Cloud Security and Privacy : Regulatory/External Compliance (part 1)

12/11/2010 11:36:56 AM

CSPs face an increasingly complex array of external compliance requirements from their customers, whether those include industry standards, regulatory regimes, or customer-specific frameworks. Frequently, those requirements are based on or refer to industry standards. As a result, using industry standards can be an effective compliance approach for CSPs if they can navigate through the ever-increasing number of standards that exist or are under development (see Figure 1).

Figure 1. So many standards

From an information technology and security controls perspective, it can be helpful to look at these standards in terms of their focus and objective. The matrix in Table 1 was developed to summarize how a number of leading industry standards/regulatory requirements fit together.^[74] Understanding these standards in their proper context helps an organization to determine their applicability and how they might be used.

^[74] Lundin, Mark. “Industry Issues and Standards—Effectively Addressing Compliance Requirements.” ISACA San Francisco Chapter, Consumer Information Protection Event; April 1, 2009.

Table 1. High-level standards road map
	Control environment/company level controls	Information security	IT service delivery/operations	Systems development	Financial reporting systems	Specific technologies or incremental requirements
Best practices Guidance	COBIT
Best practices Guidance	COSO	ISO27002	ITILISO 20000-2	CMM/ISO 21827	ITGI-SOX	ISO various ANSI various NIST various
Certification/audit criteria/requirements		ISO 27001	ISO 20000-1
Regulatory/industry requirements		FFIEC HIPAA HITRUST NIST PCI ISO 2700X		SOXPCAOB	EV SSL
Audit framework	SAS 70 SysTrust WebTrust BITS FISAP	PCAOB	WebTrust CA WebTrust EV GAPP

As Table 1 shows, many IT standards have a specific area of focus, such as:

Overall control environment/company-level controls
Information security
IT service delivery/operations
Systems development
Financial reporting systems
Specific technologies

In addition, the nature of individual standards can generally be characterized as:

Best Practices Guidance
Certification/Audit Criteria/Requirements
Regulatory/Industry Requirements
Audit Framework

When developing a controls framework or assessing how to address the requirements of a particular standard/set of requirements, it is desirable to base the framework on the standard that is most relevant. For CSPs, where security is a paramount concern, ISO 27001 is used as a baseline. The CSP may refer to ISO 27002 for additional best practices guidance. It may then be necessary to add to the control framework incremental requirements from relevant regulatory or industry requirements or topics covered in the illustrative control objectives. As the CSP enters new markets or industries and inherits new requirements, it is essential that the CSP critically analyze such requirements to determine whether they truly give rise to needed additional controls or whether they are already covered by the CSP’s control set. Relevant audit frameworks should be considered when designing the CSP’s control set and periodic external audits should cover the most relevant aspects of the CSP’s controls.

The following sections discuss a selection of common industry/regulatory requirements (Sarbanes-Oxley, PCI DSS, HIPAA) and their applicability in a cloud computing environment.

1. Sarbanes-Oxley Act

In response to significant financial reporting fraud in 2001–2002, the Sarbanes-Oxley Act of 2002 (SOX) was passed and signed into law. As a result of SOX:

Public company CEOs and CFOs are required to certify the effectiveness of their internal controls over financial reporting (ICOFR) on a quarterly and annual basis.
Management is required to perform an annual assessment of its ICOFR.
External auditors are required to express an opinion on the effectiveness of management’s ICOFR as of the company’s fiscal year end.^[75]
^[75] Sarbanes-Oxley Act of 2002, sections 302, 404.

SOX also led to the creation of the Public Company Accounting Oversight Board (PCAOB) which was charged with establishing audit standards. PCAOB Auditing Standard No. 2 called attention to the importance of information technology general controls (ITGCs). The following paragraph gave rise to public companies’ renewed focus on the effectiveness of their ITGCs:

Some controls ... might have a pervasive effect on the achievement of many overall objectives of the control criteria. For example, information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively.^[76]
^[76] PCAOB Auditing Standard No. 2—An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, March 9, 2004.

Ultimately, the IT Governance Institute developed a set of IT Control Objectives for Sarbanes-Oxley that became the de facto industry standard for ITGC needed to achieve the requirements of SOX. This included control objectives and recommended supporting control procedures in the following areas:

Program Development and Program Change

Acquire or develop application system software.

Acquire technology infrastructure.

Develop and maintain policies and procedures.

Install and test application software and technology infrastructure.

Manage changes.

Computer Operations and Access to Programs and Data

Define and manage service levels.

Manage third-party services.

Ensure system security.

Manage the configuration.

Manage problems and incidents.

Manage data.

Manage operations.

From an IT perspective, key application controls supporting financial reporting processes would also be within the scope of a company’s internal and external SOX compliance efforts.

PCAOB Audit Standard No. 5 in 2007 emphasized a risk-based approach, thereby enabling most companies to narrow the scope of their SOX compliance activities. Although SOX applies to U.S. public companies with a certain market capitalization, the concept has also been adopted in Japan (J-SOX), in the insurance industry (NAIC Model Audit Rule), and elsewhere.

1.1. Cloud computing impact of SOX

SOX focuses on the effectiveness of a company’s financial reporting process—including finance and accounting processes, other key business processes (e.g., the order-to-cash process), and controls over IT systems that have a material impact on financial reporting (e.g., the company’s enterprise resource planning or ERP system and transaction processing systems that feed into the general ledger). The scope includes internally managed systems and outsourced systems that can materially impact financial reporting. The SOX compliance scope for each public company is ultimately defined by the company’s management with input from its external auditor. Whether or not a CSP becomes relevant to a specific corporate customer’s SOX audit activities will depend on the nature of service provided by the CSP to that corporate customer.

Services provided by a CSP could be relevant to a corporate customer from a SOX perspective. For example, an organization might utilize a SaaS application that plays a significant role in financial reporting serving as the system of record for various transactional activities. If those transactional activities are financially significant to the customer, the SaaS application would likely be part of the customer’s SOX scope. As a result, the customer and its external auditor would be required to test relevant CSP controls—by performing test procedures at the CSP site, reviewing the CSP’s current audit report, or a combination of both. Such controls would typically include the aforementioned topics and may include application controls as described shortly.

In another scenario, an organization might utilize PaaS to underlie an important financial application. An organization might use IaaS to support traditional applications or cloud-based applications that are used for processing or reporting on financial transaction activities. In each of these cases, SOX control requirements would be applicable.

From an IT general controls perspective, it is important to have robust processes for user management/segregation of duties, systems development, program and infrastructure change management, and computer operations (e.g., monitoring, backup, and problem management). Effective IT general controls are imperative to enable application controls.

Application controls will vary depending on the nature of the application. Typical controls focus on segregation of duties for key functions, completeness and accuracy of reports, system configurations for transaction processing, logging of activities, and so on.

In addition, it is important for the CSP to clearly define which control activities are the CSP’s responsibility and which are the responsibility of the customer. Consequently, the CSP and its customers need to define boundaries where there is shared responsibility. This enables the CSP to focus its compliance efforts on areas it controls, while helping customers to do the same.

Where the CSP supports services that are likely to be in scope for SOX, the CSP should build those key controls into its control framework and provide guidance for customers as to how the CSP helps the customer otherwise meet its compliance requirements.