Seminar on emerging technology, focusing on cloud technology.

1. Emerging Technology Challenges and Solutions
for Internal Audit and Compliance
A Focus on Cloud Computing and Mobile Platforms
Grant Thornton Breakfast Seminar Series
The Union League – Philadelphia, PA
November 2011
Presented by:
Danny Miller, CGEIT, CISA, ITIL, CRISC, QSA
Principal, Business Advisory Services
National Solutions Lead - Cyber Security & Privacy
© Grant Thornton. All rights reserved.

2. Topics
• Emerging Technology
– Cloud computing
– Mobile computing
– Cybersecurity trends
• Potential IA Complexities
• Risks and Mitigating Risk (strategies)
• What’s Next?
© Grant Thornton. All rights reserved.

3. Emerging Technology Trends
Spending on public IT cloud services will grow at more than five times the rate
of the IT industry in 2011-2012
Enterprise IT planners begin to include cloud-computing expertise in some of
their job searches to be prepared for the projects of the short-term and mid-term
future
Hosted private clouds will outnumber internal clouds 3:1… But service providers
have been incrementally ready.
Cloud management and monitoring will fuel enterprise cloud adoption
32% of CIOs expect virtualization to be their top investment in 2011
© Grant Thornton. All rights reserved.

4. Cloud computing overview
Grant Thornton's CAE Survey
• More than 300 CAEs surveyed responded that
– 77% are at least somewhat familiar with cloud computing
– 69% use cloud computing; many expect cloud computing use
to increase (45%) or stay the same (55%) in the next 12
months
• When asked to describe their view as to the security, governance,
risk and controls implications in moving to a cloud environment,
43% responded "I haven’t really given it much thought."
• 64% of respondents do not include cloud computing in their audit
plan
© Grant Thornton. All rights reserved.

5. Cloud computing overview
Global Public Cloud Market Size
© Grant Thornton. All rights reserved.

6. Emerging Technology
• Cloud computing
– Saas, PaaS, IaaS, DaaS
• Mobile computing
– Mobile platforms that are blurring the line between a hand-held and
complex computing
• Risks and Strategies for Cloud Computing
• Cybersecurity
– Trends
© Grant Thornton. All rights reserved.

7. Emerging Technology Platforms (con't.)
Types of Clouds Models of Cloud:
• Public • Software as a Service (SaaS)
- Shared computer resources provided - Software applications delivered over
by an off-site third-party provider the Internet
• Private • Platform as a Service (PaaS)
- Dedicated computer resources - Full or partial operating
provided by an off-site third-party or system/development environment
use of Cloud technologies on a private delivered over the Internet
internal network • Infrastructure as a Service (IaaS)
• Hybrid - Computer infrastructure delivered over
- Consisting of multiple public and the Internet
private Clouds • Desktop as a Service (DaaS)
- Virtualization of desktop systems
serving thin clients, delivered over the
Internet or a private Cloud
© Grant Thornton. All rights reserved.

8. Emerging Technology Platforms (con't.)
Public Cloud Private Cloud
© Grant Thornton. All rights reserved.

9. Emerging Technology Platforms (con't.)
• Mobile computing is:
– Wireless
– Utilizes tablet platforms and smartphones
– Internet-based
– Communication via 3G/4G and WiFi
– Scaled applications
© Grant Thornton. All rights reserved.

10. Potential New IA Complexity
Cloud computing
– Availability & performance
– Business continuity
– Cybersecurity
– Data encryption
– Privacy (especially in Healthcare & Life Sciences)
© Grant Thornton. All rights reserved.

11. Potential New IA Complexity (con't.)
Cloud computing (con't.)
– Compliance
• FISMA
• HIPAA
• SOX
• PCI DSS (card payments)
• EU Data Protection Directive, et al.
© Grant Thornton. All rights reserved.

12. Potential New IA Complexity (con't.)
Mobile computing
– Security (physical and virtual)
– Data ownership
– Service interruption and recovery
– Data archiving
– Availability
© Grant Thornton. All rights reserved.

13. Potential New IA Complexity (con't.)
Mobile computing
– WiFi/3G/4G security
– Surveillance and access control
– Availability
– Data ownership and recovery
– Auditability
– Bluetooth “hijacking”
– AIDC
© Grant Thornton. All rights reserved.

14. Risks and audit strategies for the Cloud
Six risk areas
• Security
• Multi-tenancy
• Data location
• Reliability
• Sustainability
• Scalability
© Grant Thornton. All rights reserved.

15. Risks and audit strategies
1. Security - risks
• The cloud provider’s security policies are not
as strong as the organization's data security
requirements (mis-alignment)
• Cloud systems (servers, other devices) which
store organization data are not updated or
patched when necessary (vulnerability)
• Security vulnerability assessments or
penetration tests are not performed on a
regular basis to ensure logical and physical
security controls are in place
• The physical location of company data is not
properly secured
© Grant Thornton. All rights reserved.

16. Risks and audit strategies
1. Security – audit strategy
• Determine if the cloud provider meets or
exceeds the Organization's security
requirements
• Determine if the cloud provider’s security
posture is based on a security standard (i.e.,
ISO27001, Cloud Security Alliance, PCI DSS,
etc.)
• Determine if the cloud provider has a security
assessment performed
• For your organization, have a baseline
security assessment done.
• Determine if the cloud provider’s Service
Organization Report (i.e., SSAE 16, SOC
Reports) addresses specific security controls
© Grant Thornton. All rights reserved.

17. Risks and audit strategies
2. Multi-tenancy – risks
• Organization data is not appropriately
segregated on shared hardware resulting in
Company data being inappropriately accessed
by third parties
• The cloud service provider has not deployed
appropriate levels of encryption to ensure data
is appropriately segregated both in rest and
transit
• The cloud service provider cannot determine
the specific location of the organization's data
on its systems
• Organization data resides on shared server
space which might conflict with regulatory
compliance requirements for the organization
© Grant Thornton. All rights reserved.

18. Risks and audit strategies
2. Multi-tenancy – audit strategy
• Inquire of the cloud service provider’s method
used to secure the Company’s data from being
accessed by other customers/third parties
• Review the cloud service provider’s SLA to
determine if the SLA addresses security of the
organization's data
• Review independent audit report(s) related to
the Cloud provider’s security posture (i.e.,
security settings, data encryption methods, etc.)
and/or exercise the organization's "right-to-audit"
clause
• Gain access to cloud system(s) and perform
limited auditing procedures from the
Company’s location
© Grant Thornton. All rights reserved.

19. Risks and audit strategies
3. Data location – risks
• Organization is not aware of all of the cloud
service provider’s physical location(s)
• Organization does not know where their data is
physically or virtually stored – implies potential
issue with sensitive data being stored outside the
country, violating certain laws and regulations
• The Cloud service provider moves organization
data to another location without informing the
Organization or gaining its consent
• Organization data is stored in international
locations and falls under foreign business or
national laws/regulations (Data Protection Directive –
EU 95/46/EC, Mass Data Privacy Law 201 CMR 17,
state Breach Laws and there is some additional U.S.
national proposed legislation coming soon)
© Grant Thornton. All rights reserved.

20. Risks and audit strategies
3. Data location – audit strategy
• Inquire of the cloud provider the specific
physical and virtual location of the
organization's data
• Work with the organization's legal group to
fully understand the impact and potential risks
of the organization's data residing in a foreign
country
• Ensure regulatory compliance is maintained
if data resides in multiple locations
© Grant Thornton. All rights reserved.

21. Risks and audit strategies
4. Reliability – risks
• The cloud service provider has quality of
service standards which conflict with business
requirements (do you have an SLA/OLA?)
• During peak system activity times, the cloud
service provider experiences system
performance issues that result in the
following:
- Organization employees cannot access
the organization's data when needed
- Customers are unable to use the
organization's systems (such as placing an
order on the organization's web site)
because of performance problems with the
cloud provider
© Grant Thornton. All rights reserved.

22. Risks and audit strategies
4. Reliability – audit strategy
• Inquire of the cloud service provider to determine
the controls in place to ensure the reliability of
the cloud solution
• Obtain an SLA/contract from the cloud service
provider which details the specific reliability
agreement for the organization. Compare this
information to actual performance
• Determine the times that the cloud provider
performs system upgrades and/or patches to
ensure data availability during peak business hours
is not affected
• Review the organization's business continuity
plan and determine if the plan addresses
interruptions with the cloud systems used by the
Company
© Grant Thornton. All rights reserved.

23. Risks and audit strategies
5. Sustainability – risks
• In the event the cloud service provider goes out of
business, the organization might not be able to
retrieve the organization's data. In addition,
another third party might gain access/control of
the organization's data
• The cloud service provider does not have
appropriate system recovery procedures in
place in the event of a disaster
• The organization's business continuity plan
does not address the cloud’s service offering
being unavailable
• Organization data is compromised as a result of
a disaster
© Grant Thornton. All rights reserved.

24. Risks and audit strategies
5. Sustainability – audit strategy
• Inquire of the cloud service provider to
determine if they have adequate controls in
place to recover and protect the organization's
data even in the event of a disaster
• Review the organization's business continuity
plan and determine if the plan addresses
interruptions with the cloud solution
• Inquire of the cloud service provider to
determine how the organization would gain
access to its data in the event the cloud service
provider goes out of business
© Grant Thornton. All rights reserved.

25. Risks and audit strategies
6. Scalability – risks
• The cloud service provider’s systems
cannot scale to meet the
organization's anticipated growth,
both for a short-term spike and/or to
meet a long-term strategy
• If the organization decides to migrate
all or part of the organization's system
and/or data back in-house (or to
another provider), the cloud service
provider cannot (or will not) provide
the data
© Grant Thornton. All rights reserved.

26. Risks and audit strategies
6. Scalability – audit strategy
• Determine if the cloud provider’s system can scale
to meet the organization's expected short-term
spikes and/or growth over the next five years
• Determine if the organization has a contingency
plan in the event the cloud provider’s systems
cannot scale to meet the organization's needs
• Determine who is the “owner” of the
organization's data
• Determine if the cloud provider would allow the
organization to move data back in house and/or
to another provider. Determine the specific
procedures and associated costs needed to
perform this task
© Grant Thornton. All rights reserved.

27. Cybersecurity Trends (What’s Next?)
• Distributed computing (the Cloud)
• Cybersecurity & Privacy focus
• Virtualization
• Advanced IA tools
– Analytics
– Provenance engines
– Enhanced hardware firewalls
– Advanced encryption technology
– New data segregation and security standards
– Secure digital communications
• Standards such as ITIL, COBIT and PCI are integrating and are now
complimentary
© Grant Thornton. All rights reserved.

28. Questions?
© Grant Thornton. All rights reserved.

29. Emerging Technology Challenges for Internal
Audit and Compliance
Danny Miller, CISA, CGEIT, CRISC, ITIL, QSA
National Solutions Lead – Cybersecurity
Regional Solutions Lead – Business Consulting
Principal, Grant Thornton LLP
Danny.Miller@us.gt.com
http://grantthornton.com/
© Grant Thornton. All rights reserved.