05. The Nature and Evaluation of IT General Controls
05.10. Cloud Computing and Mobile Computing
Briefly reflect on the following before we begin:
- What are the unique challenges in auditing cloud service providers?
- How is data security managed differently in cloud computing environments?
- What considerations are essential in assessing BYOD processes?
- How does mobile device and application management impact organizational security?
This section will explore the increasingly relevant and complex domains of cloud and mobile computing in the context of IS auditing. We will begin by introducing cloud computing. This technology has revolutionized how organizations manage and deploy IT resources. We start by defining cloud computing and its various service models, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). This introduction sets the foundation for understanding the complex dynamics of cloud computing environments and their implications for IS auditing. We will also discuss the critical role of identifying underlying risks and evaluating the controls and practices of cloud providers. As organizations increasingly rely on third-party providers for essential IT services, thorough assessments become paramount. We will discuss how auditors evaluate the security, privacy, and compliance aspects of cloud services, including examining provider agreements, data security measures, and compliance with relevant regulations and standards. With cloud computing, data often resides outside the organization’s control, creating unique security challenges. We will delve into how auditors assess the measures implemented to protect data in the cloud, including encryption techniques, access controls, and data breach response protocols.
Next, we will focus on mobile computing, another rapidly evolving area in information systems. Mobile computing poses distinct challenges due to the portable nature of devices and the diversity of platforms and applications. We will begin by discussing the Bring Your Own Device (BYOD) process assessment, which involves evaluating policies and controls for using personal devices for work purposes. We will also address the security implications of BYOD and how organizations manage the associated risks. Lastly, we will explore how auditors assess the management of mobile devices and applications within an organization. This covers areas such as device security, application controls, and the management of mobile-specific threats.
Cloud Computing
Cloud computing audits focus on services, such as software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). Cloud computing, while offering scalability and cost-savings, can introduce risks related to data security, vendor dependence, and compliance with data protection laws.
Access control and user authentication are paramount in securing cloud and mobile computing environments. Access control restricts which systems, applications, and data a user may reach, and is built on defined user roles, permissions, and privileges. Role-based access control (RBAC) is the common approach: users are assigned roles, and access rights are attached to those roles rather than to individuals, so that a change of job function is a change of role assignment rather than a manual edit of many permissions. Audit trails record who accessed what, and when. User authentication verifies the identity of the person or device requesting access. Standard methods include username and password, multi-factor authentication (MFA), biometrics, and single sign-on (SSO). MFA requires two or more independent factors (for example, a password plus a one-time code or a hardware token) and substantially reduces the risk that a stolen or guessed password alone grants access.
Protecting data in transit and at rest is a fundamental security practice for cloud and mobile computing. Data transmitted between devices or over networks must be encrypted to prevent interception by unauthorized parties. Transport Layer Security (TLS) is the protocol used for this; its predecessor, Secure Sockets Layer (SSL), and TLS 1.0 and 1.1 are deprecated and should be disabled, with TLS 1.2 or later enforced. TLS establishes an authenticated channel so that data remains confidential and unmodified in transmission, provided the client actually verifies the server’s certificate; a client that skips verification is encrypting its traffic to whoever answers. Data at rest is data stored on physical or virtual media, such as servers, disks, or cloud storage. Organizations encrypt it with algorithms such as AES so that it is unreadable without the key. The keys must be stored and managed separately from the data (for example, in a key management service or hardware security module), since encryption at rest only protects against a compromised disk or storage bucket if the attacker cannot also obtain the key.
Evaluating Cloud Service Providers (CSPs) is critical for organizations adopting cloud computing. CSP assessment ensures that the chosen provider aligns with the organization’s security, compliance, and operational requirements. One of the primary considerations is assessing the CSP’s adherence to security and compliance standards. Auditors review the CSP’s certifications and attestation reports, such as ISO/IEC 27001 certification or a SOC 2 Type II report, and its compliance with regulations that apply to the organization’s data, such as HIPAA. They also scrutinize the CSP’s security policies and procedures to ensure they meet the organization’s requirements. Because cloud security follows a shared responsibility model, auditors also confirm that the organization understands which controls the provider operates and which remain the customer’s duty (for example, identity management, data classification, and the configuration of the services it consumes); a SOC 2 report covers only the provider’s side and typically lists complementary user entity controls the customer must implement itself. Data governance is another crucial aspect of CSP assessment. Auditors examine how the CSP manages and protects data, including its encryption practices, access controls, and data recovery procedures. Data residency and jurisdiction are also assessed to ensure compliance with data protection regulations in the geographical regions where data is stored and processed. Service Level Agreements (SLAs) are closely examined during CSP assessment. Auditors review SLAs to understand the CSP’s responsibilities regarding uptime, availability, and incident response, and assess the CSP’s historical performance in meeting SLA commitments to gauge reliability and service quality. Additionally, auditors may scrutinize the CSP’s disaster recovery and business continuity plans: how data is backed up, how often, and the recovery procedures in case of data loss or service disruption. These assessments help organizations make informed decisions when selecting and partnering with CSPs, ensuring a secure and compliant cloud computing environment.
Cloud Security Monitoring involves continuous surveillance and analysis of cloud infrastructure and services to detect and respond to security incidents. Organizations use various tools and services to collect logs, events, and performance metrics from their cloud resources; these provide real-time visibility into the cloud environment and help track user activities, system behaviour, and potential vulnerabilities. Security Information and Event Management (SIEM) systems are central to cloud security monitoring. SIEM solutions aggregate data from various cloud services and resources, correlate events, and generate alerts when suspicious or unauthorized activities are detected; these alerts trigger incident response procedures. Organizations may also employ the cloud-native security and audit-logging tools provided by the cloud service provider, which offer insights into resource-level security, network traffic, and authentication events, and can be configured to alert when predefined security thresholds are breached. An auditor should confirm that this provider-side audit logging is enabled for all accounts and regions and that the logs themselves are protected from modification or deletion, since an attacker who can switch logging off can hide everything else. Continuous monitoring also includes vulnerability scanning and assessment of cloud resources: regular scans identify vulnerabilities and misconfigurations that attackers could exploit, and findings are remediated as part of the organization’s security hygiene.
Cloud Data Backup and Recovery Procedures ensure data availability and business continuity in a cloud computing environment. IS Auditors assess these procedures to confirm that the organization can recover data after data loss or a service disruption. First, auditors evaluate the frequency and methods of data backup in the cloud, including the mix of full and incremental backups and whether data can be restored to a specific point in time. Two objectives drive this assessment: the Recovery Point Objective (RPO) defines how much data, measured in time, the organization can afford to lose in a disaster and therefore sets the maximum interval between backups, while the Recovery Time Objective (RTO) specifies the maximum acceptable downtime and therefore bounds how long a restore may take. Auditors assess whether the cloud backup procedures actually meet these objectives rather than merely stating them. Testing and validation are critical components: auditors review the testing protocols and confirm that restoration is exercised regularly and that restored data is verified, since an untested backup is not evidence that recovery is possible. Documentation also plays a crucial role. Auditors assess the documentation of backup and recovery processes, including backup schedules, test results, and incident response plans; detailed records provide the audit trail and help the organization demonstrate compliance with data protection regulations.
Mobile Computing
Mobile computing audits scrutinize the management of mobile devices, applications, and data used within the organization. Mobile computing raises concerns about data security on personal devices, app vulnerabilities, and protecting sensitive corporate data in a mobile environment.
Mobile Device Management (MDM) is essential for organizations that allow employees to use mobile devices. MDM solutions help manage and secure mobile devices, ensuring compliance with security policies. It begins with device enrollment, where mobile devices are registered with the MDM system. IT administrators can then configure devices according to organization-specific security policies, which include setting up passcodes, enforcing encryption, and configuring remote wipe capabilities if a device is lost or stolen. MDM solutions allow organizations to manage mobile applications. IT administrators can distribute and update apps, apply security policies, and blocklist or allowlist apps based on security considerations. MDM systems continuously monitor mobile devices, detecting and responding to security threats. This involves monitoring for malware, unauthorized access attempts, and device compliance with security policies.
Mobile Application Security Testing is the process of evaluating the security of mobile apps to identify vulnerabilities and ensure data protection. Mobile applications are ubiquitous, which makes them attractive targets, and their attack surface spans the app on the device, the backend APIs it calls, and the channel between them. Penetration Testing is a common practice: IS Auditors, or testers working on their behalf, simulate attacks to uncover weaknesses, assessing the app’s resilience against injection attacks on its backend APIs (such as SQL injection), script injection into embedded WebViews (the mobile form of cross-site scripting, XSS), insecure local data storage, and insecure network communication. The goal is to identify weaknesses before malicious actors exploit them. Auditors also review the source code of mobile applications to identify flaws in architecture and coding practices, assessing encryption methods, data handling procedures, and third-party libraries for compliance with security standards. Static and Dynamic Analysis complement each other: static analysis examines the application’s code or decompiled binary without executing it, while dynamic analysis observes the app at runtime, including how it transmits and stores data, and can expose behaviour such as certificate validation being disabled on a code path that is hard to trace statically. Together, these methods uncover vulnerabilities that would not be apparent through any single technique.
Relevant Risks
Organizations face several primary risks in cloud computing and mobile computing that can significantly impact their operations and strategic objectives. Understanding these risks is vital for effective risk management and for keeping access to the organization’s critical data and information systems restricted to those who need it. Let’s consider some of these risks.
Risk | Description | Example |
---|---|---|
Unauthorized Access to Cloud Resources | Unauthorized individuals gain access to cloud resources or mobile devices due to weak authentication or misconfigured access controls, resulting in data breaches, loss, and potential exposure of sensitive information. | An attacker guesses a weak password and gains unauthorized access to a cloud server, leading to the theft of customer data. |
Data Breaches during Data Transfer | Data is intercepted and compromised during transmission between mobile devices and cloud servers. This could result in confidential data exposure, loss of data integrity, and potential legal and reputational consequences. | Malicious actors on an unsecured public Wi-Fi network intercept unencrypted data sent from a mobile app to a cloud server, resulting in data theft. |
Inadequate Mobile Device Security | Weak security practices on mobile devices, such as missing updates or unsecured configurations, make them susceptible to attacks, malware infections, data breaches, and potential compromise of corporate networks. | A mobile device with outdated security patches falls victim to a malware attack, leading to unauthorized access to corporate data. |
Insufficient Cloud Service Provider Security | The cloud service provider (CSP) fails to implement robust security measures, leaving cloud resources vulnerable to data breaches, service interruptions, and loss of customer trust. | A CSP neglects to patch a critical security vulnerability in its infrastructure, which cybercriminals exploit to access customer data. |
Insecure Mobile Applications | Mobile applications contain vulnerabilities that attackers can exploit, resulting in data breaches, compromised user privacy, and potential regulatory fines. | A mobile banking app has a code vulnerability that allows attackers to access user account information and conduct fraudulent transactions. |
Data Loss in Cloud Backups | Inadequate backup and recovery procedures in the cloud, leading to irretrievable data loss, potential business disruption, and financial losses. | An organization loses critical customer data due to misconfigured cloud backups, causing operational setbacks. |
Inadequate Security Monitoring | Lack of adequate monitoring in cloud and mobile environments, resulting in delayed detection of security incidents, extended periods of unauthorized access, data breaches, and compromised system integrity. | A security breach goes unnoticed for several weeks in a cloud environment, allowing attackers to exfiltrate sensitive data. |
Regulatory Non-Compliance | Failing to comply with industry-specific or regional data protection regulations. This could result in regulatory fines, legal consequences, and damage to the organization’s reputation. | A healthcare organization stores patient data in the cloud without proper encryption, violating Health Insurance Portability and Accountability Act (HIPAA) regulations. |
Mobile Device Theft or Loss | Often used for work, mobile devices are lost or stolen, potentially exposing sensitive corporate data and resulting in data breaches, reputation damage, and potential legal liabilities. | An employee’s smartphone containing sensitive corporate emails and documents is stolen, and the data falls into the wrong hands. |
Relevant IT General Controls Objectives and Activities
In cloud computing and mobile computing, a subset of the IT General Controls (ITGCs) governs who and what may access cloud and mobile resources and how those resources and their data are protected. These controls are vital in aligning existing IS with business objectives, managing risks, and ensuring successful outcomes. Let’s consider the primary ITGC objectives for this category.
Access Control and User Authentication
The primary objective of this control is to ensure that only authorized users and devices can access cloud and mobile resources by implementing robust access control mechanisms and user authentication. The control objective is to enforce strict access control policies, define user roles and permissions, and employ secure user authentication methods such as multi-factor authentication (MFA) to prevent unauthorized access to cloud and mobile resources. This includes restricting access to sensitive data and critical functions.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Implement RBAC to ensure that users are assigned roles with appropriate permissions. This control ensures only authorized personnel can access specific cloud or mobile resources.
- Enforce MFA to add an extra layer of security by requiring users to provide multiple forms of identification, such as a password and a one-time token, for access.
- Establish and enforce password policies that mandate strong password requirements (minimum length and screening against known-breached and commonly used passwords) and lock or throttle accounts after repeated failed login attempts. Current guidance (NIST SP 800-63B) favours breach screening and MFA over forced periodic password changes, which tend to produce predictable passwords; where rotation is still required by policy, the auditor should confirm it is actually enforced.
Data Encryption in Transit and at Rest
This control aims to ensure that sensitive data is encrypted during transmission (in transit) and in storage (at rest) within cloud and mobile environments. The control objective involves enforcing TLS for data in transit and strong encryption algorithms, with separately managed keys, for data at rest. This ensures that data remains confidential and secure, whether transmitted across networks or stored on devices or cloud servers.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Enforce Transport Layer Security (TLS) 1.2 or later for data transmitted between mobile devices and cloud servers, with the obsolete SSL and early TLS versions disabled and server certificates validated by the client.
- Utilize encryption algorithms like AES (Advanced Encryption Standard) to encrypt sensitive data stored on mobile devices or within cloud databases.
- Implement strong key management practices to generate, store, rotate, and control access to encryption keys separately from the data they protect.
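As an added example, not from the original text, the following Python code shows a client-side TLS configuration with the weak setting that most often undermines encryption in transit in mobile and integration code (certificate verification switched off) beside the corrected configuration, plus a small check that reports which of the control points above a given context fails. It uses only the standard `ssl` module; the function names are this example’s own.

```python
import ssl


def legacy_client_context() -> ssl.SSLContext:
    """The weak setting, typical of quick integration code that 'fixes' a
    certificate error by turning verification off. Any attacker on the path
    (for example on public Wi-Fi) can then present their own certificate and
    the client will happily encrypt its traffic to them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: system trust store, certificate and hostname
    verification, TLS 1.2 as the floor (SSL/TLS 1.0/1.1 refused), and TLS
    compression off."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the control failures an auditor would report for this context;
    an empty list means every check passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    too_low = {ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3,
               ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
    if ctx.minimum_version in too_low:
        findings.append(f"minimum protocol too low: {ctx.minimum_version.name}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()),
                       ("hardened", hardened_client_context())):
        print(f"{label}: {audit_context(ctx) or ['OK']}")
```

The same verification-disabled pattern appears in mobile code as a custom trust manager or hostname verifier that accepts everything; an auditor reviewing app source should treat it as the same finding.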
Mobile Device Management (MDM) and Security
This control aims to secure and manage mobile devices within the organization’s mobile ecosystem through Mobile Device Management (MDM) solutions. The control objective entails using MDM solutions to enforce security policies on mobile devices, such as configuring passcodes, ensuring encryption, and enabling remote wipe capabilities. It also involves monitoring and managing mobile applications, tracking device compliance, and protecting against threats.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Ensure mobile devices are registered and enrolled with the MDM system before accessing corporate resources.
- Enable the ability to remotely wipe the data on lost or stolen devices, ensuring data security in case of device compromise.
- Employ MDM controls to allow or block specific mobile applications based on security policies and business requirements.
Cloud Service Provider Assessment
The primary objective of this control is to evaluate and assess cloud service providers to ensure they meet the organization’s security and compliance requirements. The control objective involves scrutinizing CSPs’ adherence to security standards and compliance regulations, data governance practices, and assessing their ability to meet service level agreements (SLAs). It also includes evaluating their disaster recovery and business continuity capabilities.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Regularly audit and assess the CSP’s security practices and compliance with industry standards and regulations.
- Ensure the CSP complies with data residency and jurisdiction requirements, especially when dealing with international data transfers.
- Evaluate the CSP’s Service Level Agreements (SLAs) to verify that they align with the organization’s uptime, availability, and incident response expectations.
Mobile Application Security Testing
This control aims to ensure the security of mobile applications by conducting comprehensive security testing to identify and mitigate vulnerabilities. The control objective encompasses penetration testing, code review, and static/dynamic analysis of mobile applications. It aims to identify and remediate security flaws, ensuring mobile apps resist common attack vectors.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Conduct penetration tests to identify vulnerabilities and weaknesses in mobile applications, simulating real-world attack scenarios.
- Thoroughly review the source code of mobile apps to identify security flaws and coding errors.
- Utilize static and dynamic analysis tools to assess mobile application security, identifying code and runtime behaviour vulnerabilities.
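As an added example (not code from the page), the following Python script performs a minimal static analysis of the kind described above: a set of pattern rules run over a constructed Android source fragment that deliberately contains several of the defects mobile application testing looks for. The rules and the sample source are this example’s own; a real static analyser parses the code rather than matching lines, but the findings it reports are of the same kind.

```python
import re
from collections import Counter

# Constructed Android source fragment for this example. It is not taken from
# any real application and deliberately contains the defects the rules target.
SAMPLE_SOURCE = """\
public class LoginActivity extends Activity {
    private static final String API_KEY = "demo-api-key-0123456789";
    private static final String LOGIN_URL = "http://api.example.com/v1/login";
    void saveToken(String token) throws IOException {
        FileOutputStream out = openFileOutput("token", MODE_WORLD_READABLE);
        out.write(token.getBytes());
        Log.d("Auth", "stored token=" + token);
    }
    void showHelp(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), "android");
        webView.loadUrl("https://help.example.com/");
    }
}
"""

# (rule id, severity, pattern, what the auditor reports)
RULES = [
    ("HARDCODED_SECRET", "high",
     re.compile(r'(?i)\b(api_?key|secret|password|token)\s*=\s*"[^"]{8,}"'),
     "credential embedded in the app; recoverable by anyone who decompiles the package"),
    ("CLEARTEXT_HTTP", "high", re.compile(r'"http://'),
     "cleartext endpoint; traffic can be read or altered on the network"),
    ("WORLD_READABLE", "high", re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)'),
     "file readable by other apps on the device (insecure, deprecated storage mode)"),
    ("SENSITIVE_LOG", "medium", re.compile(r'(?i)Log\.[dviwe]\(.*(token|password|secret)'),
     "secret written to the system log, exposed to debugging tools and, on older Android, other apps"),
    ("JS_ENABLED", "info", re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'),
     "WebView executes JavaScript; review which origins it may load"),
    ("JS_BRIDGE", "high", re.compile(r'addJavascriptInterface\('),
     "native methods exposed to web content; any page the WebView loads can call them"),
]


def scan(source: str) -> list:
    """Run every rule over every line; return findings in line order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), 1):
        for rule_id, severity, pattern, note in RULES:
            if pattern.search(text):
                findings.append({"line": lineno, "rule": rule_id, "severity": severity,
                                 "snippet": text.strip(), "note": note})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity, the figure that goes into the audit report."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f['line']:>2} [{f['severity']}] {f['rule']}: {f['note']}")
    print(summarize(results))
```

Each of these findings maps to a question a dynamic test would then confirm: does the cleartext request actually leave the device, is the token file really world-readable on a test handset, and what can a page loaded in the WebView invoke through the exposed bridge.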
Cloud Data Backup and Recovery Procedures
This control establishes reliable data backup and recovery procedures in cloud environments to safeguard data and ensure business continuity. The control objective involves defining backup frequency, aligning with Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs), regularly testing data restoration procedures, and maintaining comprehensive documentation of backup and recovery processes.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Establish automatic backup schedules to ensure data is consistently backed up at specified intervals.
- Conduct periodic testing of data restoration procedures to verify that backups are reliable and can be restored successfully.
- Maintain detailed documentation of backup and recovery processes to facilitate audit trails and compliance reporting.
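The following Python check is added as an example and is not part of the original text. It reads constructed backup and restore-test records (the record layout is this example’s own, not any provider’s export format) and reports where the evidence fails the RPO, the RTO, or the restore-testing requirement described above.

```python
from datetime import datetime, timedelta

# Constructed records for this example (not any provider's log format):
# completed backups as (ISO timestamp, type); restore tests as
# (ISO timestamp, minutes taken to restore, whether restored data was verified).
BACKUPS = [
    ("2024-03-01T02:00:00", "full"),
    ("2024-03-02T02:00:00", "incremental"),
    ("2024-03-03T02:00:00", "incremental"),
    # no backup on 2024-03-04: the nightly job failed and nobody noticed
    ("2024-03-05T02:00:00", "incremental"),
    ("2024-03-06T02:00:00", "incremental"),
]
RESTORE_TESTS = [
    ("2024-01-15T09:00:00", 95, True),
    ("2024-02-20T09:00:00", 250, True),
]
RPO = timedelta(hours=24)        # objectives assumed for the example
RTO = timedelta(hours=3)
MAX_TEST_AGE = timedelta(days=90)


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def rpo_gaps(backups, rpo):
    """Intervals between consecutive backups longer than the RPO: data written
    in such an interval would be lost if the primary failed before the next backup."""
    times = sorted(_t(ts) for ts, _ in backups)
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > rpo]


def assess(backups, tests, rpo=RPO, rto=RTO, max_test_age=MAX_TEST_AGE, as_of=None):
    """Return (control, message) findings: RPO for backup coverage, RTO for
    restore speed, TEST for restore-test recency and integrity verification."""
    if isinstance(as_of, str):
        as_of = _t(as_of)
    elif as_of is None:
        as_of = datetime.now()
    findings = []
    for a, b, gap in rpo_gaps(backups, rpo):
        findings.append(("RPO", f"gap of {gap.total_seconds() / 3600:.0f} h between "
                                f"{a:%Y-%m-%d %H:%M} and {b:%Y-%m-%d %H:%M} exceeds RPO {rpo}"))
    last_backup = max(_t(ts) for ts, _ in backups)
    if as_of - last_backup > rpo:
        findings.append(("RPO", f"latest backup {last_backup:%Y-%m-%d %H:%M} is older "
                                f"than the RPO as of {as_of:%Y-%m-%d %H:%M}"))
    if not tests:
        findings.append(("TEST", "no restore test on record; backups are unproven"))
        return findings
    for ts, minutes, verified in tests:
        if timedelta(minutes=minutes) > rto:
            findings.append(("RTO", f"restore test on {ts[:10]} took {minutes} min, exceeding RTO {rto}"))
        if not verified:
            findings.append(("TEST", f"restore test on {ts[:10]} did not verify data integrity"))
    last_test = max(_t(ts) for ts, _, _ in tests)
    if as_of - last_test > max_test_age:
        findings.append(("TEST", f"last restore test {last_test:%Y-%m-%d} is older than {max_test_age.days} days"))
    return findings


if __name__ == "__main__":
    for control, message in assess(BACKUPS, RESTORE_TESTS, as_of="2024-03-06T12:00:00"):
        print(f"{control}: {message}")
```

The point of running such a check, rather than reading the backup schedule, is that the schedule states the intent while the job history and the restore-test log are the operating-effectiveness evidence; in the constructed data the schedule says daily, the history shows a 48-hour hole, and the most recent restore took longer than the RTO allows.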
Cloud and Mobile Security Monitoring
The primary purpose of this control is to continuously monitor cloud and mobile environments to detect and respond to security incidents, ensuring proactive security management. The control objective includes implementing Security Information and Event Management (SIEM) systems for cloud environments, employing network traffic analysis for mobile devices, and using cloud-native security tools. It also involves monitoring compliance with security policies and actively identifying potential threats through continuous surveillance.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Implement SIEM systems to collect and analyze security events, generate alerts, and respond to potential threats in real time.
- Use network traffic analysis tools to monitor and detect suspicious activities, unauthorized access, and data exfiltration from mobile devices and cloud resources.
- Continuously monitor cloud and mobile environments for compliance with security policies and regulations, ensuring adherence to established controls and standards.
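As an added example, not part of the original text and not any vendor’s detection content, the following Python script applies the kind of rules a SIEM or a cloud-native alerting tool runs, over a small batch of constructed login and audit-trail events. The field names follow the AWS CloudTrail record format (eventTime, eventName, userIdentity, sourceIPAddress, responseElements); every value (users, addresses, times) is invented. The rules cover the risks discussed above: a burst of failed console logins from one address, a successful login from that address afterwards, any use of the root account, and API calls that stop or alter the audit trail itself.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (CloudTrail-style field names, invented values).
SAMPLE_EVENTS = [json.loads(line) for line in """\
{"eventTime":"2024-03-01T10:00:01Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-03-01T10:00:20Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-03-01T10:00:45Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-03-01T10:01:10Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-03-01T10:01:33Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-03-01T10:02:05Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-01T10:05:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"192.0.2.10","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-01T10:30:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-01T10:31:12Z","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"203.0.113.9","requestParameters":{"name":"org-trail"}}
""".splitlines()]

FAIL_THRESHOLD = 5                      # failed logins from one address ...
FAIL_WINDOW = timedelta(minutes=10)     # ... within this window = brute force
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _ts(event) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW) -> list:
    """Run the rules over a batch of events and return alerts in time order."""
    alerts = []
    failures = defaultdict(list)   # source IP -> timestamps of recent failed logins
    flagged_ips = set()            # addresses already alerted for brute force
    for ev in sorted(events, key=_ts):
        when, name, ip = _ts(ev), ev["eventName"], ev.get("sourceIPAddress", "?")
        base = {"ip": ip, "user": _actor(ev), "time": when.isoformat()}
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                recent = [t for t in failures[ip] if when - t <= window] + [when]
                failures[ip] = recent
                if len(recent) >= threshold and ip not in flagged_ips:
                    flagged_ips.add(ip)
                    alerts.append({"rule": "BRUTE_FORCE", **base,
                                   "detail": f"{len(recent)} failed logins within {window}"})
            elif outcome == "Success" and ip in flagged_ips:
                alerts.append({"rule": "SUCCESS_AFTER_BRUTE_FORCE", **base,
                               "detail": "login succeeded from an address that was guessing passwords"})
        if ev.get("userIdentity", {}).get("type") == "Root":
            alerts.append({"rule": "ROOT_ACTIVITY", **base, "detail": f"root account used for {name}"})
        if name in LOG_TAMPERING:
            alerts.append({"rule": "LOGGING_TAMPERED", **base, "detail": f"{name} on the audit trail"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['rule']:<26} {alert['user']}@{alert['ip']}: {alert['detail']}")
```

The second rule is the one that turns a noisy brute-force alert into an incident: the success after the failures is the credential-compromise signal, and the later StopLogging call from another address is exactly the step an intruder takes to prevent the monitoring described above from seeing what follows.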
Summarized Audit Program
As discussed in Chapter 3, an audit program is a structured and comprehensive plan that outlines the procedures and activities to assess the effectiveness of an organization’s control environment. Based on the core concepts of cloud computing and mobile computing management ITGCs discussed above, presented below is a summarized audit program highlighting select relevant risks, corresponding ITGCs, and potential ways (audit procedures) to assess the operating effectiveness of such ITGCs. Please note that this is not an exhaustive audit program covering all applicable risks and controls and is provided for your reference only.
Detailed Description of the Risk and Its Impact | Relevant IT General Control Activity | Detailed Test of Controls Audit Procedure |
---|---|---|
Inadequate data security in cloud and mobile computing can lead to data breaches and loss of sensitive information. | Implement robust data security measures for cloud and mobile computing environments, including encryption, access controls, and regular security assessments. These measures are reviewed and updated quarterly. | Review 2 recent quarterly security assessment reports. Use inspection and analysis techniques to confirm that data security measures are effectively implemented and updated regularly. Check for encryption and access controls and assess the comprehensiveness of security assessments. |
Non-compliance with cloud and mobile computing regulatory standards risks legal penalties and reputational damage. | Regular compliance checks with data protection and privacy regulations relevant to cloud and mobile computing are conducted semi-annually. Responsibilities include ensuring adherence to regulations such as GDPR and HIPAA. | Examine documentation from 1 recent semi-annual compliance review. Use confirmation techniques to verify compliance with data protection and privacy regulations. Assess the organization’s adherence to regulatory requirements and review actions taken for any identified compliance gaps. |
Ineffective management of cloud service providers can lead to service disruptions and security vulnerabilities. | Conduct thorough evaluations and continuous monitoring of cloud service providers, with annual assessments and monthly monitoring. | Review one annual evaluation report of cloud service providers and two recent monthly monitoring reports. Use inspection and analysis techniques to assess the effectiveness of provider management and monitoring practices. Determine that cloud service providers meet the organization’s security and service standards and that ongoing monitoring is effective. |
Security vulnerabilities in mobile computing can compromise organizational data. | Regular security assessments and updates for mobile devices and applications are carried out, with evaluations performed monthly. | Review 2 recent monthly security assessment reports for mobile computing. Use inspection and reperformance techniques to assess the security of mobile devices and applications. Verify that mobile computing devices and applications are regularly evaluated for security vulnerabilities and that necessary updates are applied. |
Lack of user training on secure cloud and mobile computing practices can lead to security incidents. | Provide regular training on secure cloud and mobile computing practices to all employees, conducted semi-annually. | Review records from 1 recent training session on secure cloud and mobile computing practices. Use inspection and inquiry techniques to assess the coverage and effectiveness of the training. Determine that the training adequately addresses secure cloud and mobile computing practices and that employees understand their responsibilities. |
Inadequate disaster recovery planning for cloud and mobile computing can result in data loss and prolonged downtime during incidents. | Develop and maintain a comprehensive disaster recovery plan for cloud and mobile computing, with the plan reviewed and tested annually. | Inspect documentation from 1 recent annual disaster recovery plan review and test. Use inspection and reperformance techniques to assess the adequacy and effectiveness of the disaster recovery plan for cloud and mobile environments. Verify that the disaster recovery plan is current, relevant, and effectively tested. |
Failure to monitor and control ‘Bring Your Own Device’ (BYOD) policies can lead to security breaches. | Implement and regularly review a BYOD policy, with policy reviews conducted quarterly. Responsibilities include monitoring compliance with the policy and managing security risks associated with BYOD. | Review 2 recent quarterly BYOD policy review reports. Use inspection and confirmation techniques to assess the effectiveness and enforcement of the BYOD policy. Determine whether the BYOD policy is adequately enforced and addresses security concerns associated with personal device usage. |
In the Spotlight
For additional context on auditing emerging technologies, please read the article titled “Auditing Emerging Technologies: Facing New-Age Challenges”.
Quereshi, M.A. (2020). Auditing emerging technologies: Facing new-age challenges. ISACA Journal, 2. https://www.isaca.org/resources/isaca-journal/issues/2020/volume-2/auditing-emerging-technologies
Knowledge Check
Review Questions
- What is the primary purpose of implementing Multi-Factor Authentication (MFA) in mobile device security, and how does it enhance security?
- Briefly explain the importance of conducting mobile application security testing and provide an example of a security vulnerability testing can uncover.
- Describe the potential impact of a data breach during data transfer between a mobile device and a cloud server, and name one security measure to mitigate this risk.
- What is the role of Mobile Device Management (MDM) solutions in mobile device security, and how can MDM help safeguard corporate data?
- Explain the significance of regular security monitoring in cloud and mobile environments and provide an example of an incident that could be detected through monitoring.
Mini Case Study
Imagine you are an IS auditor conducting an audit for a multinational corporation that extensively uses cloud services for data storage and mobile devices for its employees. During your audit, you discover that the organization lacks multi-factor authentication (MFA) for its mobile device access to cloud resources.
Required: As an IS auditor, what are the potential risks and consequences of the organization’s lack of MFA for mobile device access to cloud resources? Additionally, provide recommendations on how the organization can address this issue.