Auditing the Cloud

Given the coverage that Cloud technology is getting, it is important to consider how to approach an audit of a Cloud service or infrastructure. Many see this as one of the top focus areas for IT Audit in 2011.

At heart I believe this should follow a similar method to auditing outsourcing relationships (depending on the nature of the Cloud service, of course). There are a couple of good reference points on the Web to help get started:

http://www.cloudsecurityalliance.org/topthreats.html – The CSA is a great place to start researching Cloud technologies and threats

http://cloudaudit.org/ – A relatively new volunteer-based resource addressing auditing, assurance and assertion for Cloud providers and consumers

http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1524267,00.html – Recent article on TechTarget discussing Cloud Computing and Financial Services

It is important to know the concepts and terminology right from the start. As an IT Auditor you may need to explain to the business the implications of using external Cloud services. Most are immediately concerned about having their business information stored offsite in an ‘intangible’ cloud. The audit program will need to pull together various other programmes such as third-party management, infrastructure reviews, information security, and regulatory and compliance implications.


The Silly Season for Fraud

It’s the festive season in many parts of the world, so time for celebrations and some well-earned relaxation. Not everyone follows suit, however: criminals are well aware that companies may be running with key staff on holiday and seize this opportunity to commit fraud. For those not taking leave, it is a time to remain more vigilant than normal. Don’t let inexperienced staff make decisions such as authorising a high-value deal just because the usual manager is out of the office. It is important for normal procedural controls to remain in place with the right experience at hand, and for your key risk indicator (KRI) monitoring program to be functioning properly.

The same applies to technology: depending on your business, this time of year could be one of the busiest, so system uptime and performance are crucial. Criminals may also target people directly through phishing or other social engineering attacks, counting on reduced staffing and unfamiliar cover arrangements. Remember, when in doubt, apply common sense and logic.