Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing Cloud Services

Published byWarren James Modified over 5 years ago

Similar presentations

Presentation on theme: "Auditing Cloud Services"— Presentation transcript:

1 Auditing Cloud Services
Brian Daniels, CISA, GCFA David Crotts, CISA June 27, 2018

2 Overview Introduction to cloud services in a decentralized environment
Audit perspective of cloud service risks Conducting the audit Outcomes Questions or comments

3 Introduction Why Utilize Cloud Services? Who Uses Cloud Services?
How Can You Identify Cloud Service Implementations? What is Virginia Tech’s Cloud Service Environment Like? Introduction

4 Why Use Cloud Services Collaboration Need for excess storage
Lack of resources to manage internally Cost effective

5 Who Uses Cloud Services
Researchers IT Professionals Administrators Students Alumni EVERYONE!

6 How to Identify Cloud Services
Request info from Central IT Request info from Departments Query technology related expenditures Account Codes MCC Unlikely to identify all

7 Control Environment at VT
Departmental purchasing authority. Difficult to identify all purchases. Purchase records only show vendor, not product detail. What about free services? Mobile device apps?

8 Control Environment at VT
Guidelines suggest reviews by: Central IT (Security, Network) Data Stewards Legal Counsel Is it realistic?

9 Risk Environment Risk Assessment Contract Risks Cloud Services Risks

10 Risk Environment Risks of outsourcing are similar to risks of operating internally . Additional risks exist when the system is outside of your control. Low cost/free services vs. high cost? How do you monitor these risks?

11 Risk Assessment A need has been identified.
What could go wrong utilizing a cloud service provider? What is the worst possible outcome? What is a more likely outcome? What am I exposing myself to?

12 Risk Assessment What data elements will be utilized?
Are there any regulatory requirements? FERPA HIPAA ITAR PCI PII

13 Risk Assessment What risks are significant enough to warrant special consideration in contract negotiations?

14 Contract Risks Who has signature authority?
Click through agreements? Does the defined service adequately represent the identified need? How complete is the audit clause? Client access to audit vendor performance. Client access to review third party audits.

15 Contract Risks Does the agreement require acknowledgement of regulatory compliance? Who owns the data once it’s in the cloud?

16 Contract Risks What invokes the termination clause and what does it address? Access to data upon termination. Secure removal of data. Termination fees or waiver of fees. Responsibilities of each party upon termination.

17 Contract Risks Service Level Agreements Are they complete?
Are they reasonable? What is the measurement period? What is the penalty for non-compliance?

18 Contract Risks Are the specific obligations explicitly stated in the contract? If not, where are they located? Policies, procedures, or privacy statements are typically subject to change without notice. Click through agreements may also change without notice.

19 Contract Risks Do the elements of the contract apply to any subcontracted vendors? Negotiation of appropriate contract terms is an effective means to reducing risk exposure. It is often not possible to get all desired terms and conditions in the contract.

20 Sampling Document Requests Audit Testing Conducting the audit

21 Sampling What factors exist in the population? Users Type of service
Functional Use Cost

22 Sampling Select a cross section Single user to organization wide
Application or storage Administrative, teaching, research High cost, low cost

23 Documentation Request
Planning Documentation Risk assessments Steering committee minutes Product reviews Security reviews

24 Documentation Request
Original and most recently executed contract. Most recent SLA performance review Most recent third party audit report Preferred report is the SOC 2 Type 2

25 Testing Risk assessment Centrally created questionnaire
Only required for purchases greater than $2,000 Yes/No responses Developed in 2011

26 Testing Steering Committee Minutes
No steering committee for most department specific purchases Expected for central systems purchases (i.e. , business intelligence software)

27 Testing Security Reviews
Performed on 4 of 5 services with a cost greater than $2,000 Not performed on smaller dollar purchases IT Security Office provides an opinion on the security architecture of the service Has resulted in corrective action by the vendor.

28 Testing Signature Authority Department and Central authorization OK
Data steward review was often absent Based on the data utilized by the service Legal Counsel review was often absent

29 Testing Terms and Conditions Audit Clauses Termination agreements
One audit clause gave the vendor the right to audit Virginia Tech! Termination agreements Beware of data retrieval and removal provisions Definition of adequate and robust SLAs

30 Testing Terms and Conditions Subcontractors
Use of subcontractors permitted? Enforcement of parent contract to subcontractors? Regulatory compliance requirements? Personnel vetting?

31 Testing Contract Monitoring Periodic review of Terms and Conditions
Still reflect current operating environment? What changes have occurred? SLA Performance Third party audit reviews Identified one subcontractor who had significant data breaches occur in 2009.

32 outcomes

33 Outcomes Risk assessment questionnaire
Revised questions to target specific risks and help assess data elements used and need for ongoing monitoring. Expanded scope to include items under $2,000.

34 Outcomes Communication and Training
Ensure adequate knowledge of the risks of outsourcing for department staff. Focus on training business staff and IT professionals.

35 Outcomes Assess the impact of restricting use of certain MCC codes on selected Pcard holders. Manage the risk at the point of procurement by limiting the number of people able to purchase such services.

36 Outcomes Establishment of preferred standard contract language.
Joint effort led by IT Acquisitions in collaboration with Procurement, Legal Counsel, and Central IT.

37 Outcomes Processes and procedures designed to help manage and monitor contracts. Led by IT Acquisitions with input from Central IT or other administrative functions.

38 Questions or comments?

Download ppt "Auditing Cloud Services"

Similar presentations

SERVICE LEVEL AGREEMENTS The Technical Contract Within the Master Agreement.

SERVICE LEVEL AGREEMENTS The Technical Contract Within the Master Agreement.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Performance Monitoring All All Contracts require basic monitoring once awarded. The Goal of contract monitoring is to ensure that the contract is satisfactorily.

Performance Monitoring All All Contracts require basic monitoring once awarded. The Goal of contract monitoring is to ensure that the contract is satisfactorily.
Purpose of the Standards

Purpose of the Standards
Network security policy: best practices

Network security policy: best practices
Department of Economic Opportunity WelcomeTo Contract Review Form Training.

Department of Economic Opportunity WelcomeTo Contract Review Form Training.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.

A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.
Due Diligence - The Regulator’s Perspective ABA Telephone/Webcast Briefing August 14, 2001 Cynthia Bonnette, Assistant Director FDIC Bank Technology Group.

Due Diligence - The Regulator’s Perspective ABA Telephone/Webcast Briefing August 14, 2001 Cynthia Bonnette, Assistant Director FDIC Bank Technology Group.
MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.

MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Creating an Effective Email Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.

Creating an Effective Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.
Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.

Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.
James Aiello PricewaterhouseCoopers Africa Utility Week 06 International Good Practice in Procurement.

James Aiello PricewaterhouseCoopers Africa Utility Week 06 International Good Practice in Procurement.
Assistant VP of IT *Cloud Computing* Some Guidelines Kelly McDonald Dec. 8, 2011.

Assistant VP of IT *Cloud Computing* Some Guidelines Kelly McDonald Dec. 8, 2011.
Why the Office of Compliance and Ethics was Created

Why the Office of Compliance and Ethics was Created

Similar presentations

Ads by Google