Attestations (audit reports) prepared by third-party auditors can help organizations determine the suitability of the security and privacy practices of potential cloud service providers. Cloud providers regularly have their services assessed by independent auditors, to demonstrate conformance to standardized compliance frameworks. However, organizations may find these attestations difficult to interpret. This post highlights key considerations for evaluating cloud service attestations and will help your organization interpret these attestations with greater confidence.
Choosing Compliance Frameworks
Information security and privacy compliance frameworks defined by government and industry bodies, such as ISO 27001 and System and Organization Controls (SOC) 2, have significant advantages over proprietary frameworks: they use standard definitions and terminology, are widely adopted, and reflect the requirements of many organizations rather than a single vendor.
Combining complementary compliance frameworks can also help your organization assess a wider range of controls. For example, consider the breadth of controls covered by pairing ISO 27001 for information security with the EU Code of Conduct for privacy.
Analyzing Attestations and Certifications
You should consider the following questions when defining checklists or processes for cloud service attestation evaluation.
Compliance framework questions:
- Which compliance framework was used for this cloud service assessment? Is it the current version?
- How closely do that framework’s controls match your organization’s security and privacy objectives? Are there any gaps? If so, are the gaps filled by other available compliance attestations?
- Does the framework allow suppliers to self-assess or does it require that assessments are performed by an independent third-party auditor?
- Does the audit encompass the relevant services, systems and data center locations your organization may use?
- Is the attestation currently valid? (Note: validity periods vary by framework. An ISO 27001 certificate, for instance, runs for three years subject to annual surveillance audits, while a SOC 2 Type 2 report covers a defined review period, commonly 6 to 12 months, so check the dates of the review period rather than just the report's issue date.)
- Were any compliance framework requirements or relevant systems marked as ‘out of scope’, ‘not tested’, or otherwise excluded? If yes, why?
- Did the attestation rely on another party’s attestation for any controls, such as the IaaS provider underlying a SaaS cloud application? If yes, obtain the other party’s attestation as well, and confirm it covers the same period and the controls being inherited.
Assessor questions:
- Is the assessor accredited to validate conformance to that compliance framework (for example, an accredited certification body for ISO 27001, or a licensed CPA firm for SOC 2)?
- What is the reputation of the assessor company?
Audit outcome questions:
- What observations were made by the auditor?
- Were any opportunities for improvement or non-conformities noted? If yes, what is the cloud provider’s response regarding justification and/or corrective actions, and are those actions tracked to completion?
- Were any compensating controls utilized? If yes, do they seem effective at mitigating the risk which the control was designed to address?
Next steps:
- Consider the recommendations of the US National Institute of Standards and Technology (NIST) in Special Publication 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.”
- Define policies, procedures and guidance for your organization about how to evaluate cloud service providers using existing attestations.
- Explore the Oracle Trust Center to learn about Oracle’s security practices and cloud compliance.
- Contact Sales to obtain attestations for Oracle cloud services.
With over 20 years of experience managing risk, security, privacy and compliance audits relating to complex business processes and IT systems, Nancy Kramer helps define corporate information security policies and manages the compliance and obligation management programs that oversee Oracle’s on-premises and cloud offerings. Nancy also provides thought leadership through engagement with industry organizations such as the Payment Card Industry Security Standards Council (PCI SSC).