CIS558 Case Study 1 Mitigating Cloud Computing Risks

Question Description

Imagine you are an Information Security Manager in a medium-sized organization. Your CIO has asked you to prepare a case analysis report and presentation on establishing internal controls in cloud computing. The CIO has seen several resources online which discuss the security risks related to Cloud based computing and storage. One that stood out was located at You are being asked to summarize the information you can find on the Internet and other sources that are available. Moving forward, the CIO wants to have a firm grasp of the benefits and risks associated with public, private, and hybrid cloud usage. There is also concern over how these systems, if they were in place, should be monitored to ensure not only proper usage, but also that none of these systems or their data have been compromised.

Write a three to four (3-4) page paper in which you:

  1. Provide a summary analysis of the most recent research that is available in this area.
  2. Examine the risks and vulnerabilities associated with public clouds, private clouds, and hybrids. Include primary examples applicable from the case studies you previously reviewed.
  3. Suggest key controls that organizations could implement to mitigate these risks and vulnerabilities.
  4. Develop a list of IT audit tasks that address a cloud computing environment based on the results from the analysis of the case studies, the risks and vulnerabilities, and the mitigation controls.
  5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:

  • Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
  • Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

Use this template: APA_Template_With_Advice_(6th_Ed).doc

Unformatted Attachment Preview

IT Audit, Control, and Security
Robert R. Moeller
John Wiley & Sons, Inc.

Copyright 2010 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

Library of Congress Cataloging-in-Publication Data:
Moeller, Robert R. IT audit, control, and security / Robert Moeller. p. cm. Includes bibliographical references and index.
ISBN: 978-0-471-40676-1 (cloth); 978-0-470-87741-8 (ebk); 978-0-470-87767-8 (ebk); 978-0-470-87768-5 (ebk)
1. Information technology—Auditing. 2. Electronic data processing departments—Auditing. 3. Computer security. 4. Computer networks—Security measures. I. Title.
T58.5.M645 2010 658.4’78–dc22 2010013505
Printed in the United States of America.

Dedicated to my best friend and wife, Lois Moeller. Lois has been my companion and partner for over 40 years, whether we are on our Lake Michigan sailboat, skiing in Utah or elsewhere, traveling to interesting places in the world, gardening in the backyard, or cooking its produce.
Contents

Introduction

PART ONE: AUDITING INTERNAL CONTROLS IN AN IT ENVIRONMENT

  Chapter 1: SOx and the COSO Internal Controls Framework
    Roles and Responsibilities of IT Auditors; Importance of Effective Internal Controls and COSO; COSO Internal Control Systems Monitoring Guidance; Sarbanes-Oxley Act; Wrapping It Up: COSO Internal Controls and SOx; Notes
  Chapter 2: Using CobiT to Perform IT Audits
    Introduction to CobiT; CobiT Framework; Using CobiT to Assess Internal Controls; Using CobiT in a SOx Environment; CobiT Assurance Framework Guidance; CobiT in Perspective; Notes
  Chapter 3: IIA and ISACA Standards for the Professional Practice of Internal Auditing
    Internal Auditing’s International Professional Practice Standards; Content of the IPPF and the IIA International Standards; Strongly Recommended IIA Standards Guidance; ISACA IT Auditing Standards Overview; Codes of Ethics: The IIA and ISACA; Notes
  Chapter 4: Understanding Risk Management Through COSO ERM
    Risk Management Fundamentals; Quantitative Risk Analysis Techniques; IIA and ISACA Risk Management Internal Audit Guidance; COSO ERM: Enterprise Risk Management; IT Audit Risk and COSO ERM; Notes
  Chapter 5: Performing Effective IT Audits
    IT Audit and the Enterprise Internal Audit Function; Organizing and Planning IT Audits; Developing and Preparing Audit Programs; Gathering Audit Evidence and Testing Results; Workpapers and Reporting IT Audit Results; Preparing Effective IT Audits; Notes

PART TWO: AUDITING IT GENERAL CONTROLS

  Chapter 6: General Controls in Today’s IT Environments
    Importance of IT General Controls; IT Governance General Controls; IT Management General Controls; IT Technical Environment General Controls; Note
  Chapter 7: Infrastructure Controls and ITIL Service Management Best Practices
    ITIL Service Management Best Practices; ITIL’s Service Strategies Component; ITIL Service Design; ITIL Service Transition Management Processes; ITIL Service Operation Processes; Service Delivery Best Practices; Auditing IT Infrastructure Management; Note
  Chapter 8: Systems Software and IT Operations General Controls
    IT Operating System Fundamentals; Features of a Computer Operating System; Other Systems Software Tools
  Chapter 9: Evolving Control Issues: Wireless Networks, Cloud Computing, and Virtualization
    Understanding and Auditing IT Wireless Networks; Understanding Cloud Computing; Storage Management Virtualization

PART THREE: AUDITING AND TESTING IT APPLICATION CONTROLS

  Chapter 10: Selecting, Testing, and Auditing IT Applications
    IT Application Control Elements; Selecting Applications for IT Audit Reviews; Performing an Applications Controls Review: Preliminary Steps; Completing the IT Applications Controls Audit; Application Review Case Study: Client-Server Budgeting System; Auditing Applications under Development; Importance of Reviewing IT Application Controls; Notes
  Chapter 11: Software Engineering and CMMi
    Software Engineering Concepts; CMMi: Capability Maturity Model for Integration; CMMi Benefits; IT Audit, Internal Control, and CMMi; Note
  Chapter 12: Auditing Service-Oriented Architectures and Record Management Processes
    Service-Oriented Computing and Service-Driven Applications; IT Auditing in SOA Environments; Electronic Records Management Internal Control Issues and Risks; IT Audits of Electronic Records Management Processes; Notes
  Chapter 13: Computer-Assisted Audit Tools and Techniques
    Understanding Computer-Assisted Audit Tools and Techniques; Determining the Need for CAATTs; CAATT Software Tools; Steps to Building Effective CAATTs; Importance of CAATTs for Audit Evidence Gathering
  Chapter 14: Continuous Assurance Auditing, OLAP, and XBRL
    Implementing Continuous Assurance Auditing; Benefits of Continuous Assurance Auditing Tools; Data Warehouses, Data Mining, and OLAP; XBRL: The Internet-Based Extensible Markup Language; Newer Technologies, the Continuous Close, and IT Audit; Notes

PART FOUR: IMPORTANCE OF IT GOVERNANCE

  Chapter 15: IT Controls and the Audit Committee
    Role of the Audit Committee for IT Auditors; Audit Committee Approval of Internal Audit Plans and Budgets; Audit Committee Briefings on IT Audit Issues; Audit Committee Review and Action on Significant IT Audit Findings; IT Audit and the Audit Committee
  Chapter 16: Val IT, Portfolio Management, and Project Management
    Val IT: Enhancing the Value of IT Investments; IT Systems Portfolio and Program Management; Project Management for IT Auditors; Notes
  Chapter 17: Compliance with IT-Related Laws and Regulations
    Computer Fraud and Abuse Act; Computer Security Act of 1987; Gramm-Leach-Bliley Act; HIPAA: Healthcare and Much More; Other Personal Privacy and Security Legislative Requirements; IT-Related Laws, Regulations, and Audit Standards
  Chapter 18: Understanding and Reviewing Compliance with ISO Standards
    Background and Importance of ISO Standards in a World of Global Commerce; ISO Standards Overview; ISO 19011 Quality Management Systems Auditing; ISO Standards and IT Auditors; Notes
  Chapter 19: Controls to Establish an Effective IT Security Environment
    Generally Accepted Security Standards; Effective IT Perimeter Security; Establishing an Effective, Enterprise-Wide Security Strategy; Best Practices for IT Audit and Security; Notes
  Chapter 20: Cybersecurity and Privacy Controls
    IT Network Security Fundamentals; IT Systems Privacy Concerns; PCI-DSS Fundamentals; Auditing IT Security and Privacy; Security and Privacy in the Internal Audit Department; Notes
  Chapter 21: IT Fraud Detection and Prevention
    Understanding and Recognizing Fraud in an IT Environment; Red Flags: Fraud Detection Signs for IT and Other Internal Auditors; Public Accounting’s Role in Fraud Detection; IIA Standards and ISACA Materials for Detecting and Investigating Fraud; IT Audit Fraud Risk Assessments; IT Audit Fraud Investigations; IT Fraud Prevention Processes; Fraud Detection and the IT Auditor; Notes
  Chapter 22: Identity and Access Management
    Importance of Identity and Access Management; Identity Management Processes; Separation of Duties Identity Management Controls; Access Management Provisioning; Authentication and Authorization; Auditing Identity and Access Management Processes; Note
  Chapter 23: Establishing Effective IT Disaster Recovery Processes
    IT Disaster and Business Continuity Planning Today; Building and Auditing an IT Disaster Recovery Plan; Building the IT Disaster Recovery Plan; Disaster Recovery Planning and Service Level Agreements; Newer Disaster Recovery Plan Technologies: Data Mirroring Techniques; Auditing Business Continuity Plans; Disaster Recovery and Business Continuity Planning Going Forward; Notes
  Chapter 24: Electronic Archiving and Data Retention
    Elements of a Successful Electronic Records Management Process; Electronic Documentation Standards; Implementing Electronic IT Data Archiving; Auditing Electronic Document Retention and Archival Processes
  Chapter 25: Business Continuity Management, BS 25999, and ISO 27001
    IT Business Continuity Management Planning Needs Today; BS 25999 Good Practice Guidelines; Auditing BCM Processes; Linking the BCM with Other Standards and Processes; Notes
  Chapter 26: Auditing Telecommunications and IT Communications Networks
    Network Security Concepts; Effective IT Network Security Controls; Auditing a VPN Installation; Note
  Chapter 27: Change and Patch Management Controls
    IT Change Management Processes; Auditing IT Change and Patch Management Controls; Notes
  Chapter 28: Six Sigma and Lean Technologies
    Six Sigma Background and Concepts; Implementing Six Sigma; Lean Six Sigma; Notes
  Chapter 29: Building an Effective IT Internal Audit Function
    Establishing an IT Internal Audit Function; Internal Audit Charter: An Important IT Audit Authorization; Role of the Chief Audit Executive; IT Audit Specialists; IT Audit Managers and Supervisors; Internal and IT Audit Policies and Procedures; Organizing an Effective IT Audit Function; Importance of a Strong IT Audit Function; Note
  Chapter 30: Professional Certifications: CISA, CIA, and More
    Certified Information Systems Auditor Credentials; Certified Information Security Manager Credentials; Certificate in the Governance of Enterprise IT; Certified Internal Auditor Responsibilities and Requirements; Beyond the CIA: Other IIA Certifications; CISSP Information Systems Security Professional Certification; Certified Fraud Examiner Certification; ASQ Internal Audit Certifications; Other Internal Auditor Certifications; Note
  Chapter 31: Quality Assurance Auditing and ASQ Standards
    Duties and Responsibilities of Quality Auditors; Role of the Quality Auditor; Performing ASQ Quality Audits; Quality Assurance Reviews of IT Audit Functions; Future Directions for Quality Assurance Auditing; Notes

Index

Introduction: Importance of IT Auditing

Welcome to the world of IT Audit, Control, and Security.
Much has changed in information technology (IT) auditing since we published our first edition of this book, when we were then called Computer Auditors. Back in those days, traditional mainframe or legacy computer systems were still common, we had difficulty envisioning laptop systems as serious business information systems tools, and the Internet was little more than an e-mail and text document communications tool for many. Computer security then was largely based on locked, secured mainframe facilities, and we were just seeing the very first computer viruses. Many auditors, both internal and external, typically had only limited knowledge about IT systems controls, and there were wide knowledge gaps among auditors, systems security specialists, and developers.

It is hard to focus on just one development or event that has turned our view of IT audit controls into a separate discipline. However, the overall influence of the Web, along with audit, security, and internal controls concerns, has made IT controls more important to many today. This book focuses on both the technical and professional issues facing today’s audit, security, and internal control specialists in an information systems environment, with the goal of providing an understanding of key IT audit, security, and internal controls issues. We have expanded our audience beyond just auditors to include IT security and internal control specialists as well. Although some may not have specific job titles covering these audit, security, and internal controls disciplines, many professionals in today’s enterprises have a responsibility to ensure that good IT controls have been installed and are operating. IT auditors are key persons responsible for assessing these controls.

Although the individual chapters of this book, outlined next, cover a broad range of technical and audit-related topics, each of the chapters focuses on three broad IT audit topic areas:

  1. Technology-driven audit and internal controls. The effective IT auditor today needs to have a good understanding of a wide range of IT technologies as well as appropriate related audit, security, and control issues and techniques. As our first broad concentration area, the text addresses some of the more significant technology changes today along with their audit, security, and internal control implications. This book is not a detailed technology tutorial, but we describe important IT issues and introduce their IT control procedures in the following broad areas:
    • Electronic commerce systems, including the use of the XBRL protocol as well as wireless and cloud computing. This area generally goes under the name of ‘‘e-business’’ with evolving standards and good practices.
    • Modern application implementation processes, including the use of comprehensive enterprise resource planning (ERP) software packages, software as a service (SaaS) implementation approaches, and object-oriented application development processes.
    • Effective IT continuity planning processes. Because virtually all enterprise operations today are tied to often interlocking IT processes, facilities must be in place to restore them to normal operations if some unexpected event arises.
    • Systems infrastructure controls for managing existing applications and operations. Configuration management, service-level agreements, and effective customer service functions are all important in today’s modern IT environment.
    • Effective IT governance procedures. Whether Sarbanes-Oxley Act (SOx) rules or international standards guidelines, all IT organizations today must understand and comply with the many new rules covering all aspects of IT governance and operations.
    • The importance of storage management. Effective processing rules and IT governance requirements require that we keep backup copies of much of the data we use in IT operations as well as database operations to allow an enterprise to search for and retrieve that data easily. IT storage audit, security, and internal control issues, and newer concepts such as virtualization, are important IT concerns.
    • Modern computer security procedures, including trusted networks and firewall-protected systems. Enterprises need to protect their data in light of ever-increasing threats in today’s Web and wireless environments.
    This list is not all-encompassing but highlights the overall topics in these chapters. Although some of these expressions may seem like buzzwords or techno-jargon to some readers, the chapters to come introduce many technical concepts with an emphasis on their related audit, security, and internal control concepts and procedures.
  2. Security, privacy, and continuity issues. As the second broad topic area in this book, we discuss disaster recovery planning as well as effective continuity and information systems security processes in a modern IT environment. The emphasis is more on getting the business back in operation rather than just getting the IT resources working again. Closely related to security matters, privacy is another issue facing IT auditors. We are increasingly seeing legislation mandating privacy protections over multiple types of information systems data, such as medical records, financial data, and other areas. These new rules have encouraged many enterprises to install strengthened internal controls.
  3. Auditing legislative and governance changes. Professionals constantly face legal and other changes that impact their work. Understanding and developing appropriate procedures is this book’s third broad objective. Although it occurred years ago now, the catastrophic failure of the then-prominent corporation, Enron, introduced a raft of new issues. Based on its stock market capitalization, Enron was then a rapidly growing large company engaged in trading oil, gas, and other commodities. Enron’s financial reports, in retrospect, contained many red-flag warnings of possible troubles. Despite these warning signs, Enron’s external auditors seemingly looked the other way. Enron subsequently collapsed, hurting many and leaving a trail of recriminations and questions about the overall independence and objectivity of its external auditors. As a result, the U.S. Congress passed the Sarbanes-Oxley Act (SOx), which changed the process of auditing internal accounting c ...

Final Answer

Here you go. In case of any further inputs, please let me know. All the best! I appreciate working with you!



Cloud Computing and Auditing



Summary analysis

Cloud computing is the provision of network access to a group of configured computing resources, such as storage, applications, and network services, that can be accessed quickly on demand. Cloud computing is done to increase convenience in data and information retrieval. Cloud computing articulates technology in applications and internet connectivity and allows for a flexible means of sourcing. Cloud computing is characterized by an extensive network service, pooling of resources, elasticity, and on-demand services. There are two known cloud models: deployment models and service models (Armbrust et al., 2010). The deployment model includes the public cloud and the private cloud. A private cloud can further be categorized into an internal and an external cloud, where an internal cloud is one whose resources are owned and maintained by an organization, and a private external cloud is one whose computer resources belong to a service provider, such as IBM, that also maintains them at a cost (Buyya et al., 2009). Public clouds are offered by a service provider to the public. The service model can also be categorized into Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). SaaS includes the use of the service provider’s applications available in the cloud infrastructure. PaaS provides consumers with the ability to use custo...

CASIMIR (24456)
Boston College

Thanks for the help.
