Information Security News mailing list archives

Changes Continue for Cloud Service Provider Controls


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 22 Jun 2011 23:50:18 -0700 (MST)

http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202498009028

By Thomas Shaw
Law Technology News
June 22, 2011

Organizations need assurances about controls used by third-party data custodians, such as cloud service providers (CSPs). Two methods are typically used: 1) certification against a standardized set of controls, such as ISO 27001 certification using ISO 27002 controls, and 2) audit opinions about existing controls, such as Statement of Auditing Services (SAS) 70 reports.

But much has changed in the last year -- or will soon be changing. What has changed already involves the types of audit reports on internal controls of service organizations. Looming changes will address certifications possible for service organizations, including updates to the ISO security standards for cloud computing.

The first major change is that the International Auditing and Assurance Standards Board has promulgated the "International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization." This standard, effective for reporting years ending after June 15, 2011, is focused on service organization controls in relation to financial reporting. Specifically, the auditor is looking to obtain reasonable assurance that the service organization's description of its system of controls is fairly presented and that these controls were "suitably designed" and operated effectively during the period under reporting.

The Type 1 report includes the service organization's description of its system, assertions about the fair presentation of its system description and the suitable design of controls, and the auditor's reasonable assurance about these assertions. The Type 2 report includes everything in the Type 1 report and expands to include the operating effectiveness of the controls over the reporting period, and describes the tests conducted by the auditor and the results of those tests.

[...]

