558W4 Case Study 1 – Mitigating Cloud Computing Risks
Case Study 1: Mitigating Cloud Computing Risks
Worth 125 points
Imagine you are an Information Security Manager in a medium-sized organization. Your CIO has asked you to prepare a case analysis report and presentation on establishing internal controls in cloud computing. The CIO has seen several resources online which discuss the security risks related to Cloud based computing and storage. One that stood out was located at http://www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Cloud-Computing-Risk-Assessment-A-Case-Study.aspx. You are being asked to summarize the information you can find on the Internet and other sources that are available. Moving forward, the CIO wants to have a firm grasp of the benefits and risks associated with public, private, and hybrid cloud usage. There is also concern over how these systems, if they were in place, should be monitored to ensure not only proper usage, but also that none of these systems or their data have been compromised.
Write a three to four (3-4) page paper in which you:
1. Provide a summary analysis of the most recent research that is available in this area.
2. Examine the risks and vulnerabilities associated with public clouds, private clouds, and hybrids. Include primary examples applicable from the case studies you previously reviewed.
3. Suggest key controls that organizations could implement to mitigate these risks and vulnerabilities.
4. Develop a list of IT audit tasks that address a cloud computing environment based on the results from the analysis of the case studies, the risks and vulnerabilities, and the mitigation controls.
5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
- Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
- Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
- Describe the process of performing effective information technology audits and general controls.
- Describe the various general controls and audit approaches for software and architecture to include operating systems, telecommunication networks, cloud computing, service-oriented architecture and virtualization.
- Use technology and information resources to research issues in information technology audit and control.
- Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
cloud_computing_risk_assessment__a_case_study.pdf

w4_case_study_1___mitigating_cloud_computing_risks.docx

1/14/2020
Cloud Computing Risk Assessment: A Case Study
Sailesh Gadia, CISA, ACA, CPA, CIPP
Cloud computing has come a long way from being a mere buzzword to a meaningful tool with a lot of potential for consumers of
technology products and services. The adoption of cloud computing has accelerated in the last few years, and it continues to
undergo phenomenal growth.¹
Just as in the early days of the Internet, there are many unknown variables in cloud computing. Due to its nebulous nature, it is
important to understand the risks associated with utilizing cloud computing. It is not just a new technology; it is a different way of
doing business.
Case Study
Company A is a start-up that offers business software branded as BusinessExpress. Company A offers BusinessExpress as a
Software as a Service (SaaS) solution. The demand for SaaS solutions is expected to grow rapidly. With SaaS, customers enjoy all
the benefits of cloud solutions such as not having to host their software in-house² (figure 1).
Company A’s core competency is performing software development, not providing hosting solutions. Infrastructure as a Service
(IaaS) cloud service providers (CSPs) specialize in providing hosting solutions. Leveraging an IaaS CSP for hosting has allowed
Company A to remain focused on its core competency. There are several other benefits of utilizing an IaaS CSP, such as:³
The ability to offer the software solution on a variety of hardware platforms such as Windows, UNIX and Linux
Rapid scalability
Pay-as-you-go capabilities
Resource availability
Due to the numerous benefits of IaaS, Company A leapt into a cloud computing arrangement. The cloud’s economies of scale and
flexibility are both a friend and a foe from a security point of view.⁴ The chief information officer (CIO) of the company engaged an
information systems (IS) auditor to conduct a review and assess the risks of offering a SaaS solution and adopting IaaS cloud
computing for this arrangement. The following paragraphs describe the steps followed by the IS auditor to conduct the exercise.
This exercise will help the CIO in determining what Company A needs to protect, prioritizing the risks and determining a response.
https://www.isaca.org/Journal/archives/2011/Volume-4/Pages/Cloud-Computing-Risk-Assessment-A-Case-Study.aspx
To conduct a risk-based assessment of the cloud computing environment, there are generic risk frameworks such as the
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management—Integrated
Framework. There are also IT domain-specific risk frameworks, practices and process models such as ISO 27001 and IT
Infrastructure Library (ITIL). Bottom-up guidance specific to cloud computing also exists from various bodies such as the Cloud
Security Alliance (CSA), European Network and Information Security Agency (ENISA), and the US National Institute of Standards
and Technology (NIST). The Cloud Controls Matrix released by CSA is designed to provide security principles to guide cloud
vendors and assist prospective cloud clients in assessing overall security risks of a CSP. The NIST guidelines on security and
privacy in public cloud computing (NIST Special Publication [SP] 800-144), which are currently in draft form, contain the guidelines
required to address public cloud security and privacy. The Risk IT: Based on COBIT® framework from ISACA fills the gap between
generic risk management frameworks and domain-specific frameworks based on the premise that IT risk is not purely a technical
issue.
The IS auditor of Company A chose the Risk IT framework, supplemented with an understanding of the Cloud Controls Matrix,
ENISA’s cloud computing risk assessment and the NIST guidelines.
Risk IT provides a list of 36 generic high-level risk scenarios, which can be adapted for each organization. Starting with the set of
generic risk scenarios helps ensure that the IS auditor does not overlook risks and attains a more comprehensive view of IT risk.
Further, Risk IT offers an extensive mapping between the generic risk scenarios and the COBIT control objectives that are
customizable for each situation. Figure 2 illustrates the mapping between the high-level risk scenarios and the corresponding
COBIT control objectives created by the IS auditor for the cloud computing arrangement.
Leveraging Risk IT in conjunction with a widely accepted IT governance and controls framework such as COBIT makes the risk
identification robust and the risk assessment process effective and efficient. This leads to a model that is extensible and reusable
and that can scale up to IT risks affecting the entire company.
Once the risks and COBIT control objectives were defined, they were used by the IS auditor to develop a risk-based audit program.
Figures 3–10⁵ represent a selection of the audit program for the higher-risk areas in figure 2. Figure 11 represents a summary of
the specific risks and gaps after conducting the audit.
The auditor created a heat map of risks (figure 12) that shows the impact/magnitude and likelihood/frequency of key risks relevant
to Company A. The combination of higher (negative) impact/magnitude and higher likelihood/frequency of the incident leads to a
higher level of business risk. The darker shade indicates unacceptable risk. This level of risk is far beyond Company A’s normal risk
appetite. (There may be other risks unique to the ultimate end users/customers of Company A, but that is out of scope for this case
study.)
Due to competing resources, the prioritization of risks related to cloud computing needs to occur, and appropriate action should be
taken based on the risk appetite of the company. Appropriate action includes a combination of the following:
Implement controls.
Transfer risk(s).
Avoid risk(s).
Accept risk(s).
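The heat map and the four response options above can be turned into a small, repeatable scoring step. The following is an added example (it is not the article's code, and the risk register, the 1–5 scales, the risk appetite of 6 and the cost figures are constructed for illustration, not Company A's data or figure 12). It scores each risk as impact × likelihood, shades the score against the stated appetite, orders the register highest risk first, and picks a response: accept within appetite, implement the candidate control only when the loss it removes outweighs its cost, otherwise transfer or avoid where that is possible.

```python
"""Impact x likelihood heat map and risk-response selection for a cloud arrangement.

Added illustration of the prioritisation step described in the case study; every
value below is constructed for the example and is not the article's own data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

SCALE = (1, 2, 3, 4, 5)          # 1 = lowest, 5 = highest, on both axes
RISK_APPETITE = 6                # constructed: scores of 6 or less need no action


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # cost to implement and operate the control
    loss_reduction: float        # fraction of the expected loss the control removes (0..1)


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int                  # negative business impact / magnitude
    likelihood: int              # frequency of the incident
    expected_annual_loss: float  # money-terms exposure used for the cost/benefit test
    control: Optional[Control] = None
    transferable: bool = False   # e.g. contractual penalties or insurance are available
    avoidable: bool = False      # the activity creating the risk can be dropped

    @property
    def score(self) -> int:
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.name}: ratings must be on the 1..5 scale")
        return self.impact * self.likelihood


def heat_level(score: int, appetite: int) -> str:
    """Three shades of the heat map: within appetite is light, above twice the
    appetite is the darkest shade (unacceptable), anything between is elevated."""
    if score > 2 * appetite:
        return "unacceptable"
    if score > appetite:
        return "elevated"
    return "acceptable"


def recommend_response(risk: Risk, appetite: int) -> str:
    """Choose one of: implement controls, transfer, avoid, accept."""
    if risk.score <= appetite:
        return "accept"
    c = risk.control
    # Implement the control only when the benefit (loss removed) outweighs its cost.
    if c is not None and c.loss_reduction * risk.expected_annual_loss > c.annual_cost:
        return "implement controls"
    if risk.transferable:
        return "transfer"
    if risk.avoidable:
        return "avoid"
    return "accept (above appetite: requires documented management sign-off)"


def prioritise(register: list[Risk], appetite: int) -> list[tuple[str, int, str, str]]:
    """Return (name, score, shade, response) ordered highest risk first."""
    ordered = sorted(register, key=lambda r: (-r.score, -r.impact, r.name))
    return [(r.name, r.score, heat_level(r.score, appetite), recommend_response(r, appetite))
            for r in ordered]


def heat_map(register: list[Risk], appetite: int) -> list[str]:
    """Render the 5x5 map as text: impact 5 on top, likelihood 1..5 across.
    Each cell shows the shade's first letter and how many risks sit there."""
    cells = Counter((r.impact, r.likelihood) for r in register)
    rows = []
    for impact in reversed(SCALE):
        row = [f"{heat_level(impact * lk, appetite)[0].upper()}{cells[(impact, lk)]}"
               for lk in SCALE]
        rows.append(f"I{impact} | " + " ".join(row))
    rows.append("     L1 L2 L3 L4 L5")
    return rows


# Constructed register for a SaaS vendor hosted on an IaaS provider.
REGISTER = [
    Risk("Tenant data exposure through shared infrastructure", 5, 3, 500_000,
         control=Control("Encrypt data at rest with customer-managed keys", 60_000, 0.8)),
    Risk("IaaS platform outage takes the SaaS product offline", 4, 3, 200_000,
         control=Control("Deploy across two availability zones", 30_000, 0.7)),
    Risk("No data portability at contract exit (vendor lock-in)", 3, 4, 80_000,
         control=Control("Maintain a parallel environment at a second CSP", 100_000, 0.5),
         transferable=True),
    Risk("Regulated data stored without residency guarantees", 4, 2, 90_000, avoidable=True),
    Risk("Legal hold on co-located customer data", 2, 2, 10_000),
]

if __name__ == "__main__":
    print("\n".join(heat_map(REGISTER, RISK_APPETITE)))
    for name, score, shade, response in prioritise(REGISTER, RISK_APPETITE):
        print(f"{score:>2} {shade:<12} {response:<20} {name}")
```

The lock-in risk shows the cost/benefit test at work: its candidate control would cost more than the loss it removes, so the recommendation falls through to transfer (contractual terms) rather than to building a second environment. A risk above appetite with no viable control, transfer or avoidance option is still reported as accepted, but flagged for an explicit management decision rather than silently dropped.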
The audit highlighted that Company A needs to mitigate several risks. However, implementing too many controls may not be the
best risk-mitigation approach because the benefit from implementing controls should outweigh the cost. Other
measures such as transferring, avoiding or accepting the risk are worth considering as well.
Once the company aligns IT risk with the organization’s overall business risk and remediates unacceptable
security controls, the company is better prepared to harness the power of cloud computing.
Conclusion
Businesses are realizing the power of cloud computing, and its use is increasing. This case study represents a one-time attempt at
risk assessment of the cloud computing arrangement. The risk assessment helped uncover some of the key risks, prioritize those
risks and formulate a plan of action. Given the evolving nature of risks in cloud computing, no longer can one-time risk
assessments suffice. As newer risks emerge, risk assessments need to evolve and the mitigation approach needs to innovate. A
risk assessment needs to occur before an enterprise enters into a cloud computing arrangement—to help avoid surprises and
minimize the costs of implementing and maintaining controls.
References
American Institute of Certified Public Accountants (AICPA), Service Organization Control (SOC) reports, www.aicpa.org/interestareas/accountingandauditing/resources/soc/pages/sorhome.aspx
Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” December 2009, USA, https://cloudsecurityalliance.org/csaguide.pdf
International Organization for Standardization (ISO), ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems—Requirements, Switzerland, 2005, www.iso.org/iso/catalogue_detail?csnumber=42103
International Federation of Accountants (IFAC), International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, http://web.ifac.org/download/b014-2010-iaasb-handbook-isae3402.pdf
ITGI, IT Assurance Guide: Using COBIT, USA, 2007
Office of Government Commerce, IT Infrastructure Library, UK, www.itil-officialsite.com
Jansen, Wayne; Timothy Grance; National Institute of Standards and Technology (NIST) Draft Special Publication (SP) 800-144, Guidelines on Security and Privacy in Public Cloud Computing, NIST, USA, 2011, http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloudcomputing.pdf
Endnotes
1. Gartner Inc., “Gartner Says Worldwide Cloud Services Market to Surpass $68 Billion in 2010,” press release, 22 June 2010, www.gartner.com/it/page.jsp?id=1389313
2. Gadia, Sailesh; “Cloud Computing: An Auditor’s Perspective,” ISACA Journal, vol. 6, 2009, www.isaca.org/Journal/PastIssues/2009/Volume-6/Pages/Cloud-Computing-An-Auditor-s-Perspective1.aspx
3. Pepitone, Julianne; “Why Attackers Can’t Take Down Amazon.com,” CNNMoney.com, 9 December 2010, http://money.cnn.com/2010/12/09/technology/amazon_wikileaks_attack/index.htm
4. European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, Risks and Recommendations for Information Security, Greece, 2009, www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputing-risk-assessment
5. IT Governance Institute (ITGI), COBIT® 4.1, USA, 2007
Sailesh Gadia, CISA, ACA, CPA, CIPP
is a director/senior manager at KPMG’s advisory practice in Minneapolis, Minnesota, USA. He has an extensive background in
designing, implementing and assessing IT controls in various industries and third-party service organizations. Gadia is also an
editorial advisor for the monthly Journal of Accountancy from the American Institute of Certified Public Accountants (AICPA). His
previous ISACA Journal article on cloud computing was published in vol. 6, 2009. Gadia can be reached at sgadia@kpmg.com.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance
professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and
official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’
employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or
republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the
copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to
photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the
ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal
reference, or of articles or columns not owned by the association without express permission of the association or the copyright
owner is expressly prohibited.
good
Posted by BIKASH702 on 10 Aug 2011
I will work with, thanks
Posted by Robert759 on 11 Aug 2011
This is a useful document and well written.
Posted by Raktim794 on 04 May 2015