
List:       isn
Subject:    [ISN] Changes Continue for Cloud Service Provider Controls
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2011-06-23 6:50:18
Message-ID: alpine.DEB.2.02.1106222349540.3580 () infosecnews ! org

http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202498009028

By Thomas Shaw
Law Technology News
June 22, 2011

Organizations need assurances about the controls used by third-party data 
custodians, such as cloud service providers (CSPs). Two methods are 
typically used: 1) certification against a standardized set of controls, 
such as ISO 27001 certification using the ISO 27002 controls, and 2) audit 
opinions about existing controls, such as Statement on Auditing Standards 
(SAS) No. 70 reports.

But much has changed in the last year -- or will soon be changing. What 
has changed already involves the types of audit reports on internal 
controls of service organizations. Looming changes will address 
certifications possible for service organizations, including updates to 
the ISO security standards for cloud computing.

The first major change is that the International Auditing and Assurance 
Standards Board has promulgated the "International Standard on Assurance 
Engagements (ISAE) 3402, Assurance Reports on Controls at a Service 
Organization." This standard, effective for reporting periods ending on 
or after June 15, 2011, is focused on service organization controls that 
are relevant to the user entities' financial reporting. Specifically, the 
auditor seeks reasonable assurance that the service organization's 
description of its system of controls is fairly presented and that these 
controls were "suitably designed" and operated effectively during the 
period under report.

The Type 1 report includes the service organization's description of its 
system, management's assertions about the fair presentation of that 
description and the suitable design of the controls as of a specified 
date, and the auditor's opinion on those assertions. It says nothing 
about whether the controls actually operated. The Type 2 report includes 
everything in the Type 1 report and adds the operating effectiveness of 
the controls over the reporting period, describing the tests conducted 
by the auditor and the results of those tests.

[...]

