Cloud Compliance Audit
I have written previously about various types of audits that are necessary to validate your cloud service. In this post, I will cover the cloud service audit that helps you pick the right cloud service provider (CSP). While it is important that customers take the initiative in checking the various guarantees offered by the vendor on their own, it is helpful to have an industry certification that verifies each of the major parameters and that backup the vendor’s claims.
The Unified Certification Standard (UCS) from the industry body, the International Association of Managed Service Providers (MSP Alliance), shows promise in this regard.
The UCS, previously known as the Managed Services Accreditation Program (MSAP), has auditors who visit the facilities of the CSPs that request to be audited, and evaluate the CSP on eleven major control objectives.
1. Provider organization, governance, planning and risk management
This verifies that the vendor company has established an organizational structure that will allow it to effectively manage their services and provide an appropriate level of risk management.
2. Documented policies and procedures
This part verifies that the employees are trained and made aware of compliance procedures and that there is a periodical review of those procedures.
3. Service change management
This part verifies that the vendor is properly documenting the capacity planning and control change operations.
4. Event management
Customer support is essential for cloud computing customers. Thus, the audit verifies that the vendor has an established ticketing system and a help desk, and that it staffs their Network Operations Center (NOC) with trained personnel.
5. Logical security
Physical access to the servers and password management procedures are verified in this audit.
6. Change management
This part of the audit verifies that changes to policies and systems are logged and documented.
7. Data integrity
Security of your organization’s data is very important, and in this audit the vendor’s policies concerning data access and security policies are evaluated.
8. Physical and environmental security
The vendor must have sufficient safeguards in its datacenter to protect itself against vandalism and other kind of attacks. Apart from this, the audit checks that the environment is sufficiently safe from natural forces and has an effective DR/BC (Disaster Recovery/Business Continuity) planning.
9. Service level agreements
The vendor must provide SLAs that are duly signed by the clients.
10. Client reporting, billing and satisfaction
The vendor must provide proper invoicing and billing and send periodic reports to its customers.
11. Financial health
To ensure that you have an uninterrupted access to your services, the vendor’s financial position must be stable and it must have been running a profitable business over the past six months.
All these factors are important for any cloud customer, and it would be great if all CSPs were accredited according to these objectives. Let us know, if your vendor is accredited by UCS and share your experiences.
By Balaji Viswanathan