Evidence in cloud security compliance: towards a meta-evaluation framework

Recently the trend of outsourcing IT services into cloud environments as opposed to traditional locally administrated services has been on the rise. This transition enables great cost savings through service flexibility for the customer. As a byproduct, the need for the cloud security custome...


Bibliographic Details
Main Author: Hentula, Antti
Other Authors: Informaatioteknologian tiedekunta, Faculty of Information Technology, Informaatioteknologia, Information Technology, Jyväskylän yliopisto, University of Jyväskylä
Format: Master's thesis
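Language: eng
Published: 2019
Subjects: assurance; evidence evaluation; frameworks; cloud security; information security management systems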
Online Access: https://jyx.jyu.fi/handle/123456789/66664
Description: Recently the trend of outsourcing IT services into cloud environments as opposed to traditional locally administrated services has been on the rise. This transition enables great cost savings through service flexibility for the customer. As a byproduct, the need for the cloud security customers to assure that the service being considered or used meets the needs to provide appropriate security to protect customer data presents formerly inexistent compliance challenges. To provide transparency and trust between cloud security customer and service provider, several new standards and frameworks have emerged to provide trust by assuring that a set of safeguards demanded by a respective standard is in place. The standards provide a set of controls, requirements that must be met to receive an official certification or a third-party attestation. The compliance against the controls must be verified by providing evidence to an auditor. This is followed by the auditor's decision of whether the requirements are in place or not. The problem with a host of existing standards and frameworks suitable for auditing cloud security is that the process of evidence evaluation is not described in detail or at all. As of now, the evidence evaluation in many standards is left to the professional judgement of the auditor. Auditors are prone to human errors, such as biased decision-making, in the absence of standardized guidelines. The objective for the master's thesis is to study the quality requirements for scientific evidence and find out if the qualities are applicable and transferable over to cloud security audit evidence evaluation. The discovered applicable qualities will be conceptualized into a checklist, a meta-evaluation tool to assist both the auditor and the auditee in the evaluation decision-making process. The conclusions may assist the auditee in providing the auditor quality evidence, and the auditor will be able to review the evidence from sufficiency and appropriateness points of view. In other words, the objective is to study what the professional judgement of the auditor should consist of; what qualities must cloud security compliance assessment evidence consist of.
Advisor: Soliman, Wael
Discipline: Tietojenkäsittelytiede (Computer Science)
Keywords (YSO): compliance with requirements; data security; cloud services; auditing (evaluation)
Extent: 77
File format: application/pdf
Rights: In Copyright (https://rightsstatements.org/page/InC/1.0/)
Access level: openAccess
Full text (PDF): https://jyx.jyu.fi/bitstreams/edfd4d80-8c29-446b-9206-6d26d36378bf/download
URN: http://www.urn.fi/URN:NBN:fi:jyu-201912055136