4. Compliance and Audit Management overview + Compliance Backgrounder - DONE Flashcards

1
Q

Providers will supply you with all sorts of documentation to build trust in an offering, but how are the security statements within these documents verified to ensure that you remain compliant with regulations that affect your company?

A

Remember that audits are a key tool to prove or disprove compliance.

2
Q

List some compliance items that you should consider as part of your cloud implementation.

A
  • Jurisdictional issues
  • The shared responsibility model inherent in all types of cloud services
  • Compliance inheritance
  • Supply chain complexity
  • Artifacts of compliance from the provider
  • Scope relevance
  • Compliance management
    • Audit performance
  • Provider experience
3
Q

Describe the following compliance items that you should consider as part of your cloud implementation:
  • Scope relevance
  • Compliance management
  • The shared responsibility model inherent in all types of cloud services
A

*Scope relevance = Are the features and services of a cloud provider within the scope of your previously performed audits and assessments?

*Compliance management = How does the provider manage compliance and audits—not just now, but over time as well?

*Shared responsibility model = Shared responsibility will be highly dependent on the service model being consumed.

4
Q

Describe the following compliance items that you should consider as part of your cloud implementation:
  • Audit performance
  • Provider experience
  • Jurisdictional issues
A

*Audit performance = How are audits of cloud computing performed compared to those in a traditional data centre environment?

*Provider experience = Does the provider have experience working with regulatory bodies?

*Jurisdictional issues = Your company may face regulations that forbid the export of data to foreign jurisdictions.

5
Q

Describe the following compliance items that you should consider as part of your cloud implementation:
  • Compliance inheritance
  • Supply chain complexity
  • Artifacts of compliance from the provider
A

*Compliance inheritance = Consider PCI, for example. The IaaS provider you use to host a credit card processing system may be Payment Card Industry (PCI) Level 1 certified, but your application must meet all other PCI requirements as well.

*Supply chain complexity = Consider the complexity of the supply chain. For example, many SaaS providers of all sizes may themselves use an outsourced IaaS solution to store customer data, or SaaS providers that leverage multiple PaaS providers may in turn use different IaaS providers.

*Artifacts of compliance from the provider = All the artefacts of compliance (such as system logs) that you require for traditional systems will still be required in a cloud environment. The real question is whether you can obtain these artefacts and do so promptly.

6
Q

How can the CCSK be important for auditors?

A

“Earning a CCSK is a great way for auditors to demonstrate their knowledge of cloud services. Remember that customers should work with auditors who know the differences between traditional IT and the cloud.”

7
Q

What is GRC?

A

GRC (governance, risk, and compliance) enables proper oversight of computing—and cloud computing is no different.

8
Q

When examining contracts and service agreements between your organization and cloud service providers, list the cloud-specific things you should focus on.

A

*Security service level agreements
*Ownership of data
*Right to audit
*Third-party audits
*Conformance to security policies
*Compliance with laws and regulations
*Incident notification
*Liabilities
*Termination

9
Q

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Security service level agreements

Explain why

A

The importance of security SLAs is often overlooked when reviewing CSP contracts. Following is a non-exhaustive list of the key items you should look for as part of a security SLA with a cloud provider:

*Specific written compliance commitments for standards that apply to your organization
*Service level commitments and liability terms for a data breach
*Exposure of detailed security monitoring for your organization’s implementation
*Explicit descriptions of security implementations and commitment to compliance

10
Q

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Ownership of data

Explain why

A

Believe it or not, some cloud providers have clauses in their contracts that transfer ownership of any data uploaded by a customer to the provider. In turn, the customer gets unlimited access to this data, but the provider is allowed to do whatever they please with said data, including retaining it upon contract termination and/or selling it to others. This is more common with “free” versions of SaaS products.

11
Q

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Right to audit

Explain why

A

You may see this referred to as a “first-party audit.” Essentially, this is a contractual clause that allows the customer to examine the supplier’s premises and systems upon reasonable notice. You may see this clause in an SLA if the provider sees a reason to take extreme measures to get your business. The reality is that big providers rarely grant this ability to customers.

12
Q

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Third-party audits

Explain why

A

This clause requires the provider to undergo appropriate and regular audits. Reports from these audits should be made available to customers upon request. The reports should also include remediation plans for any significant issues identified in the reports.

13
Q

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Conformance to security policies

Explain why

A

You need to understand the security policies in place at the cloud provider and understand how they meet your particular policy requirements. In the likely event that a service provider contract does not fully address your policies, you need to fill the gaps with your controls.

14
Q

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Compliance with laws and regulations

Explain why

A

Contract clauses should clearly state that the service provider conforms to all relevant laws and regulations that are important to your organization. For example, if you are looking to store healthcare information in a particular provider’s environment, you must ensure that the provider is contractually bound to remain compliant with HIPAA regulations.

15
Q

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Incident notification

*Liabilities

Explain why

A

You should understand how incidents are declared and how customers are notified by the provider (and vice versa) of incidents. Notifications could be required for service changes, interruptions, and, of course, security incidents. Specific time periods should be stated in the contract for these notifications.

Liabilities clauses should clearly state which parties are liable for which actions and activities. Available remedies should also be listed should either party fail to perform adequately.

16
Q

When examining contracts and service agreements between your organization and cloud service providers, one of the things you should focus on is:

*Termination terms

Explain why

A

The contract should contain provisions that describe the actions a CSP will perform if the business relationship is terminated. For example, how will customer data be deleted when a customer leaves, and in what time frame?

17
Q

When examining contracts and service agreements between your organization and cloud service providers, list the non-cloud-specific things you should focus on.

A

*Service levels
*Quality levels

18
Q

Describe quality levels

A

What remedies are in place if quality standards, such as following best practices and quality control procedures, are not met by the provider? You need to remember that operational procedures performed by the cloud provider in a cloud environment have a direct impact on your company’s ability to operate in that environment.

19
Q

Describe service levels

A

Understand the CSP’s acceptable service levels and the processes that are followed in the event of service interruptions. Is there an escalation path for notifications, or does the provider supply clients with a status update website?

In the event of a widespread outage, a CSP will likely use a status update page to update customers on outages or system-wide issues. Another aspect you need to understand is that many cloud providers will give customers only “service credits” as a form of penalty if the unavailability is more than stated availability agreements (generally 99.9 per cent uptime).

Some providers will issue these credits only if the customer makes a claim for credits and shows the provider evidence of the outage.

20
Q

What are the two biggest terms to remember about compliance in the cloud environment?

A

“compliance inheritance” and “continuous compliance”

21
Q

Going back to the logical model from Chapter 1, infrastructure in particular, you already know that this is completely under the control of the public cloud provider, and you most likely won’t have access to audit that environment. So what’s a company to do to prove compliance?

A

Use of third-party audit results, called “pass-through audits” by the CSA, is a form of compliance inheritance. In this case, you confirm that a provider is compliant with the areas for which they are responsible via vendor-supplied audit results or certifications, and then you ensure that your systems running in the cloud environment are also compliant.

22
Q

Give an example of compliance inheritance.

A

“You build a credit card processing application on top of a Windows server that doesn’t have any form of malware inspection. (Congratulations! You just failed to meet PCI DSS 5.3!) The provider gave you a ‘PCI DSS Level 1’ environment in which to operate your application, and yet you still blew it. This is the shared responsibility model in action. The provider is responsible for the facilities and the hardware, and your organization is responsible for configuring the server instance, the application, and any required logical security controls.”

“CAUTION: If your SaaS provider claims they are PCI compliant just because they are using a PCI-compliant IaaS provider, there’s only one thing you should do—RUN. That screams to me that they have no idea of proper security or compliance.”

23
Q

What are the similarities and differences between continuous monitoring and continuous auditing (continuous compliance)?

A

One commonality they share is that “continuous” doesn’t necessarily mean real-time analysis.

NIST defines Information Security Continuous Monitoring (ISCM) thusly: “Security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.”

ISACA (Information Systems Audit and Control Association) calls out the distinction between a “traditional” and a “continuous” audit as a short time lapse between the facts to be audited, the collection of evidence, and audit reporting. Techniques to perform continuous auditing are referred to as computer-assisted audit techniques.

The bottom line is that “continuous” does not mean real-time 24×7×365. It addresses performing something at an appropriate frequency, and that is up to the system owner.

24
Q

What does the CSA have to say about continuous compliance?

A

The guidance itself is fairly limited in coverage, as the only reference to continuous compliance, audit, and assurance is the following:

“Compliance, audit, and assurance should be continuous. They should not be seen as merely point-in-time activities, and many standards and regulations are moving more towards this model. This is especially true in cloud computing, where both the provider and customer tend to be in more constant flux and are rarely ever in a static state.”

25
Q

How do providers address this continuous compliance initiative?

A

“Automation, that’s how! Remember that cloud environments are automated environments to begin with, so why can’t testing of the environment be automated as well and be executed by the provider at an expected testing frequency between the point-in-time audits they currently provide to customers? Of course, not everything can be automated, so additional manual activities will have to be performed as well, but through the use of this STAR Continuous approach, customers will be able to have greater confidence in the security controls in the provider’s environment.”

26
Q

The cloud may also change compliance by the introduction of a global network at your disposal. Why may this happen?

A

As you know, all jurisdictions have their own laws and regulations that may cause regulatory issues for your firm if sensitive data is accidentally placed in, or moved to, a different jurisdiction. Additional compliance challenges may arise because not all services and regions offered by a provider may have undergone the same audits and attestations.

27
Q

What is the purpose of audit management and what does it include?

A

Audit management ensures that audit directives are implemented properly. This function includes determining appropriate requirements, scope, scheduling, and responsibilities. Audit management uses compliance requirements and risk data to scope, plan, and prioritize audit engagements.

28
Q

Audits are planned events; planning audits is part of the audit management function.

List what you should consider for audit planning when creating audit schedules and assigning resources for audits of cloud environments.

A

*Purpose
*Scope
*Risk analysis
*Audit procedures
*Resources
*Schedule

29
Q

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Purpose

Describe this

A

Purpose

What is the goal of the audit? Is it to determine compliance with a particular law, standard, contractual obligation, or internal requirement that has been introduced or changed? Is it an initial audit of a service provider to determine appropriateness of use, or is it intended to determine whether a previously discovered deficiency has been remediated?

30
Q

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Scope
Describe this

A

Scope

This is the most critical aspect when consuming cloud services. All certifications and audit results supplied by a provider will have a specific scope. The scope can be based on specific services, geography, technology, business processes, or even a segment of the organization. You must understand the scope of an audit report and compare it to what you are consuming.

31
Q

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Risk Analysis
Describe this

A

Risk analysis

This is another area that is directly related to cloud services. What cloud services pose the highest level of risk to your organization based on the criticality of the data being stored in a particular environment? This will ultimately determine the frequency and depth of audits that need to be performed against the wide array of cloud services your company is presently using or will be using in the future. Always remember that this isn’t just a provider issue. You will need to audit your implementation as well in the shared responsibility model of the cloud.

32
Q

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Audit procedures
Describe this

A

Audit procedures

The procedures are the rules and processes defined in the audit methodology and/or standard. Compliance audits may determine the procedures that should be followed and the qualifications of the auditor. Audits of cloud environments should be performed by auditors with knowledge of cloud environments.

33
Q

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Resources
Describe this

A

Resources

The resources that need to be identified include the time that should be allocated for the performance of the audit and the tools that will be required to execute the audit. For a cloud environment that exposes a programmatic interface such as CLIs or APIs, the tools may be developed so they are highly repeatable.

34
Q

For audit planning when creating audit schedules and assigning resources for audits of cloud environments you should consider the following:
Schedule
Describe this

A

Schedule

An audit schedule should be developed that gives the auditor an appropriate amount of time to perform interviews, collect and analyze data, and generate audit reports. The time it takes to perform the audit will depend on multiple factors, such as the size of the scope, the applicable controls (ISO calls this the “Statement of Applicability”), and the complexity of the environment. This can be accelerated for the cloud because your auditors will likely be reviewing third-party audits. Alternatively, determining how often point-in-time audits should be performed can also be considered a function of audit management.

35
Q

Most CSPs will use two primary audit standards to demonstrate that appropriate security is in place for their cloud services.

Please list them

A

Service Organization Control (SOC)
International Standards Organization (ISO) standards

36
Q

Define attestation and certification.

Give examples of each

A

An attestation is a declaration that something exists or is true. Attestations are legal statements from a third party. They are used as a key tool when customers evaluate and work with cloud providers because customers often are not allowed to perform their own assessments. Attestations differ from audits in that audits are generally performed to collect data and information, whereas an attestation checks the validity of this data and information to an agreed-upon procedure engagement (such as SOC). Attestations can be performed by certified public accountants (CPAs).

Certification is an official document attesting to a status or level of achievement. Both attestations and certifications are based on audit findings.

A SOC 2 report is a primary example of an attestation that’s widely used by CSPs. Primary examples of certifications used by CSPs are ISO/IEC 27001 and ISO/IEC 27017 (among others).

37
Q

How does auditing change in the cloud environment?

A

Auditing changes dramatically in a cloud environment because you will most likely be consuming these aforementioned third-party attestations and certifications rather than performing your own audits (remember these will be viewed as a security issue by the provider).

In many instances, these attestation reports will be available only under a nondisclosure agreement (NDA). This is the case with SOC 2 reports, for example. This is a condition of the AICPA itself, not the provider.

38
Q

As you are relying on third-party audits and related attestations and certifications, what will you need to ensure?

A

Ensuring the scope of the audit and when the audit was performed is more important than ever.

Scope issues you’ll want to address include the data centres, services, and, of course, the controls assessed. All audits and assessments are point-in-time activities. As they say in the financial world, past performance may not be indicative of future results. You always want to obtain the latest attestation or audit report. These reports aren’t released continuously throughout the year, nor are they made available immediately. Don’t be surprised to see that the latest report is a few months old. What you are consuming is the result of an audit that was performed during a certain period.

If you recall from the continuous compliance discussion earlier in this chapter, it is the time gap between audits that CSA STAR attempts to address.

39
Q

Other than third-party audits, how else does the cloud environment change the nature of auditing?

A

There’s a shared responsibility model at play with the cloud, and it’s not just all about auditing the provider. You will need to collect your artefacts of compliance to address your organizational compliance requirements.

These artefacts of compliance (e.g. audit logs, activity reporting, change management details and system configuration details) don’t change as a result of moving to the cloud. What does change is where these artefacts are stored and how they are controlled. You always want to identify required artefacts and how they can be either generated by your systems or made available by a provider.

40
Q

Regarding audits of outsourcing providers, it is generally impossible to audit providers unless they have contractually agreed to allow your organization to audit them.

What is this contract clause called?
What do you rely on if you do not have that contract clause?
Why might a provider not allow that clause?

A

This contract clause is known as the right-to-audit clause (aka first-party audit). Without a right-to-audit clause, you will be reliant on published reports such as SOC and ISO/IEC (aka third-party audit).

As a CCSK candidate, you must remember that a provider may see auditors in their data centre as a security risk. I always imagine thousands of auditors standing in a line that stretches around the outside of the data centre, all waiting their turn for access. Now consider the provider with a million customers—would every single one of them have the right to audit? I’m sure you can determine that the result would be mayhem, and that’s why providers generally don’t allow such audits.

41
Q

Audit scope takes on a dual intent with respect to cloud services. What are the two?

A

You have the scope of a third-party audit when dealing with onboarding and maintaining a CSP, and then you have the audit of your usage of a particular cloud service.

42
Q

You need to address a few questions as part of the audit scope when you’re assessing providers. Some of the bigger questions are:

A

*What certifications does the cloud service provider have? A SOC 2 Type 2 attestation engagement report will contain detailed information on the system, the tests that were performed, any findings, and management response. On the other hand, an ISO/IEC 27001 certification will generally be a single certification page signed off by the ISO auditor, stating that a part of the organization or the whole organization has obtained its ISO certification for its ISMS, and it will be good for three years.

*What services is your company consuming, and are they addressed in the report you have access to?

*Are there any subservice organizations used by the provider? For example, if you are researching a SaaS that uses an IaaS provider for storing customer data, you need to examine the IaaS provider as well.

43
Q

Above and beyond the auditing of the service provider, you must also consider the auditing of your organization’s use of cloud services.

A

A good place to start with this is the CUECs (complementary user entity controls). These will be focused mainly on metastructure settings, but your audit scope doesn’t end there.

Don’t forget compliance inheritance and shared responsibilities and remember that artifacts of compliance don’t change; what changes is that the provider may need to produce these artifacts, or may need to allow you to maintain these artifacts.

The bottom line for auditing your usage of the cloud is this: you must maintain compliance regardless of where the systems and/or data are held, and this requires you to inspect all facets of your implementations, ranging from the metastructure up to the infostructure layer.

44
Q

What are Auditor Requirements to consider?

A

Your company should engage only auditors who have cloud knowledge, such as those who have earned their CCSK. With so many new approaches to implementation in cloud services, the audit function requires an auditor who understands the possibilities available with cloud deployments.

45
Q
A

*Customers should always review audit results provided by providers with particular attention to the services and jurisdictions in the audit scope.

*Providers should supply customers with commonly needed evidence and artifacts of compliance, such as logs of administrative activity that the customer cannot otherwise collect on their own.

*When a provider’s artifacts of compliance are insufficient, customers should create and collect their own artifacts. An example of this is adding logging into an application running in a PaaS that doesn’t offer appropriate logging capabilities.

46
Q

“What should a customer do when they cannot collect evidence of compliance on their own?”

A

“Providers should supply customers with evidence of compliance and artifacts when customers cannot generate these themselves. All the other answers are just plain wrong.”

47
Q

“What should you pay particular attention to when reviewing previously performed audit reports given to you by a provider?”

A

“CSA best practice recommends that particular attention be paid to the services and jurisdictions that are part of the audit scope, so this is the best answer.”

48
Q

“How must audits be conducted?”

“A pass-through audit is a form of what?”

“How do audits work with compliance?”

“What is the purpose of audit management?”

A

“Always by an independent auditor”

“Compliance inheritance”

“Audits are a key tool for proving or disproving compliance.”

“Ensures that audit directives are implemented properly”