
Cloud Computing

Audit Report # 16-09

February 28, 2017

The University of Texas at El Paso Institutional Audit Office

"Committed to Service, Independence and Quality"



February 28, 2017

Dr. Diana Natalicio, President
The University of Texas at El Paso
Administration Building, Suite 500
El Paso, Texas 79968

Dear Dr. Natalicio:

UTEP Institutional Audit Office, 500 West University Ave, El Paso, Texas 79968, 915-747-5191

The Office of Auditing and Consulting Services has completed a limited scope audit of cloud computing services. During the audit, we identified opportunities for improvement and offered the corresponding recommendations in the audit report. The recommendations are intended to assist the department in strengthening controls and help ensure that the University's mission, goals and objectives are achieved.

We appreciate the cooperation and assistance provided by the Information Security Office staff and the survey respondents during our audit.

Sincerely,

Lori Wertz
Chief Audit Executive



Report Distribution:

The University of Texas at El Paso:

Mr. Richard Adauto III, Executive Vice President

Dr. Stephen Riter, Vice President for Information Resources and Planning

Ms. Sandy Vasquez, Assistant Vice President for Compliance Services

Mr. Gerard Cochrane Jr., Chief Information Security Officer

The University of Texas System (UT System):

UT System Audit Office

External:

Governor's Office of Budget, Planning and Policy

Legislative Budget Board

Internal Audit Coordinator, State Auditor's Office

Sunset Advisory Commission

Audit Committee Members:

Mr. David Lindau

Mr. Steele Jones

Mr. Fernando Ortega

Dr. Howard Daudistel

Mr. Benjamin Gonzalez

Dr. Gary Edens

Dr. Roberto Osegueda

Auditors Assigned to the Audit:

Ms. Cecilia Estrada, Auditor I

Ms. Victoria Morrison, IT Auditor


TABLE OF CONTENTS

EXECUTIVE SUMMARY ... 4

BACKGROUND ... 5

AUDIT OBJECTIVES ... 6

SCOPE AND METHODOLOGY ... 7

RANKING CRITERIA ... 8

AUDIT RESULTS ... 9

1. Awareness / Training Of Cloud Computing Services Selection And Risk ... 9

2. Cloud Computing Policies, Procedures And Standards ... 10

3. Type Of Cloud Computing Services Throughout The University ... 10

4. The University Cloud Computing Services: Risks, Data Classification, Safeguarding Of The Data ... 10

5. CISO Access And Awareness Of Cloud Computing Services Throughout The University ... 11

CONCLUSION ... 12

Appendix A: Cloud Computing Companies ... 13

Appendix B: Cloud Computing Services ... 14

Appendix C: Extended List of Category I Data ... 15

Appendix D: Phase 1 Summary Results ... 16

Appendix E: Criteria ... 18

Appendix F: Glossary ... 20


Office of Auditing and Consulting Services Audit #16-09 Cloud Computing

EXECUTIVE SUMMARY

The Office of Auditing and Consulting Services (OACS) has completed an audit of cloud computing services throughout the University. The audit scope was limited to understanding the types of services already purchased by faculty and staff as well as assessing the types of data stored outside the University network.

The sources of the audit criteria are the Texas Department of Information Resources (DIR) and the Cloud Security Alliance. During the audit we tested the following:

• Awareness/training of cloud computing services

• Cloud computing policies, procedures, and standards

• Type of cloud computing services in use at the University, and

• Chief Information Security Officer (CISO) access and awareness of cloud computing services throughout the University.

The results of our audit indicated that users of cloud computing services at The University of Texas at El Paso (UTEP) are not aware of the current guidelines developed by the CISO. Nonetheless, there were no instances in which Category I data was stored in unsecured cloud applications. In addition, assessments of research data did not reveal any high risks for the University.


BACKGROUND

Cloud computing was rated as high in the University-wide risk assessment for the last two years.

According to the Cloud Security Alliance, "Cloud solutions continue to be adopted at a rapid rate as Cloud Service Providers offer flexible computing and storage needs, easier collaboration with internal users and customers, added security features, and more; allowing organizations to focus on their core business functions." (For a visual example of cloud computing companies, see Appendix A: Cloud Computing Companies.)

Cloud computing has been described as "the ultimate form of outsourcing." This refers to the fact that moving into the cloud allows the enterprise to outsource or rent infrastructure, IT services, application software, business systems, computer processing time, storage or any combination of these (See Appendix B: Cloud Computing Services).

It has become crucial that the University, when using cloud computing services, be protected from risks such as data loss, loss of reputation, investment loss, and legal action.

The Chief Information Security Officer (CISO) has a general idea of the cloud computing services being used and the type of data being stored by the UTEP community. With this audit, we hope to close the gap even further by identifying the kind of cloud computing services used, service providers, and the type of data being stored in the cloud.


AUDIT OBJECTIVES

The objectives of this audit were to:

• Assure that the University has policies and procedures, directed and approved by management, for acquiring and using cloud services, in order to remediate risks and comply with laws and regulations.

• Identify the type of cloud computing services used throughout the University and the type of data being stored in the cloud.

• Conclude whether the sampled cloud computing users are addressing the risks of acquiring services in the cloud, have classified their data, and are safeguarding that data.

• Ensure there is an awareness program for selecting or using cloud computing services, in order to reduce the University's risk of loss of data, revenue, and/or reputation.

• Determine whether the CISO has access to and awareness of cloud computing services sufficient to assure security controls, investigate incidents, and perform forensic analysis.


SCOPE AND METHODOLOGY

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA).

The audit addresses the high risk areas identified in the University-wide risk assessments for Fiscal Years 2016 and 2017.

The audit criteria are:

• Cloud Security Alliance (CSA) Cloud Controls Matrix

• Texas Department of Information Resources Security Control Standards Catalog (TAC 202.76)

• UTS165 Information Resources Use and Security Policy

The audit scope is limited to purchases of cloud software/services within the period beginning 09/01/2015 and ending 08/31/2016.

Audit procedures included:

• interviewing key personnel,

• reviewing applicable laws, regulations, policies and procedures,

• verifying the existence of appropriate institutional policies and procedures,

• requesting information from key personnel,

• analyzing purchasing reports,

• surveying the University community, and

• limited in-depth testing of cloud controls.


RANKING CRITERIA

All findings in this report are ranked based on an assessment of applicable qualitative, operational control and quantitative risk factors, as well as the probability of a negative outcome occurring if the risk is not adequately mitigated. The criteria for the rankings are as follows:

Priority - an issue identified by an internal audit that, if not addressed timely, could directly impact achievement of a strategic or important operational objective of a UT institution or the UT System as a whole.

High - A finding identified by internal audit that is considered to have a medium to high probability of adverse effects to the UT institution either as a whole or to a significant college/school/unit level.

Medium - A finding identified by internal audit that is considered to have a low to medium probability of adverse effects to the UT institution either as a whole or to a college/ school/unit level.

Low - A finding identified by internal audit that is considered to have minimal probability of adverse effects to the UT institution either as a whole or to a college/ school/unit level.


AUDIT RESULTS

1. Awareness / Training Of Cloud Computing Services Selection And Risk

The CISO has developed cloud computing policies and procedures which are posted on the Information Security UTEP Web site. After the survey and interviews were conducted during the course of this audit, users reached out to the Information Security Office for guidance on addressing the risks of cloud computing. There is currently no awareness program or training provided to users.

Based on the assessment results, there is a lack of user awareness in the following areas:

• Procurement/acquisition guidelines for cloud computing services, and

• Policies and procedures for cloud services usage

The lack of awareness increases the risk of loss of data, revenue, and reputation.

Recommendation:

We recommend the ISO develop an awareness program based on the System-wide Information Security Office training materials.

Level: This finding is considered Medium as the lack of awareness of cloud computing guidelines could result in users selecting a non-reliable service provider. This may lead to data loss and possible financial or legal issues.

Management Response:

Training material will be created and incorporated into UTEP's annual compliance training for 2017.

Responsible Party:

Gerard Cochrane Jr., Chief Information Security Officer

Implementation Date:

November 1, 2017


2. Cloud Computing Policies, Procedures And Standards

The ISO has posted the "Information Security Policies and Procedures" on the UTEP Web site which includes cloud computing services guidelines. Attention has been placed on guidelines that focus on Category I and II data (See Appendix C: Extended List of Category - I Data).

3. Type Of Cloud Computing Services Throughout The University

We were able to determine the type of cloud computing services used throughout the University, the type of data being stored in the cloud, the names of providers, and what method was used to purchase the services. We provided the CISO with the full report of results. For a summary of the results go to the Appendix D: Phase 1 Summary Results.

The "Phase I" of our assessment did not indicate any high risks to UTEP.

4. The University Cloud Computing Services: Risks, Data Classification, Safeguarding Of The Data

To determine if current cloud computing users are adequately protecting data and addressing the risks of this type of service, auditors judgmentally selected a sample of 11 of the 213 users who responded to the survey for formal interviews. Questions covered what type of data was being stored in the cloud and whether the interviewees were conscious of the risks of selecting a non-reliable vendor and storing confidential information. These subsequent interviews constitute "Phase II" of our assessment.

After analyzing the results from "Phase I" and "Phase II", we concluded that faculty and staff across the University are using a variety of cloud computing services. Some risks of cloud computing were addressed by establishing a formal contract with the vendor or by using a purchase order.

There were no instances in which Category I data was stored in unsecured cloud applications. Additionally, the assessment on research data did not indicate high risks to the University. The CISO was provided the detailed results of each user interview.


5. CISO Access And Awareness Of Cloud Computing Services Throughout The University

The Chief Information Security Officer requires notification when Category I and II type data is stored in the cloud. The "UTEP Information Security Office Cloud Services Guidelines" specifies that for non-approved cloud services, an exception form must be submitted:

"The University of Texas at El Paso Information Security Office (ISO) specifies that neither Category I nor Category II University Data may be stored on non-approved cloud services. An ISO Exception Form must be submitted for approval by the UTEP Chief Information Security Officer (CISO) if Category I or Category II data must be stored on a non-approved cloud service. Please review the UTEP Information Security Exception Reporting Process referenced below."

In "Phase I" of our assessment, 42 percent of the users surveyed answered yes when asked if they were aware of cloud computing services guidelines.


CONCLUSION

Based on the work performed, OACS did not find any instances in which confidential student or research data was stored in unprotected cloud services. However, the University needs improvement in the areas of training and user awareness on cloud computing policies.

We wish to thank the management and staff of the Information Security Office and all of our survey respondents for the assistance and cooperation provided throughout the audit.


Appendix A: Cloud Computing Companies

A visual: companies with cloud computing services grouped by IaaS, PaaS and SaaS

[Figure: companies offering cloud computing services, grouped by IaaS, PaaS and SaaS. Category panels visible in the figure: Business Management, Tools, Security, CRM, General, Networking, Content Delivery Networks. Created by CloudTimes.]

Source: CloudTimes.org. Return to BACKGROUND


Appendix B: Cloud Computing Services

A visual of possible cloud computing services grouped by IaaS, PaaS and SaaS

Source: EMC Corporation. Return to BACKGROUND


Appendix C: Extended List of Category I Data

From the document "Data Classification Appendix A" in the ISO policies and procedures UTEP Website

Patient Medical/Health Information (HIPAA)
The following information is confidential:

• Social security number
• Patient names, street address, city, county, zip code, telephone / fax numbers
• Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
• Personal vehicle information
• Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
• Access device numbers (ISO number, building access code, etc.)
• Biometric identifiers and full face images
• Any other unique identifying number, characteristic, or code
• Payment guarantor's information

Student Records (FERPA)
The following information is confidential. This applies to both enrolled and prospective student data.

• Social security number
• Grades (including test scores, assignments, GPA, class grades)
• Student financials: credit cards, bank accounts, wire transfers, payment history, financial aid/grants, scholarships, student bills
• Ethnicity
• Access device numbers (UTEP 80/88 number, building access code, etc.)
• Biometric identifiers (fingerprint, voice print, retina or iris image, etc.)

Note that for enrolled students, the following data may ordinarily be revealed by the University without student consent unless the student designates otherwise:

• Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
• Electronic mail address
• Specific semesters of registration at UTEP; UTEP degree(s) awarded and date(s); major(s), minor(s), and field(s); University degree honors
• Institution attended immediately prior to UTEP
• ID card photographs for University classroom use

Donor/Alumni Information (UTS-165, Texas Identity Theft Enforcement and Protection Act, HIPAA)
The following information is confidential:

• Social security number
• Name
• Personal financial information
• Family information
• Medical information

Return to 2. Cloud Computing Policies, Procedures and Standards
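As an added illustration of how the Category I definitions above can be checked before a record leaves the University network (example code written for this page, not part of the audit report and not the ISO's own tooling): a small Python screen that flags the identifier types Appendix C marks as confidential (Social Security numbers, payment card numbers, UTEP 80/88 ID numbers) and applies the rule quoted in finding 5 that such data may not go to a non-approved cloud service without an ISO exception. The UTEP ID format (an 8-digit number beginning with 80 or 88), the SSN plausibility rule, and the approved-service list are assumptions, not taken from the report; the sample records are constructed.

```python
"""Added example (not from the audit report): screen a text record for the
Category I identifiers listed in Appendix C before it is sent to a cloud
service, and decide whether the ISO exception process applies.

Assumptions, not taken from the report:
  - UTEP 80/88 ID numbers are 8 digits beginning with 80 or 88.
  - Payment card numbers are 13-19 digits that pass the Luhn check.
  - SSNs follow the SSA issuance rules (area not 000/666/900-999,
    group and serial not all zeros).
  - APPROVED_SERVICES is a placeholder for the ISO's approved-service list.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
UTEP_ID_RE = re.compile(r"\b8[08]\d{6}\b")          # assumed ID format
APPROVED_SERVICES = {"utep-approved-storage"}        # placeholder list


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues (000/666/900-999 areas, zero group or serial)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_category_i(text: str) -> dict:
    """Return {identifier_type: [matches]} for the Category I identifiers found in text."""
    found = {"ssn": [], "card": [], "utep_id": []}
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found["ssn"].append(m.group(0))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):   # a 13-19 digit length is guaranteed by the pattern
            found["card"].append(m.group(0))
    for m in UTEP_ID_RE.finditer(text):
        found["utep_id"].append(m.group(0))
    return {k: v for k, v in found.items() if v}


def exception_required(text: str, service: str) -> bool:
    """True when Category I data is present and the target service is not ISO-approved."""
    return bool(find_category_i(text)) and service.lower() not in APPROVED_SERVICES


# Constructed sample records (not survey data from the report).
SAMPLE_RECORDS = [
    "Employee 80012345 submitted SSN 219-09-9999 on the intake form",
    "Payment on file: 4111 1111 1111 1111, exp 12/25",
    "Test card 4111 1111 1111 1112 fails the Luhn check and is not flagged",
    "Reference SSN 666-12-3456 is never issued and is not flagged",
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        verdict = "EXCEPTION NEEDED" if exception_required(record, "dropbox") else "ok"
        print(f"{verdict:16} {find_category_i(record)} <- {record}")
```

The Luhn and SSN plausibility checks are what keep the screen usable: a bare digit pattern would flag every 16-digit invoice number and every "666-" test value, and a check that cries wolf is the first thing users disable.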


Appendix D: Phase 1 Summary Results

Percent of survey respondents using cloud computing services

Does your dept. use external services not provided by UTEP?
  Yes: 30%
  No:  70%

Type of cloud computing services being used throughout the University, ranked by usage

Rank  Cloud computing service                          Comments
1     Application Services                             Software as a Service (SaaS)
2     Data Storage, Collection, Database               Infrastructure as a Service (IaaS)
3     Data Sharing                                     e.g. Dropbox
4     Use of external database to query information
5     Data Backup/Recovery
6     Other

Cloud computing guidelines awareness

Response   Percentage  Comments
Aware      42%
Not aware  58%         Lack of response was interpreted as lack of awareness.


Data type in the cloud (a single reply could contain multiple entries)

Entries  Data type                                                            Comments
0        Bank routing information
2        Biometric identifiers and full face images
5        Social security numbers
6        Credit card numbers
9        UTEP ID numbers (80/88 or 600)                                       Used by Enterprise Computing, College of Education, Enrollment Services, Registrar, Veteran Affairs (queries)
10       FERPA protected student information                                  Used by Enterprise Computing, Enrollment Services, Registrar, Student Support Services, College of Liberal Arts, VP Student Affairs
11       Research data (e.g. intellectual property, medical research data, etc.)
14       Date of birth
20       Student information
30       No response
32       Other

Will consider using cloud computing services in the future

Response     Percentage
Yes          30%
No           30%
No response  40%

Return to 3. Type of Cloud Computing Services Throughout the University


Appendix E: Criteria

Cloud Security Alliance (CSA) Cloud Controls Matrix V3.0.1, 06/06/2016

CSA: Provide in-depth training specific to the content handled by the facility.

CSA: Develop and regularly update a security awareness program and train company personnel and third party workers upon hire and annually thereafter on the security policies and procedures, addressing the following areas at a minimum:
• IT security policies and procedures
• Content/asset security and handling
• Security incident reporting and escalation
• Disciplinary measures

CSA: Establish policies and procedures regarding asset and content security; policies should address the following topics, at a minimum:
• Human resources policies
• Acceptable use (e.g., social networking, Internet, phone, etc.)
• Asset classification
• Asset handling policies
• Digital recording devices (e.g., smart phones, digital cameras, camcorders)
• Exception policy (e.g., process to document policy deviations)
• Password controls (e.g., password minimum length, screensavers)
• Prohibition of client asset removal from the facility

Texas Department of Information Resources Security Control Standards Catalog (TAC 202.76)

Awareness and Training Controls
• AT-1 Security Awareness and Training Policy and Procedures
• AT-2 Security Awareness Training
• AT-3 Role-Based Security Training
• AT-4 Security Training Records

Planning Controls
• PL-1 Security Planning Policy and Procedures

Personnel Security Controls
• PS-7 Third-Party Personnel Security Policies and Procedures


UTS165 Information Resources Use and Security Policy
• UTS165 Sec. 26 Security Training
• UTS165 Standard 2. Acceptable Use of Information Resources
• UTS165 Standard 11. Safeguarding Data
• UTS165 Standard 13. Use and Protection of Social Security Numbers
• UTS165 Standard 14. Information Services (IS) Privacy

UTEP Information Security Policies and Procedures
• Acceptable Use of Information Resources-Jun2014.pdf
• Data Classification Appendix A
• Data Classification Standards
• UTEP Security Exception Reporting Process
• Social Security Number Use
• Solicitation Policy
• FERPA 101


Appendix F: Glossary

CSA: The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. http://www.cloudsecurityalliance.org

Software as a Service (SaaS): There are various ways to break down SaaS, but here is one framework: business process modeling; evaluation and analysis; process execution. When opting for SaaS, cloud users not only hire infrastructure and platforms from the CSP, but also run CSP-provided applications on them. Examples are: Computer Services Inc., Salesforce, New Relic, Logicworks, Apptix, Google App Engine, Microsoft Windows Azure, Amazon Web Services LLC, etc. (from ISACA)

Infrastructure as a Service (IaaS): There are various ways to break down IaaS, but here is one way: connectivity; network services and management; compute services and management; data storage; security. In an IaaS solution, the CSP provides cloud users with processing, storage, networks and other fundamental computing resources. Operating systems and applications, however, are the responsibility of the user and are not included in the service offering of the CSP. Examples are: Rackspace, Equinix, SoftLayer, iomart Group plc, Amazon Web Services LLC, etc. (from ISACA)

Platform as a Service (PaaS): PaaS entails the CSP making available infrastructures and platforms on which cloud users deploy their own applications. This requires the CSP to support programming languages, libraries, services and tools. Examples are: Google App Engine, Microsoft Windows Azure. (from ISACA)

CSP: Cloud service provider


Cloud computing: Cloud computing is defined by the US National Institute of Standards and Technology (NIST) as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Cloud computing risks: Common risk events for assets:
• Unavailability: the asset is unavailable and cannot be used or accessed by the enterprise. The cause can be accidental (failure of the infrastructure), intentional (distributed denial-of-service [DDoS] attacks) or legal (subpoena of a database holding all data, in a multitenancy architecture where one client's data are subject to legal investigation).
• Loss: the asset is lost or destroyed. The cause can be accidental (natural disaster, wrong manipulation, etc.) or intentional (deliberate destruction of data).
• Theft: the asset has been intentionally stolen and is now in the possession of another individual/enterprise. Theft is a deliberate action that can involve data loss.
• Disclosure: the asset has been released to unauthorized staff/enterprises/organizations or to the public. Disclosure can be accidental or deliberate. This also includes the undesired, but legal, access to data due to differing regulations across international borders.

Source: ISACA, DOD, NIST, Cloud Security Alliance
