Domain 4 - Compliance and Audit Management

Question 1

How does cloud computing affect compliance and audit?

Answer 1

1. Cross border jurisdictional issues
2. Division of responsibility between provider and customer
3. Inheriting compliance controls from CSPs
4. How evidence is provided

Question 2

What’s the difference between compliance and audits?

Answer 2

• Compliance validates awareness of and adhere to corporate obligations (Corporate Social Responsibility, Laws, Regs, Contracts, Ethics, contracts, strategies and policies. etc.)
• Audits are a key tool for providing compliance.

Question 3

What is Compliance Management?

Answer 3

• A tool of governance
• How organization assesses, remediates, and proves it is meeting internal and external obligations.
• Many regulations and obligations require a certain level of security.
• This is why compliance is so closely tied to security.
• Security controls are an important tool to assure compliance.

Question 4

What’s the impact of cloud on compliance?

Answer 4

• Compliance is a shared responsibility; customer is ultimately responsible for your own compliance.
• Reliance on 3P Audits
• National/International jurisdiction - e.g. a developer can easily deploy service in a different Region without having to get the necessary approvals.
• Not all CSP services may be in scope of compliance.

Question 5

What are audits and assessments?

Answer 5

• Mechanisms to document compliance with internal and external requirements.
• Reporting includes compliance determination, identified issues, risks and remediation recommendations.
• Audits have scope and statement of applicability
• SoA says what is being evaluated (e.g. all systems with financial data)
• Information Security Audits typically focus on effectiveness of security management and controls.