When weighing options for increasing enterprise computing capabilities or seeking ways to improve IT operational efficiency, the prevailing method is to integrate an external IT services vendor, commonly referred to as a cloud service provider (CSP). There is a high probability that audit clients will engage this CSP service to manage their IT needs. Learn how to cope with the audit and risk assessment challenges related to this emerging technology trend in this key session. •Understanding the various Cloud Service Levels and Implementation Types •Identifying Compliance, Service Level Agreement and other Important Duties each party must perform •Understand the Complexities of Auditing internal controls, data security, privacy and performancerelated to cloud •Mitigating the underlying Business Risks associated with adopting a cloud-based IT model

1. Auditing & Assessing The Risk Of
Cloud Services Providers
Speaker :
Alan Yau Ti Dun CISA, CISM, CGEIT, CRISC, CISSP, CSXF, ITIL
ISACA Malaysia, Director 2015/2016
ISACA Malaysia, Special Interest Group 1, Cybersecurity

2. When weighing options for increasing enterprisecomputing capabilities or seekingways
to improve IT operationalefficiency,the prevailing method is to integrate an externalIT
services vendor,commonlyreferred to as a cloud service provider(CSP).There is a
high probability that audit clients will engage this CSP service to manage their IT needs.
Learn how to cope with the audit and risk assessmentchallenges related to this
emerging technologytrend in this key session.
•Understanding the various Cloud Service Levels and Implementation Types
•Identifying Compliance,Service LevelAgreementand other ImportantDuties each
party must perform
•Understand the Complexities ofAuditing internalcontrols,data security,privacy and
performancerelated to cloud
•Mitigating the underlyingBusiness Risks associatedwith adopting a cloud-based IT
model

3. 1. Implementation Types
2. Compliance
3. Service Level Agreement
4. Complexities of Auditing

4. • is a model for enabling ubiquitous, convenient, on-demand
network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and
services).
• enhance collaboration, agility, scaling, and availability
• cost reduction through optimized and efficient computing
• components can be rapidly provisioned and scaled up or down
1. Implementation Types

5. 1. Implementation Types
NIST defines cloud
computing by describing
five essential
characteristics,
three cloud service
models
four cloud deployment
models
They are summarized in
visual form in Figure 1
and explained in detail
below.

7. 2. Compliance
The ISO/IEC 27002, section 6.2, “External Parties” control objective states: “…the
security of the organization’s information and information processing facilities should
not be reduced by the introduction of externalparty products or services…”

8. • Managing Cyber Risks Circular (31 July 2015)
• Distributed Denial of ServiceAttack (2011)
• Circular on Managing Inherent Risk of Internet Banking Kiosk (2011)
• Guidelines on the Provision of E-Banking Services by Financial Institutions (2010)
• Guideline On Data Mgmt. and MIS Framework
• Guidelines on Management of IT Environment aka (GPIS) (2004)
• Industry Communication On Steps To Enhance Cybersecurity Measures (27 Feb 2015)
• Guidance Note On Cybersecurity (30 January 2014)
• Directives On The Participating Organizations’ Disaster Recovery CodeAnd The IT Security Code
(2013)
ASSURANCE REQUIRED BY REGULATOR

9. • SLA’s will differ across providers, and there is a need to understand how
this may affect your ability to change providers.
• Security departments should be engaged during the establishment of
Service Level Agreements (SLA’s) and contractual obligations to ensure that
security requirements are contractually enforceable.
• Establish SLA’s that require the inheritance of employment security
obligations and responsibilities by service level.
• The ability to access logs, especially in a shared public cloud, is more
difficult and should be specified as a part of the service level agreement.
• Providers should supply secured logging of internal operations for
service level agreement compliance.
• Another important element is Standard Storage ,Extended Storage,
Preservation of Storage
3. Service Level Agreement

10. • Adequate and reasonable level of assurance will complete the security
perspective when combined with governance and management.
• Assurance ensures that cyber security is designed, implemented,
maintained and transformed in a manner consistent with all aspects of
Governance, Risk and Compliance.
• To provide assurance – a comprehensive set of controls that covers risk
and management processes is required.
• Review is required to validate the controls are designed and operating
effectively.
• Audit & review universe is distributed across all 3 lines of defense, which
provides the required degree of independence needed.
4. Complexity of Auditing

12. • Include all control sets, management practices and GRC provisions in
force.
• Possible to be extended to 3rd parties – contract with audit rights.
• Keep within the right boundaries –
Ø Corporate sphere of influence vs private sphere of controls.
Ø Private Cloud vs Public Cloud.
Ø Corporate sovereignty vs legal provisions.

14. • Can range from high-level governance reviews to technical reviews.
• Needs to be clearly defined and concise manner.
• Consider time and effort.
• Audit objectives are best defined in line with the governance and
management activities defined for your enterprise.
• For complex audits, the underlying audit program may spans several
years.

15. • Legal consideration
• Privacy and data protection
• Logging, data retention and archiving
• Audit data storage and archiving. Should be within the standard
criteria:
• Confidentiality
• Integrity
• Availability

20. 20
TRANSFORMING CYBERSECURITY – COBIT 5
Eight Key Principles:
1.Understand the potential impact of cybercrime and warfare on your enterprise.
2.Understand end users, their cultural values and their behavior patterns.
3.Clearly state the business case for cybersecurity and the risk appetite of the
enterprise.
4.Establish cybersecuritygovernance.
5.Manage cybersecurity using principles and enablers. (The principles and
enablers found in COBIT 5 will help your organization ensure end-to-end
governance that meets stakeholder needs, covers the enterprise to end and
provides a holistic approach, among other benefits. The processes, controls,
activities and key performance indicators associated with each enabler will provide
the enterprise with a comprehensive picture of cybersecurity.)
6.Know the cybersecurity assurance universe and objectives.
7.Provide reasonable assurance over cybersecurity. (This includes monitoring,
internal reviews, audits and, as needed, investigative and forensic analysis.)
8.Establish and evolvesystemic cybersecurity.

21. 21
CYBERSECURITY ASSURANCE– COBIT 5

22. 22
AP003 MANAGE ENTERPRISE ARCHITECTURE(ARCHITECTURE REVIEW)

23. 23
SUMMARY
• Understand Cloud via CyberSecurity perspective from
a holistic, organizational perspective
• Understand the approach to Cloud Security Assurance
• Develop audit programmes by identifying risks and
relevant controls
• Know how to test controls related to Cloud Security

24. THANK YOU
Jointly Organised By: