Your company’s audit and risk profile for data systems will change because of
cloud computing, the process of storing, accessing and sharing company data and
processes remotely over the internet.
Generally speaking, there are four main cloud services that companies of all
sizes are looking for: applications, data storage, infrastructure and platform,
and they are all linked.
When contemplating any of these types of services for your organisation,
questions such as where your data is being stored, who can access it, when it
is deleted and what actually happens to that data need to be asked by the audit
team before negotiations with the cloud service provider begin.
Most cloud services are offered on a shared server basis, that is, the IT
resources on a given server are shared between multiple organisations. Some
companies are going down the route of signing up for non-shared cloud services
that are offered on a secure basis by the likes of IBM and Unisys.
Even though this effectively means a company’s data storage facilities are
installed remotely, the economies of scale of major data centres make such
services cost-effective, though not as cost-effective or environmentally
friendly as shared cloud services.
Remember the risks
Even secure cloud services carry a greater risk of data going walkabout than
keeping your organisation’s data neatly tucked up on your own servers.
To counter these issues, it is necessary to carry out a carefully defined risk
analysis of IT systems and procedures before deciding which cloud technology
and service is the best option for the business.
The four main stages in this analysis are as follows:
* ID management and access control. Who is authorised to do what and when?
* Regulatory requirements. Does it comply with Basel II, SOX, PCI, SAS70, etc?
* Data handling processes. Where is the company’s data located and how is it
* Staff management. When someone leaves, comes on board or changes roles, what
As always with IT systems, implementing good data security practices,
processes and technology at a grass roots level can help to reduce the
operational risk profile of cloud computing.
It is, however, important to understand the need for a risk analysis audit of
your cloud service provider, before later steps such as the creation of service
level agreements, remediation procedures and penalty clauses are started.
What is required is an assessment of the expectations that management and the
business have for the cloud outsourcing contract’s terms and conditions:
what precise functions are required to be completed by the outsourcing
company, and what are the performance and security criteria that you will be
able to hold the provider to?
Adam Bosnian is vice president of products, strategy and sales at Cyber
Who can see my information? Data loss is now a reality and a
sizeable chunk of all data loss incidents is down to third party providers. As
a result, you need to know whether the service provider, who is the
administrator of the system, can see your data. Most IT administrators have this
ability. Therefore, do they have the controls in place to prevent your data
being sent, copied or emailed out?
What happens if the service provider loses some of your
data? You need to ask your cloud service provider what their data
protection policy is and what their audit procedures are. And then you should
perform due diligence on those procedures.
Are you happy with data co-location? What does the third
party organisation do to separate information and systems? Could your
competitor, who is also using the service, get their hands on your data?
Remember that, in the cloud, you cannot tell whether your data is copied. So you
really need to get this one answered!
What happens in the event of data corruption? How many
copies of your data does the third party have? Do they use incremental backups,
and can they reconstruct an image of your data at a given point in the past from
these partial backups? How far back do their backups go in calendar terms?
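The point-in-time question above is worth making concrete, because an incremental backup scheme is only as good as the weakest link in its chain. The following is an added illustration, not code from the article or from its author's company: it models a full backup followed by incrementals (each recording a fingerprint of the image it extends), rebuilds the data image as it stood on a chosen day, and shows that losing one incremental makes every later restore point unrecoverable. The "day number" timestamps, file names and contents are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    """One backup in a chain. Constructed model: taken_at is a day number,
    changes maps file path -> content, with None meaning the file was deleted."""
    taken_at: int
    kind: str                 # "full" or "incremental"
    changes: dict
    parent_digest: str = ""   # digest of the image an incremental was taken against


def digest(image):
    """Fingerprint of a data image, used to prove that each incremental
    really follows the image it claims to follow."""
    canonical = json.dumps(image, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def apply_changes(image, changes):
    """Return a new image with the recorded changes applied."""
    result = dict(image)
    for path, content in changes.items():
        if content is None:
            result.pop(path, None)   # deletion recorded by the incremental
        else:
            result[path] = content
    return result


def incremental(previous_image, taken_at, changes):
    """Build an incremental backup that records which image it extends."""
    return Backup(taken_at, "incremental", changes, digest(previous_image))


def restore(chain, point_in_time):
    """Rebuild the image as it stood at point_in_time from the full backup plus
    the incrementals taken up to then. Raises ValueError if a link is missing."""
    ordered = sorted(chain, key=lambda b: b.taken_at)
    if not ordered or ordered[0].kind != "full":
        raise ValueError("chain must start with a full backup")
    image = {}
    for backup in ordered:
        if backup.taken_at > point_in_time:
            break
        if backup.kind == "incremental" and backup.parent_digest != digest(image):
            raise ValueError(f"chain broken before the backup taken on day {backup.taken_at}")
        image = apply_changes(image, backup.changes)
    return image


def chain_is_intact(chain):
    """True if the most recent point in time covered by the chain can be rebuilt."""
    try:
        restore(chain, max(b.taken_at for b in chain))
    except ValueError:
        return False
    return True


def earliest_restore_point(chain):
    """How far back the backups go: the oldest full backup in the chain."""
    return min(b.taken_at for b in chain if b.kind == "full")


# Constructed sample chain: one full backup followed by three incrementals.
DAY1 = {"ledger.csv": "v1", "policy.txt": "a"}
FULL = Backup(1, "full", DAY1)
INC2 = incremental(DAY1, 2, {"ledger.csv": "v2"})
DAY2 = apply_changes(DAY1, INC2.changes)
INC3 = incremental(DAY2, 3, {"policy.txt": None, "notes.md": "n"})
DAY3 = apply_changes(DAY2, INC3.changes)
INC4 = incremental(DAY3, 4, {"ledger.csv": "v3"})

CHAIN = [FULL, INC2, INC3, INC4]
CHAIN_WITH_GAP = [FULL, INC3, INC4]   # the day-2 incremental has been lost

if __name__ == "__main__":
    print("image on day 3:", restore(CHAIN, 3))
    print("full chain intact:", chain_is_intact(CHAIN))
    print("chain with gap intact:", chain_is_intact(CHAIN_WITH_GAP))
    print("earliest restore point: day", earliest_restore_point(CHAIN))
```

Two of the article's questions map directly onto this model: `earliest_restore_point` is "how far back do the backups go", and `chain_is_intact` is the check that a provider claiming point-in-time restores can actually carry one out. A provider that keeps only the latest incremental, or cannot show that each incremental is anchored to the image before it, will fail the second check even though it "has backups".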
How easy is it to migrate to another cloud service provider?
This is a question few companies ask until it’s too late. Porting data between
cloud service providers is a relatively new capability and only a small number
of service providers have implemented what will become a very necessary service.
Are you relying too much on service level agreements? A
service level agreement (SLA) is the contract between you and the cloud service
provider. While figures are usually central to most SLAs, you need a remediation
process in the event the service provider does not meet their agreement. Things
can, and do, go wrong, so it is important to agree the remediation process, as
the fate of your company could rest on the integrity of the agreement.
Compensation is only part of the equation as, by the time the money is paid, you
could be out of business.