IIA2013 PPT SLIDES DECK

  • Five essential characteristics (NIST SP 800-145):
    – On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
    – Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
    – Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
    – Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
    – Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
  • Three service models:
    – Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
    – Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations, typically through a pay-per-use business model.
    – Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
  • Four deployment models:
    – Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
    – Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
    – Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
    – Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
  • This is a screen shot of some of the CSA assessment questions integrated in Archer's questionnaire workflow. Again, the CSA Consensus Assessments Initiative Questionnaire (CAIQ) has been developed specifically to provide organizations and auditors with a standard framework of metrics for the assessment of cloud service providers, and it has been built into the Archer platform as standard content, as you can see here.
  • This shows a scorecard for a fictitious cloud service provider called "newcloud.com", created using the Archer questionnaire workflow together with the CSA assessment questionnaire included in Archer. The questionnaire may be used to evaluate external vendors as part of a vendor management program, or even to evaluate internal cloud infrastructure against those same standards and offerings. So you could compile a number of these scorecards across several service providers and compare the results to assess which vendor best fits your requirements. <Brian, I am getting the definition of "Inherent Score" and "Residual Score"; all other columns are self-explanatory.>

    1. Auditing in the Subscription Economy – CAE Overview. Implementing the next generation best practices in Governance and Risk. Mr. Bhavesh Bhagat, Founder - EnCrisp – ConfidentGovernance.com; Founding Chair - CSADC. [Footer repeated on every slide: ConfidentGovernance.com - Award winning Cloud migration experts. Patent pending "Governance as a Service®" innovators.]
    2. "Clouds come floating into my life, no longer to carry rain or storm, but to add color to my sunset sky." – Rabindranath Tagore, Nobel Laureate in Literature (150-year anniversary)
    3. Agenda
       • Understand Subscription Economy
       • Cloud Computing concepts
       • Risks and challenges
       • "Democratizing Governance" use case
       • Role of CAE and Internal Audit
    4. Ten Year Computing Cycles: 10X more users with each cycle
       • 1960s Mainframe Computing
       • 1970s Mini Computing
       • 1980s Client/server Computing
       • 1990s Desktop Cloud Computing
       • 2000s Mobile Cloud Computing
    5. Social Networking Surpasses Email. [Chart: global users (MM) of social networking vs. email, 11/06 to 11/10, with the inflection point where social networking users overtake email users.] Facebook has reached its half-billion member mark, with an online population larger than the combined population of the U.S., Mexico, and France.
    6. Broad Change in Internet Usage. Top Internet Users: 22% of Internet time is social.
    7. Next Generation Devices Changing How We Access the Internet. [Chart: annual unit shipments (MM), 2007 to 2014E.]
    8. Cloud Computing: NIST Definition
       • National Institute of Standards and Technology (NIST) Special Publication 800-145
         – Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
         – Rapidly provisioned and released with minimal management effort or service provider interaction
         – Composed of 5 essential characteristics, 3 service models, and 4 deployment models
         – Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
    9. Cloud Computing: Five Essential Characteristics
       • On-demand self-service: Get it when you need it
       • Measured service: Pay for what you use
       • Rapid elasticity: Increase and decrease capacity quickly
       • Broad network access: Access it from any Internet connection
       • Resource pooling: Share fixed costs, which lowers individual costs
    10. Cloud Computing: Three Service Models
       • Software as a Service (SaaS)
         – Capability made available to tenant (or consumer) to use provider's applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces
         – Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx
       • Platform as a Service (PaaS)
         – Capability made available to tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by provider
         – Examples: Force.com, Microsoft Azure, Amazon Web Services
       • Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)
         – Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant's apps
         – Examples: Rackspace, Terremark (Verizon), Savvis, AT&T
    11. Cloud Computing: Four Deployment Models
       |               | (1) Private                 | (2) Community                               | (3) Public                            |
       | Accessibility | Single Organization         | Shared with Common Interests / Requirements | General Public / Large Industry Group |
       | Management    | Organization or Third Party | Organization or Third Party                 | Cloud Provider                        |
       | Host          | On or Off Premise           | On or Off Premise                           | On or Off Premise                     |
       (4) Hybrid: a composition of two or more of the above.
    12. Cloud Computing: Why cloud – Business Impact and Use Case Considerations. [Table, columns: Data | Infrastructure | Access Method; rows: Virtualized Technology, Virtualized Processes and Data, Virtualized Organizations, Virtualized Business Models. Cell text recovered from the extraction: Local Data; Local Data plus BIG DATA (social media domain); Shared local and Cloud; On or Off premises; Off premises; BYOD.]
    13. Cloud Computing: CAEs need to think from the CFO's perspective. Virtualized Business Models:
       • Faster Time to Results
       • Better Working Capital cycle
       • Reduced CAPEX
       • Reduced CGS
       • Reduced SG&A
       • Environmental Sustainability as byproduct
    14. CAE's guide to Cloud Use Cases (Source: CIO.com Annual CIO survey 2010-2011). Plans to Use Cloud Services:
       | Service                                        | Currently using, actively researching, or planning to use in one to three years | Planning to use in three to five years | No plans to use |
       | Application platforms and development software | 68% | 2% | 30% |
       | Collaboration tools                            | 79% | 4% | 17% |
       | Enterprise application software                | 63% | 3% | 34% |
       | Personal productivity software                 | 53% | 4% | 43% |
       | Utilities / management software                | 66% | 2% | 32% |
       | Networks                                       | 52% | 2% | 45% |
       | Storage                                        | 63% | 7% | 30% |
       | Servers                                        | 59% | 2% | 39% |
    15. CAE decision enablers: Evaluating the Cloud Model
       CAE considerations:
       • How does our enterprise benefit from the cloud opportunity?
       • How do we reduce the complexity of my business process and IT footprint by taking non-core computing to the cloud, transferring non-core applications to the cloud, or outsourcing to the cloud?
       • Can we improve the efficiency of my development organization through speedy access to computing resources?
       • Can we make IT more responsive/nimble by using cloud computing architectures?
       • Can we assist in reduced CAPEX spend in line with CFO needs?
       • Can we get higher availability and recovery at lower price?
       Cloud vendor considerations:
       • Do they understand our business and needs?
       • Can they provide the support that we are used to?
       • How does it fit with my existing architecture?
       • Who else has adopted within my industry - relevant references?
       • How do the new entrants in the enterprise IT market (Amazon, Google, etc.) view the enterprise market?
       • What are the new Risk Domains?
       • What are the Regulatory, Compliance and Risk mitigation guidelines?
    16. New Opportunities - New Challenges: New Risk Mitigating Strategies
       • Security - new ways of thinking about security need to evolve for new issues; cloud computing presents new security challenges:
         – Trusting the vendor's security model
         – Customer inability to respond to audit findings
         – Obtaining support for investigations
         – Indirect administrator accountability
         – Proprietary implementations cannot be examined
         – Loss of physical control
         – Attraction to hackers (high value target)
       • Privacy issues in moving PII and sensitive data into the cloud
       • Fear of mass outages, fueled by high-profile outages of many popular cloud services (e.g., Gmail, Google Apps, Apple's MobileMe, Amazon's S3)
    17. New Opportunities - New Challenges: New Risk Mitigating Strategies
       • Cultural and organizational barriers: the organization must acquire new core capabilities; cloud skepticism
       • Difficulty tracking and delivering against defined SLAs; especially significant in the federal government, where a data breach could constitute a violation of the law
       • International sovereignty / cooperation: cloud computing could involve the movement of data between countries with differing laws regarding technology and property. Determining jurisdiction and facilitating cross-border cooperation on these matters may prove challenging.
    18. What is Different about Cloud?
    19. GRC-XML: What is it?
       • Standard language for Risks and Controls definition/exchange
       • One language for many areas:
         – Security risk
         – IT risk
         – Financial risk
         – Operational risk, etc.
       • Visibility across silos
       • Eliminate redundancy and duplication
       • Facilitate effective continuous monitoring and audit of controls
       • Extensible: companies can add their own
         – Activities
         – Risks
         – Control Objectives
         – Control Activities, etc.
    20. GRC-XML: Illustrated. [Diagram: Business Integration (Applications & Systems: Transactions, Configurations, User access) exchanges GRC-XML with the Risk & Controls GRC Repository (Enterprise GRC, Operational GRC, IT GRC, Cloud GRC, etc.: Risk models, Controls documentation, Organization / Process, Test Procedures, Test Results), which in turn exchanges GRC-XML with Controls Testing & Monitoring (Automated Control Tests, Manual Control Tests, Surveys, Sampling).]
    21. Cloud Governance: Practical approach with CSA and other third party tools
    22. Holistic Approach Around Controls . . . Your Cloud Controls Matrix. Trusted Cloud Initiative
    23. Suggested Approach to Use the CSA Cloud Audit Guideline Roadmap
       • Assess the opportunity / Reuse: Security Patterns, Control Mapping, Guidelines, Operational Checklists, Capability mapping, Vendor Certification, Strategy alignment, Use Cases (OSA)
       • Reference architecture domains: BOSS, ITOS, Presentation, SRM, Application, Information, Infrastructure
       • CSA tools: CSA Controls Matrix, Security Framework, CSA Questionnaire, Reference Architecture and Patterns, Trusted Cloud Initiative
    24. How it Works (A Simplified View). [Diagram: a Third Party Assurance Centre receives maturity evidence from a third party requesting access, a cloud provider, and an internal hosting provider, and matches it against the business's risk appetite.]
       (1) Business sets the level of risk it is willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.
       (2) Level of risk management maturity is communicated to business partners (and possible partners).
       (3) Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.
       (4) Leverage existing expenditure and remove the need for duplicate verification (note: may remove the audit requirement altogether).
    25. Evaluate Key Control Domains
       • Sources: ISO 27001, NIST SP800-53, PCI, CSA Controls Matrix, COBIT, ENISA Cloud doc., ITIL, BS25999
       • Domains: Governance (Subcontractor due diligence, Risk Management); Human Resources; Physical Security (Site security, Environmental Protection); IT Services (Networks, Change Management, Service Management, Development, etc.); Incident Management; Business Continuity
       • Maturity: each domain rated on a scale of 1 to 5
    26. Mapping Example: Cloud Matrix to FedRAMP
    27. Cloud Audit Automation Leveraging CSA CAIQ. Example CSA Cloud Audit modules: bit.ly/ClearGRC
    28. CAMM & CAIQ: Data Governance Risk. RISK: Inadequate Cloud Data Governance. Results: Benchmarking vendors based on CSA standards
    29. Aggregate CSA Analytic Dashboards
    30. CAE Leadership in Internal Auditor assured Cloud Governance and Emerging Technologies adoption
    31. 3 Things CAEs will need to understand: Cloud Computing, Big DATA, Mobility
    32. Cloud Governance: Internal Audit Leadership as Business Advisor
       • Advise on benefits, risks, and mitigation techniques
       • Create awareness
       • Participate in cloud conversion activities
       • Study and measure opportunities for increased efficiency and cost-savings
    33. Cloud Governance: Internal Audit Leadership as Auditor
       • Interact with cloud provider to understand operation of key controls and monitoring program
       • Participate in SLA and contract development
       • Review service organization reports and determine assurance needs
       • Audit end-user control responsibilities (browser and device security, APIs, admin access)
       • Monitor changes and update risk assessment
    34. Cloud Governance: Internal Audit Leadership as User
       • Collaboration - Email, Documents
       • Application Development - Audit Document Repositories, Tools
       • Mobility - Improve connections, monitoring
       • Back-office - Transparent use for data storage
    35. About: EnCrisp is an INC 500 award winning global leader in providing "business driven" solutions enhancing trust, governance, and transparency since 2004. EnCrisp is a "Governance and Compliance Niche" specialist, and its efforts result in strategic increases in trust, efficiency and compliance and less risk, without the complexities and overburdened capital costs, for leaders in IT, finance, business, quality, security and audit. AWARDS – INC 500 2009; NVTC Hot Ticket Tech 2007, 2009, 2011 – Hottest Bootstrap Category
    36. Three Take-aways
       • Define your AUDIT challenges – technological, but do not ignore process
       • Set realistic MANAGEMENT expectations – start using technology first, then AUDIT; expertise is not instantaneous
       • Keep your eye on the BUSINESS goal – mentorship programs; work with SMEs and third party experts
    37. RESOURCES
       • NIST - http://www.nist.gov/itl/csd/cloud-020111.cfm
       • CSA - Cloudsecurityalliance.org
       • GRCXchange Executive LinkedIn Group
       • CIO.com
       • http://Trust.Salesforce.com
       • http://www.google.com/apps/intl/en-GB/trust/data_protection.html
       • http://aws.amazon.com/security/
    38. Thank You! Hopefully you have found a new appreciation for CLOUDY days! Mr. Bhavesh Bhagat, 703.728.2493, bb@EnCrisp.com. EnCrisp President; Founding Chair - CSA Washington DC federal center; Chairman - GRCXchange Global Policy Thinktank
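The speaker notes describe compiling CAIQ-based scorecards for several providers (the fictitious "newcloud.com" among them) and comparing them, and slides 24 and 25 add a business-set risk appetite and a 1-to-5 maturity rating per control domain. The following Python puts that workflow into working form. It is an added example, not code from the deck, from EnCrisp, Archer or the CSA: the question IDs, domain names, answers, the second provider name, the appetite thresholds and the rule that maps the share of "yes" answers onto the 1..5 maturity scale are all constructed assumptions, not real CAIQ content. The "Inherent Score" and "Residual Score" columns the notes mention are left out because the deck does not define them.

```python
"""Added example (not from the deck, EnCrisp, Archer or the CSA): turn
CAIQ-style yes/no/n-a answers into a per-domain maturity scorecard, flag
domains that fall below the business's risk appetite, and rank vendors.
All question IDs, domains, answers and the coverage-to-maturity rule are
constructed assumptions, not real CAIQ content."""
from collections import defaultdict

ALLOWED_ANSWERS = {"yes", "no", "n/a"}

# Constructed sample answers: (question_id, domain, answer). "newcloud.com"
# is the fictitious provider named in the speaker notes; the other name and
# every question ID here are made up for the example.
VENDOR_ANSWERS = {
    "newcloud.com": [
        ("DG-01", "Data Governance", "yes"),
        ("DG-02", "Data Governance", "no"),
        ("DG-03", "Data Governance", "yes"),
        ("DG-04", "Data Governance", "n/a"),
        ("IS-01", "Information Security", "yes"),
        ("IS-02", "Information Security", "yes"),
        ("IS-03", "Information Security", "yes"),
        ("IS-04", "Information Security", "yes"),
        ("LG-01", "Legal", "yes"),
        ("LG-02", "Legal", "no"),
    ],
    "othercloud.example": [
        ("DG-01", "Data Governance", "yes"),
        ("DG-02", "Data Governance", "yes"),
        ("DG-03", "Data Governance", "yes"),
        ("DG-04", "Data Governance", "yes"),
        ("IS-01", "Information Security", "yes"),
        ("IS-02", "Information Security", "no"),
        ("IS-03", "Information Security", "no"),
        ("IS-04", "Information Security", "yes"),
        ("LG-01", "Legal", "yes"),
        ("LG-02", "Legal", "yes"),
    ],
}

# Minimum maturity (1..5) the business will tolerate per domain (slide 24:
# "business sets level of risk they are willing to tolerate"); values assumed.
RISK_APPETITE = {"Data Governance": 4, "Information Security": 4, "Legal": 3}


def coverage_to_maturity(yes_count, applicable_count):
    """Map the share of applicable questions answered 'yes' onto the 1..5
    maturity scale of slide 25. Assumed rule: 0% -> 1, 25% -> 2, ..., 100% -> 5.
    A domain with no applicable questions cannot be rated and returns None."""
    if applicable_count == 0:
        return None
    return min(5, 1 + int(4 * yes_count / applicable_count))


def domain_maturity(answers):
    """Aggregate answers into {domain: maturity}. 'n/a' answers are excluded
    from the denominator; anything outside yes/no/n/a is rejected rather than
    silently scored, since a malformed questionnaire should fail the import."""
    yes = defaultdict(int)
    applicable = defaultdict(int)
    domains = []
    for qid, domain, answer in answers:
        answer = answer.strip().lower()
        if answer not in ALLOWED_ANSWERS:
            raise ValueError(f"{qid}: unexpected answer {answer!r}")
        if domain not in domains:
            domains.append(domain)
        if answer == "n/a":
            continue
        applicable[domain] += 1
        if answer == "yes":
            yes[domain] += 1
    return {d: coverage_to_maturity(yes[d], applicable[d]) for d in domains}


def scorecard(vendor, appetite=RISK_APPETITE):
    """One vendor's scorecard: per-domain maturity, domains below appetite
    (an unrated or missing domain counts as a gap), and the mean maturity."""
    maturity = domain_maturity(VENDOR_ANSWERS[vendor])
    gaps = sorted(d for d, required in appetite.items()
                  if maturity.get(d) is None or maturity[d] < required)
    rated = [m for m in maturity.values() if m is not None]
    overall = round(sum(rated) / len(rated), 2) if rated else 0.0
    return {"vendor": vendor, "maturity": maturity, "gaps": gaps, "overall": overall}


def rank_vendors(appetite=RISK_APPETITE):
    """Compare providers as the speaker notes suggest: fewest appetite gaps
    first, then highest overall maturity."""
    cards = [scorecard(v, appetite) for v in VENDOR_ANSWERS]
    return sorted(cards, key=lambda c: (len(c["gaps"]), -c["overall"]))


if __name__ == "__main__":
    for card in rank_vendors():
        print(card["vendor"], card["overall"], "gaps:", card["gaps"] or "none")
        for domain, level in card["maturity"].items():
            print(f"  {domain:<22} maturity {level}")
```

Two design choices matter for an auditor. A domain in the appetite list that the vendor never answered, or answered only "n/a", is reported as a gap rather than scored, because silence is not evidence of a control. And the ranking puts the number of below-appetite domains ahead of the average, so a provider cannot hide one weak domain behind strong scores elsewhere.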
