
IIA2013 PPT SLIDES DECK


IIA 2013, Auditing, Auditors, Conference, Presentations


  1. Auditing in the Subscription Economy – CAE Overview. Implementing the next generation best practices in Governance and Risk. Mr. Bhavesh Bhagat, Founder - EnCrisp – ConfidentGovernance.com; Founding Chair - CSA DC. ConfidentGovernance.com - Award winning Cloud migration experts; patent pending “Governance as a Service®” innovators.
  2. “Clouds come floating into my life, no longer to carry rain or storm, but to add color to my sunset sky.” – Rabindranath Tagore, Nobel Laureate in Literature (150-year anniversary).
  3. Agenda: Understand the Subscription Economy; Cloud Computing concepts; Risks and challenges; “Democratizing Governance” use case; Role of the CAE and Internal Audit.
  4. Ten Year Computing Cycles: 10X more users with each cycle. 1960s Mainframe Computing; 1970s Mini Computing; 1980s Client/Server Computing; 1990s Desktop Cloud Computing; 2000s Mobile Cloud Computing.
  5. Social Networking Surpasses Email. [Chart: Global Users (MM), 0 to 1,000, Social Networking Users vs. Email Users, 11/06 through 11/10, marking the inflection point where social networking overtakes email.] Facebook has reached its half-billion member mark, with an online population larger than the combined population of the U.S., Mexico, and France.
  6. Broad Change in Internet Usage: Top Internet Users. 22% of Internet time is social.
  7. Next Generation Devices Changing How We Access the Internet. [Chart: Annual unit shipments (MM), 0 to 2,000, 2007 through 2014E.]
  8. Cloud Computing: NIST Definition. National Institute of Standards and Technology (NIST) Special Publication 800-145: a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Composed of 5 essential characteristics, 3 service models, and 4 deployment models. Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
  9. Cloud Computing: Five Essential Characteristics. On-demand self-service: get it when you need it. Measured service: pay for what you use. Rapid elasticity: increase and decrease capacity quickly. Broad network access: access it from any Internet connection. Resource pooling: share fixed costs, which lowers individual costs.
  10. Cloud Computing: Three Service Models. Software as a Service (SaaS): capability made available to the tenant (or consumer) to use the provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces. Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx. Platform as a Service (PaaS): capability made available to the tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by the provider. Examples: Force.com, Microsoft Azure, Amazon Web Services. Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS): capability made available to the tenant to provision processing, storage, networks or other fundamental computing resources to host and run the tenant’s apps. Examples: Rackspace, Terremark (Verizon), Savvis, AT&T.
  11. Cloud Computing: Four Deployment Models. (1) Private: accessibility, single organization; management, organization or third party; host, on or off premise. (2) Community: accessibility, shared with common interests / requirements; management, organization or third party; host, on or off premise. (3) Public: accessibility, general public / large industry group; management, cloud provider; host, on or off premise. (4) Hybrid.
  12. Cloud Computing: Why cloud? Business Impact and Use Case Considerations, by Data / Infrastructure / Access Method. Virtualized Technology: local data, on or off premises / off premises / on or off premises. Virtualized Processes and Data: local data plus BIG DATA (social media Cloud domain) / shared local and Cloud / on or off premises. Virtualized Business Models: on or off premise / on or off premise / BYOD organizations.
  13. Cloud Computing: CAEs need to think from the CFO’s perspective. Virtualized Business Models: faster time to results; better working capital cycle; reduced CAPEX; reduced CGS; reduced SG&A; environmental sustainability as a byproduct.
  14. CAE’s guide to Cloud Use Cases (source: CIO.com Annual CIO survey 2010-2011), Plans to Use Cloud Services. Columns: currently using, actively researching, or planning to use in one to three years / planning to use in three to five years / no plans to use. Application platforms and development software: 68% / 2% / 30%. Collaboration tools: 79% / 4% / 17%. Enterprise application software: 63% / 3% / 34%. Personal productivity software: 53% / 4% / 43%. Utilities / management software: 66% / 2% / 32%. Networks: 52% / 2% / 45%. Storage: 63% / 7% / 30%. Servers: 59% / 2% / 39%.
  15. CAE decision enablers: Evaluating the Cloud Model. CAE considerations: How does our enterprise benefit from the cloud opportunity? How do we reduce the complexity of my business process and IT footprint by taking non-core computing to the cloud, transferring non-core applications to the cloud, or outsourcing to the cloud? Can we improve the efficiency of my development organization through speedy access to computing resources? Can we make IT more responsive/nimble by using cloud computing architectures? Can we assist in reduced CAPEX spend in line with CFO needs? Can we get higher availability and recovery at a lower price? Cloud Vendor considerations: Do they understand our business and needs? Can they provide the support that we are used to? How does it fit with my existing architecture? Who else has adopted within my industry; are there relevant references? How do the new entrants in the enterprise IT market (Amazon, Google, etc.) view the enterprise market? What are the new Risk Domains? What are the Regulatory, Compliance and Risk mitigation guidelines?
  16. New Opportunities - New Challenges: New Risk Mitigating Strategies. Security: new ways of thinking about security need to evolve for new issues; cloud computing presents new security challenges, namely trusting the vendor’s security model, customer inability to respond to audit findings, obtaining support for investigations, indirect administrator accountability, proprietary implementations that cannot be examined, loss of physical control, and attraction to hackers (high value target). Privacy: issues moving PII and sensitive data into the cloud. Fear of mass outages: fueled by high-profile outages of many popular cloud services (e.g., Gmail, Google Apps, Apple’s MobileMe, Amazon’s S3).
  17. New Opportunities - New Challenges: New Risk Mitigating Strategies. Cultural and organizational barriers: the organization must acquire new core capabilities; cloud skepticism. Difficulty tracking and delivering against defined SLAs: especially significant in the federal government, where a data breach could constitute a violation of the law. International sovereignty / cooperation: cloud computing could involve the movement of data between countries with differing laws regarding technology and property; determining jurisdiction and facilitating cross-border cooperation on these matters may prove challenging.
  18. What is Different about Cloud?
  19. GRC-XML: What is it? A standard language for risk and control definition and exchange. One language for many areas: security risk, IT risk, financial risk, operational risk, etc. Visibility across silos. Eliminates redundancy and duplication. Facilitates effective continuous monitoring and audit of controls. Extensible: companies can add their own activities, risks, control objectives, control activities, etc.
  20. GRC-XML: Illustrated. [Diagram: Business Integration, Applications & Systems (transactions, configurations, user access, surveys, etc.) → GRC-XML → Risk & Controls GRC Repository (risk models, controls documentation, organization / process, test procedures, test results; Enterprise GRC, Operational GRC, IT GRC, Cloud GRC) → GRC-XML → Controls Testing & Monitoring (automated control tests, manual control tests, sampling).]
  21. Cloud Governance: Practical approach with CSA and other third party tools.
  22. Holistic Approach Around Controls . . . Your Cloud Controls Matrix (Trusted Cloud Initiative).
  23. Suggested Approach to Use the CSA Cloud Audit Guideline Roadmap. [Diagram: Assess the opportunity → Reuse, through the CSA Controls Matrix, Security Framework, CSA Questionnaire, and Reference Architecture and Patterns (Trusted Cloud Initiative). Elements: security patterns, control mapping, guidelines, operational checklists, capability mapping, vendor certification, strategy alignment, use cases (OSA). Reference architecture layers: BOSS, ITOS, Presentation, SRM, Application, Information, Infrastructure.]
  24. How it Works (A Simplified View) . . . Third Party Assurance Centre. Parties: third party requesting access (risk appetite); cloud provider (maturity); internal hosting provider (maturity). 1. Business sets the level of risk they are willing to tolerate (number of levels depending on the data); maturity will include CAMM plus possible bespoke modules. 2. Level of risk management maturity is communicated to business partners (and possible partners). 3. Evidence of compliance may be uploaded to a central repository that can be used by numerous customers. 4. Leverage existing expenditure and remove the need for duplicate verification (note: may remove the audit requirement altogether).
  25. Evaluate Key Control Domains. Sources: ISO 27001, NIST SP800-53, PCI, CSA Controls Matrix, COBIT, ENISA Cloud doc., ITIL, BS25999. Domains: Governance (subcontractor due diligence, risk management); Human Resources; Physical Security (site security, environmental protection); IT Services (networks, change management, service management, development, etc.); Incident Management; Business Continuity. Maturity rated on a scale of 1 to 5.
  26. Mapping Example: Cloud Matrix to FedRAMP.
  27. Cloud Audit Automation Leveraging CSA CAIQ. Example CSA Cloud Audit modules: bit.ly/ClearGRC
  28. CAMM & CAIQ Data Governance Risk. RISK: Inadequate Cloud Data Governance. Results: benchmarking vendors based on CSA standards.
  29. Aggregate CSA Analytic Dashboards.
  30. CAE Leadership in Internal Auditor assured Cloud Governance and Emerging Technologies adoption.
  31. 3 Things CAEs will need to understand: Cloud Computing, Big DATA, Mobility.
  32. Cloud Governance, Internal Audit Leadership: Business Advisor. Advise on benefits, risks, and mitigation techniques. Create awareness. Participate in cloud conversion activities. Study and measure opportunities for increased efficiency and cost-savings.
  33. Cloud Governance, Internal Audit Leadership: Auditor. Interact with the cloud provider to understand the operation of key controls and the monitoring program. Participate in SLA and contract development. Review service organization reports and determine assurance needs. Audit end-user control responsibilities (browser and device security, APIs, admin access). Monitor changes and update the risk assessment.
  34. Cloud Governance, Internal Audit Leadership: User. Collaboration - email, documents. Application Development - audit document repositories, tools. Mobility - improve connections, monitoring. Back-office - transparent use for data storage.
  35. About EnCrisp. EnCrisp is an INC 500 award winning global leader in providing “business driven” solutions enhancing trust, governance, and transparency since 2004. EnCrisp is a “Governance and Compliance Niche” specialist, and its efforts result in strategic increases in trust, efficiency and compliance and less risk, without the complexities and overburdened capital costs, for leaders in IT, finance, business, quality, security and audit. AWARDS: INC 500 2009; NVTC Hot Ticket Tech 2007, 2009, 2011 (Hottest Bootstrap Category).
  36. Three Take-aways. Define your AUDIT challenges: technological as well as process; do not ignore process. Set realistic MANAGEMENT expectations: start using the technology first, then AUDIT; expertise is not instantaneous. Keep your eye on the BUSINESS goal: mentorship programs; work with SMEs and third party experts.
  37. RESOURCES: NIST - http://www.nist.gov/itl/csd/cloud-020111.cfm; CSA - Cloudsecurityalliance.org; GRCXchange Executive LinkedIn Group; CIO.com; http://Trust.Salesforce.com; http://www.google.com/apps/intl/en-GB/trust/data_protection.html; http://aws.amazon.com/security/
  38. Thank You! Hopefully you have found a new appreciation for CLOUDY days! Mr. Bhavesh Bhagat, 703.728.2493, bb@EnCrisp.com. EnCrisp President; Founding Chair - CSA Washington DC federal center; Chairman - GRCXchange Global Policy Thinktank.
