Example resource management controls

As mentioned in Chapter 2, Effective Techniques for Preparing to Audit Cloud Environments, several frameworks can be used as guidelines for a list of applicable controls and test procedures when defining the scope of your audit. As a reference for this chapter, we’ll highlight a few example controls from the Center for Internet Security (CIS) and Cloud Security Alliance (CSA) that are relevant to resource management, tagging, change management, change history, and financial features within an enterprise cloud environment.

Center for Internet Security (CIS) benchmark controls

As a reminder, determining all applicable controls will need to be based on system architecture and integration, business risk management goals, and enterprise operational procedures:

  • CIS Control 3 Sub-Control 3.7 – Establish and Maintain a Data Classification Scheme: Establish and maintain an overall data classification scheme for the enterprise.
  • CIS Control 3 Sub-Control 3.12 – Segment Data Processing and Storage Based on Sensitivity: Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity.
  • CIS Control 8 Sub-Control 8.5 – Collect Detailed Audit Logs: Configure detailed audit logging for enterprise assets containing sensitive data.
  • CIS Control 12 Sub-Control 12.2 – Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

To find a comprehensive list of CIS benchmark controls, go to https://www.cisecurity.org/benchmark.

Now that we’ve taken a look at some example controls from CIS, let’s take a look at controls from the CSA Cloud Controls Matrix (CCM).

CSA Cloud Controls Matrix

Within the CSA CCM v4.0 framework, controls that would be relevant to the technical assessment of functions in this chapter would fall under several domains, including Change Control and Configuration Management, Data Security and Privacy Life Cycle Management, and Infrastructure and Virtualization Security. Examples of CCM controls an IT auditor should reference for this chapter are as follows:

  • Control ID CCC-04 – Unauthorized Change Protection: Restrict the unauthorized addition, removal, update, and management of organization assets
  • Control ID CCC-07 – Detection of Baseline Deviation: Implement detection measures with proactive notification in case of changes deviating from the established baseline
  • Control ID DSP-03 – Data Inventory: Create and maintain a data inventory, at least for any sensitive data and personal data
  • Control ID IVS-08 – Network Architecture Documentation: Identify and document high-risk environments

You can find out more about the CCM matrix from CSA at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/. Please note that the matrix is periodically updated, so be sure you are accessing the latest version.