Cloud Security and Privacy : Regulatory/External Compliance (part 1)

12/11/2010 11:36:56 AM
CSPs face an increasingly complex array of external compliance requirements from their customers, whether those include industry standards, regulatory regimes, or customer-specific frameworks. Frequently, those requirements are based on or refer to industry standards. As a result, using industry standards can be an effective compliance approach for CSPs if they can navigate through the ever-increasing number of standards that exist or are under development (see Figure 1).
Figure 1. So many standards

From an information technology and security controls perspective, it can be helpful to look at these standards in terms of their focus and objective. The matrix in Table 1 was developed to summarize how a number of leading industry standards/regulatory requirements fit together.[74] Understanding these standards in their proper context helps an organization to determine their applicability and how they might be used.

[74] Lundin, Mark. “Industry Issues and Standards—Effectively Addressing Compliance Requirements.” ISACA San Francisco Chapter, Consumer Information Protection Event; April 1, 2009.

Table 1. High-level standards road map
 Control environment/company level controlsInformation securityIT service delivery/operationsSystems developmentFinancial reporting systemsSpecific technologies or incremental requirements
Best practices GuidanceCOBIT

ANSI various

NIST various
Certification/audit criteria/requirements ISO 27001ISO 20000-1 
Regulatory/industry requirements FFIEC





ISO 2700X
Audit frameworkSAS 70




WebTrust EV


As Table 1 shows, many IT standards have a specific area of focus, such as:

  • Overall control environment/company-level controls

  • Information security

  • IT service delivery/operations

  • Systems development

  • Financial reporting systems

  • Specific technologies

In addition, the nature of individual standards can generally be characterized as:

  • Best Practices Guidance

  • Certification/Audit Criteria/Requirements

  • Regulatory/Industry Requirements

  • Audit Framework

When developing a controls framework or assessing how to address the requirements of a particular standard/set of requirements, it is desirable to base the framework on the standard that is most relevant. For CSPs, where security is a paramount concern, ISO 27001 is used as a baseline. The CSP may refer to ISO 27002 for additional best practices guidance. It may then be necessary to add to the control framework incremental requirements from relevant regulatory or industry requirements or topics covered in the illustrative control objectives. As the CSP enters new markets or industries and inherits new requirements, it is essential that the CSP critically analyze such requirements to determine whether they truly give rise to needed additional controls or whether they are already covered by the CSP’s control set. Relevant audit frameworks should be considered when designing the CSP’s control set and periodic external audits should cover the most relevant aspects of the CSP’s controls.

The following sections discuss a selection of common industry/regulatory requirements (Sarbanes-Oxley, PCI DSS, HIPAA) and their applicability in a cloud computing environment.

1. Sarbanes-Oxley Act

In response to significant financial reporting fraud in 2001–2002, the Sarbanes-Oxley Act of 2002 (SOX) was passed and signed into law. As a result of SOX:

  • Public company CEOs and CFOs are required to certify the effectiveness of their internal controls over financial reporting (ICOFR) on a quarterly and annual basis.

  • Management is required to perform an annual assessment of its ICOFR.

  • External auditors are required to express an opinion on the effectiveness of management’s ICOFR as of the company’s fiscal year end.[75]

    [75] Sarbanes-Oxley Act of 2002, sections 302, 404.

SOX also led to the creation of the Public Company Accounting Oversight Board (PCAOB) which was charged with establishing audit standards. PCAOB Auditing Standard No. 2 called attention to the importance of information technology general controls (ITGCs). The following paragraph gave rise to public companies’ renewed focus on the effectiveness of their ITGCs:

Some controls ... might have a pervasive effect on the achievement of many overall objectives of the control criteria. For example, information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively.[76]

[76] PCAOB Auditing Standard No. 2—An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, March 9, 2004.

Ultimately, the IT Governance Institute developed a set of IT Control Objectives for Sarbanes-Oxley that became the de facto industry standard for ITGC needed to achieve the requirements of SOX. This included control objectives and recommended supporting control procedures in the following areas:

Program Development and Program Change

Acquire or develop application system software.

Acquire technology infrastructure.

Develop and maintain policies and procedures.

Install and test application software and technology infrastructure.

Manage changes.

Computer Operations and Access to Programs and Data

Define and manage service levels.

Manage third-party services.

Ensure system security.

Manage the configuration.

Manage problems and incidents.

Manage data.

Manage operations.

From an IT perspective, key application controls supporting financial reporting processes would also be within the scope of a company’s internal and external SOX compliance efforts.

PCAOB Audit Standard No. 5 in 2007 emphasized a risk-based approach, thereby enabling most companies to narrow the scope of their SOX compliance activities. Although SOX applies to U.S. public companies with a certain market capitalization, the concept has also been adopted in Japan (J-SOX), in the insurance industry (NAIC Model Audit Rule), and elsewhere.

1.1. Cloud computing impact of SOX

SOX focuses on the effectiveness of a company’s financial reporting process—including finance and accounting processes, other key business processes (e.g., the order-to-cash process), and controls over IT systems that have a material impact on financial reporting (e.g., the company’s enterprise resource planning or ERP system and transaction processing systems that feed into the general ledger). The scope includes internally managed systems and outsourced systems that can materially impact financial reporting. The SOX compliance scope for each public company is ultimately defined by the company’s management with input from its external auditor. Whether or not a CSP becomes relevant to a specific corporate customer’s SOX audit activities will depend on the nature of service provided by the CSP to that corporate customer.

Services provided by a CSP could be relevant to a corporate customer from a SOX perspective. For example, an organization might utilize a SaaS application that plays a significant role in financial reporting serving as the system of record for various transactional activities. If those transactional activities are financially significant to the customer, the SaaS application would likely be part of the customer’s SOX scope. As a result, the customer and its external auditor would be required to test relevant CSP controls—by performing test procedures at the CSP site, reviewing the CSP’s current audit report, or a combination of both. Such controls would typically include the aforementioned topics and may include application controls as described shortly.

In another scenario, an organization might utilize PaaS to underlie an important financial application. An organization might use IaaS to support traditional applications or cloud-based applications that are used for processing or reporting on financial transaction activities. In each of these cases, SOX control requirements would be applicable.

From an IT general controls perspective, it is important to have robust processes for user management/segregation of duties, systems development, program and infrastructure change management, and computer operations (e.g., monitoring, backup, and problem management). Effective IT general controls are imperative to enable application controls.

Application controls will vary depending on the nature of the application. Typical controls focus on segregation of duties for key functions, completeness and accuracy of reports, system configurations for transaction processing, logging of activities, and so on.

In addition, it is important for the CSP to clearly define which control activities are the CSP’s responsibility and which are the responsibility of the customer. Consequently, the CSP and its customers need to define boundaries where there is shared responsibility. This enables the CSP to focus its compliance efforts on areas it controls, while helping customers to do the same.

Where the CSP supports services that are likely to be in scope for SOX, the CSP should build those key controls into its control framework and provide guidance for customers as to how the CSP helps the customer otherwise meet its compliance requirements.

Other -----------------
- Developing an SEO-Friendly Website : Root Domains, Subdomains, and Microsites (part 2)
- Developing an SEO-Friendly Website : Root Domains, Subdomains, and Microsites (part 1)
- Parallel Programming with Microsoft .Net : Parallel Aggregation - An Example
- Parallel Programming with Microsoft .Net : Parallel Aggregation - The Basics
- Developing an SEO-Friendly Website : Creating an Optimal Information Architecture (part 4)
- Developing an SEO-Friendly Website : Creating an Optimal Information Architecture (part 3)
- Developing an SEO-Friendly Website : Creating an Optimal Information Architecture (part 2)
- Developing an SEO-Friendly Website : Creating an Optimal Information Architecture (part 1)
- Cloud Security and Privacy : Governance, Risk, and Compliance (GRC)
- Cloud Security and Privacy : Internal Policy Compliance
- jQuery 1.3 : Improving a basic form (part 8) - Checkbox manipulation
- jQuery 1.3 : Improving a basic form (part 7)
- jQuery 1.3 : Improving a basic form (part 6)
- jQuery 1.3 : Improving a basic form (part 5) - Conditionally displayed fields
- jQuery 1.3 : Improving a basic form (part 4)
- jQuery 1.3 : Improving a basic form (part 3) - Required field messages
- jQuery 1.3 : Improving a basic form (part 1) - The legend
- jQuery 1.3 : Improving a basic form (part 1) - Progressively enhanced form styling
- Changes to Privacy Risk Management and Compliance in Relation to Cloud Computing
- Cloud Security and Privacy : What Are the Key Privacy Concerns in the Cloud?
Most View
- Exchange Server 2010 : Antivirus Considerations
- SQL Server 2012 : T-SQL Enhancements - The MERGE Statement (part 1)
- Windows 7 : Disabling Network SSID Broadcasting
- SQL Server 2008 R2 : Database Pages (part 2) - Row-Overflow Pages, LOB Data Pages
- Parallel Programming with Microsoft Visual Studio 2010 : Introduction to Parallel Programming - Multicore Computing & Speedup
- SharePoint 2010: Modify a Content Type
- Exchange Server 2003 : Creating and Managing Address Lists and Recipient Policies (part 1) - Creating and Modifying Address Lists
- SQL server 2008 : Managing Security - Permissions
- Windows Server 2008: Understanding and Deploying BranchCache (part 3)
- SharePoint Server 2010 Business Intelligence Platform (part 4) - PerformancePoint Services - Time Intelligence, Decomposition Tree
Top 10
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 3) - Configuring Recipient Filtering
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 2)
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 1)
- Implementing Edge Services for an Exchange Server 2007 Environment : Installing and Configuring the Edge Transport Server Components
- What's New in SharePoint 2013 (part 7) - BCS
- What's New in SharePoint 2013 (part 6) - SEARCH
- What's New in SharePoint 2013 (part 6) - WEB CONTENT MANAGEMENT
- What's New in SharePoint 2013 (part 5) - ENTERPRISE CONTENT MANAGEMENT
- What's New in SharePoint 2013 (part 4) - WORKFLOWS
- What's New in SharePoint 2013 (part 3) - REMOTE EVENTS