Evidence in cloud security compliance : towards a meta-evaluation framework
Recently the trend of outsourcing IT services into cloud environments as opposed to traditional locally administrated services has been on the rise. This transition allows enables great cost savings through service flexibility for the customer. As a byproduct, the need for the cloud security customers to assure that the service being considered or used meets the needs to provide appropriate security to protect customer data has presents formerly inexistent compliance challenges. To provide transparency and trust between cloud security customer and service provider, several new standards and frameworks have emerged to provide trust by assuring a set of safeguards demanded by a respective standard are in place. The standards provide a set of controls, requirements that must be met to receive an official certification or a third-party attestation. The compliance against the controls must be verified by providing evidence to an auditor. This is followed by the auditor’s decision of whether the requirements are in place or not. The problem with a host of existing standards and frameworks suitable for auditing cloud security is that the process of evidence evaluation is not described in detail or at all. As of now, the evidence evaluation in many standards is left to the professional judgement of the auditor. Auditors are fallible to human errors, such as biased decision-making, in the absence of standardized guidelines. The objective for the master’s thesis is to study the quality requirements for scientific evidence and find out if the qualities are applicable and transferable over to cloud security audit evidence evaluation. The discovered applicable qualities will be conceptualized into a checklist, a meta-evaluation tool to assist both the auditor and the auditee in the evaluation decision-making process. The conclusions may assist the auditee in providing the auditor quality evidence and the auditor will be able to review the evidence from sufficiency and appropriateness points of view. In other words, the objective is to study what the professional judgement of the auditor should consist of; what qualities must cloud security compliance assessment evidence consist of.
...
Asiasanat
Metadata
Näytä kaikki kuvailutiedotKokoelmat
- Pro gradu -tutkielmat [29743]
Lisenssi
Samankaltainen aineisto
Näytetään aineistoja, joilla on samankaltainen nimeke tai asiasanat.
-
An information system design product theory for the class of eSourcing requirements, delivery and completion management systems for eSourcing service providers
Lu, Yikun (University of Jyväskylä, 2015) -
Tietoturva-auditointiprosessin kehittäminen viranomaisnäkökulmasta
Virtanen, Alex (2022)Informaatioteknologian keskeinen rooli liiketoiminnan mahdollistajana merkitsee myös tietoturvallisuuden eri osa-alueiden korostamista, kun tarkoituksena on suojata organisaatioiden informaatio-omaisuuseriä. Nämä omaisuuserät ... -
Pilvipalveluiden tietoturva : standardit ja viitekehykset sekä erityyppisen tiedon suojaaminen
Räsänen, Iiro (2021)Tämän pro gradu -tutkielman tarkoituksena oli tutkia pilvipalveluiden tietoturvaa käsitteleviä standardeja ja viitekehyksiä sekä niiden noudattamista erityyppisen tiedon näkökulmasta. Tietoturvan tasoa on hyvin vaikea ... -
The moderating impact of organizational culture on information security compliance
Ejigu, Kibrom; Siponen, Mikko; Muluneh, Tilahun (Addis Ababa University Press, 2023)This research paper investigates the association between organizational culture and employees' compliance with information security policies. Drawing upon rational choice theory (RCT) and the competing values framework ... -
Influence of Organizational Culture on Employees Information Security Policy Compliance in Ethiopian Companies
Ejigu, Kibrom; Siponen, Mikko; Muluneh, Tilahun (Association for Information Systems, 2021)Information security is one of the organizations' top agendas worldwide. Similarly, there is a growing trend in the kinds and rate of security breaches. Information security experts and scholars concentrate on outsiders' ...
Ellei toisin mainittu, julkisesti saatavilla olevia JYX-metatietoja (poislukien tiivistelmät) saa vapaasti uudelleenkäyttää CC0-lisenssillä.