
Must-Read Section - Cloud Security from an Audit Perspective - (Knowledge Points Newly Added in 2012)

43 pages
  • Seller [uploader]: 小**
  • Document ID: 88105781
  • Upload date: 2019-04-19
  • Document format: PDF
  • Document size: 785.52KB
Cloud Computing An Internal Audit Perspective
Heather Paquette, Partner
Tom Humbert, Manager
March 10, 2011

© 2010 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. 43713CHI

Discussion Agenda
  • Introduction to cloud computing
  • Types of cloud services
  • Benefits, challenges, and risks
  • Questions for auditors
  • Emerging good practices
  • User auditor assurance and Other approaches
  • Risk-based Audit Scoping Utilizing RiskIT and COBIT
  • References

Tremendous Buzz Around Cloud Computing
“Spending on IT cloud services to grow almost threefold over the next five years”
Gartner EXP Worldwide Survey of 1600 CIOs
“By 2012, 20 percent of businesses will own no IT assets”
Gartner's top predictions for 2010 and beyond
“60% of virtualized servers will be less secure than the physical servers they replace through 2012”
Gartner Press Release March 2010

What is Cloud Computing?

http:/ availability) -Workday (15 hours Payroll / HR) Customer Service -Availability expectations inquire whether the design is likely to meet the security and availability requirements.
Findings: Proactive monitoring of the cloud application is not performed. This is particularly relevant for the end-user facing components of the cloud.

Audit Program: Technology Selection (continued)
High-level Risk Scenario: Technology Selection
Relevant COBIT Control Objective: AI 5.2
COBIT Control Objective: Supplier Contract Management
Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organizational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty clauses).
Audit Procedure: Confirm through interviews with key staff members that the policies and standards are in place for establishing contracts with suppliers. Contracts should also include legal, financial, organizational, documentary, performance, security, auditability, intellectual property, responsibility and liability aspects.
Findings: Cloud provider contract does not include certain critical elements to help protect security and privacy requirements. The contract does not include a non-disclosure agreement, right-to-audit clause, does not address requirements of the state breach notification laws. There is no process for monitoring of potential vendor failure (e.g., Coghead, MediaMax).

Audit Program: Third-party Performance
High-level Risk Scenario: Third-party Performance
Relevant COBIT Control Objective: DS 2.4
COBIT Control Objective: Supplier Performance Monitoring
Establish a process to monitor service delivery to ensure that the supplier is meeting current business requirements and continuing to adhere to the contract agreements and SLAs, and that performance is competitive with alternative suppliers and market conditions.
Audit Procedure: Inspect a sample of supplier service reports to determine if the supplier regu
