Cloud Computing II

IT Audit

Overview

Cloud computing provides organizations broad access to computing resources by reducing overhead, improving performance and efficiency, facilitating collaboration, and enhancing productivity. However, cloud computing also creates challenges and introduces risks that must be managed and audited to provide reasonable assurance to key stakeholders. This course covers cloud service and deployment models, key vendor considerations and the impact on strategic and operational practices, software development, business continuity (BC) and disaster recovery (DR), cloud migration, application programming interfaces (APIs), and cloud security. There is ample coverage of key risks, controls, and best practices related to contracts, software development trends, containers, Zero Trust, and cyber liability. Throughout the course, participants connect concepts, frameworks, regulations, and industry reports from organizations such as the Cloud Security Alliance (CSA), the Federal Financial Institutions Examination Council (FFIEC), FedRAMP, the Center for Internet Security (CIS) Critical Security Controls, the National Institute of Standards and Technology (NIST), Gartner, Forrester, and others to risk management and audit practices, developing tailored audit programs they can use immediately.

Here are the topics we'll cover.

  1. Cloud Service Models Review 
    • NIST model of cloud computing 
    • Forms of service delivery 
    • SaaS, PaaS, FaaS, IaaS, characteristics, risks, controls, storage, and tools  
  2. Deployment Model Review 
    • Deployment models 
    • Deployment strategy and service architecture considerations  
  3. Key Cloud Vendors 
    • Quadrants for infrastructure and platform services 
    • Key terminology 
    • Risk considerations 
  4. Key Technology: Virtualization 
    • Definitions, capabilities, and key considerations 
    • Resource aggregation and sharing 
    • Hypervisor security considerations and management tools 
    • Risk categories and auditing considerations 
  5. Cloud Operations 
    • Cloud and cost considerations 
    • Cloud management, operations and security 
    • Virtual server and log management considerations 
    • Elasticity 
  6. Cloud Architecture 
    • Key considerations, virtual private clouds (VPC), security groups, and access control lists (ACLs)  
    • Multi-cloud architectures 
    • Active Directory 
  7. Identity and Access Management (IAM) 
    • Key concepts, practices, and challenges 
    • Differences between cloud and traditional IAM 
    • Layers of permissions and configurations 
    • IAM policies, reports, access analyzers, and best practices 
    • IAM audit considerations 
  8. Application Programming Interfaces (APIs) 
    • Characteristics and uses 
    • API security and management 
    • API risks, audit questions and key considerations 
  9. Zero Trust 
    • The Zero Trust model and differences from traditional network security models 
    • Zero trust goals, threats, and architecture 
    • Risk management  
    • Success factors for zero trust implementations 
    • Audit considerations 
  10. Shared Responsibility Model 
    • Key considerations and link to vendors 
    • Security requirements, tasks and ways to build and maintain secure applications 
  11. Business Continuity/Disaster Recovery (BC/DR) 
    • Important data recovery requirements, practices and controls 
    • Data back-up and restore strategies 
    • Recovery and continuity strategy options 
    • Disaster Recovery as a Service (DRaaS) 
  12. Software Development Environment 
    • Software release management 
    • System Development Life Cycle (SDLC): Traditional, Agile,  
    • Key tasks, roles and responsibilities 
    • DevSecOps, tools, and automation 
    • Key risks, controls, and audit considerations 
  13. Key Technology: Microservices and Containers 
    • Microservice definition, characteristics, and architecture 
    • Type classification 
    • Containers: Characteristics, benefits, stacking, and security considerations  
    • Audit considerations 
  14. Infrastructure as Code (IaC) 
    • Key concepts and best practices 
    • Common challenges and tools  
    • Automation and testing considerations 
  15. Software Trends 
    • Current trends in software development 
    • Pipeline: Continuous Integration (CI), Continuous Delivery (CD) and Continuous Deployment (CD) 
    • Version control, configuration management, and monitoring 
    • Key risks and controls in the automated process 
  16. Software Development Audit Considerations 
    • Common audit considerations for software development 
    • Auditing DevSecOps methodology, access control, and automation 
    • Key controls and testing practices 
  17. Cloud Enables Digital Transformation in Financial Services 
    • Digitization vs digital transformation 
    • Evolution from robotic process automation (RPA) to artificial intelligence (AI) 
    • AI maturity model 
    • AI data inputs, challenges, and key audit considerations 
  18. Cloud Security 
    • Key security concerns and survey results 
    • Ways to meet security needs and address challenges 
    • Best practices and pillars of data security 
    • Vendor offerings: Security as a service (SECaaS) and vulnerability management as a service 
    • Encryption 
  19. Cloud Access Security Brokers (CASBs) 
    • Definitions, capabilities, and considerations 
    • Risk implications while preparing a risk assessment 
  20. Cloud Migration 
    • Challenges of cloud application deployments 
    • Cloud readiness assessment and migration strategy evaluation criteria 
    • Best practices for cloud migration 
  21. Incident Response (IR) in the Cloud 
    • Policies, roles, communications, and contracted responsibilities 
    • Chain of custody, response times, legal and forensic implications 
    • Incident response frameworks and recommended practices 
    • Audit considerations for various service models 
  22. Cloud Risks 
    • Analyst reports 
    • Key regulatory requirements 
    • Threat modeling, risk categories, risk management, and audit considerations 
  23. Cloud Governance 
    • Goals of IT governance and link to risk management 
    • Key guidance, requirements and best practices 
    • Governance challenges 
  24. Due Diligence 
    • The review of internal processes before a cloud decision 
    • Essential due diligence resources and steps 
  25. Contracts/Service Level Agreements (SLAs) 
    • Contractual considerations and key terms 
    • Best practices for SLAs 
  26. Cyber Liability Insurance 
    • Market reports and analysis 
    • Common reasons for cyber liability insurance claim denials 
    • Audit considerations 
  27. Audit and Assurance 
    • Objectives and scope of cloud audits 
    • Common audit challenges, issues, and recommendations 
    • Top governance and operations controls 
    • Review of key examination areas 

Learning Style

Instructor Led

Level

Advanced

Who this course is for

Senior operational and IT auditors, technologists, information security managers and analysts, and audit managers and directors looking to increase their knowledge of cloud computing and how to audit it effectively.

NASBA Certified CPE

32 credits

Field of Study

Auditing

Length of course

32h

Prerequisites

None

Advanced Preparation

None

Here are the learning objectives we'll cover

  • Examine cloud computing service models, features, and characteristics.
  • Evaluate key indicators of effective cloud computing configuration and practices.
  • Apply key risks, controls, and audit techniques.

Attendance policy for on-site and online instructor-led training

Students are expected to arrive on time for classes with the proper materials and attitude. An overall attendance rate of 100% is expected to fully absorb the materials and to complete labs. If you have an expected absence, please email support@acilearning.com or your instructor ahead of time. The number of CPEs awarded will be equivalent to the number of hours attended.

ACI Learning is registered with NASBA

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: https://www.nasbaregistry.org/