Face-to-face or online
Duration = 3 days
Why is this relevant?
Cloud computing refers to any type of service in which data, applications and/or infrastructure are stored online and accessed remotely. This can include services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
The flexible delivery models and customization of such services have contributed to the widespread adoption of cloud computing. Some of the benefits of cloud computing include:
- Scalability – the ability to scale up or down depending on business needs with reduced CAPEX investment
- Increased mobility of information – remote access to large amounts of data e.g. access to company software via mobile phones
- Business continuity – uninterrupted and reliable central storage of data, accessible to various stakeholders
However, without proper training and security measures, the full benefits of cloud computing may not materialize, leading to increased exposure to operational, financial and compliance-related risks. For instance:
- Data security and regulatory risk – data held on a public cloud is entrusted to the governance and controls of a third party
- Operational risk – integration of existing private services with cloud services can be expensive and time-consuming. Additionally, shared cloud service models often provide limited customizability, creating greater integration risks.
- Financial risk – private cloud services require significant initial investment while shared services may vary depending on poor planning and changing business needs
- Vendor risk – vulnerability to risks faced by cloud vendors including regulatory, disaster recovery, reputational and financial exposure
Objectives
Conduct an independent assessment of the existing governance framework used for operating cloud platforms.
Assist the organization to identify and define appropriate cloud-computing certifications or provide observations and recommendations in order to create a fit-for-purpose cloud computing governance framework (i.e. ISO 27001 Certification).
Perform an independent assessment of any third-party cloud service providers on behalf of the organization to identify data security risks.
Assess the coverage and clarity of the roles and responsibilities assigned between the organization and the cloud service provider, e.g. crisis management.
Conduct reviews of the Service Level Agreements (SLAs) with third-party cloud computing service providers and assess contractual compliance.
Perform an independent review of the cloud computing setup in relation to internal and external regulations, i.e. POPIA.
New skills
In-depth experience in IT audit areas such as logging and monitoring, network configuration, data management, IT asset protection, vulnerability assessments and access control
Subject matter expertise in various cloud solutions including their technical differences and specific risks of each solution
Experience in developing controls mitigating key risks associated with cloud usage
Expertise in the risks and mitigating controls specific to data protection and privacy requirements when using cloud services
Expertise in guidelines and standards for cloud usage e.g. Cloud Security Alliance