All right, let's move on to talking about audit,
and audit is essential. When we talk about auditing, we're talking about assurance; that's usually a term that goes hand in hand with auditing. We may have internal audits and external audits and a combination of the three, right? But what we're looking for is to get assurance from an unbiased party
that the processes that are in place are being followed and that they're effective. Now, a specific type of audit report that does come up on the exam is the SOC reports, service organizational controls, specifically looking at SOC 1, 2 and 3.
So the big thing to remember, you know, just cutting to the chase, from a testable standpoint: SOC 1 is going to give me financial details. All right, so service organizational controls, these are the audit documents that we can review
when we're looking at a service provider, so, for instance, our cloud service provider.
So a SOC 1 document is just gonna tell us their financials. That's not really gonna be relevant to us as far as this test goes. More information about their controls to protect confidentiality, integrity and availability? Well, that comes in SOC 2. But the problem with SOC 2
is that that is only for customers of the service provider. And when that information is divulged, that customer usually has to sign a non-disclosure agreement. So that's not publicly available. SOC 3s,
however, are publicly available and would give us information on security controls for the CIA triad. So I think maybe on the exam you're
looking at various cloud service providers, you're looking for third-party assurance in relation to their security controls. Which document would you use? SOC 3 would be the document that you use. Okay.
Um, now, as far as our audit goes, I mentioned third-party audit. You know, the cloud service provider can share their internal audits? Absolutely. But there are some other elements, for instance, the Cloud Trust Protocol. I haven't heard of this being on the exam,
but, you know, it's important to understand.
So basically, the Cloud Trust Protocol is a set of practices designed to configure a trust between the cloud service provider and the cloud customer, ultimately letting there be transparency between the two so that the cloud customer can have that assurance,
access to independently, meaning on their end, verify the cloud service provider's processes.
Now the CSA STAR, Cloud Security Alliance, probably worth a question: their Security, Trust and Assurance Registry. In this registry, assurance processes: this is the third-party audit that's essentially going to verify
or evaluate a cloud service provider's adherence to their service level agreements.
So this really is one of the defining elements of third-party assurance, and this isn't just bound to data center operations, but it would certainly include data center operations as well.
All right, now, vendor management. Vendor management is something we all have to do. Our cloud service provider will be a vendor. They'll have vendors. They'll have contractors and subcontractors and so on and so forth.
So in going back to this idea of the STAR registry, there are various elements of assessment: level 1, 2 and 3. So self-assessment;
attestation basically is between the Cloud Security Alliance and AICPA, making sure that the CSPs are providing the degree, again, of security that is required; ongoing monitoring,
it means exactly what it says: it is continuously
publishing their practices, continuously assessed, in order to provide the greatest degree of assurance to customers, we'll say that.
All right, contract management, that's all third-party governance. And we've talked about third-party governance before: how we have to determine the types of contracts, how we have to determine what our contractual requirements should be in the service level agreement,
how we're gonna test and verify that the service level requirements are met.
You know, all of those same elements we've talked about: performance requirements. How is business continuity handled? Incident response? How often do we have the right to audit? How do we ensure regulatory compliance? Right?
All that contract management falls under third-party governance.
Supply chain: we evaluate the associated risks with the elements that are brought into our cloud service provider or our on-premise
organization, just being aware that a chain is only as strong as its weakest link, right? And our providers that supply equipment,
software, hardware, firmware, whatever that may be, would fall under supply chain management.