the stack pack logos are not reproduced here):

- Continuous monitoring with a purpose: a common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
- Claims, offers, and the basis for auditing service delivery: a common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
- Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist
- The recommended foundations for controls: fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider
A Headstart for Control and Compliance
Forged by the Global Marketplace; Ready for All

The slide is a table with three columns (Professional, Government, Commercial) and a legend distinguishing "In place" from "Offered"; the legend marks themselves are not reproduced here. Per stack pack:

- Continuous monitoring with a purpose
  Government: ???
  Description: common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers

- Claims, offers, and the basis for auditing service delivery
  Government: ???
  Description: common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

- Pre-audit checklists and questionnaires to inventory controls
  Government: FedRAMP, DIACAP, other C&A standards
  Description: industry-accepted ways to document what security controls exist

- A recommended foundations for controls
  Professional: SSAE SOC2 control assessment criteria
  Government: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, ...
  Description: fundamental security principles in assessing the overall security risk of a cloud provider
CSA Guidance Research

Popular best practices for securing cloud computing: 14 domains of concern, in governing and operating groupings, with Transparency shown as a label spanning all of them.

Cloud Architecture

Governing the Cloud:
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability

Operating in the Cloud:
- Security, Business Continuity, and Disaster Recovery
- Data Center Operations
- Incident Response, Notification, Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization
Transparency

[Figure: Transparency. Source: NIST SP500-291-v1.0, p. 42, Figure 12]
Cloud Controls Matrix (CCM)

Leadership Team:
- Becky Swain, EKKO Consulting
- Philip Agcaoili, Cox Communications
- Marlin Pohlman, EMC, RSA
- Kip Boyle, CSA

Versions: v1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), v2.0 (2012)

Controls baselined and mapped to:
- COBIT
- BITS Shared Assessments
- HIPAA/HITECH Act
- Jericho Forum
- ISO/IEC 27001-2005
- NERC CIP
- NIST SP800-53
- FedRAMP
- PCI DSS v2.0
CCM: 98 Controls

[Figure: CCM control listing]

CCM: 98 Controls (cont.)

[Figure: CCM control listing, continued]

CCM: 98 Controls (cont.)

[Figure: CCM control listing, continued]

CCM: 98 Controls (cont.)

[Figure: CCM control listing, continued]

Control Matrix >> Guidance >> ISO

[Figure: mapping from Control Matrix to Guidance to ISO]

The CAI Questionnaire

[Figure: CAI Questionnaire]
Sample Questions to Vendors

Compliance - Independent Audits (CO-02):
- CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
- CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
- CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
- CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
- CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
- CO-02f - Are the results of the network penetration tests available to tenants at their request?
- CO-02g - Are the results of internal and external audits available to tenants at their request?

Data Governance - Classification (DG-02):
- DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
- DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)?
- DG-02c - Do you have a capability to use system geographic location as an authentication factor?
- DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?
- DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
CloudAudit Objectives

- Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments.
- Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology.
Aligned to CSA Control Matrix

- CloudAudit was officially folded under the Cloud Security Alliance in October 2010.
- First efforts aligned to compliance frameworks as established by the CSA Control Matrix:
  - PCI DSS
  - NIST 800-53
  - HIPAA
  - COBIT
  - ISO 27002
- Incorporate CSA's CAI and additional CompliancePacks.
- Expand alignment to infrastructure- and operations-centric views also.
Holistic approach around controls

[Figure: Cloud Controls Matrix overview]

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

... and Architecture best practices

[Figure: architecture best practices mapped to the Cloud Controls Matrix]

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
Any Questions?

Rob Kloots, CISA CISM CRISC
Owner, TrustingtheCloud
CSA-BE volunteer

M: +32.499-374713
E: rob.kloots@trustingthecloud.eu
