Chapter 2

Cloud-Based IT Audit Process

Jeremy Rissi and Sean Sherman

The cloud supports a business model with some significant benefits for the consumer, including cost savings for equipment and for management of Information Technology (IT) resources and business services. Services such as e-mail and office applications, sales/customer management and payroll services, and infrastructure on demand have all been successfully implemented via cloud services by a number of companies and agencies. But outsourcing to the cloud exacerbates security risks that neither buyers nor providers of cloud services have fully understood, and these risks are important to consider, especially when it comes to compliance and regulation.

It is not unusual for decisions to use the cloud to be driven initially by economic desires rather than made as part of an IT and business services roadmap. When cost savings drive business decisions, it is critical that concerns about meeting regulatory requirements not be an afterthought, or worse, not considered until the auditors arrive. Worse yet, changes to IT infrastructure that are not understood by the business can introduce significant risk to the business itself, and so audit, compliance, and risk management should all be considered part of the true cost of cloud computing.

This chapter reviews the audit approach and unique concerns in assuring security and compliance in the cloud environment. We discuss the common failing of security when a business starts ...

Get Auditing Cloud Computing: A Security and Privacy Guide now with the O’Reilly learning platform.