Continuous Audit of SaaS Solutions for the Public Sector

• Provide a high level of automation to the current audit process of a SaaS provider in alignment to the EU CSA, with particular focus on continuous audit-based certification. 

At the state of practice, for a good number of requirements in current certification schemes (e.g., BSI C5, SOC2, ISO 20017, etc.), several CSPs already collect evidence automatically by using monitoring tools, log files, internal versioning and the likes. However, this generated evidence cannot, to date, be evaluated and audited automatically (continuously) due to the lack of standardized processes and tool chains.
Furthermore, there is no clear definition of what “real evidence” is (i.e., evidence that auditors consider trustworthy for certification purposes), when it is automatically produced. Severing this problem is the fact that requirements of certification schemes change over time (more rapidly than slowly), and the effort to translate them into technical implementations for automatic collection of evidence is too expensive for most European CSPs.

Application where MEDINA will be used:
This SaaS Use Case will follow and validate the MEDINA’s cloud security certificate life-cycle by making use of the risk-based auditor tool:

• Set the scope of the desired continuous audit process for the SaaS provider
• Continuously collect and evaluate evidence from a holistic perspective 
• Monitor continuous compliance within the SaaS provider

Expected benefits/ improvements using MEDINA tools

• A standardized way to technically approach the requirements of a compliance scheme.
• A framework and working language to translate requirements into automatically observable controls.
• Ultimately reducing the operation workload for developers and technical staff related to certification processes.