Cloud Auditing 101: How Do I Get Started?

By: 斯蒂芬妮的城市, CISA, PMP, AWS Cloud Practitioner | Federal Reserve Bank of Chicago
Published: September 3

We’re entering what feels like a new era in re-inventing how we once worked. Pre-2020 feels like a lifetime ago, and not only are organizations accelerating their cloud adoption, we as practitioners are re-examining our own careers and skills.

I found myself forming a strategy this time last year on how to audit our organization’s cloud strategy, key processes and controls. I quickly learned that I needed Friday mornings, coffee, and a team of people just as hungry as I was to make this happen.

As we read countless articles and journals and held brainstorming sessions, we knew we had to define the value to our auditees and ourselves. As a result, I am sharing an approach that may help you strategize how to approach auditing cloud adoption in your organization:

Step 1: Build interest and develop talent. If you don’t have a team of people that are running toward the cloud competencies, then you will spend your energy and time convincing, over-planning and executing. Upskilling is necessary for everyone, no matter how many years of practical IT experience you have on your team. Consider rewards and incentives for those in the organization who are eager or interested. Seek out and hire individuals that already have these skills to encourage and bring others along. Create a burning platform and incorporate cloud skill expectations into job descriptions. These concepts apply not only to us, but to those we will audit.

Step 2: Identify where cloud activity exists. Like the challenge of identifying hardware and software assets in organizations today, seeking out where cloud activity exists is key to effectively strengthening your organization to deal with potential security risks and privacy issues. Methods to identify activity can include independent scans, tagging and tracking of invoices and chargebacks to cloud service providers, and/or the maintenance and verification of a cloud registry.

Step 3: Proactively identify risks as cloud maturity evolves. After you know where cloud applications or software exist in your organization, consider how you’d like to identify key risks and audit the controls. While your initial list of key risks may involve your go-to items like security controls or resiliency, they may not be ready for your review until you’ve understood the current state of affairs. A maturity assessment may be the right place to start.

Elements of the maturity assessment should align with where your key risks currently exist. For example, you may want to examine how individual and group access is assigned and managed in the new cloud environments, but those group policies are only being discussed and haven’t been set up yet. What better time to collaborate with your auditees?

Consider how the continuous development, integration and testing processes are set up. Remember that decade-plus when our audit job was to keep developers out of production? The process is different now; segregation of duties still matters, but it looks different than it used to. Changes are deployed in real time, and automated controls have replaced the “wait until someone logs in to approve” methodologies that were used in auditing before.

As your organization matures its cloud usage, update and enhance your audit coverage accordingly. Continuous auditing is necessary over the point in time “drive by auditing” of the past. Being an effective auditor requires consistent conversations and a regular seat at the table.

Step 4: Stay calm and adjust your direction. Will your cloud audit go according to plan? No. Expect this and plan on including time buffers, and allow grace for learning and development. Not only is continuous, agile auditing necessary, it is essential for pivoting in your objective and swiftly swapping it out for an emerging risk.

Auditing evolving processes in the cloud environment requires patience, humility and a learning mindset. There are growing pains. Setting a multi-year strategy may be your best bet at accomplishing your goals and evolving your own auditing techniques and knowledge pool.

Remember, just like life, cloud adoption moves pretty fast. If you don’t stop and look around once in a while, you could miss it.

Author’s note: These views are my own and do not represent the Federal Reserve Bank of Chicago.

Editor’s note: Find out more about cloud auditing upskilling through the Certificate of Cloud Auditing Knowledge (CCAK), a Cloud Security Alliance and ISACA credential.
