Date: 4-6-2020
Audit Considerations

Introduction to the Cloud
1. Audit the environment that the CSC builds on top of the cloud.
2. Audit the cloud service provider infrastructure.

Cloud Services & Scoping
1. Perform a walk-through of the services with the CISO, head of cloud, or security audit team to understand the documented process for whitelisting and approving cloud services.
2. Obtain a list of services and validate whether approval was in line with the formal process.
3. Review the service map and inventory. Ensure all the services that are listed in the inventory are also in the service map.
4. Ensure all services you would expect to see for CSC workloads are being used.
5. Ensure the services the CSC is consuming are included in the CSP's third-party attestation. Only services that are actually being used by the CSC should be in scope for the CSC audit.
6. Ensure the CSC is using services that are compliant with the framework that is being assessed against.
7. Obtain the inventory of the CSC's cloud systems, along with the network diagrams.
8. Verify the CSC's cloud network is documented and all cloud critical systems are included in the inventory documentation (for their portion of the shared responsibility model).
9. Review all connectivity between the network and the cloud platform by reviewing the following: (a) VPN connections with on-premises networks. (b) Public IPs mapped to the CSC's gateways in any private cloud owned by the CSC.

Governance, Risk, & Personnel
1. Understand the CSC's cloud governance strategy (governance tools, structure, monitoring, and reporting).
2. For personnel, ensure the CSC trains their employees on cloud security best practices, verifying security awareness training records. Review the organizational structure to identify cloud-appropriate roles (e.g., Chief Digital Officer (CDO)). Identify who owns and manages the CSP relationship, ensuring that it is an appropriate person. Do the employees who make decisions about the cloud services have the education and skills to do so?
3. Ask for a copy of the third-party attestation and certifications in order to gain reasonable assurance of the design and operating effectiveness of control objectives and controls.
4. Ask for risk assessment documentation and examine whether it reflects the current environment and accurately describes the residual risk.
5. Assess and map the third-party attestation to relevant risks to the CSC. The mapping will drive what needs to be audited at the CSP level versus the CSC. Look for the complementary user entity controls (CUEC). Ask the CSC to prove their response to each of the risks that the CSP states reside with the CSC.
6. Identify key controls using the technology the CSP provides in their services.
   (a) Understand who the admins and auditors are. Who or what are the admins? Who has access to code? Are they the same people? In the cloud, admins can be services, system calls, roles, etc.
   (b) Confirm the CSC has assigned an employee (or employees) as authority for the use and security of cloud services and that there are defined roles for those noted as key roles, including a Chief Information Security Officer (CISO).
   (c) Sample question: Ask about any published cybersecurity risk management process standards the CSC has used to model information security architecture and processes.
7. Look at the CSC's internal controls for financial reporting. Does the contract include either a relevant attestation report and/or a right-to-audit clause?
8. Combine both the CSP attestation and your audit of the CSC's environment to perform a full gap analysis.
   (a) Review the controls to ensure each control is covered either by the CSP, your audit, or both.
   (b) Assess the control matrix holistically to ensure each control is covered.

Access Management
1. Ensure there are internal policies and procedures for managing access to CSP services and compute instances.
2. Ensure users are restricted to those CSP services strictly required for their business function.
3. Review the type of access control in place as it relates to CSP services.
   (a) CSP access control at the CSP level: using access management with tagging to control management of compute instances (start/stop/terminate) within networks.
   (b) CSC access control: using an access management (LDAP) solution to manage access to resources which exist in networks at the operating system / application layers.
   (c) Ensure segregation of duties is documented and followed.
   (d) Network access control: using CSP virtual firewalls, network access control lists (NACLs), routing tables, VPN connections, and private cloud peering to control network access to resources within the CSC-owned private cloud.
   (e) Access to edit/view/delete data: although this is not administering security, sensitive information still needs privileged access.
   (f) Ensure the CSP region that hosts resources for CSC data has region-specific certifications.
4. How does the CSC federate identity to the cloud? Is Active Directory the single source of truth? Do they have multi-factor authentication on the root account? Who has the ability to create/delete accounts?
5. Review the access management system (which may be used to allow authenticated access to the applications hosted on top of cloud services) and validate whether it is federated with the cloud systems, and whether there is an approval process, a logging process, and controls to prevent unauthorized remote access.

Data Security
1. Understand what data the CSC has in the cloud and where the data resides, and validate the methods used to protect the data at rest and in transit (also referred to as "data in flight" or "in motion").
   (a) Ask if the CSC has asked their CSP for evidence that their data doesn't go where it's not supposed to. Is it part of the contractual obligation?
   (b) Determine what's in scope regarding regions and legislation. What CSP regions are being used? What regional/global legislation should be considered?
2. Understand whether the CSC is leveraging the existing mechanisms for encryption or building on top of the CSP's.
3. Ensure there are appropriate encryption controls in place to protect confidential (or highly sensitive) information in transit and at rest while using CSP services.
   (a) How is data shared in the cloud? Is a cloud access security broker used?
4. Assess whether the CSP services are compliant with the framework being assessed. If they are not, is it documented in the CSC's risk management documentation? Does the CSC have additional controls in place covering the service, thereby mitigating the risk?
5. Review methods for connection to the CSP console.
6. Review the management API, storage, and databases for enforcement of encryption.
7. Review internal policies and procedures for key management, including CSP services and compute instances.
8. Review the controls the CSC has in place to manage shadow IT (hardware, software, and applications being used without the organization's knowledge).
9. Review the procedure for conducting a specialized wipe prior to deleting a volume for compliance with established requirements. This is to ensure the deletion of CSC data.

Network
1. Understand the CSP security requirements and what the CSP requires of each of their customers. Are the configurations managed by the CSC appropriate for their service usage?
2. Understand how a packet traverses from node to node along the CSP backbone and within the CSC environment.
3. Understand the connectivity with the cloud and whether that traffic is encrypted. What can connect? User devices? VPN? Direct network connections? Are the connections appropriate? Are there limiting security rules to scope connectivity down to the minimum required? Who has access to configure and change VPN settings?
4. Review the CSP security group implementation, CSP direct connection, and VPN configuration for proper implementation of network segmentation and of ACL and firewall settings for CSP services.
5. Verify they have a procedure for granting remote, internet, or VPN access to employees for CSP console access as well as remote access to networks and systems.
6. Review the DDoS layered defense solution, including the part that operates directly on the CSP, reviewing the components which are leveraged as part of the DDoS solution. How did the CSC think about DDoS protection? Did they protect the main network traffic routes, or did they cover all possible routes to the virtual network? Can the virtual network resources scale in the event of increased network traffic load?

User Device Management
1. Understand the CSC's cloud network constructs and security boundaries.
2. Ask for workflow diagrams between user devices and the network construct.
3. Review a copy of the mobile device management (MDM) policy. Does the MDM allow employees to bring their own device (BYOD)? If so, what are the policies and requirements? Are there management profiles on user mobile devices? How are user devices managed? How are they handling operating system updates?
4. Is there a cloud access security broker (CASB) in place? If so, (a) Who is managing the policies and threat analytics? (b) Does the CSP offer this as a service, or is it a third party?
5. Understand the hand-off between the CSP and the CSC. What is in the contract agreement? What are the CSP SLAs?

Configuration Management
1. Validate that the operating systems and applications are designed, configured, patched, and hardened in accordance with the CSC's (auditee's) policies, procedures, and standards. All OS and application management practices can be common between on-premises and cloud systems and services.
2. What changes are the responsibility of the CSC versus the CSP? For example, a CSC may be responsible for change requests, UAT, and change deployment, whereas the CSP could be responsible for development and integration testing.
3. For changes that the CSC is responsible for, are there sufficient change management controls in place to ensure that management expectations are met and risks are addressed?
4. Review the documented process for configuration of cloud compute instances: machine images, operating systems, and applications.
5. Understand the release schedules. Do the changes match the release schedules?
6. Review API calls for in-scope services for delete calls to ensure IT assets have been properly disposed of.

Vulnerability Management
1. Determine the relevant risks to the environment. Understand what the CSC's cloud is used for, e.g., storage of financial data.
2. Identify what vulnerability scanning tools the CSC uses for their cloud services, either from their CSP, a third party, or both.
3. Check whether scanning tools are being used, how the tools are being used, and whether the tools and their outputs are reliable.
4. Review the output. (a) Determine whether the output matches the regulatory requirements. (b) Understand what the CSC is doing with the output. (c) Understand whether the output is reviewed by management. (d) Understand whether the output is addressing the relevant risk(s).
5. Review lessons learned and ensure the CSC has addressed any findings in a timely manner.
6. Understand the CSC's approach to patching. Understand whether the CSC is automatically accepting CSP-forced patches or manually accepting them.
7. Ask how the CSC is hardening their images and keeping them up to date, as the CSP is not responsible for it.
8. Ask for documentation on how the CSC prioritizes and ranks vulnerabilities and SLAs. (a) Has the environment moved? It could be in scope now when it wasn't before. (b) Understand what protections (tools, technology, SLAs) the CSC has in place and how they are testing those, since those are different now that the CSC is in the cloud. (c) Understand how the CSC categorizes these protections.
9. Ask how the CSC manages penetration testing, as it requires working with the CSP. Understand whether they are doing it or not doing it because of the extra notification and coordination overhead.
10. Confirm penetration testing has been completed.
11. Verify cloud services are included within an internal patch management process.
12. Assess the implementation and management of antimalware for compute instances in a similar manner as with physical systems.

Logging & Monitoring
1. Understand the hand-off of ownership and responsibility in terms of what the CSP is responsible for versus the CSC.
2. Understand all the risks so that the CSC can look for the logs that can alert to these risks.
3. Understand the monitoring and logging tools the CSC is using that are provided by their CSP.
4. Ensure the CSC can access the logs as needed.
   (a) Understand how the logs are being provided and where they are stored.
   (b) Ensure the logs are consumable.
   (c) Understand who has access to the logs and what level of access and permissions are configured.
   (d) Ensure the logs are protected and can be accessed only by approved and authorized personnel.
   (e) Review the IAM credential report for unauthorized users and resource tagging for unauthorized devices.
   (f) Understand whether there are additional tools being used to supplement the CSP's out-of-the-box logs.
   (g) Confirm aggregation and correlation of event data from multiple sources.
5. Understand how the CSC is using the CSP-provided logs.
   (a) Understand the ways the CSC is analyzing these logs that differ from the on-premises environment (if present).
   (b) Understand the input logs and ensure they are being consumed into the security incident manager.
   (c) Verify that logging mechanisms are configured to send logs to a centralized server, and ensure that for compute instances the proper type and format of logs are retained in a similar manner as with physical systems.
6. Ensure the CSC's employees have the right skills and knowledge to configure the logs correctly, and to analyze and act on them.
7. Identify applicable compliance requirements and review the third-party attestation report to ensure those requirements are covered.
   (a) Understand the types of instances the CSC cares about that show up.
   (b) To ensure completeness and accuracy, test the relevant transaction types by recreating instances to prove that the instances will actually show in the logs.
8. Ensure the logs comply with policy.
   (a) Review logging and monitoring policies and procedures for adequacy, retention, defined thresholds, and secure maintenance, specifically for detecting unauthorized activity for cloud services.
   (b) Validate that audit logging is being performed on the guest OS and critical applications installed on compute instances, and that the implementation is in alignment with CSC policies and procedures, especially as it relates to the storage, protection, and analysis of the logs.
   (c) Ensure analytics of events are utilized to improve defensive measures and policies.
9. Ensure the logs inform incident response. Review host-based intrusion detection systems on the compute instances in a similar manner as with physical systems. Review evidence of where information on intrusion detection processes can be reviewed.

Incident Response
1. Verify an Incident Response Plan exists.
   (a) Understand the relevant risks that exist and whether these risks are considered as part of the plan.
   (b) Ensure the plan has clear identification of the CSC versus CSP responsibilities. Understand whether RACI documentation is available within the plan.
   (c) Ensure the plan outlines a communication path between the auditee and the CSP.
   (d) Verify that the Incident Response Plan undergoes a periodic review and that changes related to the CSP are made as needed.
   (e) Note whether the Incident Response Plan has notification procedures and how the CSC addresses responsibility for losses associated with attacks or impacting intrusions. Ensure the CSC's RTO and RPO are reflected in the incident response plan.
2. Ensure the CSC is leveraging existing incident monitoring tools, as well as CSP-available tools, to monitor the use of CSP services.
3. Understand the CSC's definition of an incident that impacts the risk of what's in the cloud. Ask for the definition of the communication escalation path. It can be the same as on-premises, but understanding the hand-offs is important because the technology can be different in the cloud. Evaluate the process for incident closure/resolution.
4. Understand what is in the CSP SLA, including the following: (a) Understand when a CSP is required to contact an auditee and when an auditee is required to contact their CSP. (b) Understand how incidents are identified. Ensure the right level of precision/prioritization is being applied to communicate the right incidents. (c) Understand the responsibility to mitigate a breach, the level of detail provided, and the mechanisms in place that can be leveraged to monitor and evaluate a breach.
5. Understand whether the CSP has reported any incidents to them.
6. Understand the mechanism by which the CSC is confident in the accuracy and completeness of the reporting coming from the CSP. Example questions: (a) How are you comfortable that you are being informed of all those incidents? (b) How confident are you? (c) Best-practice answer: those outputs are covered in the third-party attestation report, and listed by name.
7. Identify active points of contact at both the CSP and the CSC.

Business Continuity & Contingency Planning
1. Understand the impact of their cloud services on revenue. Understand how each service impacts business operations and what the impact would be if it were to cease unexpectedly.
2. Understand the importance of the cloud to their business continuity and ensure the CSC reconfirms this assessment periodically and as service consumption changes.
3. Understand the disaster recovery approach and determine the fault-tolerant architecture employed for those critical assets.
4. Ask for the BCP, including the CSP services utilized, and ensure it addresses mitigation of the effects of, and recovery from, a cybersecurity incident.
5. Understand how the CSC is using the cloud for recoverability, the classification of recoverability times, and testing of recoverability by failing back to the cloud.
6. Look at contingency planning policies, procedures, alternate storage and processing, backup, recovery, and reconstitution. Distinguish between data loss and continued operations. Different risks are determined for different sets. Specifically, for SaaS, which tends to be more volatile, understand how the CSC has prepared for a scenario where the SaaS provider shuts down.
7. Ensure the Business Continuity Plan has been tested.
8. Review the CSC's periodic test of their backup system for CSP services. The cloud gives you the ability to take snapshots more easily; ask how long the CSC is storing them. Are they encrypted?
9. Review the inventory of data backed up to CSP services as offsite backup.
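As an added worked example (not part of the original checklist), the following Python script performs the credential-report review behind Access Management item 4 (MFA on the root account, who holds accounts) and Logging & Monitoring item 4(e) (unauthorized users). The page names no particular CSP; the column names mirror a subset of the AWS IAM credential report, and the sample rows, the approved-user roster, the audit date and the 90-day key thresholds are all assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. The column names mirror a subset of the AWS IAM
# credential report (an assumption: the checklist does not name a CSP).
# "<root_account>" is how that report labels the root user.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2020-03-01T09:00:00+00:00,2020-04-01T09:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,false,false,true,2019-01-10T09:00:00+00:00,2019-06-15T09:00:00+00:00
mallory,arn:aws:iam::123456789012:user/mallory,true,true,false,N/A,N/A
"""

# Constructed roster of users the CSC has formally approved; anyone else is unauthorized.
APPROVED_USERS = {"alice", "bob", "svc-backup"}

AS_OF = datetime(2020, 4, 6, tzinfo=timezone.utc)  # the audit date on the page header
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy
MAX_KEY_IDLE = timedelta(days=90)  # assumed idle-key policy


def parse_timestamp(value):
    """Report timestamps are ISO 8601; the placeholders below mean 'no date'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, approved_users, as_of=AS_OF):
    """Return (user, finding) tuples for the conditions the checklist asks about."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        # Access Management item 4: MFA on the root account.
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account has no MFA"))

        # Logging & Monitoring item 4(e): users that were never approved.
        if not is_root and user not in approved_users:
            findings.append((user, "user not in approved roster"))

        # Console password without a second factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))

        # Access-key hygiene: rotation age and idle time.
        if row["access_key_1_active"] == "true":
            rotated = parse_timestamp(row["access_key_1_last_rotated"])
            used = parse_timestamp(row["access_key_1_last_used_date"])
            if rotated is None or as_of - rotated > MAX_KEY_AGE:
                findings.append((user, "access key 1 older than rotation limit"))
            if used is None or as_of - used > MAX_KEY_IDLE:
                findings.append((user, "access key 1 unused beyond idle limit"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credential_report(SAMPLE_REPORT, APPROVED_USERS):
        print(f"{user}: {finding}")
```

On the constructed rows the script reports five findings: the root account without MFA, bob's console password without MFA, mallory as a user outside the approved roster, and svc-backup's stale, idle access key. The roster comparison is what turns the report into evidence for item 4(e): the report alone shows who exists, and only the CSC's approval records say who should.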
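A second added example (again not part of the original checklist) covers the two log-review steps that are most often scripted: Configuration Management item 6 (review API calls on in-scope services for delete calls and reconcile them with asset disposal) and Logging & Monitoring item 7(b) (recreate a transaction and prove it appears in the log). The records are constructed, one JSON object per line, using AWS CloudTrail field names as an assumption; the in-scope service list, the disposal register and the auditor's recreated termination are likewise constructed inputs.

```python
import json
from datetime import datetime, timezone

# Constructed audit-log records, one JSON object per line. The field names
# (eventTime, eventSource, eventName, userIdentity.arn, requestParameters)
# follow AWS CloudTrail as an assumption; the page does not name a CSP.
SAMPLE_LOG = """
{"eventTime": "2020-04-01T10:02:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}}
{"eventTime": "2020-04-01T10:05:40Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}, "requestParameters": {"bucketName": "csc-finance-archive"}}
{"eventTime": "2020-04-02T08:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}, "requestParameters": null}
{"eventTime": "2020-04-03T12:30:00Z", "eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"dBInstanceIdentifier": "payroll-db"}}
{"eventTime": "2020-04-06T09:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/auditor"}, "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0test999"}]}}}
"""

# Constructed scoping inputs: the services in scope for the audit and the CSC's
# asset disposal register (resource IDs the CSC says it has retired).
IN_SCOPE_SERVICES = {"ec2.amazonaws.com", "s3.amazonaws.com", "rds.amazonaws.com"}
DISPOSAL_REGISTER = {"i-0aaa111", "payroll-db", "i-0olddd0"}

# The auditor's recreated transaction: a throwaway instance terminated after
# 09:00 UTC on the audit date, which must then show up in the log.
AUDITOR_ARN = "arn:aws:iam::123456789012:user/auditor"
RECREATED_AT = datetime(2020, 4, 6, 9, 0, tzinfo=timezone.utc)

DELETE_PREFIXES = ("Delete", "Terminate")


def parse_records(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_time(record):
    return datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))


def resource_id(record):
    """Extract the identifier of the resource acted on (per-service request shapes)."""
    params = record.get("requestParameters") or {}
    if "instancesSet" in params:
        return ",".join(i["instanceId"] for i in params["instancesSet"]["items"])
    return params.get("bucketName") or params.get("dBInstanceIdentifier") or ""


def find_delete_calls(records, in_scope_services):
    """Configuration Management item 6: delete/terminate calls on in-scope services."""
    return [r for r in records
            if r["eventSource"] in in_scope_services
            and r["eventName"].startswith(DELETE_PREFIXES)]


def reconcile_disposals(delete_calls, disposal_register):
    """Compare observed deletions with the disposal register.
    Returns (deleted but not in register, in register but never deleted)."""
    deleted = {resource_id(r) for r in delete_calls}
    return sorted(deleted - disposal_register), sorted(disposal_register - deleted)


def confirm_test_event_logged(records, event_name, actor_arn, not_before):
    """Logging & Monitoring item 7(b): prove a recreated transaction reached the log."""
    return any(r["eventName"] == event_name
               and r["userIdentity"]["arn"] == actor_arn
               and event_time(r) >= not_before
               for r in records)


def run_review(log_text=SAMPLE_LOG):
    records = parse_records(log_text)
    deletes = find_delete_calls(records, IN_SCOPE_SERVICES)
    unregistered, undeleted = reconcile_disposals(deletes, DISPOSAL_REGISTER)
    return {
        "delete_calls": [(r["eventName"], r["userIdentity"]["arn"], resource_id(r))
                         for r in deletes],
        "deleted_not_in_register": unregistered,
        "in_register_not_deleted": undeleted,
        "recreated_event_logged": confirm_test_event_logged(
            records, "TerminateInstances", AUDITOR_ARN, RECREATED_AT),
    }


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

The reconciliation runs in both directions on purpose: a deletion with no disposal record (here the finance archive bucket) is a change-management question for the CSC, while a register entry with no matching delete call (i-0olddd0) means an asset the CSC believes is gone may still exist and still be billable and attackable. The auditor's own test instance also shows as "deleted but not in register", which is expected and is the evidence for item 7(b) that the log is complete for that transaction type.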