openstack/security-doc
Code Issues Proposed changes

Merge "Added section for the phases of an audit. Updated link to CSA CCM"

Browse Source
This commit is contained in:
Jenkins
2016-07-04 22:36:08 +00:00
committed by Gerrit Code Review
parent 4b0e09337f fa47ad1151
commit 7c2198fb37
1 changed files with 53 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
security-guide/source/compliance/understanding-the-audit-process.rst
View File

@@ -28,8 +28,8 @@ Determining audit scope, specifically what controls are needed and how
to design or modify an OpenStack deployment to satisfy them, should be to design or modify an OpenStack deployment to satisfy them, should be
the initial planning step. the initial planning step.
When scoping OpenStack deployments for compliance purposes, consider When scoping OpenStack deployments for compliance purposes,
prioritizing controls around sensitive services, such as command and prioritize controls around sensitive services, such as command and
control functions and the base virtualization technology. Compromises of control functions and the base virtualization technology. Compromises of
these facilities may impact an OpenStack environment in its entirety. these facilities may impact an OpenStack environment in its entirety.
@@ -49,7 +49,7 @@ additionally a number of external entities provide comprehensive lists.
The following are some examples: The following are some examples:
The `Cloud Security Alliance Cloud Controls The `Cloud Security Alliance Cloud Controls
Matrix <https://cloudsecurityalliance.org/research/ccm/>`__ (CCM) Matrix <https://cloudsecurityalliance.org/group/cloud-controls-matrix/>`__ (CCM)
assists both cloud providers and consumers in assessing the overall assists both cloud providers and consumers in assessing the overall
security of a cloud provider. The CSA CMM provides a controls framework security of a cloud provider. The CSA CMM provides a controls framework
that map to many industry-accepted standards and regulations including that map to many industry-accepted standards and regulations including
@@ -68,11 +68,60 @@ certifications, and provide visibility to both auditors and auditees on
problem areas within control sets for particular compliance problem areas within control sets for particular compliance
certifications and attestations. certifications and attestations.
Phases of an audit
~~~~~~~~~~~~~~~~~~
An audit has four distinct phases, though most stakeholders and control owners
will only participate in one or two. The four phases are Planning, Fieldwork,
Reporting and Wrap-up. Each of these phases is discussed below.
The Planning phase is typically performed two weeks to six months before
Fieldwork begins. In this phase audit items such as the timeframe, timeline,
controls to be evaluated, and control owners are discussed and finalized.
Concerns about resource availability, impartiality, and costs are also
resolved.
The Fieldwork phase is the most visible portion of the audit. This is where
the auditors are onsite, interviewing the control owners, documenting the
controls that are in place, and identifying any issues. It is important to
note that the auditors will use a two part process for evaluating the controls
in place. The first part is evaluating the design effectiveness of the
control. This is where the auditor will evaluate whether the control is
capable of effectively preventing or detecting and correcting weaknesses and
deficiencies. A control must "pass" this test to be evaluated in the second
phase. This is because with a control that is designed ineffectually, there
is no point considering whether it is operating effectively. The second part
is operational effectiveness. Operational effectiveness testing will determine
how the control was applied, the consistency with which the control was
applied and by whom or by what means the control was applied. A control may
depend upon other controls (indirect controls) and, if they do, additional
evidence that demonstrates the operating effectiveness of those indirect
controls may be required for the auditor to determine the overall operating
effectiveness of the control.
The Reporting phase is where any issues that were identified during the
Fieldwork phase will be validated by management. For logistics
purposes, some activities such as issue validation may be performed during the
Fieldwork phase. Management will also need to provide remediation plans to
address the issues and ensure that they do not reoccur. A draft of the
overall report will be circulated for review to the stakeholders and
management. Agreed upon changes are incorporated and the updated draft is
sent to senior management for review and approval. Once senior management
approves the report, it is finalized and distributed to executive management.
Any issues are entered into the issue tracking or risk tracking mechanism the
organization uses.
The Wrap-up phase is where the audit is officially spun down. Management will
begin remediation activities at this point. Processes and notifications are
used to ensure that any audit related information is moved to a secure
repository.
Internal audit Internal audit
~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
Once a cloud is deployed, it is time for an internal audit. This is the Once a cloud is deployed, it is time for an internal audit. This is the
time compare the controls you identified above with the design, time to compare the controls you identified above with the design,
features, and deployment strategies utilized in your cloud. The goal is features, and deployment strategies utilized in your cloud. The goal is
to understand how each control is handled and where gaps exist. Document to understand how each control is handled and where gaps exist. Document
all of the findings for future reference. all of the findings for future reference.