Auditors Fear the Cloud
Does internal audit only see the dark, rainy clouds? Can you see whether the silver lining, the potential for cloud computing, is worth the risk?
Auditors should not fear risk. If you eliminate risk, you will also eliminate profit.
The key is to make decisions based on a knowledge of both the potential for adverse impacts and the potential for reward.
SC Magazine had a good set of questions in a November 2010 article:
- Am I using a trusted vendor?
- Have I considered the value and risk to the information that I am outsourcing to the cloud provider?
- What business continuity and disaster recovery measures are in place in the cloud infrastructure? Does the cloud provider have a backup in place?
- Have I considered the potential implication of employees wanting to sabotage a successful cloud migration strategy?
- Have I considered how knowledge of the business process would be retained and versioned, should I wish to switch cloud providers at a future date?
- Do I have a detailed list of security controls based on security, operational and business risks to determine how the cloud vendor complies with them?
- Does your cloud provider meet the regulatory or compliance requirements needed by your organization?
- How do I audit or evaluate security controls placed on the cloud-based infrastructure?
The questions for auditors are:
- Do you know what your organization is doing now with cloud? What is running where?
- What are your organization’s plans and strategies for cloud?
- Are you involved, helping them navigate the risks and rewards? If not, why not?
- Are you being reasonable with respect to taking on risk, relative to the potential rewards?
- Are you an enabler, a navigator, or a roadblock to success?
Posted on Apr 29, 2011 by Norman Marks