Evidence in cloud security compliance : towards a meta-evaluation framework
Recently, the trend of outsourcing IT services to cloud environments, as opposed to traditionally locally administered services, has been on the rise. This transition enables great cost savings for the customer through service flexibility. As a by-product, cloud security customers need to assure themselves that the service being considered or used provides appropriate security to protect customer data, which presents formerly non-existent compliance challenges. To provide transparency and trust between the cloud security customer and the service provider, several new standards and frameworks have emerged that establish trust by assuring that a set of safeguards demanded by the respective standard is in place. The standards provide a set of controls, i.e. requirements that must be met to receive an official certification or a third-party attestation. Compliance against the controls must be verified by providing evidence to an auditor. This is followed by the auditor's decision on whether the requirements are in place or not. The problem with a host of existing standards and frameworks suitable for auditing cloud security is that the process of evidence evaluation is either not described in detail or not described at all. As of now, evidence evaluation in many standards is left to the professional judgement of the auditor. In the absence of standardized guidelines, auditors are susceptible to human errors such as biased decision-making. The objective of this master's thesis is to study the quality requirements for scientific evidence and to find out whether these qualities are applicable and transferable to the evaluation of cloud security audit evidence. The applicable qualities discovered will be conceptualized into a checklist, a meta-evaluation tool to assist both the auditor and the auditee in the evaluation decision-making process.
The conclusions may assist the auditee in providing the auditor with quality evidence, and the auditor will be able to review the evidence from the points of view of sufficiency and appropriateness. In other words, the objective is to study what the auditor's professional judgement should consist of, that is, what qualities cloud security compliance assessment evidence must have. ...
- Master's theses (Pro gradu -tutkielmat)