Q!Digitz Vol 1, Aug 2019, page 22
Both data in transit and data at rest should be encrypted. For data in transit, the auditor needs to ensure that mechanisms such as HTTPS/TLS (with forward secrecy), IPsec and SSH are employed.

Steps taken by the bank for the safety of the encryption keys.

Does the CSP provide a clear backup and data archival policy that gives assurance of data recovery in the event of an unfortunate incident?

Data classification to identify what sensitive data resides in the cloud, and what controls apply to accidental deletion of data, including archived data?

Recommended certifications for the CSP are (not limited to) ISO 27001, PCI-DSS and PA-DSS. Additionally, IDRBT recommends the Cloud Security Framework, SOC 1 and SOC 2. The auditor can verify these certifications of the CSP.

The auditor needs to ensure the mechanism used to protect data in transit by verifying the use of HTTPS/TLS (with forward secrecy), IPsec and SSH.

Data Privacy - Privacy is the accountability to collect, process, disclose, store and destroy data that could help in identifying an individual. There is no specific consensus on what it means for data to be private. You might have seen the irony many times in banks, where Aadhaar card copies are just lying on the desk. This lenient approach is a strong "NO" for privacy in the cloud.

KPMG has a defined data life cycle as –

Must have terms in the contract - Considering the criticality of the operations and the catastrophic impact of failure, the auditor is placed in the critical position of having to identify and ensure the measures taken.

The auditor can review the SLAs set for privacy of data in the contract.

Is there any penalty clause associated if privacy is breached?

With increasing awareness of data privacy and discussions on it in Parliament, there could be further enforcement of regulations. This could have an impact such as CSPs being termed unaffiliated parties, and data privacy regulations becoming more stringent. Should such a scenario arise, the auditor can verify the competency of the CSP to align with the regulations.

Data Loss - Events beyond human control, like floods and earthquakes, could be a potential cause of data loss, along with human or technical errors.

Is there an agreeable policy in place to recover the data? They can achieve this if the CSP has a concurrent data storage facility.

The auditor can also demand evidence of proactive testing records by the bank and the CSP for data loss scenarios. This would provide enough assurance of data retrieval, should an event occur.
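The data-in-transit check above asks the auditor to verify TLS "with forward secrecy"; the following added example (not from the magazine or any of the bodies it cites) shows one way to do that from a scan report or server cipher configuration, by classifying cipher-suite names by their key exchange and flagging every suite that lacks forward secrecy, with an optional live probe of what a server actually negotiates. The suite list is constructed and the function names are my own.

```python
"""Audit helper for the data-in-transit check: classify TLS cipher suites by
key exchange, since only ephemeral (EC)DHE and TLS 1.3 give forward secrecy."""
import re
import socket
import ssl

# TLS 1.3 suites name no key exchange: every TLS 1.3 handshake is (EC)DHE.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}
ANON_RE = re.compile(r"(^|_)(ADH|AECDH|DH_ANON|ECDH_ANON)_")
EPHEMERAL_RE = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)_")

def key_exchange_class(suite: str) -> str:
    """'ephemeral' (forward secret), 'anonymous' (unauthenticated DH) or
    'static' (RSA, static (EC)DH or plain PSK: past traffic is decryptable
    if the long-term key ever leaks). Accepts OpenSSL and IANA spellings."""
    name = suite.strip().upper().replace("-", "_")
    if name in TLS13_SUITES:
        return "ephemeral"
    if ANON_RE.search(name):
        return "anonymous"
    if EPHEMERAL_RE.match(name):
        return "ephemeral"
    return "static"

def audit_cipher_list(suites):
    """One finding per offered suite that lacks forward secrecy."""
    return [f"{s}: {key_exchange_class(s)} key exchange, no forward secrecy"
            for s in suites if key_exchange_class(s) != "ephemeral"]

def negotiated_cipher(host: str, port: int = 443) -> str:
    """Live check (needs network): the suite negotiated under the platform's
    default TLS policy, in OpenSSL spelling, for key_exchange_class()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]

# Constructed sample: suites a scan report might list a server as offering.
SAMPLE_SCAN = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
               "DHE-RSA-AES256-SHA", "AES128-SHA",
               "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for finding in audit_cipher_list(SAMPLE_SCAN):
        print(finding)
```

Run against the constructed sample it reports the RSA-key-transport and static-ECDH suites; an auditor would then ask for those to be removed from the server's cipher list or for TLS 1.3 to be made mandatory.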
DigitQ.in