Although cloud computing and outsourced operations can provide benefits to a company in terms of cost and resource efficiency, they also introduce additional risks, as the company gives up control over its data and IT environment.
This excerpt from IT Auditing: Using Controls to Protect Information Assets gives advice on how to audit cloud computing providers and implementations, including what you should be sure to include in vendor contracts.
IT Auditing: Using Controls to Protect Information Assets
Auditing Cloud Computing and Outsourced Operations
Review applicable contracts to ensure that they adequately identify all deliverables, requirements, and responsibilities pertinent to your company’s engagement.
The contract is your only true fallback mechanism should you have issues with the vendor. If it’s not spelled out in the contract, it becomes very difficult, if not impossible, to enforce requirements and/or seek restitution should there be issues. This step is applicable to all forms of outsourcing.
The best time to perform this step is before the contract is finalized and signed, because that’s when you can make changes and influence the contents of the contract relatively easily. However, if you are performing the audit after the contract has been signed, it is still relevant for two reasons: First, it will give you an idea as to what you’re working with and what sort of leverage you will have during the audit. Second, it will allow you to provide input as to what changes need to be made in the contract when it’s time to renegotiate.
Regardless of whether you’re reviewing a signed contract or providing input before the fact, you should make sure the following areas are addressed in the contract:
- Specify how performance will be measured, including Service Level Agreements (SLAs) that specify requirements for availability (such as expected uptime), performance (such as speed of transaction response after the ENTER key is pressed), response time (such as whether the vendor will respond to problems 24/7 or only during normal business hours), and issue resolution time (such as how quickly you should expect issues to be fixed).
- SLAs for security (that is, requirements for controls to protect the confidentiality, integrity, and availability of data) can include requiring specific control frameworks (such as COBIT) to be followed and requirements for third-party assessments. They should also include requirements for how data should be stored (such as encryption, including requirements for the algorithm and key length), who may be granted access to it, how business continuity and disaster recovery will be ensured, how investigations will be supported, what security training and background checks are required for personnel who will access your systems and data, how data retention and destruction should occur, and so on. Overall, you want to make sure your vendor takes contractual responsibility for security.
- Other key metrics and performance indicators should be included, which can be used by your company to measure the quality of the service. For example, if you have outsourced your helpdesk function, you might want to set an expectation as to tickets closed per analyst and customer satisfaction rating.
- Outline requirements for compliance with applicable laws and regulations (such as PCI, HIPAA), including requirements for independent assessments certifying compliance.
- Provide provisions for penalties upon nonperformance or delayed performance of SLAs and conditions for terminating the agreement if performance goals are not met.
- Add a right to audit clause, specifying what your company is allowed to audit and when. You obviously will want to push for a broad right to audit, allowing you to audit whatever you want, whenever you want (including the ability to perform surprise audits). You can negotiate from there. The broader you make this clause, the more freedom you will have.
- Include provisions for your right to audit and review independent assessments (such as SAS 70) for functions that your vendor subcontracts out to other vendors (for example, if your SaaS vendor is hosting its systems with another third party). If possible, dictate in the contract what functions (if any) your vendor is allowed to subcontract and/or obtain the right of approval for any subcontracting relationships.
- Gain assurance that you can retrieve your data when you need it and in the format you desire.
- Add language prohibiting the vendor from using your data for its own purposes (that is, for any purposes not specified by you).
- Include nondisclosure clauses to prevent the vendor from disclosing your company’s information.
- Include evidence that the contract was reviewed by your procurement and legal organizations, as well as applicable operations groups.
- Basically, include anything you expect from the service provider that needs to be specifically outlined in the contract. Consider the other steps in this chapter for ideas as well.
Review and evaluate the process used for selecting the outsourcing vendor.
If the process for selecting the vendor is inadequate, it can lead to the purchase of services that do not meet the requirements of the business and/or poor financial decisions.
This step is applicable to all forms of outsourcing.
Obviously, your goal should be to perform this step prior to vendor selection, when you can influence the decision. However, if your audit is being performed after the fact, there is still value in understanding the vendor selection process. It can identify gaps that must be addressed and provide information that can be used when it’s time to renew the contract or enter into other contracts.
Review the vendor selection process for elements such as these:
- Ensure that multiple vendors are evaluated and involved in the bid process. This provides for competitive bidding and lower prices.
- Determine whether the vendors’ financial stability was investigated as part of the evaluation process. Failure to do so may result in your company signing up with a vendor that goes out of business, causing significant disruption to your operations as you attempt to bring them back in-house or move them to another vendor.
- Determine whether the vendors’ experience with providing support for companies of similar size to yours and/or in a similar industry was evaluated. This can include obtaining and interviewing references from companies that currently use the vendor’s services. You generally want to use vendors who have already demonstrated that they can perform the types of services you’re looking for at a similar scale.
- Ensure that the vendors’ technical support capabilities were considered and evaluated.
- Ensure each vendor was compared against predefined criteria, providing for objective evaluations.
- Determine whether there was appropriate involvement of procurement personnel to help negotiate the contract, of operations personnel to provide expert evaluations as to the vendor’s ability to meet requirements, and of legal personnel to provide guidance on potential regulatory and other legal ramifications of the outsourcing arrangement.
- Ensure that a thorough cost analysis was performed. The total cost of performing the operation in-house should be developed as well as the total cost for using each vendor. This analysis should include all relevant costs, including costs for one-time startup activities, hardware and related power and cooling, software, hardware maintenance, software maintenance, storage, support (labor), and so on. Too often, companies make decisions without considering all relevant costs. For example, some of the cost savings from cloud computing may be offset by increased monitoring to ensure that requirements are met. These costs need to be included in the analysis to ensure that the company is making an informed decision.
For more information on virtualization and auditing, download the rest of Chapter 14: Auditing Cloud Computing and Outsourced Operations (.pdf).
Excerpted from IT Auditing: Using Controls to Protect Information Assets, 2nd Edition by Chris Davis and Mike Schiller, with Kevin Wheeler (McGraw-Hill; 2011), with permission from McGraw-Hill.