Upload
mike-c
View
949
Download
3
Embed Size (px)
DESCRIPTION
KPMG's cloud assurance poster - print it on A3 format or bigger and use it as a handy checklist
Citation preview
Business challenges
in the cloud
Security&
Privacy
Governance
Operations
Finance&
Tax
Vendors
Assurance
Third party vendor(s)
Cloud service provider
Network
Customer organisation
Data centre
Cloud services ecosystem• Areanythirdpartyvendorsinvolvedwhich
couldpotentiallyimpactcompliance?• Whatisthethirdpartyvendor’srole?• Whatistherelationshipbetweentheprimary
cloudserviceproviderandthethirdparty?• Whatlevelofassurancedoesthethirdparty
offertheprimarycloudserviceprovider?• Isthislevelofassurancesufficienttoachieve
andmaintaincompliance?• Howistheentirecloudsystemmonitoredin
termsofcompliance?
Data location• Whereisthecustomer’sdatastored,
processedandarchived?• Howisthecustomer’sdataisolatedand
separatedfromothercustomerdata?• Withinwhichjurisdictiondoestheprovider
anditsdatacentrefall?• Whatarethedatadeletion/destruction
policiesafterterminationofthecontract?
Public cloud• Towhatlevel/degreearetheITservicesshared
withothercustomers(facilities,network,hardware,software,supportstaff)?
• Towhatlevel/degreearetheITservicesstandardised;whatistheITservicescustomisationpotential?
• Howdoestheprovidersupportforensicanalysisbyindependentresearchers?
Certifications• Whatassuranceandqualitystatementscan
theprovideroffer?• Whichframeworksareused?• Whichaudittoolsandmethodsareused?• Areallriskareascoveredbythecontrols?• Whatisthevalidity/acceptanceofthe
frameworksused?• Whataretheintervalsfor(re)certification?• Arethecurrentcertificationsup-to-date?• Whataretheprovider’scurrentdeficienciesand
issuesandwhatisthestatusofthefollow-ups?
Regulatory compliance
•Dataprivacydirective•Basel•Solvency•SOx•PCIDSS
Trends and changes• Whatcurrentinitiativesareunderwayand
whatchangescanbeexpected?• Whatarethepoliticalfieldsofinfluence?• Howdootherorganisationscopewithrules
andregulations?
Licence to operate• Which(local,international)laws,rulesand
directivesapplytothecustomerorganisation?• WhichITservicesareinscopeofregulatory
compliance?• Whatisthecurrentlevelofcompliance?
Data protection and business continuity• Whatisthecriticalityofthebusinessdata?• Whataretheorganisation’sprinciples,
requirementsandexpectedlevelsregardingITservices?
• Whataretheminimummeasuresandcontrolswhichmustbeinplace?
External private cloud• Towhatlevel/degreearetheITservices
dedicatedtocustomer(facilities,network,hardware,software,supportstaff)?
• TowhatextentcantheITenvironmentbeauditedbythecustomer(‘righttoaudit’)?
Network resilience• Whatdegreeofassurancedoesthenetwork
offerintermsofavailabilityandperformance?• Whatsecuritymechanismsareappliedto
thenetwork(s)?• Whatistherelationshipbetweenthecloud
serviceprovider(s)andthenetworkprovider(s)?
Security and performance
•Securitystandards•Businesscontinuity•Serviceavailability•SLAs
Key contacts
JaapvanBeek|PartnerT:+31653256697E:[email protected]
JohnHermans|PartnerT:+31651366389E:[email protected]
Areas of importance and key questions
Orchestrating the Cloud: Assurance