Standards and Vendor Selection Cloud Computing

In selecting a vendor, and in evaluating what services and data you can entrust to the vendor, you need both criteria and a methodology. In general, information technology is evaluated by reference to two applicable standards, SAS 70 and ISO 27001. SAS 70, especially has become the measure of cloud security. We consider ISO 27001 first.

ISO 27001
ISO 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 – Information technology -- Security techniques -- Information security management systems -- Requirements but it is commonly known as “ISO 27001”.

Compliance with ISO 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
  • Stage 1 is a preliminary, informal review of the ISMS, for example, checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability (SoA), and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.
  • Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
  • Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.

SAS 70 (Statement on Auditing Standards No.70): Service Organizations
The Statement on Auditing Standards No. 70, commonly known as SAS 70, is an auditing statement put forth by the Auditing Standards Board as designated by the American Institute of Certified Public Accountants (AICPA). Over the years, more than 110 “SAS” have been issued, ranging on a number of critical subjects for auditing matters.

SAS 70 is part of the AU Section 324 Codification of Auditing Standards, which is used to report on controls placed in operation and the testing of the operating effectiveness of those controls. Put simply, it’s a widely used compliance audit for assessing the internal control framework on service organizations that provide critical outsourcing activities for other entities. Introduced in 1992, SAS 70 audits were used in the early and mid-1990s. They still are used for very traditional standards, such as evaluating a service organization’s services if those services are part of the user organization’s information system:

For example, if the ABC company used the XYZ company, which is a service organization, to perform and conduct transactions and procedures that are considered significant to the ABC company’s “information system” or business environment, then the XYZ service organization would need to be SAS 70 compliant.

Think of it as an audit that examines and tests the characteristics of internal controls for service organizations. Service organizations are the entities that undergo the SAS 70 audit. Who requires the audit to be done and why? Generally speaking, compliance legislation in recent years has revolved around corporate governance and the ability to have a strong mechanism of internal controls within organizations. Laws such as The Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Accountability and Portability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA), have emphasized themes such as governance, privacy, security, confidentiality, and segregation of duties.

ANAB Accreditation for ISO/IEC 27001 Information Security Management Systems.

ANAB Accreditation for ISO/IEC 27001 Information Security Management Systems.

Type I and Type II Audits
Initially, service organizations undergo a SAS 70 Type I audit, gradually migrating towards Type II compliance in subsequent years. The main difference between the two “types” (I vs. II) is that a Type II requires a “testing period”, that is, a generally accepted allotted time frame (usually no less than six months) for conducting testing on a service organization’s control environment. A Type I, on the other hand, is just for a specified date, with no testing period whatsoever.

At the end of the audit, the service auditor issues an important report called the Service Auditor’s Report:

  • Type I includes an opinion written by the service auditor. Type I reports describe the degree in which the service organization fairly represent its services in regards to controls that have been implemented in operations and its inherent design to achieve objectives set forth.
  • Type II reports are similar to Type I, however an additional section is added; the additional section includes the service auditor’s opinion on how effectively controls operated under the defined period during the review (usually the defined period is six months, but can be longer).

Type II reports are more th[o]rough, because the auditors gives an opinion on how effective the controls operated under the defined period of the review. Type I only lists the controls, but Type II tests the efficacy of these controls to reasonably assure that they are working correctly. Because Type II reports require a much more thorough audit they are usually much more expensive.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd Protection Status

Cloud Computing Topics