4. Compliance and Audit Management overview + Compliance Backgrounder Flashcards
Providers will supply you with all sorts of documentation to build trust in an offering, but how are the security statements within these documents verified to ensure that you remain compliant with regulations that affect your company?
Remember that audits are a key tool to prove or disprove compliance.
List some compliance items that you should consider as part of your cloud implementation
- Jurisdictional issues
- The shared responsibility model inherent in all types of cloud services
- Compliance inheritance
- Supply chain complexity
- Artifacts of compliance from the provider
- Scope relevance
- Compliance management
- Audit performance
- Provider experience
Describe the following compliance items that you should consider as part of your cloud implementation:
- Scope relevance
- Compliance management
- The shared responsibility model inherent in all types of cloud services
*Scope relevance = Are the features and services of a cloud provider within the scope of your previously performed audits and assessments?
*Compliance management = How does the provider manage compliance and audits—not just now, but over time as well?
*Shared responsibility model = The division of responsibility between you and the provider depends heavily on the service model being consumed (IaaS, PaaS, or SaaS).
Describe the following compliance items that you should consider as part of your cloud implementation:
- Audit performance
- Provider experience
- Jurisdictional issues
*Audit performance = How are audits of cloud computing performed compared to those in a traditional data centre environment?
*Provider experience = Does the provider have experience working with regulatory bodies?
*Jurisdictional issues = Your company may face regulations that forbid the export of data to foreign jurisdictions.
Describe the following compliance items that you should consider as part of your cloud implementation:
- Compliance inheritance
- Supply chain complexity
- Artifacts of compliance from the provider
*Compliance inheritance = Consider PCI, for example. The IaaS provider you use to host a credit card processing system may be Payment Card Industry (PCI) Level 1 certified, but your application must meet all other PCI requirements as well.
*Supply chain complexity = Consider the complexity of the supply chain. For example, many SaaS providers of all sizes may themselves use an outsourced IaaS solution to store customer data, or SaaS providers that leverage multiple PaaS providers may in turn use different IaaS providers.
*Artifacts of compliance from the provider = All the artefacts of compliance (such as system logs) that you require for traditional systems will still be required in a cloud environment. The real question is whether you can obtain these artefacts and do so promptly.
How can the CCSK be important for auditors?
“Earning a CCSK is a great way for auditors to demonstrate their knowledge of cloud services. Remember that customers should work with auditors who know the differences between traditional IT and the cloud.”
What is the GRC?
GRC (governance, risk, and compliance) enables proper oversight of computing—and cloud computing is no different.
When examining contracts and service agreements between your organization and cloud service providers, list the cloud-specific things you should focus on
*Security service level agreements
*Ownership of data
*Right to audit
*Third-party audits
*Conformance to security policies
*Compliance with laws and regulations
*Incident notification
*Liabilities
*Termination
When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:
*Security service level agreements
Explain why
The importance of security SLAs is often overlooked when reviewing CSP contracts. Following is a non-exhaustive list of the key items you should look for as part of a security SLA with a cloud provider:
*Specific written compliance commitments for standards that apply to your organization
*Service level commitments and liability terms for a data breach
*Exposure of detailed security monitoring for your organization’s implementation
*Explicit descriptions of security implementations and commitment to compliance
When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:
*Ownership of data
Explain why
Believe it or not, some cloud providers have clauses in their contracts that transfer ownership of any data uploaded by a customer to the provider. In turn, the customer gets unlimited access to this data, but the provider is allowed to do whatever they please with said data, including retaining it upon contract termination and/or selling it to others. This is more common with “free” versions of SaaS products.
When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:
*Right to audit
Explain why
You may see this referred to as a “first-party audit.” Essentially, this is a contractual clause that allows the customer to examine the supplier’s premises and systems upon reasonable notice. You may see this clause in an SLA if the provider sees a reason to take extreme measures to get your business. The reality is that big providers rarely grant this ability to customers.
When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:
*Third-party audits
Explain why
This clause requires the provider to undergo appropriate and regular audits. Reports from these audits should be made available to customers upon request. The reports should also include remediation plans for any significant issues identified in the reports.
When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:
*Conformance to security policies
Explain why
You need to understand the security policies in place at the cloud provider and understand how they meet your particular policy requirements. In the likely event that a service provider contract does not fully address your policies, you need to fill the gaps with your controls.
When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:
*Compliance with laws and regulations
Explain why
Contract clauses should clearly state that the service provider conforms to all relevant laws and regulations that are important to your organization. For example, if you are looking to store healthcare information in a particular provider’s environment, you must ensure that the provider is contractually bound to remain compliant with HIPAA regulations.
When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:
*Incident notification
*Liabilities
Explain why
You should understand how incidents are declared and how customers are notified by the provider (and vice versa) of incidents. Notifications could be required for service changes, interruptions, and, of course, security incidents. Specific time periods should be stated in the contract for these notifications.
Liabilities clauses should clearly state which parties are liable for which actions and activities. Available remedies should also be listed should either party fail to perform adequately.
When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:
*Termination terms
Explain why
The contract should contain provisions that describe the actions a CSP will perform if the business relationship is terminated. For example, how will customer data be deleted when a customer leaves, and in what time frame?
When examining contracts and service agreements between your organization and cloud service providers, list the non-cloud-specific things you should focus on
*Service levels
*Quality levels
Describe quality levels
What remedies are in place if quality standards, such as following best practices and quality control procedures, are not met by the provider? You need to remember that operational procedures performed by the cloud provider in a cloud environment have a direct impact on your company’s ability to operate in that environment.
Describe service levels
Understand the CSP’s acceptable service levels and the processes that are followed in the event of service interruptions. Is there an escalation path for notifications, or does the provider supply clients with a status update website?
In the event of a widespread outage, a CSP will likely use a status update page to update customers on outages or system-wide issues. Another aspect you need to understand is that many cloud providers will give customers only “service credits” as a form of penalty if availability falls below the level stated in the availability agreement (generally 99.9 per cent uptime).
Some providers will issue these credits only if the customer makes a claim for credits and shows the provider evidence of the outage.