
Page 1: 2nd IIA / ISACA Zambia 2015 Governance, Risk and Control ... · PDF file2nd IIA / ISACA Zambia 2015 Governance, Risk and Control (GRC) Conference ... and developers creating new customer-

Francis Kabaso

Thursday, 27 August 2015

Zambezi Sun International Hotel

Livingstone, Zambia

2nd IIA / ISACA Zambia 2015 Governance, Risk and Control (GRC) Conference

Cloud Computing: Governance, Risk and Control

Page 2:

Agenda

Cloud Computing: What is it?

Cloud Computing Service Models

Cloud Computing Deployment Models

Cloud Computing Feasibility

Cloud Computing Benefits

Cloud Computing Challenges

Cloud Computing Risks in Business Terms

Cloud Outsourcing Lifecycle

Company XYZ SaaS Cloud Strategy Adoption: Risk-Based Audit Assurance using Risk IT and COBIT

Conclusions and Recommendations

Q&A

Page 3:

Cloud Computing: What is it?

Gartner defines cloud computing as a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service to external customers using Internet technologies.

Utility Computing refers to the ability to meter the offered services and charge customers for exact usage.

The five attributes of cloud computing (Gartner, 2016) are:

Service-based

Elastic and Scalable

Shared

Metered by Use (Fixed, Subscription, Pay-As-You-Go and Fee Plans)

Uses Internet Technologies / Self-Service

Page 4:

Cloud Computing Service Models

Infrastructure-as-a-Service (IaaS) is a standardized, highly automated offering, where compute resources, complemented by storage and networking capabilities, are owned and hosted by a service provider and offered to customers on-demand (Gartner, 2015).

The Platform-as-a-Service (PaaS) offering, usually depicted in all-cloud diagrams between the SaaS layer above it and the IaaS layer below, is a broad collection of application infrastructure (middleware) services (including application platform, integration, business process management and database services) (Gartner, 2015).

Software-as-a-Service (SaaS) is software that is owned, delivered and managed remotely by one or more providers. The provider delivers software based on one set of common code and data definitions that is consumed in a one-to-many model by all contracted customers at any time on a pay-for-use basis or as a subscription based on use metrics (Gartner, 2015).

Data-as-a-Service (DaaS) for Business empowers businesses to use data as a standalone asset and connect with partner data to make smarter decisions. DaaS offers the variety, scale, and connectivity in the industry including cross-channel, cross-device, and known and anonymous data (Oracle, 2015).

Page 5:

Cloud Computing Deployment Models

Private Cloud is a form of cloud computing that is used by only one organization, or that ensures that an organization is completely isolated from others. On-premise cloud is an example of private cloud; not all private clouds are on-premise (Gartner, 2015).

Self-service agility, Standardization, IT as a Business, Chargeback (Usage Metering)

Public Cloud computing uses internet technologies to support customers that are external to the provider’s organization (Gartner, 2015).

Increased flexibility (elastic and scalable), Economies of Scale / Reduced Unit Cost

Hybrid Cloud refers to policy-based and coordinated service provisioning, use and management across a mixture of internally and externally controlled cloud services (Gartner, 2015).

Cost for Peak Loads, Flexibility for Peak Loads

Community Cloud is a shared (multi-tenancy) cloud computing service environment that is targeted at a community with similar computing concerns (Gartner, 2015).

Mission, Policy, Security, Privacy, Performance and Compliance requirements.

Page 6:

Feasibility

“Cloud computing has reached an inflection point for enterprises — a comprehensive strategy for broad adoption and use is now required. Until now, most companies had adopted public cloud services in an ad hoc fashion, driven mostly by business leaders and developers creating new customer-facing systems that corporate IT could not deliver quickly enough” (Forrester Research, 2015).

Page 7:

Feasibility …. Cont’d

An ever more complex, global and connected world (truly CNN’s Becky Anderson Connect the World)

Fast-paced technological era of The Big Five Trends: Cloud, Social, Mobile, Commoditization and Big Data

Nexus of Forces (Internet of Things (IoT), Information Society, Social Media, Big Data, Cloud and Enterprise Mobility)

From technology-centric to business-centric organizations. From BYOD to BYOx. It’s about CHOICE!!!

Virtualization / Compartmentalization and Consolidation

Era of customer choice; failure to give customers choice can mean doom to your business

Page 8:

Feasibility …. Cont’d

Industries and companies of all sizes can connect to customers directly using the latest innovations in mobile, social, and cloud technology

Cloud Computing is not just a good idea but THEE Good Idea

Cloud Applications, Platforms and Business Services are now used as strategic resources in the business technology portfolio.

Cloud-based services are being offered as a Utility or Commoditized Service

Caveat: Business must strike the right balance between Agility, Efficiency, Security, Compliance and Integration for a successful cloud strategy

Cloud Computing has moved beyond the pure hype stage and into the beginning of mainstream adoption

Page 9:

Feasibility …. Cont’d

The technology of Cloud-based Services offered as a Utility is becoming mature

Mature B2B, B2P, B2C, C2C and P2P Cloud platforms and solution offerings available:

Examples of Cloud-Service Providers:

salesforce.com. Leading provider of CRM in the enterprise cloud ecosystem

Oracle Fusion Applications. Oracle ERP in the Cloud (Financials, GRC, HCM, SCM, Procurement, CRM, PPM). Runs On-Premise, in a hosted environment or through a mix of each option. Oracle’s claim of the New Standard for Business

Microsoft Online Services (Data and Insights, Cloud Platform, Enterprise Social & Productivity, Mobility, Cybersecurity and Piracy, Email, Collaboration and Conferencing). Office 365, Exchange, SharePoint, Skype for Business, Project, Visio, Yammer, Power BI, Dynamics CRM

Page 10:

Feasibility …. Cont’d

Examples of Cloud-Service Providers:

Amazon Elastic Compute Cloud (EC2). A Web service that provides resizable compute capacity in the cloud. EC2 changes the economics of computing by allowing you to pay only for capacity that you actually use.

PayPal is a cloud payment service providing Person-to-Person (P2P) card-based payment services

Google Cloud Platform Services - SQL and NoSQL, IaaS (Virtual Machines), PaaS, Application Services, Big Data Solutions and Object Storage

KYC Managed Services: Managed Service Model and Shared Utility Service Model such as SWIFT’s KYC Registry used for KYC compliance due diligence management in the financial sector

Page 11:

Feasibility …. Cont’d

Examples of Cloud-Service Providers:

SWIFT Alliance Lite2 provides a cloud-based connection to the SWIFT network and related applications and services

Alliance Lite2 meets the needs of lower volume SWIFT customers, including banks, corporates, investment and funds managers, and brokers/dealers. Alliance Lite2 brings the following benefits:

Little upfront investment

Minimized operational costs and overheads

Connect directly to SWIFT without a third party

No SWIFT infrastructure maintained at your site

N.B. Lower volume SWIFT customers are those that send and receive up to 10,000 messages per day with standard throughput expectations.

Page 12:

Benefits

Organizations move from traditional IT infrastructure models to Cloud Computing for many reasons:

Economics of the Cloud. Four distinct mechanisms through which these cost savings are generated:

Lower opportunity cost of running technology

Cloud Computing provides a shift from the CapEx to the OpEx model. Cloud Computing typically provides outsourcing leasing options.

Lowering total cost of ownership (TCO) of technology (Full Life Cycle Costs of IT investment over a predefined period)

Focus on core business and competencies. Strong Business and Customer Focus overcomes the inherent organizational inability to quickly respond to changing business circumstances

Probably one of the only strategies able to keep up with the pace of rapid technological change

Real Benefit is Agility (adjusting quickly) and speed (of deployment)

Page 13:

Challenges

The adoption of the Cloud Computing model creates an enormous threat landscape that poses all sorts of strategic, financial, regulatory and operational challenges.

Strategic: The Cloud Service Provider has little understanding of the organization’s business

Financial: Hidden costs arising from unexpectedly high ‘extras’ to the contract

Regulatory: Comply with diverse regulations across different jurisdictions

Operational: The service levels are not as good as anticipated

Page 14:

Challenges

Efficiency, effectiveness, confidentiality, integrity, availability, reliability and compliance

Loss of Operational and Security Control

Reliance on Third Party Cloud Service Providers

Switchover Costs / Cost of Transition

Uncertainty of Long Term Benefits

Privileged User Access

Regulatory Compliance

Privacy Issues / Personal Identifiable Information (PII) Protection

Data Location

Data Segregation because of co-location/multi-tenancy

Business Continuity and Recovery

Investigative Support

Long-term viability of the Cloud Service Providers

Data Security: Data-at-rest, Data-in-Process and Data-in-Transit

In this part of the world, bandwidth, performance and reliability considerations are real

The IT Audit Universe has just grown a whole lot bigger. Audit coverage includes aspects that may not be directly under the control of the organization

Page 15:

Cloud Computing Risks in Business Terms

IT-related events and conditions could potentially impact the business. IT risk is pervasive and a component of the overall risk universe of the enterprise.

Enterprise Risk: Strategic Risk, Environmental Risk (Internal and External), Market Risk, Credit Risk, Operational Risk, Compliance Risk

In many enterprises (and dangerously so), IT-related risks are considered as part of operational risks, e.g. in the financial industry in the Basel II framework.

Prolonged downtime of the core business cloud system can inflict huge and irreparable reputational damage on an organization.

Figure 1. Examples of IT-related risks expressed in Business Terms

Page 16:

Cloud Outsourcing Lifecycle

Phase 1: Business Case

Phase 2: Due Diligence

Phase 3: Establishing vendor engagement

Phase 4: Ongoing monitoring and review

Phase 5: Evaluate the relationship

Page 17:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Map Risk IT Framework IT risk scenarios and COBIT Processes to establish an end-to-end comprehensive view of risk types (Figure 2).

Prepare a risk-based audit programme (Tables 1 to 8) for the high-risk areas in Figure 2.

Analyse and Evaluate All Mapped Risks:

Risk Consequence: Negligible, Minor, Major, Significant, Catastrophic

Risk Likelihood: Rare, Unlikely, Probable, Likely, Very Likely

Risk Rating = Consequence/Impact x Likelihood/Frequency: Very Low, Low, Medium, High and Very High

Prepare Risk Heat Map (Figure 3).

Prioritise high risks (Figure 4) and recommend appropriate risk treatment.

Residual Risk = Inherent Risk (Risk IT) – Controls (COBIT)

Risk treatment actions by Company XYZ: Additional mitigating controls, Transfer, Avoidance and Acceptance of risks.
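The scoring, heat-map and prioritisation steps above, worked through in code. This is an added example and not the presentation's or ISACA's own tooling: the scenario numbers, names and mapped COBIT control objectives follow Figure 2, while the consequence and likelihood ratings, the banding of the 1 to 25 product onto the five rating labels, the control-effectiveness values and the treatment mapping are constructed assumptions.

```python
"""Risk IT / COBIT-style risk scoring for the Company XYZ SaaS scenarios.

Added example (not from the presentation or ISACA). Scenario numbers,
names and mapped COBIT control objectives follow Figure 2; the
consequence/likelihood ratings, score bands, control-effectiveness
values and treatment mapping are constructed assumptions.
"""
from dataclasses import dataclass

# Five-point ordinal scales exactly as listed on the slide (positions 1..5).
CONSEQUENCE = ["Negligible", "Minor", "Major", "Significant", "Catastrophic"]
LIKELIHOOD = ["Rare", "Unlikely", "Probable", "Likely", "Very Likely"]

# Assumed banding of the 1..25 product (Consequence x Likelihood) onto the
# slide's five rating labels.
BANDS = [(1, 2, "Very Low"), (3, 5, "Low"), (6, 10, "Medium"),
         (11, 16, "High"), (17, 25, "Very High")]

# Assumed mapping from the residual rating to the slide's treatment options.
TREATMENT = {"Very High": "Avoidance or Transfer",
             "High": "Additional mitigating controls",
             "Medium": "Acceptance with monitoring",
             "Low": "Acceptance", "Very Low": "Acceptance"}


def scale_index(scale, label):
    """1-based position of a label on an ordinal scale; unknown labels are
    rejected rather than silently scored as zero."""
    if label not in scale:
        raise ValueError(f"{label!r} is not on the scale {scale}")
    return scale.index(label) + 1


def risk_score(consequence, likelihood):
    """Risk Rating = Consequence/Impact x Likelihood/Frequency, as a 1..25 product."""
    return scale_index(CONSEQUENCE, consequence) * scale_index(LIKELIHOOD, likelihood)


def rating_label(score):
    """Translate a 1..25 score into Very Low .. Very High."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 1..25")


@dataclass
class Scenario:
    ref: int                  # Risk IT reference number (Figure 2)
    name: str                 # high-level risk scenario
    consequence: str
    likelihood: str
    cobit_controls: list      # mapped COBIT control objectives (Figure 2)
    control_effectiveness: float = 0.0  # assumed share (0..1) of inherent risk removed

    def inherent(self):
        return risk_score(self.consequence, self.likelihood)

    def residual(self):
        """Residual Risk = Inherent Risk - Controls, floored at 1 to stay on the scale."""
        return max(1, round(self.inherent() * (1 - self.control_effectiveness)))


def sample_scenarios():
    """Constructed ratings for the seven Figure 2 scenarios (the ratings are assumptions)."""
    return [
        Scenario(3, "Technology selection", "Major", "Probable", ["PO3.2", "AI1.2", "AI5.2"], 0.2),
        Scenario(16, "Selection/performance of third-party suppliers", "Significant", "Likely",
                 ["PO5.2", "DS2.4", "ME3.4"], 0.25),
        Scenario(27, "Logical attacks", "Catastrophic", "Likely", ["AI2.4", "DS5.3", "DS5.10"], 0.3),
        Scenario(28, "Information media", "Significant", "Probable", ["DS5.11"], 0.5),
        Scenario(31, "Database security", "Catastrophic", "Probable", ["DS11.6"], 0.2),
        Scenario(32, "Logical trespassing", "Major", "Likely", ["DS5.4", "DS5.5"], 0.6),
        Scenario(34, "Contractual compliance", "Minor", "Very Likely", ["ME3.4"], 0.0),
    ]


def heat_map(scenarios):
    """Figure 3-style 5x5 grid keyed (consequence, likelihood) -> refs plotted in that cell."""
    grid = {(c, l): [] for c in range(1, 6) for l in range(1, 6)}
    for s in scenarios:
        cell = (scale_index(CONSEQUENCE, s.consequence), scale_index(LIKELIHOOD, s.likelihood))
        grid[cell].append(s.ref)
    return grid


def prioritise(scenarios):
    """Rows (ref, name, inherent, residual, residual label, treatment), highest residual first."""
    rows = []
    for s in scenarios:
        res = s.residual()
        label = rating_label(res)
        rows.append((s.ref, s.name, s.inherent(), res, label, TREATMENT[label]))
    return sorted(rows, key=lambda r: (-r[3], r[0]))


def high_priority(scenarios):
    """Refs whose residual rating is still High or Very High after the mapped controls."""
    return [r[0] for r in prioritise(scenarios) if r[4] in ("High", "Very High")]


if __name__ == "__main__":
    for ref, name, inh, res, label, treat in prioritise(sample_scenarios()):
        print(f"{ref:>2} {name:<46} inherent={inh:>2} residual={res:>2} {label:<9} -> {treat}")
```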

Page 18:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Generic risk frameworks such as ISO 31000:2009 ERM (adopted from AS/NZS 4360:2006 ERM) and COSO ERM – Integrated Framework

IT domain-specific risk frameworks, practices and process models such as ISO 27001:2013 for Information Security Management Systems (ISMS) and IT Infrastructure Library (ITIL) for IT Security Delivery and Support

The Risk IT framework fills the gap between generic risk management frameworks and domain-specific frameworks, based on the premise that IT risk is both a business and a technical issue.

Risk IT is about IT risk – business risk related to the use of IT.

Risk IT provides a list of 36 organization-adaptable generic high-level risk scenarios.

Risk IT provides a toolkit for IS auditors to come up with a comprehensive and end-to-end enterprise view of IT risk.

Page 19:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Risk IT is used in conjunction with CoBIT, the comprehensive business framework for the governance and management of enterprise IT, to efficiently identify, analyze and evaluate risks (Risk Assessment).

Risk IT and CoBIT mapping provides alignment for the management of IT-related business risk within the overall enterprise risk management structure.

Page 20:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Figure 2 – Mapping Between High-Level Risk Scenarios and Corresponding COBIT Control Objectives

COBIT Processes and Corresponding Control Objectives

| Risk IT Reference No. | High-level Risk Scenario | Plan and Organize (PO) | Acquire and Implement (AI) | Deliver and Support (DS) | Monitor and Evaluate (ME) |
|---|---|---|---|---|---|
| 3 | Technology selection | PO3.2 | AI1.2, AI5.2 | | |
| 16 | Selection/performance of third-party suppliers | PO5.2 | | DS2.4 | ME3.4 |
| 27 | Logical attacks | | AI2.4 | DS5.3, DS5.10 | |
| 28 | Information media | | | DS5.11 | |
| 31 | Database security | | | DS11.6 | |
| 32 | Logical trespassing | | | DS5.4, DS5.5 | |
| 34 | Contractual compliance | | | | ME3.4 |

Source: ISACA, ISACA Journal Volume 4, 2011; The Risk IT Practitioner Guide, USA, 2015, http://www.isaca.org/knowledge-center/research/documents/risk-it-framework-excerpt_fmk_eng_0109.pdf

Page 21:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Table 1. Audit Programme: Technology Selection (AI5.2)

Relevant COBIT Control Objective

AI5.2 Supplier contract management—Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organizational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisors.

Audit Procedure

Confirm, through interviews with key staff members, that the policies and standards are in place for establishing contracts with suppliers. Contracts should also include legal, financial, organizational, documentary, performance, security, auditability, intellectual property, responsibility and liability aspects.

Findings

The cloud provider contract does not include certain critical elements to help protect security and privacy requirements. The contract does not include a nondisclosure agreement or a right-to-audit clause. There is no process for the monitoring of potential vendor failure.

An independent auditor’s report (e.g., ISAE 3402/SOC 1/SSAE16/SAS 70 report, WebTrust report, SysTrust report) was not reviewed. A review of the report would allow the user organization to understand the controls at the service provider and the nature and extent of controls required to implement.

Table 2. Audit Programme: Selection/Performance of Third-party Suppliers (ME3.4)

Relevant COBIT Control Objective

ME3.4 Positive assurance of compliance—Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.

Audit Procedure

Inquire whether procedures are in place to regularly assess levels of compliance with legal and regulatory requirements by independent parties.

Review policies and procedures to ensure that contracts with third party service providers require regular confirmation of compliance (e.g., receipt of assertions) with applicable laws, regulations and contractual commitments.

Findings

Monitoring of the quality of service (QoS) provided by the CSP needs to be strengthened. Degradation in the QoS may have a significant impact on Company XYZ’s ability to meet its obligations to its customers.

In future years, an independent auditor’s report (e.g., ISAE 3402/SOC1/SSAE16/SAS70 report, WebTrust report, SysTrust report) would need to be reviewed. A review of the report would help the user organization understand the state of controls at the CSP and whether the user organization needs to add compensating controls.

Source: ISACA, ISACA Journal Volume 4, 2011

Page 22:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Table 3. Audit Programme: Logical Attacks (DS5.3)

Relevant COBIT Control Objective

DS5.3 Identity management—Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

Audit Procedure

Determine whether access provisioning and authentication control mechanisms are utilized for controlling logical access across all users, system processes and IT resources for in-house and remotely managed users, processes and systems.

Findings

Generic user identifications (IDs) are used to access the virtual servers in the cloud. Multifactor authentication is not utilized for the cloud management console.

Table 4. Audit Programme: Logical Attacks (DS5.10)

Relevant COBIT Control Objective

DS5.10 Network security—Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

Audit Procedure

Inquire whether and confirm that a network security policy (e.g., provided services, allowed traffic, types of connections permitted) has been established and is maintained.

Inquire whether and confirm that procedures and guidelines for administering all critical networking components (e.g., core routers, DMZ, virtual private network [VPN] switches) are established and updated regularly by the key administration personnel and that changes to the documentation are tracked in the document history.

Findings

Application teams currently manage the configuration of the cloud firewall instead of relying on the network engineering team.

Source: ISACA, ISACA Journal Volume 4, 2011

Page 23:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Table 5. Audit Programme: Information Media (DS5.11)

Relevant COBIT Control Objective

DS5.11 Exchange of sensitive data—Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and nonrepudiation of origin.

Audit Procedure

Inquire whether and confirm that data transmissions outside the organization require an encrypted format prior to transmission.

Inquire whether and confirm that sensitive data processing is controlled through application controls that validate the transaction prior to transmission.

Findings

Exchange of sensitive data and administration of cloud instances are done via a regular Internet connection instead of a secure channel such as Secure Sockets Layer (SSL) or Secure Shell (SSH).

The organization utilizes an outdated version of Internet Explorer browser software to access and administer the cloud.

According to the US Sarbanes-Oxley Act, there need to be proper controls over the initiation, authorization and recording of transactions relevant for financial reporting.

Table 6. Audit Programme: Data(base) Integrity (DS11.6)

Relevant COBIT Control Objective

DS11.6 Security requirements for data management—Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization’s security policy and regulatory requirements.

Audit Procedure

Determine whether a policy has been defined and implemented to protect sensitive data and messages from unauthorized access and incorrect transmission and transport, including, but not limited to, encryption, message authentication codes, hash totals, bonded couriers and tamper-resistant packaging for physical transport.

Findings

Personally identifiable information (PII) is stored in clear text at the CSP.

Source: ISACA, ISACA Journal Volume 4, 2011

Page 24:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Table 7. Audit Programme: Logical Trespassing (DS5.5)

Relevant COBIT Control Objective

DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

Audit Procedure

Determine whether the IT security management function has been integrated within the organization’s project management initiatives to ensure that security is considered in development, design and testing requirements to minimize the risk of new or existing systems introducing security vulnerabilities.

Findings

Network diagrams have not been updated to reflect connectivity with the CSP. As a result, the last network penetration testing did not include this as part of the scope.

Table 8. Audit Programme: Contractual Compliance (ME3.4)

Relevant COBIT Control Objective

ME3.4 Positive assurance of compliance—Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.

Audit Procedure

Inquire whether procedures are in place to regularly assess levels of compliance with legal and regulatory requirements by independent parties.

Review policies and procedures to ensure that contracts with third-party service providers require regular confirmation of compliance (e.g., receipt of assertions) with applicable laws, regulations and contractual commitments.

Findings

The cloud computing vendor does not have an independent auditor’s report (e.g., ISAE3402/SOC1/SSAE 16 report).

Source: ISACA, ISACA Journal Volume 4, 2011

Page 25:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Figure 3. Risk Assessment Heat Map

Source: ISACA, ISACA Journal Volume 4, 2011

Page 26:

Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and CoBIT

Figure 4. Summary of Risks and Gaps

| Risk IT Reference No. | High-level Risk Scenario | Specific Risks and Gaps |
|---|---|---|
| 3 | Technology selection | The cloud provider contract does not include certain critical elements to help protect security and privacy requirements and lacks a technology infrastructure plan and a cost/benefit analysis (CBA). An independent auditor’s report was not reviewed. |
| 16 | Selection/performance of third-party suppliers | Monitoring of the QoS, including availability, needs to be improved. Service level agreements (SLAs) are vague. |
| 27 | Logical attacks | The business owner of the IaaS arrangement has not been defined yet. IaaS firewalls are managed by the application team instead of the network administrators. Multifactor authentication is not utilized to administer the cloud. |
| 28 | Information media | TLS and SSL are not used to exchange sensitive information with the CSP. |
| 31 | Data(base) integrity | PII is stored in clear text at the cloud provider. |
| 32 | Logical trespassing | Company XYZ’s network diagrams have not been updated to reflect the IaaS arrangement. |
| 34 | Contractual compliance | The CSP does not go through an independent service auditor’s examination. |

Source: ISACA, ISACA Journal Volume 4, 2011

Page 27:

Conclusions and Recommendations

Cloud Computing is mature and commoditized

Cloud Computing brings agility and speed to business

Leveraging Risk IT and a well-known business governance and management framework for enterprise IT such as COBIT makes risk identification robust and the risk assessment process efficient and effective.

The Risk IT and COBIT risk mapping process creates a model that is extensible and reusable and that can be scaled up right across the enterprise to assess IT-related business risks.

Cloud Computing Strategy is not a quick-fix solution: cloud computing strategy must be implemented within the wider context of a well orchestrated IT strategy with clearly defined benefits and managed pitfalls (risks).

The Cloud Computing adoption strategy must be informed by a comprehensive due diligence and risk assessment process.

Page 28:

Q&A

Page 29:

Thank You!!!!!