4. Compliance and Audit Management overview + Compliance Backgrounder - DONE

Question 1

Providers will supply you with all sorts of documentation to build trust in an offering, but how are the security statements within these documents verified to ensure that you remain compliant with regulations that affect your company?

Answer 1

Remember that audits are a key tool to prove or disprove compliance.

Question 2

List some compliance items that you should consider as part of your cloud implementation

Answer 2

• Jurisdictional issues
• The shared responsibility model inherent in all types of cloud services
• Compliance inheritance
• Supply chain complexity
• Artifacts of compliance from the provider
• Scope relevance
• Compliance management
  -Audit performance
• Provider experience

Question 3

Describe the following compliance items that you should consider as part of your cloud implementation:
- Scope relevance

• Compliance management
• The shared responsibility model inherent in all types of cloud services

Answer 3

*Scope relevance = Are the features and services of a cloud provider within the scope of your previously performed audits and assessments?

*Compliance management = How does the provider manage compliance and audits—not just now, but over time as well?

*Shared responsibility model = shared responsibility will be highly dependent on the service model being consumed

Question 4

Describe the following compliance items that you should consider as part of your cloud implementation:
- Audit performance

• Provider experience
• Jurisdictional issues

Answer 4

*Audit performance = How are audits of cloud computing performed compared to those in a traditional data centre environment?

*Provider experience = Does the provider have experience working with regulatory bodies?

*Jurisdictional issues = Your company may face regulations that forbid the export of data to foreign jurisdictions.

Question 5

Describe the following compliance items that you should consider as part of your cloud implementation:
- Compliance inheritance

• Supply chain complexity
• Artifacts of compliance from the provider

Answer 5

*Compliance inheritance = Consider PCI, for example. The IaaS provider you use to host a credit card processing system may be Payment Card Industry (PCI) Level 1 certified, but your application must meet all other PCI requirements as well.

*Supply chain complexity = Consider the complexity of the supply chain. For example, many SaaS providers of all sizes may themselves use an outsourced IaaS solution to store customer data, or SaaS providers that leverage multiple PaaS providers may in turn use different IaaS providers.

*Artifacts of compliance from the provider = All the artefacts of compliance (such as system logs) that you require for traditional systems will still be required in a cloud environment. The real question is whether you can obtain these artefacts and do so promptly.”

Question 6

How can the CCSK be important for auditors?

Answer 6

“Earning a CCSK is a great way for auditors to demonstrate their knowledge of cloud services. Remember that customers should work with auditors who know the differences between traditional IT and the cloud.”

Question 7

What is the GRC?

Answer 7

GRC (governance, risk, and compliance) enables proper oversight of computing—and cloud computing is no different.

Question 8

When examining contracts and service agreements between your organization and cloud service providers, list the cloud-specific things you should focus on

Answer 8

*Security service level agreements
*Ownership of data
*Right to audit
*Third-party audits
*Conformance to security policies
*Compliance with laws and regulations
*Incident notification
*Liabilities
*Termination

Question 9

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Security service level agreements

Explain why

Answer 9

The importance of security SLAs is often overlooked when reviewing CSP contracts. Following is a non-exhaustive list of the key items you should look for as part of a security SLA with a cloud provider:

*Specific written compliance commitments for standards that apply to your organization
*Service level commitments and liability terms for a data breach
*Exposure of detailed security monitoring for your organization’s implementation
*Explicit descriptions of security implementations and commitment to compliance

Question 10

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Ownership of data

Explain why

Answer 10

Believe it or not, some cloud providers have clauses in their contracts that transfer ownership of any data uploaded by a customer to the provider. In turn, the customer gets unlimited access to this data, but the provider is allowed to do whatever they please with said data, including retaining it upon contract termination and/or selling it to others. This is more common with “free” versions of SaaS products.

Question 11

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Right to audit

Explain why

Answer 11

You may see this referred to as a “first-party audit.” Essentially, this is a contractual clause that allows the customer to examine the supplier’s premises and systems upon reasonable notice. You may see this clause in an SLA if the provider sees a reason to take extreme measures to get your business. The reality is that big providers rarely grant this ability to customers

Question 12

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Third-party audits

Explain why

Answer 12

This clause requires the provider to undergo appropriate and regular audits. Reports from these audits should be made available to customers upon request. The reports should also include remediation plans for any significant issues identified in the reports

Question 13

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Conformance to security policies

Explain why

Answer 13

You need to understand the security policies in place at the cloud provider and understand how they meet your particular policy requirements. In the likely event that a service provider contract does not fully address your policies, you need to fill the gaps with your controls.

Question 14

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Compliance with laws and regulations

Explain why

Answer 14

Contract clauses should clearly state that the service provider conforms to all relevant laws and regulations that are important to your organization. For example, if you are looking to store healthcare information in a particular provider’s environment, you must ensure that the provider is contractually bound to remain compliant with HIPAA regulations

Question 15

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Incident notification

*Liabilities

Explain why

Answer 15

You should understand how incidents are declared and how customers are notified by the provider (and vice versa) of incidents. Notifications could be required for service changes, interruptions, and, of course, security incidents. Specific time periods should be stated in the contract for these notifications

Liabilities clauses should clearly state which parties are liable for which actions and activities. Available remedies should also be listed should either party fail to perform adequately.

Question 16

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Termination terms

Explain why

Answer 16

The contract should contain provisions that describe the actions a CSP will perform if the business relationship is terminated. For example, how will customer data be deleted when a customer leaves, and in what time frame?

Question 17

When examining contracts and service agreements between your organization and cloud service providers, list the non-cloud-specific things you should focus on

Answer 17

*Service levels
*Quality levels

Question 18

Describe quality levels

Answer 18

]What remedies are in place if quality standards, such as following best practices and quality control procedures, are not met by the provider? You need to remember that operational procedures performed by the cloud provider in a cloud environment have a direct impact on your company’s ability to operate in that environment.

Question 19

Describe service levels

Answer 19

Understand the CSP’s acceptable service levels and the processes that are followed in the event of service interruptions. Is there an escalation path for notifications, or does the provider supply clients with a status update website?

In the event of a widespread outage, a CSP will likely use a status update page to update customers on outages or system-wide issues. Another aspect you need to understand is that many cloud providers will give customers only “service credits” as a form of penalty if the unavailability is more than stated availability agreements (generally 99.9 per cent uptime).

Some providers will issue these credits only if the customer makes a claim for credits and shows the provider evidence of the outage.

Question 20

What are the two biggest terms to remember about compliance in the cloud environment?

Answer 20

“compliance inheritance” and “continuous compliance”

Question 21

Going back to the logical model from Chapter 1, infrastructure in particular, you already know that this is completely under the control of the public cloud provider, and you most likely won’t have access to audit that environment. So what’s a company to do to prove compliance?

Answer 21

Use of third-party audit results called “pass-through audits” by the CSA, is a form of compliance inheritance. In this case, you confirm that a provider is compliant with the areas for which they are responsible via vendor-supplied audit results or certifications, and then you ensure that your systems running in the cloud environment are also compliant

Question 22

Give an example of compliance inheritance

Answer 22

“you build a credit card processing application on top of a Windows server that doesn’t have any form of malware inspection. (Congratulations! You just failed to meet PCI DSS 5.3!) The provider gave you a “PCI DSS Level 1” environment in which to operate your application, and yet you still blew it. This is the shared responsibility model in action. The provider is responsible for the facilities and the hardware, and your organization is responsible for configuring the server instance, the application, and any required logical security controls.”

“CAUTIONIf your SaaS provider claims they are PCI compliant just because they are using a PCI-compliant IaaS provider, there’s only one thing you should do—RUN. That screams to me that they have no idea of proper security or compliance.

Question 23

What are the similarities and differences between continuous monitoring and continuous auditing (continuous compliance)?

Answer 23

One commonality they share is that “continuous” doesn’t necessarily mean real-time analysis.

NIST defines Information Security Continuous Monitoring (ISCM) thusly: “Security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.

ISACA (Information Systems Audit and Control Association) calls out the distinction between a “traditional” and a “continuous” audit as a short time lapse between the facts to be audited, the collection of evidence, and audit reporting. Techniques to perform continuous auditing are referred to as computer-assisted audit techniques.

The bottom line is that “continuous” does not mean real-time 24×7×365. It addresses performing something at an appropriate frequency, and that is up to the system owner.

Question 24

What does the CSA have to say about continuous compliance?

Answer 24

The guidance itself is fairly limited in coverage, as the only reference to continuous compliance, audit, and assurance is the following:

Compliance, audit, and assurance should be continuous. They should not be seen as merely point-in-time activities, and many standards and regulations are moving more“towards this model. This is especially true in cloud computing, where both the provider and customer tend to be in more constant flux and are rarely ever in a static state.

Question 25

How do providers address this continuous compliance initiative?

Answer 25

“ Automation, that’s how! Remember that cloud environments are automated environments, to begin with, so why can’t testing of the environment be automated as well and be executed by the provider at an expected testing frequency between the point-in-time audits they currently provide to customers? Of course, not everything can be automated, so additional manual activities will have to be performed as well, but through the use of this STAR Continuous approach, customers will be able to have greater confidence in the security controls in the provider’s environment.

Question 26

The cloud may also change compliance by the introduction of a global network at your disposal. Why may this happen?

Answer 26

As you know, all jurisdictions have their own laws and regulations that may cause regulatory issues for your firm if sensitive data is accidentally placed in, or moved to, a different jurisdiction. Additional compliance challenges may arise because not all services and regions offered by a provider may have undergone the same audits and attestations

Question 27

What is the purpose of audit management and what does it include?

Answer 27

Audit management ensures that audit directives are implemented properly. This function includes determining appropriate requirements, scope, scheduling, and responsibilities. Audit management uses compliance requirements and risk data to scope, plan, and prioritize audit engagements.

Question 28

Audits are planned events; planning audits is part of the audit management function.

List what you should consider for audit planning when creating audit schedules and assigning resources for audits of cloud environments.

Answer 28

*Purpose
*Scope
*Risk analysis
* Audit procedures
* Resources
* Schedule

Question 29

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Purpose

Describe this

Answer 29

Purpose
What is the goal of the audit? Is it to determine compliance with a particular law, standard, contractual obligation, or internal requirement that has been introduced or changed? It is an initial audit of a service provider to determine appropriateness of use, or is it intended to determine whether a previously discovered deficiency has been remediated?

Question 30

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Scope
Describe this

Answer 30

*Scope This is the most critical aspect when consuming cloud services. All certifications and audit results supplied by a provider will have a specific scope. The scope can be based on specific services, geography, technology, business processes, or even a segment of the organization. You must understand the scope of an audit report and compare it to what you are consuming.

Question 31

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Risk Analysis
Describe this

Answer 31

“Risk analysis

This is another area that is directly related to cloud services. What cloud services pose the highest level of risk to your organization based on the criticality of the data being stored in a particular environment? This will ultimately determine the frequency and depth of audits that need to be performed against the wide array of cloud services your company is presently using or will be using in the future. Always remember that this isn’t just a provider issue. You will need to audit your implementation as well in the shared responsibility model of the cloud.”

Question 32

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Audit procedures
Describe this

Answer 32

Audit procedures

The procedures are the rules and processes defined in the audit methodology and/or standard. Compliance audits may determine the procedures that should be followed and the qualifications of the auditor. Audits of cloud environments should be performed by auditors with knowledge of cloud environments.

Question 33

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Resources
Describe this

Answer 33

*Resources

The resources that need to be identified include the time that should be allocated for the performance of the audit and the tools that will be required to execute the audit. For a cloud environment that exposes a programmatic interface such as CLIs or APIs, the tools may be developed so they are highly repeatable.

Question 34

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Schedule
Describe this

Answer 34

Schedule

An audit schedule should be developed that gives the auditor an appropriate amount of time to perform interviews, collect and analyze data, and generate audit reports. The time it takes to perform the audit will depend on multiple factors, such as the size of the scope, the applicable controls (ISO calls this the “Statement of Applicability”), and the complexity of the environment. This can be accelerated for the cloud because your auditors will likely be reviewing third-party audits. Alternatively, determining how often point-in-time audits should be performed can also be considered a function of audit management.

Question 35

Most CSPs will use two primary audit standards to demonstrate that appropriate security is in place for their cloud services.

Please list them

Answer 35

Service Organization Control (SOC)
International Standards Organization (ISO) standards

Question 36

Define attestation and certification.

Give examples of each

Answer 36

An attestation is a declaration that something exists or is true. Attestations are legal statements from a third party. They are used as a key tool when customers evaluate and work with cloud providers because customers often are not allowed to perform their own assessments. Attestations differ from audits in that audits are generally performed to collect data and information, whereas an attestation checks the validity of this data and information to an agreed-upon procedure engagement (such as SOC). Attestations can be performed by certified public accountants (CPAs)”

Certification is an official document attesting to a status or level of achievement. Both attestations and certifications are based on audit findings.

A SOC 2 report is a primary example of an attestation that’s widely used by CSPs. Primary examples of certifications used by CSPs are ISO/IEC 27001 and ISO/IEC 27017 (among others).

Question 37

How does auditing change in the cloud environment?

Answer 37

Auditing changes dramatically in a cloud environment because you will most likely be consuming these aforementioned third-party attestations and certifications rather than performing your own audits (remember these will be viewed as a security issue by the provider).

In many instances, these attestation reports will be available only under a nondisclosure agreement (NDA). This is the case with SOC 2 reports, for example. This is a condition of the AICPA itself, not the provider.”

Question 38

As you are relying on third-party audits and related attestations and certifications what you will you need to ensure?

Answer 38

ensuring the scope of the audit and when the audit was performed is more important than ever.

Scope issues you’ll want to address include the data centres, services, and, of course, the controls assessed. All audits and assessments are point-in-time activities. As they say in the financial world, past performance may not be indicative of future results. You always want to obtain the latest attestation or audit report. These reports aren’t released continuously throughout the year, nor are they made available immediately. Don’t be surprised to see that the latest report is a few months old. What you are consuming is the result of an audit that was performed during a certain period.

If you recall from the continuous compliance discussion earlier in this chapter, it is the time gap between audits that CSA STAR attempts to address.”

Question 39

Other than third-party audits how else does the cloud environment change the nature of auditing

Answer 39

there’s a shared responsibility model at play with the cloud and it’s not just all about auditing the provider. You will need to collect your artefacts of compliance to address your organizational compliance requirements. T

these artefacts of compliance (e.g. Audit logs, activity reporting, change management details and system configuration details) don’t change as a result of moving to the cloud. What does change is where these artefacts are stored, and how they are controlled may also change. You always want to identify required artefacts and how they can be either generated by your systems or made available by a provider.”

Question 40

Regarding audits of outsourcing providers, it is generally impossible to audit providers unless they have contractually agreed to allow your organization to audit them.

What is this contract clause called?
How do you go about not having that contract?
Why may a provider not allow that contract?

Answer 40

This contract clause is known as the right-to-audit clause (aka first-party audit). Without a right-to-audit clause, you will be reliant on published reports such as SOC and ISO/IEC (aka third-party audit).

As a CCSK candidate, you must remember that a provider may see auditors in their data centre as a security risk. I always imagine thousands of auditors standing in a line that stretches around the outside of the data centre, all waiting their turn for access. Now consider the provider with a million customers—would every single one of them have the right to audit? I’m sure you can determine that the result would be mayhem, and that’s why providers generally don’t allow such audits.

Question 41

An Audit scope takes on a dual intent with concern to cloud services. What are they?

Answer 41

You have the scope of a third-party audit when dealing with onboarding and maintaining a CSP, and then you have the audit of your usage of a particular cloud service

Question 42

You need to address a few questions as part of the audit scope when you’re assessing providers. Some of the bigger questions are:

Answer 42

*What certifications does the cloud service provider have? A SOC 2, Type 2, attestation engagement report will contain detailed information on the system, the tests that were performed, any findings, and management response. On the other hand, an ISO/IEC 27001 certification will generally be a single certification page signed off by the ISO auditor, stating that a part of the organization or the whole organization has obtained its ISO certification for its ISMS and will be good for three years.

*What services is your company consuming, and are they addressed in the report you have access to?

*Are there any subservice organizations used by the provider? For example, if you are researching a SaaS that uses an IaaS provider for storing customer data, you need to examine the IaaS provider as well.”

Question 43

“Above and beyond the auditing of the service provider, you must also consider the auditing of your organization’s use of cloud services.

Answer 43

A good place to start with this is the CUECs. These will be focused mainly on metastructure settings, but your audit scope doesn’t end there.

Don’t forget compliance inheritance and shared responsibilities and remember that artifacts of compliance don’t change; what changes is that the provider may need to produce these artifacts, or may need to allow you to maintain these artifacts.

The bottom line for auditing your usage of the cloud is this: you must maintain compliance regardless of where the systems and/or data are held, and this requires you to inspect all facets of your implementations, ranging from the metastructure up to the infostructure layer

Question 44

What are Auditor Requirements to consider?

Answer 44

Your company should engage only auditors who have cloud knowledge, such as those who have earned their CCSK. With so many new approaches to implementation in cloud services, the audit function requires an auditor who understands the possibilities available with cloud deployments.

Answer 45

“*Customers should always review audit results provided by providers with particular attention to the services and jurisdictions in the audit scope.”

.“*Providers should supply customers with commonly needed evidence and artifacts of compliance, such as logs of administrative activity that the customer cannot otherwise collect on their own.”

“*When a provider’s artifacts of compliance are insufficient, customers should create and collect their own artifacts. An example of this is adding logging into an application running in a PaaS that doesn’t offer appropriate logging capabilities.”

Question 46

“What should a customer do when they cannot collect evidence of compliance on their own?”

Answer 46

“Providers should supply customers with evidence of compliance and artifacts when customers cannot generate these themselves. All the other answers are just plain wrong.”

Question 47

“What should you pay particular attention to when reviewing previously performed audit reports given to you by a provider?

Answer 47

“CSA best practice recommends that particular attention be paid to the services and jurisdictions that are part of the audit scope, so this is the best answer.”

Question 48

“How must audits be conducted?”

“A pass-through audit is a form of what?

“How do audits work with compliance?”

“What is the purpose of audit management?”

Answer 48

“Always by an independent auditor”

Compliance inheritance

“Audits are a key tool for proving or disproving compliance.”

“Ensures that audit directives are implemented properly”