Cloud computing continues to gain popularity as a way to improve IT-related services with minimal up-front investment. In the past five years, cloud adoption has moved from an idea that met resistance to a solution whose use is growing rapidly and globally. To help companies find value in this solution and avoid an information security nightmare caused by losing control over data and processing that now reside with a provider, Controls and Assurance in the Cloud: Using COBIT 5 provides practical steps for governance, assurance and control in the cloud.
Building on the positive reception of the 2011 publication IT Control Objectives for Cloud Computing, ISACA updated its concepts, identified new risks and provided practical guidance using COBIT 5 products. Controls and Assurance in the Cloud: Using COBIT 5 was published in April 2014 to assist enterprises in weighing the cloud's value against its business risk. The 2014 book also provides guidance on how to determine whether that risk falls within the enterprise's established risk appetite and whether the rewards and benefits are worth the cost and effort of mitigating it.
Controls and Assurance in the Cloud includes governance and risk management practices to guide the cloud management life cycle (evaluation and selection of cloud services, transition to the cloud, cloud service provider [CSP] management, assurance and decommission), security practices to protect enterprise assets, and assurance practices to determine whether the cloud services in use meet enterprise goals and compliance requirements. The appendices offer tools that can be used to accomplish many of the objectives mentioned throughout the book.
The book’s appendices include the following:
- A cross-reference of the COBIT 5 enabling processes to the Cloud Security Alliance Cloud Controls Matrix version 3 (CSA CCMv3). This reference identifies process practices that are relevant to users, CSPs and integrators to implement security and assurance programs.
- An example of an audit program based on COBIT 5 for Assurance
- An example of a process capability assessment based on COBIT Process Assessment Model (PAM): Using COBIT 5
- A list of risk scenarios based on COBIT 5 for Risk
- Examples of contractual provisions that should be included in cloud services contracts and reviewed during assurance assessments
- A cloud enterprise risk management and governance checklist
- A practical approach to measure return on investment (ROI)
The guidance provided in Controls and Assurance in the Cloud benefits CSPs, customers, cloud integrators and third-party assessors alike. CSPs can use the risk management and security recommendations to design secure service offerings. Customers can use the governance and assurance recommendations to select the services that best fit their needs and to obtain assurance that their assets are protected as expected. Cloud integrators and third-party assessors can use the tools in the appendices to evaluate CSPs' environments and issue reports attesting to their capability to provide secure services.
Sai K. Honig, CISA, CIA
Has more than 10 years of experience preparing and executing financial, operational and IT audits as well as enterprisewide risk assessments. Honig is familiar with the software development life cycle, COBIT, ITIL, the US Health Insurance Portability and Accountability Act (HIPAA), the US Sarbanes-Oxley Act, business continuity, and cloud implementations (SaaS). Honig is currently applying this experience by assisting the Grameen Foundation as it prepares its internal audit processes.