List: isn
Subject: [ISN] Changes Continue for Cloud Service Provider Controls
From: InfoSec News <alerts () infosecnews ! org>
Date: 2011-06-23 6:50:18
Message-ID: alpine.DEB.2.02.1106222349540.3580 () infosecnews ! org
http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202498009028
By Thomas Shaw
Law Technology News
June 22, 2011
Organizations need assurances about controls used by third-party data
custodians, such as cloud service providers (CSPs). Two methods are
typically used: 1) certification against a standardized set of controls,
such as ISO 27001 certification using ISO 27002 controls, and 2) audit
opinions about existing controls, such as Statement of Auditing Services
(SAS) 70 reports.
But much has changed in the last year -- or will soon be changing. What
has changed already involves the types of audit reports on internal
controls of service organizations. Looming changes will address
certifications possible for service organizations, including updates to
the ISO security standards for cloud computing.
The first major change is that the International Auditing and Assurance
Standards Board has promulgated the "International Standard on Assurance
Engagements (ISAE) 3402, Assurance Reports on Controls at a Service
Organization." This standard, effective for reporting years ending after
June 15, 2011, is focused on service organization controls in relation
to financial reporting. Specifically, the auditor is looking to obtain
reasonable assurance that the service organization's description of its
system of controls is fairly presented and that these controls were
"suitably designed" and operated effectively during the period under
reporting.
The Type 1 report includes the service organization's description of its
system, assertions about the fair presentation of its system description
and the suitable design of controls, and the auditor's reasonable
assurance about these assertions. The Type 2 report includes everything
in the Type 1 report and expands to include the operating effectiveness
of the controls over the reporting period, and describes the tests
conducted by the auditor and the results of those tests.
[...]