DOMAIN 4 - RIGHT TO AUDIT, AUDIT SCOPE, AUDITOR REQUIREMENTS Flashcards
Reporting needs to include a compliance determination, as well as a list of identified issues, risks, and ________
remediation recommendation
Audits and assessments aren’t limited to information security, but those related to information security typically focus on evaluating the ______ of security management and controls.
effectiveness
All ______ have variable scope and statement of applicability, which defines what is evaluated (e.g., all systems with financial data) and to which controls (e.g., an industry standard, custom scope, or both).
audits
An _______ is a legal statement from a third party, which can be used as their statement of audit findings
attestation
_________ includes the management of all activities related to audits and assessments, such as determining requirements, scope, scheduling, and responsibilities.
Audit management
Customers should understand that providers can (and often should) consider _______ audits a security risk when providing multitenant services
on-premises
Customers working with these providers will have to rely more on third-party attestations rather than audits they perform themselves. Depending on the audit standard, actual results may only be releasable under a ________
nondisclosure agreement (NDA)
Publishing certifications and attestations (to the degree legally allowed) will greatly assist cloud customers in evaluating providers. ________ offers a central repository for providers to publicly release these documents
The Cloud Security Alliance STAR Registry
Some standards, such as ______, attest that documented controls work as designed/required. The standard doesn’t necessarily define the scope of controls, so both are needed to perform a full evaluation.
SSAE 16
It’s important to remember that attestations and certifications are ________
point-in-time activities
________ are the logs, documentation, and other materials needed for audits and compliance; they are the evidence to support compliance activities
Artifacts
______ are ultimately responsible for the artifacts to support their own audits, and thus need to know what the provider offers, and create their own artifacts to cover any gaps.
Customers