Continuous auditing is the breakthrough needed to improve assurance, transparency and trust in cloud services
Date: 8 October 2019
Location: Fraunhofer Institute FOKUS, Berlin
This workshop revolves around the EU-SEC approach for adopting a Continuous Auditing Based Certification scheme for Cloud Services. The workshop will include a demo and hands-on session showing the pilot architecture modules and functionalities for end-users and auditors.
Third-party audits and certifications have become the most effective solution to increase the level of trust in the reliability of security and privacy measures implemented by cloud service providers (CSPs). Such audits are traditionally performed annually or bi-annually, which means that whenever interim changes are made to security and privacy practices, these amendments go unaudited until the next official check. This creates gaps in assurance during the periods in which no audits are conducted. While this may be an acceptable risk for some cloud customers, for others, these assurance gaps remain a strong barrier to cloud adoption.
The EU-SEC project is developing a process that will bring continuous assurance by addressing the lack of regularity and proactivity of traditional “point-in-time” certifications. The method developed for this is called Continuous Auditing Based Certification. By using technology to monitor and flag non-compliant activity on an ongoing basis, continuous auditing delivers an enhancement to traditional certification. It increases the assessment frequency via a continuous workflow. State-of-the-art security monitoring systems supervise the IT security status by collecting data from the CSP’s information system. This collected data is further assessed and used as the basis for continuous auditing.
Attendee profile/learning level
Intermediate – Delegate has a working knowledge of the topic covered but is not yet an advanced practitioner. Intermediate sessions are geared toward delegates who have some competence in the subject under discussion resulting from prior training, education and/or work experience.
Learning objectives
In this workshop, attendees will acquire a theoretical understanding of, and practical implementation tips on:
- The purpose and objectives of Continuous Auditing Based Certification (CABC).
- The CABC life-cycle and its processes.
- The business drivers for and benefits of the adoption of CABC.
- How to use the CABC in real life (with dedicated tips for the different target audiences, i.e. CSPs, Customers, Auditors & Consultants, and scheme owners & regulators).
