Cloud Computing – What Auditors Need To Know

Transcription

Cloud Computing – What Auditors Need To Know

This presentation is provided solely for educational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on these courses for such purposes.

Contents

Section 1: Cloud overview
Section 2: Risk and Controls
Section 3: Internal audit’s role
Section 4: Solution
Section 5: Service organization controls

Cloud Overview

Cloud Computing Overview – What is Cloud Computing?

Having a common definition helps with managing the cloud.

Five essential characteristics: “On-demand self-service”, “Broad network access”, “Resource pooling”, “Rapid elasticity”, “Measured service”.

Three service models: Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service.

Four deployment models: Public cloud (external), Private cloud (internal), Hybrid cloud, Community cloud.

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” – The NIST SP 800-145 Definition of Cloud Computing

Cloud Computing Overview – Deployment Models

Cloud computing technology is deployed in four general types, based on the level of internal or external ownership and technical architectures.

Public Cloud: Cloud computing services from vendors that can be accessed across the Internet or a private network, using systems in one or more data centers, shared among multiple customers, with varying degrees of data privacy control.

Private Cloud: Computing architectures modeled after public clouds, yet built, managed, and used internally by an enterprise; uses a shared-services model with variable usage of a common pool of virtualized computing resources. Data is controlled within the enterprise.

Hybrid Cloud: A mix of vendor cloud services, internal cloud computing architectures, and classic IT infrastructure, forming a hybrid model that uses best-of-breed technologies to meet specific needs.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, objectives, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

Cloud Computing Overview – Service Delivery

Different types of cloud computing services are grouped into specific categories: Infrastructure, Platform and Software services.

Infrastructure as a Service (IaaS)
– Definition: Delivers computer infrastructure, typically a platform virtualization environment, as a service. Service is typically billed on a utility computing basis and the amount of resources consumed.
– Customization: Customization where the technology being deployed requires minimal configuration; easier to migrate applications.
– Operational notes: The user of the cloud maintains a large portion of the technical staff (developer, system administrator, and DBA).

Platform as a Service (PaaS)
– Definition: Delivers a computing platform as a service. It facilitates deployment of applications while limiting or reducing the cost and complexity of buying and managing the underlying hardware and software layers.
– Customization: Moderate customization; build applications within the constraints of the platform. Applications may need to be rewritten to meet the specifications of the vendor.
– Operational notes: The user of the cloud maintains a development staff.

Software as a Service (SaaS)
– Definition: Delivers software as a service over the Internet, avoiding the need to install and run the application on the customer's own computers and simplifying maintenance and support.
– Customization: Limited customization; existing applications are likely not able to migrate.
– Operational notes: Applications may need to be rewritten to meet the specifications of the vendor. The user utilizes the vendor’s IT staff and has limited to no technical staff.

Cloud Computing Overview – Service Delivery

Responsibility chart – Your Organization vs Cloud Vendor. The slide repeats the IaaS, PaaS and SaaS definitions, customization and operational notes, with each layer labelled as the responsibility of either your organization or the cloud vendor: the subscriber carries the most responsibility under IaaS (it keeps developers, system administrators and DBAs) and the least under SaaS (it relies on the vendor’s IT staff).

Risk and Controls

Risks (and Controls) are Widespread

We believe that cloud architectures can be a disruptive force enabling new business models and structures to deliver information services.

Figure: layered view of the cloud stack (SaaS = application, PaaS = application programming, IaaS = computer/virtualization, all running on a virtual layer over the cloud supporting infrastructure, with data storage at each level), with control areas numbered 1 to 8:
– Governance: business processes, IT operational processes, information security
– 1. SaaS controls
– 2. PaaS controls
– 3. IaaS controls
– 4. Virtualization controls
– 5. Data management and storage controls
– 6. ACLs
– 7. Communication channels
– 8. Supporting infrastructure (physical hardware, network devices)
– End users, laptops, cell phones, etc.

Auditing Challenges with Cloud Computing

A disruptive technology, like cloud computing, can impact “how” to audit.

Understanding the scope of the cloud computing environment
– Do you use the same matrix for public clouds as for private clouds (internal vs. external)?
– The concept of a perimeter in a multi-tenant environment doesn’t make sense anymore.
– Where does the cloud start and stop? Can your current risk assessment capture the risks correctly?

Sample selection
– What is the population from which to pick a sample?
– What would your sample selection methodology be in a highly dynamic environment?
– A snapshot in time may depend on whether it was taken at a peak or an off-peak point in time.

Audit trails
– How do you “test” historical data if there was no audit trail?

Other
– Educating the audit committee
– Overcoming internal barriers restricting the early involvement of internal audit as a ‘risk advisor’ to the business and IT

Internal Audit’s Role

Internal Audit’s Role

What should the role of internal audit be in your organization’s move to the Cloud?
1. Proactive trusted advisor/partner
2. Proactively identify risks to be mitigated in order to optimize the benefits of the outsourcing relationship
3. Internal Audit does not get involved with the move until it is time to audit
4. Advise on the cost savings that would be realized by a reduction of audits

Internal Audit’s Role

Internal audit and compliance have a key role to play in helping to manage and assess risk as cloud services evolve, especially for third-party compliance.

– Embrace the “trusted advisor” role as the organization takes on new risks
– Proactively offer a balance of consultative and assurance services
– Educate and engage with the Board/Audit Committee

Recommended approach
– Understand and educate on cloud computing risks: security, privacy, data integrity, contractual clarity and protections, business continuity, process and system reliability, effectiveness/efficiency of new business processes, configuration management, compliance with cross-jurisdictional regulations, etc.
– Help mitigate risks:
  – Participate in cross-functional discussions to identify risks, vulnerabilities, implications and action plans
  – Participate pre-implementation (such as in product design teams) to help assess risk and design mitigations, considering people, process and policy
  – Assess effectiveness of product/project implementation processes across functions
  – When appropriate, assess adequacy and effectiveness of controls, but recognize the absence of any authoritative control standard/baseline
– Provide objective insights

Managing Cloud Computing Risk

Risk management principles: Mitigate, Transfer, Bear. Each risk area lists actions for the cloud subscriber and for the cloud provider.

Identity and Access Management (IAM)
– Cloud subscriber: Select an IAM solution based on current and anticipated access control requirements. Secure authorization and mature role-based access control life cycles.
– Cloud provider: Drive access control solutions that align with customer contract requirements and support the several regulatory requirements of customers. Least privilege access enabled and followed.

Regulatory
– Cloud subscriber: Select a Cloud Service Provider (CSP)/vendor that can support your regulatory requirements. Build a vendor oversight program to monitor/measure compliance with contract requirements.
– Cloud provider: Utilize a rationalized security framework based on multiple regulatory requirements to establish controls and processes.

Privacy
– Cloud subscriber: Revise privacy statements and the privacy program to adjust for the geographic challenges of cloud computing. Define privacy practices and processes.
– Cloud provider: Develop processes for handling sensitive/privacy-related data with defined acceptable use and data protection processes and standards. Establish a reporting process for unauthorized access.

Cyber Threat
– Cloud subscriber: Revise patch and vulnerability assessment policies and standards based on risk. Develop mature security assessments and standards for vendor management.
– Cloud provider: Establish security monitoring processes in conjunction with the vulnerability management program. Establish application-level code reviews and stringent Software Development Life Cycle processes, and provide notification of changes.

Managing Cloud Computing Risk (continued)

Risk management principles: Mitigate, Transfer, Bear.

Resiliency and Availability
– Cloud subscriber: Redefine enterprise continuity-of-operation policies and standards for data replication and backup. Reestablish availability metrics and standards.
– Cloud provider: Define processes for replication, failover, and reconstitution of services related to disruptions. Reassess availability commitments and confirm testing results for compliance with SLAs.

Security Operations
– Cloud subscriber: Create explicit security operations policies and standards for cloud computing. Consider a policy-based approach for consistently consuming cloud services.
– Cloud provider: Establish a Security Operations Center (SOC). Define assessment, reporting, and response capabilities. Consider a policy-based approach for consistently managing cloud systems.

Application Development
– Cloud subscriber: Use software development lifecycle policies and standards based on common frameworks. Use release and change management policies.
– Cloud provider: Establish application-level code reviews and stringent SDLC processes, and provide notification of changes and release management. Offer self-service change acceptance processes.

Enterprise Resource Planning (ERP)
– Cloud subscriber: Establish security policies and standards for ERP management and acceptable data usage. Define acceptable use of modules and databases.
– Cloud provider: Establish security zones, data protections, and access-provisioning processes. Offer strong authentication with single sign-on capabilities based on customer roles.

The Solution: Risk-Based Approach

Risk-Based Approach

Understanding the various cloud models and the related threats and vulnerabilities will help manage risk.

– Service delivery risk: evaluate virtualization risks, SaaS risks, PaaS risks and IaaS risks
– Deployment risk: understand public cloud, private cloud and hybrid cloud risks
– Business model risk: evaluate cloud consumer risks and cloud provider risks
– Security risk: perform an analysis of the security risks
– Other risks

RISK is determined from ASSET, THREAT, VULNERABILITY, LIKELIHOOD and IMPACT (NIST SP 800-30).

Copyright 2014 Deloitte Development LLC. All rights reserved.

Sample of tools and frameworks

– NIST SP 800-53, NIST SP 800-144, SP 800-30
– Deloitte Cloud Computing Risk Intelligence Map
– Cloud Security Alliance – Cloud Controls Matrix
– ISACA Cloud Computing Audit Program
– Federal Risk and Authorization Management Program (FedRAMP)
– Shared Assessments – Standard Information Gathering (SIG 7.0)

[Slide shows overlapping screenshots of these tools: the NIST SP 800-30 risk assessment steps (Step 1 System Characterization through Step 9 Results Documentation); the FedRAMP Security Controls Baseline Version 1.0, Access Control (AC) family, moderate baseline, with the parameters AC-1 and AC-2 j. “[Assignment: organization-defined frequency]” = at least annually, AC-2 (2) “[Assignment: organization-defined time period for each type of account (temporary and emergency)]” = no more than ninety days for temporary and emergency account types, and AC-2 (3) “[Assignment: organization-defined time period]” = ninety days for user accounts, plus the requirement that the service provider defines the time period for non-user accounts (e.g., accounts associated with devices) and that these time periods are approved and accepted by the JAB; the CSA Cloud Controls Matrix compliance controls CO-01 to CO-03; and the Shared Assessments SIG questionnaire section V. Cloud (324 total questions, 0% complete): V.1 Are cloud services provided and, if so, which service model (V.1.1 SaaS, V.1.2 PaaS, V.1.3 IaaS); V.1.4 which deployment models (private, public, community, hybrid); V.1.5 where the cloud infrastructure is hosted (single-tenancy datacenter; co-location with dedicated or shared server, cabinet or cage; cloud provider, e.g. AWS); V.1.6 the legal jurisdiction(s) in which data resides. Each question is answered Yes, No or N/A from a drop-down menu; if N/A is chosen, an explanation in the “Additional Information” field is mandatory.]

National Institute of Standards and Technology

Use and Benefits

As a provider or a subscriber, to evaluate a company’s cloud computing environment, you can use a commonly accepted risk assessment standard.

NIST SP 800-30, “Risk Management Guide for Information Technology Systems”, defines a set of risk assessment activities in nine (9) steps:
Step 1 System Characterization
Step 2 Threat Identification
Step 3 Vulnerability Identification
Step 4 Control Analysis
Step 5 Likelihood Determination
Step 6 Impact Analysis
Step 7 Risk Determination
Step 8 Control Recommendation
Step 9 Results Documentation
Source: sp800-30.pdf

NIST SP 800-144, Guidelines on Security and Privacy in Public Clouds. Source: /SP800-144.pdf

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Source: ns/NIST.SP.80053r4.pdf
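The nine steps become concrete once they are run over an actual risk register. The Python script below is an added worked example, not material from the presentation or from NIST: it applies the likelihood scale (High 1.0, Medium 0.5, Low 0.1), impact scale (High 100, Medium 50, Low 10) and risk bands (Low 1–10, Medium >10–50, High >50–100) of the nine-step edition of SP 800-30 to three constructed cloud risk items. The three items, their asset, threat, vulnerability and control descriptions, and the mapping of risk levels onto the presentation’s Mitigate / Transfer / Bear principles are assumptions made for illustration.

```python
"""
Worked NIST SP 800-30 (nine-step edition) risk determination over a small cloud
risk register. Scales and bands are the guide's own; the sample items and the
Mitigate / Transfer / Bear mapping are constructed assumptions for illustration.
"""
from dataclasses import dataclass, asdict

# Step 5 and Step 6 scales from SP 800-30 (likelihood x impact)
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


@dataclass
class RiskItem:
    asset: str             # Step 1: system characterization
    threat: str            # Step 2: threat identification
    vulnerability: str     # Step 3: vulnerability identification
    existing_control: str  # Step 4: control analysis
    likelihood: str        # Step 5: high / medium / low
    impact: str            # Step 6: high / medium / low


# Constructed sample input for a hypothetical cloud subscriber; not findings about any real provider.
SAMPLE_ITEMS = [
    RiskItem("Customer PII in a SaaS CRM tenant", "External attacker",
             "Shared administrator login without multi-factor authentication",
             "Password complexity policy only", "high", "high"),
    RiskItem("Development VMs in a public IaaS account", "Departed contractor",
             "Access not removed at offboarding", "Quarterly access review",
             "medium", "medium"),
    RiskItem("Internal wiki on the private cloud", "Hardware failure",
             "Single-zone deployment", "Nightly backup", "low", "low"),
]


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk determination as likelihood x impact on the SP 800-30 scales."""
    return round(LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()], 6)


def risk_level(score: float) -> str:
    """SP 800-30 risk-scale bands: High (>50), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def treatment(level: str) -> str:
    """Step 8: control recommendation. The mapping onto the presentation's
    Mitigate / Transfer / Bear principles is an illustrative assumption."""
    return {"High": "Mitigate", "Medium": "Mitigate or Transfer", "Low": "Bear"}[level]


def risk_register(items):
    """Step 9: results documentation, ordered highest risk first."""
    rows = []
    for item in items:
        score = risk_score(item.likelihood, item.impact)
        level = risk_level(score)
        rows.append({**asdict(item), "score": score,
                     "level": level, "treatment": treatment(level)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in risk_register(SAMPLE_ITEMS):
        print(f"{row['level']:6} {row['score']:>6}  {row['asset']}: {row['treatment']}")
```

Note that on these scales only a High likelihood combined with a High impact lands in the High band; High likelihood with Medium impact (or the reverse) scores 50 and stays Medium, which is why an auditor should record the likelihood and impact ratings and their rationale, not just the resulting level.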

Deloitte’s Cloud Computing Risk Intelligence Map

Use and Benefits
– Identifies significant risks that may be introduced by cloud computing
– Expands the risk discussion to the broad range of risks that need to be considered across the enterprise

Deloitte’s Cloud Computing Risk Intelligence Map

The Cloud Computing Risk Intelligence Map – Broad Risk Categories
– Governance, Risk Management and Compliance
– Delivery Strategy and Architecture
– Infrastructure Security
– Identity and Access Management
– Data Management
– Business Resiliency and Availability
– IT Operations
– Vendor Management
– Business Operations (HR, Legal, Finance, Tax)

Cloud Security Alliance – Cloud Controls Matrix

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

– It provides a controls framework aligned to the Cloud Security Alliance guidance in 16 domains.
– Its foundations rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP.
– It will augment or provide internal control direction for SOC attestations provided by cloud providers.

Excerpt from the CCM, Compliance control area. Each control is marked for architectural relevance to all six layers: Phys, Network, Compute, Storage, App, Data.

CO-01 Compliance – Audit Planning: Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.

CO-02 Compliance – Independent Audits: Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing).

CO-03 Compliance – Third Party Audits: Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.

Cloud Security Alliance – Cloud Controls Matrix

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) domains:
– Application & Interface Security
– Audit Assurance & Compliance
– Business Continuity Management & Operational Resilience
– Change Control & Configuration Management
– Data Security & Information Lifecycle Management
– Datacenter Security
– Encryption & Key Management
– Governance and Risk Management
– Human Resources
– Identity & Access Management
– Infrastructure & Virtualization Security
– Interoperability & Portability
– Mobile Security
– Security Incident Management, E-Discovery & Cloud Forensics
– Supply Chain Management, Transparency and Accountability
– Threat and Vulnerability Management

That is a lot of tools. What now?

[Slide overlays the same screenshots as the “Sample of tools and frameworks” slide: the FedRAMP Security Controls Baseline Version 1.0 Access Control parameters (low and moderate baselines; AC-1 and AC-2 j. reviewed at least annually, AC-2 (2) temporary and emergency accounts limited to ninety days, AC-2 (3) user accounts limited to ninety days of inactivity, with the period for non-user accounts defined by the service provider and accepted by the JAB), the NIST SP 800-30 risk assessment steps, the CSA CCM compliance controls CO-01 to CO-03, and the Shared Assessments SIG section V. Cloud questionnaire.]
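The FedRAMP AC-2 parameters shown on this slide and on the “Sample of tools and frameworks” slide (temporary and emergency accounts limited to ninety days, inactive user accounts disabled after ninety days, accounts reviewed at least annually) are the kind of control an auditor can re-perform over a complete account export instead of sampling, which also answers the sample-selection question raised under “Auditing Challenges”. The script below is an added example, not part of the presentation or of FedRAMP, and uses only the Python standard library. The account records, the tenant, the as-of date and the 365-day reading of “at least annually” are assumptions; the period for non-user (service) accounts is left as a provider-defined parameter, as the baseline excerpt requires, so such accounts are reported for follow-up rather than judged.

```python
"""
Re-performance of the FedRAMP AC-2 account-management parameters over an account export.
Parameters are the ones shown on the slides (FedRAMP Security Controls Baseline v1.0):
AC-2 (2) temporary/emergency accounts: no more than ninety days; AC-2 (3) inactive
user accounts: ninety days; AC-2 j. account review: at least annually (read here as a
365-day window, an assumption). The period for non-user accounts is provider-defined
and JAB-approved, so those accounts are listed separately rather than judged.
"""
from datetime import date

TEMP_EMERGENCY_MAX_DAYS = 90   # AC-2 (2) parameter from the baseline excerpt
USER_INACTIVITY_MAX_DAYS = 90  # AC-2 (3) parameter for user accounts
REVIEW_MAX_DAYS = 365          # AC-2 j. "at least annually" (assumed 365-day window)

AS_OF = date(2014, 6, 30)      # assumed audit "as of" date

# Constructed sample export for a hypothetical tenant; not data from any real system.
# "type" is user / temporary / emergency / service; dates are ISO-8601 strings.
SAMPLE_ACCOUNTS = [
    {"name": "alice",       "type": "user",      "enabled": True,  "created": "2014-01-10", "last_login": "2014-06-01", "last_reviewed": "2014-02-01"},
    {"name": "bob",         "type": "user",      "enabled": True,  "created": "2013-09-03", "last_login": "2014-02-15", "last_reviewed": "2014-02-01"},
    {"name": "carol",       "type": "user",      "enabled": False, "created": "2013-09-03", "last_login": "2014-01-01", "last_reviewed": "2014-02-01"},
    {"name": "tmp-migrate", "type": "temporary", "enabled": True,  "created": "2014-02-01", "last_login": "2014-06-20", "last_reviewed": "2014-02-01"},
    {"name": "break-glass", "type": "emergency", "enabled": True,  "created": "2014-05-15", "last_login": None,         "last_reviewed": "2013-03-01"},
    {"name": "svc-backup",  "type": "service",   "enabled": True,  "created": "2013-06-01", "last_login": "2013-12-01", "last_reviewed": "2014-02-01"},
]


def days_since(iso_date, as_of):
    """Whole days between an ISO date string and the as-of date."""
    return (as_of - date.fromisoformat(iso_date)).days


def check_account_management(accounts, as_of):
    """Return (exceptions, needs_parameter). exceptions are AC-2 parameter breaches;
    needs_parameter lists non-user accounts whose time period the provider must supply."""
    exceptions, needs_parameter = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot breach any of the three parameters
        if acct["type"] in ("temporary", "emergency"):
            age = days_since(acct["created"], as_of)
            if age > TEMP_EMERGENCY_MAX_DAYS:
                exceptions.append({"account": acct["name"], "control": "AC-2 (2)",
                                   "detail": f"{acct['type']} account still enabled after {age} days"})
        elif acct["type"] == "user":
            idle = days_since(acct["last_login"] or acct["created"], as_of)
            if idle > USER_INACTIVITY_MAX_DAYS:
                exceptions.append({"account": acct["name"], "control": "AC-2 (3)",
                                   "detail": f"user account inactive for {idle} days and not disabled"})
        else:
            # AC-2 (3) period for non-user accounts is provider-defined: ask for the JAB-accepted value
            needs_parameter.append(acct["name"])
        reviewed = days_since(acct["last_reviewed"], as_of)
        if reviewed > REVIEW_MAX_DAYS:
            exceptions.append({"account": acct["name"], "control": "AC-2 j.",
                               "detail": f"last account review {reviewed} days ago"})
    return exceptions, needs_parameter


def run_sample():
    """Run the checks over the constructed export as of the assumed audit date."""
    return check_account_management(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    found, pending = run_sample()
    for e in found:
        print(f"{e['control']:9} {e['account']:12} {e['detail']}")
    print("Provider-defined period required for:", ", ".join(pending))
```

Run against the constructed export, the script flags three exceptions (an inactive user account, a temporary account older than ninety days, and an emergency account not reviewed within a year) and one service account that cannot be judged until the provider supplies its approved parameter. Because the whole population is tested, the snapshot-timing concern raised under “Sample selection” reduces to choosing and documenting the as-of date.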
