Cloud Security Audit for A Certification and Training Center
Otieno, Duncan (2018)
Laurea-ammattikorkeakoulu
2018
All rights reserved
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2018053111697
Abstract
This thesis project was commissioned by Data To Information College, a technical education, training and certification center for both local and international examinations, located in Eldoret, Kenya. The thesis audits the organization for compliance in five control domains. The Continuous Assessments Initiative Questionnaire (CAIQ) by the Cloud Security Alliance is used as the basis for the security audit.
In the empirical section, an audit was carried out to determine the state of the organization's security while accessing and using the cloud. The audit covered the following domains: Audit Assurance & Compliance, Business Continuity Management & Operational Resilience, Governance and Risk Management, Security Incident Management, and Threat Vulnerability Management. A business impact analysis (BIA) was carried out on the 18 sub-controls that were not compliant. Qualitative and semi-quantitative analyses were used to determine the level of criticality and the risk level, respectively.
A total of 41 questions were asked during the audit: 18 sub-controls were compliant, 18 were non-compliant and 5 were marked as 'N/A', either because the information was confidential or because the auditee did not know the answer. Of the non-compliant sub-controls, 11 posed a high risk level for the organization, 4 a medium risk level and 3 a low risk level.
In conclusion, the researcher recommended that the organization undertake a threat vulnerability management program to address the non-compliant sub-controls whose risk level to the organization's operations was high. A list of safeguards to be implemented against known threats was also presented.