The cloud services provided by AWS include computing power, infrastructure services, networking, storage, and databases. These services are delivered to the client as needed, on demand, and on a pay-as-you-go basis (Willcocks & Lacity, Eds., 2016). The service provider caters for a range of different use cases; in this context, AWS provides over 50 different types of services. The company takes into consideration the security needs of its clients, and to this end it has put in place an infrastructure intended to ensure that security is better than on-premise security. To offer the best services, the company also takes into consideration the regulations put in place by the government and other relevant bodies. It offers its services to both small and large organizations.
Goals and Objectives
AWS’ main goals are to offer services, guidance, and consultation to the client on cloud technology. To accomplish this, the company has consultants who engage with and educate the client on cloud technology. The company seeks to transform the IT sector through the provision of second-to-none services and products. In this effort, the organization has set up 53 availability zones all over the world, located in 18 geographic regions. Notably, there are plans to add 12 more regions. With strict adherence to the set guidelines and regulations, the organization is making good inroads in the industry and has a steadily growing client base.
To determine whether the operations of AWS are in line with the industry’s recommended standards, an audit of its operations has to be undertaken. Such an audit should include determining whether the organization is adhering to the laws associated with cloud technology. The audit should also seek to determine whether privacy laws are followed. IT security should also be analyzed by determining the plans put in place for mitigating and dealing with possible threats and risks. Finally, the audit should seek to determine the policies put in place by the organization on security and on the other operations associated with the provision of cloud services.
Frequency of the Audit
The proposed audit should be conducted at regular intervals. It is recommended that the audit be conducted in phases and at different levels of detail. An overall audit could be conducted once a year, while departmental audits could be conducted every three months. The departmental audits would shed light on what needs immediate attention and on what the overall audit might miss because of the generalization inherent in such an audit (Armbrust et al., 2010). The periodic audits would also help the organization know whether it is moving in the right direction and whether it is improving on previously identified issues.
The periodic audits could be scheduled to last for a week, and the main audit, or what could be referred to as the overall audit, could be scheduled to last for two weeks. Nonetheless, these periods are not fixed: if the auditors require more time, they should be allowed to complete their work.
Certain requirements are necessary for the audit process to be carried out. Firstly, the team of auditors has to be constituted; in this case, it has to be determined whether they will be internal or external auditors. Moreover, there are specific issues that will be considered when the audit is undertaken. These include the technical expertise and experience of the key personnel in the organization, compliance with government policies and regulations, the frequency and quality of any security awareness training undertaken, and issues of accountability.
The rate at which new technologies are adopted is also critical, as is the management of change resulting from the new procedures and processes associated with new technology. The factors mentioned above are important because of their influence on the overall wellbeing of the organization regarding its provision of cloud services. If the organization is responsible enough to address these issues and to have plans in place to mitigate them, then it would be determined to be on the right track, since these aspects are bound to improve its performance and service delivery.
Regarding personal data, privacy laws have to be adhered to. Most of the time, privacy is also associated with security. Since AWS is a public service provider, there are certain key security and privacy issues that have to be taken into consideration. Firstly, it would be important to determine the governance of AWS: how oversight and control in the organization are managed through the standards, policies, and procedures put in place. Secondly, it would also be important to consider the compliance of the organization with the set regulations and policies. In this context, privacy laws come into play.
The privacy laws include the Privacy Act, which dictates how personal information is collected, used, disseminated, and maintained in a system of records. Inasmuch as this regulation is mostly intended for federal agencies, it also sets good standards and should be considered by private entities. In this context, the organization is expected to undertake a Privacy Impact Assessment (PIA) (Krutz & Vines, 2010). This assessment should be performed on the different technologies that are used to collect, maintain, and disseminate personal information.
In the same context of dealing with privacy laws, the organization is expected to practice some level of restraint and control over the data. It is expected that an organization handling PII should have adequate security for the information it holds. The information should be kept away from any unauthorized personnel. It should also not be disclosed, disrupted, used, modified, or even destroyed by unauthorized persons (Kandukuri & Rakshit, 2009). This involves the protection of the information systems that are used to relay and handle the data.
IT Security Assessment Plan
A thorough assessment of the IT security of the organization has to be carried out in the context of risk management, threat analysis, vulnerability analysis, and risk assessment analysis.
The risk management plan of the organization has to be strategic, and it has to conform to modern standards. To assess the risk management of the organization, it is important to first consider the kinds of risk that the organization is prone to. Risk management will also be determined through analysis of the organization’s compliance with PCI standards. It would also be critical to determine whether the organization is ensuring that SAS 70 Type II standards are being adhered to (Kandukuri & Rakshit, 2009). Other factors to consider when looking into risk management are data loss and recovery. Although the data held in the cloud is often encrypted, such data is usually harder to decrypt and recover. In this context, it would be important to consider the plans that the organization has put in place to help recover lost data. It is also critical that the performance of the systems and procedures put in place for managing risk be determined.
As far as threat analysis is concerned, it is important to determine what kinds of threats the organization is able to handle and, more so, which threats it is likely to come under. It is also important to determine, from the client’s point of view, the types of threats they are likely to face. Once the threats are determined, the organization should be able to detail the plans it has in place to help mitigate them.
An analysis of the vulnerabilities the company is likely to face is essential. In this context, physical security will be analyzed to determine whether people, activities, equipment, and operations are safeguarded against possible threats. The organization will also be audited to determine whether it is prepared to deal with the loss of data. It is also important to consider issues such as data lockout, which could affect the activities, people, information, and operations of the organization to a great extent. Other vulnerabilities that have to be looked into include identity management, authorization, execution control, and external and internal cloud application interaction.
Risk Assessment Analysis
The risk assessment analysis should be carried out by answering the following questions: what is the threat categorization at the organization; what is the threat impact, in terms of how severe the threats would be; what is the threat frequency; and what is the uncertainty factor.
Resources for the Audit
The information and resources for the audit process shall be acquired from the organization after obtaining permission from management to access the systems and data. The auditors will work together with the organization’s staff in the process. The organization’s staff shall be expected to provide all the necessary resources and information. The audit will cover the following seven domains of the infrastructure:
1. User domain – the users of the cloud technology. The audit will seek to determine whether the users are authenticated before they are allowed access to the cloud.
2. Workstation domain – the computers and other devices that could be used to access the cloud. The audit of security policies and regulations will be associated with the workstations that are allowed to access the cloud.
3. LAN domain – the equipment connected to a LAN at the client’s organization. The audit will seek to determine whether the policies in place help regulate the devices connected to the LAN, which might affect the security of the cloud.
4. WAN domain – The equipment connected to the cloud service. Policies dictating the connection to the cloud are associated with this domain.
5. LAN-WAN domain – The equipment that connects the cloud to the devices operated by the client. The security policies and regulations, as well as controls set in place, affect this domain.
6. Remote Access domain – includes the encryption technology put in place to protect the cloud service. The audit of encryption and of the other security policies and systems will be in line with this domain.
7. System/Application domain – includes the technologies used by cloud service users to conduct their business; this domain is also associated with the audit of the security policies associated with the use of the cloud service.
Policies and Procedures
The audit process shall take into consideration the security policies and procedures that have been put in place by the organization. To determine these, the organization’s liaison will be required to provide documentation on the policies in place. On the same note, the audit team can decide to carry out tests to determine how effective the policies and procedures are. The organization should have procedures in place for dealing with security threats, and these should be tested to determine how effective they are.
The policies should also be checked to determine whether controls have been put in place to support them. There should be documentation on the controls. If there are none, some will be recommended, together with a description of the scenarios in which the controls would be needed. The effective implementation of the monitoring controls shall be checked. The monitoring process and tools for these controls shall also be checked to determine whether they are effective.
Security Control Points
It is important to have several security control points in the cloud service provider’s system. These points include the access, management, manipulation, storage, and relay of information in the cloud service. These points should be verified, since they are gateways that unauthorized parties could use to access and manipulate the data. To determine whether these points are secured, an analysis should be done on all of them, using real data and real users.