1. Emerging Technology Challenges and Solutions for Internal Audit and Compliance: A Focus on Cloud Computing and Mobile Platforms
Grant Thornton Breakfast Seminar Series, The Union League, Philadelphia, PA, November 2011
Presented by: Danny Miller, CGEIT, CISA, ITIL, CRISC, QSA; Principal, Business Advisory Services; National Solutions Lead - Cyber Security & Privacy
Grant Thornton. All rights reserved.
2. Topics
- Emerging technology
- Cloud computing
- Mobile computing
- Cybersecurity trends
- Potential IA complexities
- Risks and mitigating risk (strategies)
- What's next?
3. Emerging Technology Trends
- Spending on public IT cloud services will grow at more than five times the rate of the IT industry in 2011-2012
- Enterprise IT planners are beginning to include cloud-computing expertise in some of their job searches, to be prepared for the projects of the short-term and mid-term future
- Hosted private clouds will outnumber internal clouds 3:1, but service providers have been incrementally ready
- Cloud management and monitoring will fuel enterprise cloud adoption
- 32% of CIOs expect virtualization to be their top investment in 2011

4. Cloud computing overview: Grant Thornton's CAE Survey
More than 300 CAEs were surveyed:
- 77% are at least somewhat familiar with cloud computing
- 69% use cloud computing; these respondents expect their cloud computing use to increase (45%) or stay the same (55%) in the next 12 months
- When asked to describe their view of the security, governance, risk and controls implications of moving to a cloud environment, 43% responded "I haven't really given it much thought."
- 64% of respondents do not include cloud computing in their audit plan

5. Cloud computing overview
[Chart: Global Public Cloud Market Size]

6. Emerging Technology
- Cloud computing: SaaS, PaaS, IaaS, DaaS
- Mobile computing: mobile platforms that are blurring the line between a hand-held device and complex computing
- Risks and strategies for cloud computing
- Cybersecurity trends

7. Emerging Technology Platforms (cont.)
Types of Clouds:
- Public: shared computer resources provided by an off-site third-party provider
- Private: dedicated computer resources provided by an off-site third party, or use of cloud technologies on a private internal network
- Hybrid: consisting of multiple public and private clouds
Models of Cloud:
- Software as a Service (SaaS): software applications delivered over the Internet
- Platform as a Service (PaaS): full or partial operating system/development environment delivered over the Internet
- Infrastructure as a Service (IaaS): computer infrastructure delivered over the Internet
- Desktop as a Service (DaaS): virtualization of desktop systems serving thin clients, delivered over the Internet or a private cloud

8. Emerging Technology Platforms (cont.)
[Diagram: Public Cloud / Private Cloud]

9. Emerging Technology Platforms (cont.)
Mobile computing is:
- Wireless
- Utilizes tablet platforms and smartphones
- Internet-based
- Communication via 3G/4G and WiFi
- Scaled applications
10. Potential New IA Complexity
Cloud computing:
- Availability & performance
- Business continuity
- Cybersecurity
- Data encryption
- Privacy (especially in Healthcare & Life Sciences)

11. Potential New IA Complexity (cont.)
Cloud computing (cont.) - Compliance:
- FISMA
- HIPAA
- SOX
- PCI DSS (card payments)
- EU Data Protection Directive, et al.

12. Potential New IA Complexity (cont.)
Mobile computing:
- Security (physical and virtual)
- Data ownership
- Service interruption and recovery
- Data archiving
- Availability

13. Potential New IA Complexity (cont.)
Mobile computing:
- WiFi/3G/4G security
- Surveillance and access control
- Availability
- Data ownership and recovery
- Auditability
- Bluetooth hijacking
- AIDC (automatic identification and data capture, e.g. RFID and barcode readers)

14. Risks and audit strategies for the Cloud
Six risk areas:
1. Security
2. Multi-tenancy
3. Data location
4. Reliability
5. Sustainability
6. Scalability

15. Risks and audit strategies: 1. Security - risks
- The cloud provider's security policies are not as strong as the organization's data security requirements (misalignment)
- Cloud systems (servers, other devices) which store organization data are not updated or patched when necessary (vulnerability)
- Security vulnerability assessments or penetration tests are not performed on a regular basis to ensure logical and physical security controls are in place
- The physical location of company data is not properly secured

16. Risks and audit strategies: 1. Security - audit strategy
- Determine if the cloud provider meets or exceeds the organization's security requirements
- Determine if the cloud provider's security posture is based on a security standard (e.g., ISO 27001, Cloud Security Alliance guidance, PCI DSS)
- Determine if the cloud provider has had an independent security assessment performed
- For your organization, have a baseline security assessment done
- Determine if the cloud provider's service organization report (e.g., SSAE 16, SOC reports) addresses the specific security controls you rely on. Note that an SSAE 16 / SOC 1 report covers controls relevant to financial reporting; security, availability and confidentiality criteria are the subject of a SOC 2 report

17. Risks and audit strategies: 2. Multi-tenancy - risks
- Organization data is not appropriately segregated on shared hardware, resulting in company data being inappropriately accessed by third parties
- The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
- The cloud service provider cannot determine the specific location of the organization's data on its systems
- Organization data resides on shared server space, which might conflict with regulatory compliance requirements for the organization

18. Risks and audit strategies: 2. Multi-tenancy - audit strategy
- Inquire of the cloud service provider the method used to secure the company's data from being accessed by other customers/third parties
- Review the cloud service provider's SLA to determine if it addresses security of the organization's data
- Review independent audit report(s) related to the cloud provider's security posture (e.g., security settings, data encryption methods) and/or exercise the organization's "right-to-audit" clause
- Gain access to the cloud system(s) and perform limited auditing procedures from the company's location

19. Risks and audit strategies: 3. Data location - risks
- Organization is not aware of all of the cloud service provider's physical location(s)
- Organization does not know where its data is physically or virtually stored, which implies a potential issue with sensitive data being stored outside the country, violating certain laws and regulations
- The cloud service provider moves organization data to another location without informing the organization or gaining its consent
- Organization data is stored in international locations and falls under foreign business or national laws/regulations (EU Data Protection Directive 95/46/EC, Massachusetts data privacy regulation 201 CMR 17.00, state breach notification laws; additional U.S. federal legislation has been proposed)

20. Risks and audit strategies: 3. Data location - audit strategy
- Inquire of the cloud provider the specific physical and virtual location of the organization's data
- Work with the organization's legal group to fully understand the impact and potential risks of the organization's data residing in a foreign country
- Ensure regulatory compliance is maintained if data resides in multiple locations

21. Risks and audit strategies: 4. Reliability - risks
- The cloud service provider has quality-of-service standards which conflict with business requirements (do you have an SLA/OLA?)
- During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
  - Organization employees cannot access the organization's data when needed
  - Customers are unable to use the organization's systems (such as placing an order on the organization's web site) because of performance problems with the cloud provider

22. Risks and audit strategies: 4. Reliability - audit strategy
- Inquire of the cloud service provider to determine the controls in place to ensure the reliability of the cloud solution
- Obtain an SLA/contract from the cloud service provider which details the specific reliability agreement for the organization. Compare this information to actual performance
- Determine the times that the cloud provider performs system upgrades and/or patches, to ensure data availability during peak business hours is not affected
- Review the organization's business continuity plan and determine if the plan addresses interruptions with the cloud systems used by the company

23. Risks and audit strategies: 5. Sustainability - risks
- In the event the cloud service provider goes out of business, the organization might not be able to retrieve the organization's data. In addition, another third party might gain access to or control of the organization's data
- The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
- The organization's business continuity plan does not address the cloud service offering being unavailable
- Organization data is compromised as a result of a disaster

24. Risks and audit strategies: 5. Sustainability - audit strategy
- Inquire of the cloud service provider to determine if they have adequate controls in place to recover and protect the organization's data even in the event of a disaster
- Review the organization's business continuity plan and determine if the plan addresses interruptions with the cloud solution
- Inquire of the cloud service provider to determine how the organization would gain access to its data in the event the cloud service provider goes out of business

25. Risks and audit strategies: 6. Scalability - risks
- The cloud service provider's systems cannot scale to meet the organization's anticipated growth, both for a short-term spike and/or to meet a long-term strategy
- If the organization decides to migrate all or part of the organization's system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data

26. Risks and audit strategies: 6. Scalability - audit strategy
- Determine if the cloud provider's system can scale to meet the organization's expected short-term spikes and/or growth over the next five years
- Determine if the organization has a contingency plan in the event the cloud provider's systems cannot scale to meet the organization's needs
- Determine who is the owner of the organization's data
- Determine if the cloud provider would allow the organization to move data back in-house and/or to another provider. Determine the specific procedures and associated costs needed to perform this task

27. Cybersecurity Trends (What's Next?)
- Distributed computing (the Cloud)
- Cybersecurity & Privacy focus
- Virtualization
- Advanced IA tools
- Analytics
- Provenance engines
- Enhanced hardware firewalls
- Advanced encryption technology
- New data segregation and security standards
- Secure digital communications
- Standards such as ITIL, COBIT and PCI DSS are integrating and are now complementary

28. Questions?

29. Emerging Technology Challenges for Internal Audit and Compliance
Danny Miller, CISA, CGEIT, CRISC, ITIL, QSA
National Solutions Lead - Cybersecurity; Regional Solutions Lead - Business Consulting; Principal, Grant Thornton LLP
[email protected]
http://grantthornton.com/
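Added example for the reliability audit strategy (slide 22), not part of the original presentation: it turns "compare the SLA to actual performance" and "determine when the provider patches/upgrades so peak business hours are not affected" into a repeatable check. The outage records, the 99.9% monthly target, the unplanned/maintenance labels and the Monday-to-Friday 08:00-18:00 business window are all constructed assumptions; an audit team would substitute the provider's incident log and the contract's own definitions (in particular whether planned maintenance counts against the target).

```python
"""Compare a cloud provider's SLA availability target with actual outage records.

Added example. All records, the 99.9% target and the business-hours window are
constructed assumptions, not data from the presentation or from any provider.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    kind: str  # "unplanned" or "maintenance" (labels assumed for this example)


# Constructed sample records (not real provider data), in the organization's
# local time. One unplanned record deliberately crosses a month boundary.
SAMPLE_OUTAGES: List[Outage] = [
    Outage(datetime(2011, 9, 14, 2, 10), datetime(2011, 9, 14, 2, 55), "unplanned"),
    Outage(datetime(2011, 10, 2, 1, 0), datetime(2011, 10, 2, 4, 0), "maintenance"),
    Outage(datetime(2011, 10, 18, 14, 0), datetime(2011, 10, 18, 14, 20), "unplanned"),
    Outage(datetime(2011, 10, 31, 23, 50), datetime(2011, 11, 1, 0, 20), "unplanned"),
    Outage(datetime(2011, 11, 15, 17, 30), datetime(2011, 11, 15, 19, 0), "maintenance"),
]

SLA_TARGET_PCT = 99.9          # assumed contractual monthly availability
BUSINESS_START = time(8, 0)    # assumed Mon-Fri business window
BUSINESS_END = time(18, 0)


def month_bounds(year: int, month: int) -> Tuple[datetime, datetime]:
    """Half-open interval [first instant of month, first instant of next month)."""
    lo = datetime(year, month, 1)
    hi = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return lo, hi


def clipped_minutes(o: Outage, lo: datetime, hi: datetime) -> float:
    """Minutes of the outage that fall inside [lo, hi); 0 if disjoint."""
    s, e = max(o.start, lo), min(o.end, hi)
    return (e - s).total_seconds() / 60 if e > s else 0.0


def downtime_minutes(outages, year, month, count_maintenance=False) -> float:
    """Total downtime in a calendar month. Many SLAs exclude planned
    maintenance; count it only when count_maintenance is True."""
    lo, hi = month_bounds(year, month)
    return sum(clipped_minutes(o, lo, hi) for o in outages
               if count_maintenance or o.kind == "unplanned")


def allowed_downtime_minutes(sla_pct: float, year: int, month: int) -> float:
    """Error budget: minutes the service may be down and still meet the target."""
    lo, hi = month_bounds(year, month)
    return (hi - lo).total_seconds() / 60 * (1 - sla_pct / 100)


def monthly_availability(outages, year, month, count_maintenance=False) -> float:
    """Actual availability in percent for one calendar month."""
    lo, hi = month_bounds(year, month)
    total = (hi - lo).total_seconds() / 60
    return 100 * (total - downtime_minutes(outages, year, month, count_maintenance)) / total


def sla_breaches(outages, sla_pct, months, count_maintenance=False) -> Dict[Tuple[int, int], float]:
    """Map (year, month) -> availability % for months that fell below the target."""
    breaches = {}
    for year, month in months:
        avail = monthly_availability(outages, year, month, count_maintenance)
        if avail < sla_pct:
            breaches[(year, month)] = avail
    return breaches


def overlaps_business_hours(o: Outage, day_start=BUSINESS_START, day_end=BUSINESS_END) -> bool:
    """True if any part of the window falls inside Mon-Fri business hours."""
    day = o.start.date()
    while datetime.combine(day, time(0)) < o.end:
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            lo, hi = datetime.combine(day, day_start), datetime.combine(day, day_end)
            if o.start < hi and o.end > lo:
                return True
        day += timedelta(days=1)
    return False


def maintenance_in_business_hours(outages) -> List[Outage]:
    """Planned maintenance windows that collide with the business day."""
    return [o for o in outages if o.kind == "maintenance" and overlaps_business_hours(o)]


if __name__ == "__main__":
    months = [(2011, 9), (2011, 10), (2011, 11)]
    for y, m in months:
        print(f"{y}-{m:02d}: {monthly_availability(SAMPLE_OUTAGES, y, m):.4f}% "
              f"(budget {allowed_downtime_minutes(SLA_TARGET_PCT, y, m):.1f} min, "
              f"unplanned down {downtime_minutes(SAMPLE_OUTAGES, y, m):.0f} min)")
    print("Breaches, unplanned only:", sla_breaches(SAMPLE_OUTAGES, SLA_TARGET_PCT, months))
    print("Breaches, maintenance counted:",
          sla_breaches(SAMPLE_OUTAGES, SLA_TARGET_PCT, months, count_maintenance=True))
    for o in maintenance_in_business_hours(SAMPLE_OUTAGES):
        print("Maintenance in business hours:", o.start, "->", o.end)
```

Two points the numbers make that the slide does not: a 99.9% monthly target is only about 43 minutes of downtime in a 30-day month, so a single 45-minute incident is a breach, and whether the provider's "planned maintenance" is inside or outside the target changes the result for every month in the sample. The auditor should therefore obtain the SLA's exact exclusion wording before running the comparison, and treat any maintenance window that lands inside the business day as a finding regardless of the percentage.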