Best Practices for Conducting Cloud Audits Shared by Security Experts

IT auditors and compliance professionals have their work cut out for them as more organizations move to the cloud. Audit and compliance standards that have existed for on-premises systems are not always sufficient for vetting cloud vendors, which makes cloud auditing a complex process. Two authors of “Cloud Auditing Best Practices,” Shinesa Cambric, contributing author of the book “97 Things Every Information Security Professional Should Know” and an eBook called “Shifting Security Left,” and Michael Ratemo, principal consultant at cybersecurity firm Cyber Security Simplified, have come up with practices to aid IT auditors in navigating the process. In a Q&A with TechTarget, the authors discussed how cloud audit and compliance work hand in hand and what advice they would offer novice IT auditors.

Cambric explained that while there’s no shortage of on-premises resources for auditors and compliance personnel, there’s less available for those migrating to the cloud. Companies need a “checklist or prescriptive guidance” for the cloud environment so they can be confident that their security controls are adequately implemented. Ratemo explained that auditing the cloud means reviewing the different regulatory standards governing its use. Platforms like Amazon Web Services offer compliance modules, which can assess an organization’s maturity from a compliance perspective as well as evaluate its security.

The importance of compliance, according to Cambric, is that it helps ensure that all organizations have a minimum standard of security. “Compliance does not equal security,” she said, “but if [organizations] have to adhere to certain compliance standards, at least they will have the minimum security baseline they need to have.” Ratemo added that compliance and governance programs are implemented to provide a foundation rather than a comprehensive security strategy.

When it comes to IT auditing, Ratemo said, it’s essential to read up on auditing standards, the tools available for the auditing process, and how to plan, execute, and report audits. Auditors need to review business processes and interact with stakeholders, so it’s important to have an open and inquiring mind and listen without bias to everyone involved.

Cambric’s advice for novice IT auditors is straightforward: Stay current with industry trends. “The cloud is not going away,” she said. “It will get more and more prevalent. If a company is not there yet, they will get there eventually, so just keep those skill sets up.” Ratemo agreed, adding that the technology is continuously evolving, so IT auditors need to keep up with the changes and invest in themselves.

The book the pair co-authored, “Cloud Auditing Best Practices,” provides a detailed roadmap for IT auditors and compliance personnel migrating to the cloud. The book emphasizes the need for a “comprehensive program” for auditing the cloud that incorporates different components, including compliance and governance, as well as security.
