IT Audit

To comment on the article, email the author at arifzaman786@yahoo.com

CLOUD COMPUTING
By: Arif Zaman

"When asked to describe their view of risk and control implications in moving to a cloud environment, 43% responded: 'I haven't really given it much thought'."

INTRODUCTION

The world is moving from onsite to offsite computing and storage, which is commonly known as cloud computing. The question arises: 'What is cloud?' Cloud is just a metaphor for the internet.

In a survey conducted by Grant Thornton LLP (Grant Thornton LLP, 2014), 43% of Chief Audit Executives (CAEs) responded that they haven't really given much thought to the risk and control implications of a cloud environment.

In the simplest terms, cloud computing means storing and accessing data and programs over the internet, rather than storing them onsite in your own data centre.

The table below shows the key differences between onsite and offsite computing.

Current: Onsite Computing                              Future: Offsite Cloud Computing
Applications, services, devices                        Services
License based                                          Subscription based
Capital expense                                        Operating expense
Modules                                                Applications
Operate, maintain, upgrade, troubleshoot, fix          Use
Build, install, power, cooling, data centre            Use
Capacity building                                      Entitlement
Pay for the capacity installed as a fixed cost         Pay for capacity as a variable cost

BENEFITS OF CLOUD COMPUTING

Benefits of cloud computing include:

•  'Pay as you use': it is relatively easy to scale capability up or down to match your work requirements.
•  Services are provided over the internet, so they are accessible anywhere and at any time.
•  Additional capacity and functionality can be acquired as required.
•  Company capital can be saved on ICT infrastructure, as this is provided by the cloud service provider.

CAE Survey on Cloud Computing

In a recent Grant Thornton survey, more than 300 CAEs responded on cloud computing, with the key statistics being:

•  77% are at least somewhat familiar with cloud computing.
•  64% of respondents do not include cloud computing in their internal audit plan.

CLOUD COMPUTING MODELS

•  Software as a Service (SaaS) – Software applications delivered over the internet.
•  Platform as a Service (PaaS) – A full or partial operating system and development environment delivered over the internet.
•  Infrastructure as a Service (IaaS) – Computer infrastructure delivered over the internet.
•  Business Process as a Service (BPaaS) – A form of business process outsourcing that employs a cloud computing service model.

Cloud computing is growing, as the following graph shows: [graph not reproduced in this extraction]

KEY CLOUD COMPUTING RISKS

1. Security
Risks:
•  Service provider data security standards may not match company requirements.
•  System updates may not be timely.
•  Security vulnerability assessments or penetration tests may not be performed regularly.

2. Multi-Tenancy
Risks:
•  Company data may be accessed by third parties.
•  Encryption may be inadequate to keep company data properly segregated from other tenants' data, both at rest and in transit. Note that encryption under a key the provider manages for all tenants does not by itself separate one tenant from another; customer-managed keys give the company its own control point.
•  Company data on shared server space may lead to regulatory non-compliance.

3. Data Location
Risks:
•  The company may be unaware of the physical or virtual data storage location.
•  The service provider may change the location without informing the company.
•  Company data may be stored in international locations that fall under foreign business or national laws and regulations.

4. Service Outage
Risks:
•  Service provider quality standards may not be in line with company requirements.
•  Cloud system performance issues may make company services inaccessible to employees or customers.

5. Sustainability
Risks:
•  The service provider may go out of business.
•  The company may then be unable to retrieve its data, or a third party may gain access to company data.

6. Scalability
Risks:
•  The service provider may not be able to scale to meet the company's growth requirements.

ASSURANCE STRATEGIES

•  Use your own contract and not the service provider's contract.
•  The contract with the service provider needs to include conditions that cover the risks above.
•  Insist on receiving the service provider's risk assessments.
•  Include penalties in the contract for service provider outages, non-delivery and under-performance.
•  Require the service provider to meet your data security and other requirements.
•  Determine whether the service provider's security posture is based on appropriate standards such as ISO or PCI DSS (Risk Assessment Special Interest Group (SIG) and PCI Security Standards Council, 2012), and whether the service provider performs regular security assessments.
•  Determine whether the service provider's Service Organization Control (SOC) report (AICPA, n.d.; the AICPA now titles the suite System and Organization Controls) addresses your company's control requirements. A SOC report covers only the systems and the period stated in it, so check its scope and dates against the services you actually use.
•  Review the methodology the service provider uses to access data.
•  Insist on a copy of the service provider's business continuity arrangements, and on reports from the tests performed.
•  Make sure the company's own business continuity plan is up to date and regularly tested.

Arif Zaman, FCCA, CIA, CISA, CPA, CFE, is Head of Internal Audit at Emaar Industries & Investments (Pvt) JSC.
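Several of the risks and assurance strategies above (data location, encryption at rest and in transit, the currency of penetration tests, SOC reports and continuity tests, third-party access) can be checked mechanically against what a provider's API or vendor questionnaire returns, rather than only by reading the contract. The script below is an added example written for this page, not part of the article or any provider's tooling. The inventory and its field names are constructed to stand in for a real provider's export, and the thresholds in POLICY are assumptions to be replaced with the company's own contract terms.

```python
"""Posture checks for the cloud risks listed above (added example, not the
article's own material).  The provider inventory is constructed by hand to
mimic a cloud API export; its field names are assumptions, not a real schema."""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Company policy.  Constructed thresholds: replace with your own contract terms.
POLICY = {
    "allowed_regions": {"me-south-1", "eu-west-1"},  # data location risk
    "max_assessment_age_days": 365,                  # security: regular pentests
    "max_soc_report_age_days": 365,                  # assurance: current SOC report
    "max_bcp_test_age_days": 365,                    # sustainability / outage
    "min_tls_version": (1, 2),                       # multi-tenancy: in transit
}

# Date the audit is run against; fixed here so the example is reproducible.
AUDIT_DATE = date(2018, 3, 1)


def tls_version(label: str) -> Tuple[int, int]:
    """Turn a label such as 'TLSv1.2' into (1, 2) so versions compare numerically."""
    if not label.startswith("TLSv"):
        raise ValueError(f"unrecognised TLS label {label!r}")
    major, minor = label[4:].split(".")
    return int(major), int(minor)


def days_since(iso: Optional[str], today: date) -> Optional[int]:
    """Age in days of an ISO date, or None when the provider supplied no date."""
    if iso is None:
        return None
    return (today - date.fromisoformat(iso)).days


def check_resource(res: Dict, policy: Dict) -> List[str]:
    """Data-location and encryption findings for one storage resource."""
    findings = []
    name = res["name"]
    if res["region"] not in policy["allowed_regions"]:
        findings.append(f"{name}: stored in {res['region']}, outside the allowed regions (data location)")
    if not res["encrypted_at_rest"]:
        findings.append(f"{name}: not encrypted at rest (multi-tenancy)")
    elif res["tenancy"] == "shared" and res.get("kms_key_owner") != "customer":
        # Provider-managed keys are shared across tenants; segregation then
        # rests entirely on the provider's access controls.
        findings.append(f"{name}: shared tenancy encrypted under a provider-managed key (multi-tenancy)")
    if tls_version(res["tls_min"]) < policy["min_tls_version"]:
        findings.append(f"{name}: accepts {res['tls_min']}, below the required minimum (encryption in transit)")
    return findings


def check_provider(prov: Dict, policy: Dict, today: date) -> List[str]:
    """Evidence-currency and third-party-access findings for the provider itself."""
    findings = []
    evidence = [
        ("last_pentest", "max_assessment_age_days", "penetration test", "security"),
        ("soc_report_date", "max_soc_report_age_days", "SOC report", "assurance"),
        ("bcp_last_tested", "max_bcp_test_age_days", "business continuity test", "sustainability"),
    ]
    for field, limit, label, risk in evidence:
        age = days_since(prov.get(field), today)
        if age is None:
            findings.append(f"{prov['name']}: no {label} evidence supplied ({risk})")
        elif age > policy[limit]:
            findings.append(f"{prov['name']}: {label} is {age} days old, limit {policy[limit]} ({risk})")
    if prov.get("subcontractor_access"):
        findings.append(f"{prov['name']}: third parties can access company data; contract must cover this (multi-tenancy)")
    return findings


def audit(inventory: Dict, policy: Dict, today: date) -> Dict[str, List[str]]:
    """Map each subject (provider and every resource) to its list of findings."""
    prov = inventory["provider"]
    report = {prov["name"]: check_provider(prov, policy, today)}
    for res in inventory["resources"]:
        report[res["name"]] = check_resource(res, policy)
    return report


# Constructed inventory standing in for a provider API export or questionnaire.
SAMPLE_INVENTORY = {
    "provider": {"name": "ExampleCloud", "last_pentest": "2017-01-15",
                 "soc_report_date": "2017-09-30", "bcp_last_tested": None,
                 "subcontractor_access": True},
    "resources": [
        {"name": "hr-records", "region": "eu-west-1", "encrypted_at_rest": True,
         "kms_key_owner": "customer", "tls_min": "TLSv1.2", "tenancy": "shared"},
        {"name": "marketing-assets", "region": "eu-west-1", "encrypted_at_rest": True,
         "kms_key_owner": "provider", "tls_min": "TLSv1.2", "tenancy": "shared"},
        {"name": "payroll-backup", "region": "us-east-1", "encrypted_at_rest": False,
         "kms_key_owner": None, "tls_min": "TLSv1.0", "tenancy": "shared"},
    ],
}

if __name__ == "__main__":
    for subject, findings in audit(SAMPLE_INVENTORY, POLICY, AUDIT_DATE).items():
        print(subject, "- no findings" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run as written it reports nothing for hr-records, one finding for marketing-assets (provider-managed key on shared tenancy), three for payroll-backup (region, no encryption at rest, TLS 1.0) and three for the provider (stale penetration test, no continuity test evidence, third-party access). Treat the output as the list of questions to put to the provider and to the contract, not as a pass/fail verdict: a missing date in the export may mean the evidence exists but was never requested.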

REFERENCES

AICPA, n.d. System and Organization Controls: SOC Suite of Services. [Online] Available at: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html?_ga=2.267140238.1251422042.1519287230-1164712656.1519287230 [Accessed 22 02 2018].

Grant Thornton LLP, 2014. Risk & Rewards: Social Media and the Cloud. [Online] Available at: http://agabaltimore.org/wp-content/uploads/2015/09/Risks_and_Rewards_of_Social_Media_and_the_Cloud.pdf [Accessed 22 02 2018].

Risk Assessment Special Interest Group (SIG) and PCI Security Standards Council, 2012. Information Supplement: PCI DSS Risk Assessment Guidelines. [Online] Available at: https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf [Accessed 22 02 2018].

INTERNAL AUDITOR - MIDDLE EAST   MARCH 2018   pp. 10-11