dc.contributor.advisor | Soliman, Wael | |
dc.contributor.author | Hentula, Antti | |
dc.date.accessioned | 2019-12-05T10:52:19Z | |
dc.date.available | 2019-12-05T10:52:19Z | |
dc.date.issued | 2019 | |
dc.identifier.uri | https://jyx.jyu.fi/handle/123456789/66664 | |
dc.description.abstract | Recently the trend of outsourcing IT services into cloud environments as opposed to traditional locally administrated services has been on the rise. This transition enables great cost savings through service flexibility for the customer. As a byproduct, the need for the cloud security customers to assure that the service being considered or used meets the need to provide appropriate security to protect customer data presents formerly inexistent compliance challenges. To provide transparency and trust between cloud security customer and service provider, several new standards and frameworks have emerged to provide trust by assuring that a set of safeguards demanded by a respective standard is in place. The standards provide a set of controls, requirements that must be met to receive an official certification or a third-party attestation. The compliance against the controls must be verified by providing evidence to an auditor. This is followed by the auditor’s decision of whether the requirements are in place or not. The problem with a host of existing standards and frameworks suitable for auditing cloud security is that the process of evidence evaluation is not described in detail or at all. As of now, the evidence evaluation in many standards is left to the professional judgement of the auditor. Auditors are prone to human errors, such as biased decision-making, in the absence of standardized guidelines. The objective of the master’s thesis is to study the quality requirements for scientific evidence and find out if the qualities are applicable and transferable to cloud security audit evidence evaluation. The discovered applicable qualities will be conceptualized into a checklist, a meta-evaluation tool to assist both the auditor and the auditee in the evaluation decision-making process. 
The conclusions may assist the auditee in providing the auditor with quality evidence, and the auditor will be able to review the evidence from sufficiency and appropriateness points of view. In other words, the objective is to study what the professional judgement of the auditor should consist of; what qualities cloud security compliance assessment evidence must consist of. | en |
dc.format.extent | 77 | |
dc.format.mimetype | application/pdf | |
dc.language.iso | en | |
dc.subject.other | assurance | |
dc.subject.other | evidence evaluation | |
dc.subject.other | frameworks | |
dc.subject.other | cloud security | |
dc.subject.other | information security management systems | |
dc.title | Evidence in cloud security compliance : towards a meta-evaluation framework | |
dc.identifier.urn | URN:NBN:fi:jyu-201912055136 | |
dc.type.ontasot | Pro gradu -tutkielma | fi |
dc.type.ontasot | Master’s thesis | en |
dc.contributor.tiedekunta | Informaatioteknologian tiedekunta | fi |
dc.contributor.tiedekunta | Faculty of Information Technology | en |
dc.contributor.laitos | Informaatioteknologia | fi |
dc.contributor.laitos | Information Technology | en |
dc.contributor.yliopisto | Jyväskylän yliopisto | fi |
dc.contributor.yliopisto | University of Jyväskylä | en |
dc.contributor.oppiaine | Tietojenkäsittelytiede | fi |
dc.contributor.oppiaine | Computer Science | en |
dc.rights.copyright | Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty. | fi |
dc.rights.copyright | This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited. | en |
dc.type.publication | masterThesis | |
dc.contributor.oppiainekoodi | 601 | |
dc.subject.yso | vaatimustenmukaisuus | |
dc.subject.yso | tietoturva | |
dc.subject.yso | pilvipalvelut | |
dc.subject.yso | auditointi | |
dc.subject.yso | compliance with requirements | |
dc.subject.yso | data security | |
dc.subject.yso | cloud services | |
dc.subject.yso | auditing (evaluation) | |
dc.format.content | fulltext | |
dc.type.okm | G2 | |