June 24, 2022 Auditing Cloud Services Brian Daniels, CISA, GCFA David Crotts, CISA


DESCRIPTION

Auditing Cloud Services. Brian Daniels, CISA, GCFA David Crotts, CISA. Overview. Introduction to cloud services in a decentralized environment Audit perspective of cloud service risks Conducting the audit Outcomes Questions or comments. Why Utilize Cloud Services? - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Auditing Cloud Services

April 22, 2023

Auditing Cloud Services
Brian Daniels, CISA, GCFA
David Crotts, CISA

Page 2

Overview
• Introduction to cloud services in a decentralized environment
• Audit perspective of cloud service risks
• Conducting the audit
• Outcomes
• Questions or comments

Page 3

INTRODUCTION
Why Utilize Cloud Services?
Who Uses Cloud Services?
How Can You Identify Cloud Service Implementations?
What is Virginia Tech’s Cloud Service Environment Like?

Page 4

Why Use Cloud Services
• Collaboration
• Need for excess storage
• Lack of resources to manage internally
• Cost effective

Page 5

Who Uses Cloud Services
• Researchers
• IT Professionals
• Administrators
• Students
• Alumni
• EVERYONE!

Page 6

How to Identify Cloud Services
• Request info from Central IT
• Request info from Departments
• Query technology related expenditures
  • Account Codes
  • MCC
• Unlikely to identify all

Page 7

Control Environment at VT
• Departmental purchasing authority.
• Difficult to identify all purchases.
• Purchase records only show vendor, not product detail.
• What about free services?
• Mobile device apps?

Page 8

Control Environment at VT
• Guidelines suggest reviews by:
  • Central IT (Security, Network)
  • Data Stewards
  • Legal Counsel
• Is it realistic?

Page 9

CLOUD SERVICES RISKS
Risk Environment
Risk Assessment
Contract Risks

Page 10

Risk Environment
• Risks of outsourcing are similar to risks of operating internally.
• Additional risks exist when the system is outside of your control.
• Low cost/free services vs. high cost?
• How do you monitor these risks?

Page 11

Risk Assessment
• A need has been identified.
• What could go wrong utilizing a cloud service provider?
• What is the worst possible outcome?
• What is a more likely outcome?
• What am I exposing myself to?

Page 12

Risk Assessment
• What data elements will be utilized?
• Are there any regulatory requirements?
  • FERPA
  • HIPAA
  • ITAR
  • PCI
  • PII

Page 13

Risk Assessment
• What risks are significant enough to warrant special consideration in contract negotiations?

Page 14

Contract Risks
• Who has signature authority?
• Click through agreements?
• Does the defined service adequately represent the identified need?
• How complete is the audit clause?
  • Client access to audit vendor performance.
  • Client access to review third party audits.

Page 15

Contract Risks
• Does the agreement require acknowledgement of regulatory compliance?
• Who owns the data once it’s in the cloud?

Page 16

Contract Risks
• What invokes the termination clause and what does it address?
  • Access to data upon termination.
  • Secure removal of data.
  • Termination fees or waiver of fees.
  • Responsibilities of each party upon termination.

Page 17

Contract Risks
• Service Level Agreements
  • Are they complete?
  • Are they reasonable?
  • What is the measurement period?
  • What is the penalty for non-compliance?

Page 18

Contract Risks
• Are the specific obligations explicitly stated in the contract?
• If not, where are they located?
  • Policies, procedures, or privacy statements are typically subject to change without notice.
  • Click through agreements may also change without notice.

Page 19

Contract Risks
• Do the elements of the contract apply to any subcontracted vendors?
• Negotiation of appropriate contract terms is an effective means of reducing risk exposure.
• It is often not possible to get all desired terms and conditions in the contract.

Page 20

CONDUCTING THE AUDIT
Sampling
Document Requests
Audit Testing

Page 21

Sampling
• What factors exist in the population?
  • Users
  • Type of service
  • Functional Use
  • Cost

Page 22

Sampling
• Select a cross section
  • Single user to organization wide
  • Application or storage
  • Administrative, teaching, research
  • High cost, low cost
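The expenditure query from Page 6 (screening purchase-card records by MCC, the Merchant Category Code) and the cross-section sampling of Pages 21 and 22, worked through as an added example that is not part of the presentation. The MCC values, the $2,000 questionnaire threshold taken from Page 25, and the transaction records are assumptions or constructed data, not Virginia Tech's.

```python
from collections import defaultdict

# Merchant Category Codes for software and hosted IT services. Assumption: the
# codes an auditor would query; confirm them against the card issuer's MCC list.
CLOUD_MCC = {"5734": "computer software", "7372": "data processing/hosting",
             "4816": "computer network/information services"}
# Page 25: the central risk questionnaire was only required above this amount.
QUESTIONNAIRE_THRESHOLD = 2000.00

# Constructed Pcard export. As Page 7 notes, records show the vendor, not the product.
TRANSACTIONS = [
    {"dept": "Research", "vendor": "CloudStore Inc", "mcc": "7372", "amount": 1800.00},
    {"dept": "Teaching", "vendor": "CloudStore Inc", "mcc": "7372", "amount": 950.00},
    {"dept": "Admin",    "vendor": "SurveyTool LLC", "mcc": "5734", "amount": 2400.00},
    {"dept": "Admin",    "vendor": "Office Depot",   "mcc": "5943", "amount": 120.00},
    {"dept": "Research", "vendor": "BigData SaaS",   "mcc": "4816", "amount": 6500.00},
    {"dept": "Research", "vendor": "BigData SaaS",   "mcc": "4816", "amount": 3200.00},
]

def candidate_cloud_purchases(transactions):
    """Transactions whose MCC suggests a software or hosted service. Free services
    and app-store purchases produce no charge or a non-IT MCC, so this screen
    under-identifies, which is why the deck says it is unlikely to find all."""
    return [t for t in transactions if t["mcc"] in CLOUD_MCC]

def aggregate_by_vendor(candidates):
    """Roll up by vendor: which departments bought it, total spend, and how many
    individual charges fell below the questionnaire threshold (no risk review)."""
    by_vendor = defaultdict(lambda: {"depts": set(), "total": 0.0, "below_threshold": 0})
    for t in candidates:
        v = by_vendor[t["vendor"]]
        v["depts"].add(t["dept"])
        v["total"] += t["amount"]
        if t["amount"] < QUESTIONNAIRE_THRESHOLD:
            v["below_threshold"] += 1
    return dict(by_vendor)

def cross_section_sample(candidates):
    """Pick one charge per (department, cost tier) stratum, largest first, so the
    sample spans high- and low-cost services across functional areas."""
    sample = {}
    for t in sorted(candidates, key=lambda t: -t["amount"]):
        tier = "high" if t["amount"] >= QUESTIONNAIRE_THRESHOLD else "low"
        sample.setdefault((t["dept"], tier), t)
    return list(sample.values())
```

Run against a real Pcard export, the vendor roll-up shows where the same service was bought piecemeal under the review threshold, and the stratified pick gives a sample that covers both the single-department low-cost and the central high-cost cases.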

Page 23

Documentation Request
• Planning Documentation
  • Risk assessments
  • Steering committee minutes
  • Product reviews
  • Security reviews

Page 24

Documentation Request
• Original and most recently executed contract.
• Most recent SLA performance review
• Most recent third party audit report
  • Preferred report is the SOC 2 Type 2

Page 25

Testing
• Risk assessment
  • Centrally created questionnaire
  • Only required for purchases greater than $2,000
  • Yes/No responses
  • Developed in 2011

Page 26

Testing
• Steering Committee Minutes
  • No steering committee for most department specific purchases
  • Expected for central systems purchases (e.g. email, business intelligence software)

Page 27

Testing
• Security Reviews
  • Performed on 4 of 5 services with a cost greater than $2,000
  • Not performed on smaller dollar purchases
  • IT Security Office provides an opinion on the security architecture of the service
  • Has resulted in corrective action by the vendor.

Page 28

Testing
• Signature Authority
  • Department and Central authorization OK
  • Data steward review was often absent
    • Based on the data utilized by the service
  • Legal Counsel review was often absent

Page 29

Testing
• Terms and Conditions
  • Audit Clauses
    • One audit clause gave the vendor the right to audit Virginia Tech!
  • Termination agreements
    • Beware of data retrieval and removal provisions
  • Definition of adequate and robust SLAs

Page 30

Testing
• Terms and Conditions
  • Subcontractors
    • Use of subcontractors permitted?
    • Enforcement of parent contract to subcontractors?
    • Regulatory compliance requirements?
    • Personnel vetting?

Page 31

Testing
• Contract Monitoring
  • Periodic review of Terms and Conditions
    • Still reflect current operating environment?
    • What changes have occurred?
  • SLA Performance
  • Third party audit reviews
    • Identified one subcontractor who had significant data breaches occur in 2009.

Page 32

OUTCOMES

Page 33

Outcomes
• Risk assessment questionnaire
  • Revised questions to target specific risks and help assess data elements used and need for ongoing monitoring.
  • Expanded scope to include items under $2,000.

Page 34

Outcomes
• Communication and Training
  • Ensure adequate knowledge of the risks of outsourcing for department staff.
  • Focus on training business staff and IT professionals.

Page 35

Outcomes
• Assess the impact of restricting use of certain MCC codes on selected Pcard holders.
  • Manage the risk at the point of procurement by limiting the number of people able to purchase such services.

Page 36

Outcomes
• Establishment of preferred standard contract language.
  • Joint effort led by IT Acquisitions in collaboration with Procurement, Legal Counsel, and Central IT.

Page 37

Outcomes
• Processes and procedures designed to help manage and monitor contracts.
  • Led by IT Acquisitions with input from Central IT or other administrative functions.

Page 38

QUESTIONS OR COMMENTS?