Must-Read Section: Cloud Security from an Audit Perspective (Knowledge Points Newly Added in 2012)

Uploader: 小** | Document ID: 88105781 | Upload date: 2019-04-19 | Format: PDF | Pages: 43 | Size: 785.52KB

Cloud Computing: An Internal Audit Perspective
Heather Paquette, Partner
Tom Humbert, Manager
March 10, 2011

© 2010 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. 43713CHI

Discussion Agenda
Introduction to cloud computing
Types of cloud services
Benefits, challenges, and risks
Questions for auditors
Emerging good practices
User auditor assurance and Other approaches
Risk-based Audit Scoping Utilizing RiskIT and COBIT
References

Tremendous Buzz Around Cloud Computing
“Spending on IT cloud services to grow almost threefold over the next five years”
Gartner EXP Worldwide Survey of 1600 CIOs
“By 2012, 20 percent of businesses will own no IT assets”
Gartner's top predictions for 2010 and beyond
“60% of virtualized servers will be less secure than the physical servers they replace through 2012”
Gartner Press Release March 2010

What is Cloud Computing?
http:/ availability) -Workday (15 hours Payroll / HR) Customer Service -Availability expectations inquire whether the design is likely to meet the security and availability requirements.
Findings: Proactive monitoring of the cloud application is not performed. This is particularly relevant for the end-user facing components of the cloud.

Audit Program: Technology Selection (continued)
High-level Risk Scenario: Technology Selection
Relevant COBIT Control Objective: AI 5.2
COBIT Control Objective: Supplier Contract Management
Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organizational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty clauses).
Audit Procedure: Confirm through interviews with key staff members that the policies and standards are in place for establishing contracts with suppliers. Contracts should also include legal, financial, organizational, documentary, performance, security, auditability, intellectual property, responsibility and liability aspects.
Findings: Cloud provider contract does not include certain critical elements to help protect security and privacy requirements. The contract does not include a non-disclosure agreement, right-to-audit clause, does not address requirements of the state breach notification laws. There is no process for monitoring of potential vendor failure (e.g., Coghead, MediaMax).

Audit Program: Third-party Performance
High-level Risk Scenario: Third-party Performance
Relevant COBIT Control Objective: DS 2.4
COBIT Control Objective: Supplier Performance Monitoring
Establish a process to monitor service delivery to ensure that the supplier is meeting current business requirements and continuing to adhere to the contract agreements and SLAs, and that performance is competitive with alternative suppliers and market conditions.
Audit Procedure: Inspect a sample of supplier service reports to determine if the supplier regu
