  • 1. How to Audit Outsourced IT Environments?
     What are the challenges when auditing outsourced IT environments?
     How to include outsourced IT environments in your audit?
    Rob Kloots – CISA CISM CRISC, Owner, TrustingtheCloud, CSA-BE volunteer
    Berlin, June 2012
  • 2. Topics
     Key Cloud Security Problems
     The GRC Stack
     CSA Guidance Research
     Transparency
     Cloud Controls Matrix (CCM)
     CCM – 98 Controls
     Guidance
     The CAI Questionnaire
     CloudAudit Objectives & Alignment
  • 3. Key Cloud Security Problems
    From CSA Top Threats Research:
     Trust: lack of provider transparency, which impacts governance, risk management, compliance, and the capture of real value
     Data: leakage, loss, or storage in an unfriendly geography
     Insecure cloud software
     Malicious use of cloud services
     Account/service hijacking
     Malicious insiders
     Cloud-specific attacks
  • 4. The GRC Stack
    Provides trust in the Cloud.
    [Figure: GRC Stack diagram relating Needs and Claims, Evidence and Assurance, and Payoffs and Protection; labels include Security, Compliance, Requirements, Transparency, Capabilities, Visibility and Trust]
    Delivering evidence-based confidence… with compliance-supporting data & artifacts.
  • 5. A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
    Delivering – Description:
     Continuous monitoring … with a purpose: common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
     Claims, offers, and the basis for auditing service delivery: common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
     Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist
     The recommended foundations for controls: fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider
  • 6. A Headstart for Control and Compliance
    Forged by the global marketplace; ready for all (Professional, Government, Commercial). Legend:  In place,  Offered.
     Continuous monitoring … with a purpose: common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers (???)
     Claims, offers, and the basis for auditing service delivery: common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments (???)
     Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist. Government: FedRAMP, DIACAP, other C&A standards
     The recommended foundations for controls: fundamental security principles in assessing the overall security risk of a cloud provider. Control assessment criteria: NIST 800-53, HITRUST CSF, SSAE SOC2, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …
  • 7. CSA Guidance Research
    Popular best practices for securing cloud computing: 14 domains of concern, grouped into governing and operating.
     Cloud Architecture
     Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
     Operating in the Cloud: Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
  • 8. Transparency
    [Figure: source NIST SP 500-291 v1.0, p. 42, Figure 12]
  • 9. Cloud Controls Matrix (CCM)
    Leadership team: Becky Swain – EKKO Consulting; Philip Agcaoili – Cox Communications; Marlin Pohlman – EMC, RSA; Kip Boyle – CSA
    Versions: v1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), v2.0 (2012)
    Controls baselined and mapped to: COBIT; BITS Shared Assessments; HIPAA/HITECH Act; Jericho Forum; ISO/IEC 27001-2005; NERC CIP; NIST SP 800-53; FedRAMP; PCI DSS v2.0
  • 10. CCM – 98 Controls
  • 11. CCM – 98 Controls (cont.)
  • 12. CCM – 98 Controls (cont.)
  • 13. CCM – 98 Controls (cont.)
  • 14. Control Matrix >> Guidance >> ISO
  • 15. The CAI Questionnaire
  • 16. Sample Questions to Vendors
    Compliance - Independent Audits (CO-02)
     CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
     CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
     CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
     CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
     CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
     CO-02f - Are the results of the network penetration tests available to tenants at their request?
     CO-02g - Are the results of internal and external audits available to tenants at their request?
    Data Governance - Classification (DG-02)
     DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
     DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)?
     DG-02c - Do you have a capability to use system geographic location as an authentication factor?
     DG-02d - Can you provide the physical location/geography of storage of a tenant’s data upon request?
     DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
  • 17. CloudAudit Objectives
     Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
     Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology.
  • 18. Aligned to CSA Control Matrix
     Officially folded CloudAudit under the Cloud Security Alliance in October 2010
     First efforts aligned to compliance frameworks as established by the CSA Control Matrix: PCI DSS, NIST 800-53, HIPAA, COBIT, ISO 27002
     Incorporate CSA’s CAI and additional CompliancePacks
     Expand alignment to “infrastructure”- and “operations”-centric views also
  • 19. Holistic approach around controls…
  • 20. … and architecture best practices
  • 21. Any Questions?
    Rob Kloots – CISA CISM CRISC, Owner, TrustingtheCloud, volunteer CSA-BE
    M +32.499-374713