A major area of risk that we’ve recognized is remote cloud audits. We hear many organizations indicate that because they are a cloud-based organization, they do not want or need onsite assessments, but we want to help them avoid this attitude. Let’s be clear: it’s completely inaccurate to say that everything is in the cloud. Why? Let’s find out.
Why You Need Onsite Assessments
Human error is often the weakest link in a security system, and the same is true for cloud environments. How did your data get into the cloud? Think of all the ways that an employee, user, or vendor interacts with your cloud – someone has to put data in the cloud, someone manages it, and someone accesses it. Each of these touchpoints is an opportunity for an insecure process, but remote cloud audits won’t be able to catch those vulnerabilities. An auditor needs to see how employees complete a secure process. They need to visit your office location and examine your heating and cooling systems, your power regulation, your physical security controls. They need to interview your employees who manage vendor compliance to verify that vendor processes are secure.
If you’ve partnered with KirkpatrickPrice on an audit before, you know that we try to eliminate as much intrusive and expensive onsite time as possible; with our Online Audit Manager, clients typically complete 80% of the audit before an onsite visit. Even with that goal in mind, we still believe that onsite assessments are necessary for a quality audit. Onsite assessments are for the review and testing of controls that cannot be tested remotely, and this purpose stands true for audits of cloud environments. Remote cloud audits will not be as thorough or accurate as ones that include onsite assessments.
It’s vital for auditors to examine your people, processes, and technologies, and it’s impossible for all of that to exist in the cloud. Onsite assessments help auditors understand the culture, physical security, and day-to-day processes of the organization being assessed.
What are the Requirements?
Need some evidence to convince you of the need for onsite assessments? From the SOC 2 perspective, the system being audited is composed of people, processes, applications, infrastructure, and data. One could argue that the applications and perhaps most of the infrastructure are in the cloud, but the data has to come from somewhere. Even processes need people to complete them. How do you onboard your customers? It usually involves someone at the office doing something with the application that's in the cloud.
PCI takes a very similar approach, where the scope includes people, processes, and technology that transmit, process, or store cardholder data, or are connected to or could impact the security of the cardholder data environment. Again, how do the people in your physical office location support the applications, infrastructure, and data that are in the cloud?
It’s understandable that a company would want to focus all of its attention on the technology in the cloud, but it’s an incomplete analysis to conclude that because you are a cloud-based organization, no onsite assessments are required. If your auditor isn’t even coming to meet you in person, you’re not getting a quality audit. If they’re not coming onsite to examine your people, processes, and technology, your audit is even more flawed. If you want a thorough audit of your cloud environment, let KirkpatrickPrice help. Contact us today.