· Involve audit early in the process of selecting a service provider to ensure that internal and audit assurance activities meeting requirements for good governance
· Verify the extent and nature of assurance tests that are permitted for subscribers.
· Complete a comprehensive due-diligence of the supplier and supplier capabilities
· Carefully examine the true cost of IT services in comparison to cloud provided services maximizing on total value
· Balance cost with functionality, resiliency, and business value
· Service levels should document key business functional and technical requirements for cloud computing
· Service level agreements should be equitable to both the supplier and the user.
· Understand the needs and internal external environment
· Periodically revisit service priorities and requirements to ensure they are consistent with SLA agreements
Operational Procedures and Processes
· Business processes activities and flows should be revised to maximize benefit from cloud services.
· The transition to cloud computing should be used as an opportunity to restructure business processes and IT service management to bring value
· Endeavor to exceed value expectations
Policies Procedures and Standards
· Consider the implications of cloud computing on business unit, security and IT policies, processes, and procedures.
· Cloud transition and adoption should be treated as a strategic business decision
· Align business strategy and goals with technology delivery strategies
· Ensure service provider management as part of the cloud strategy
· Consider the organizational culture and changes that may be required to address cloud computing
· Make an informed business decision by considering business and operational needs and the benefits that will be provided by cloud computing
· Understand the business need for migrating your IT to the cloud. Confirm how cloud computing would support the organization's business strategy and objectives before engaging in it
· Look beyond cost savings by considering the full benefits of what cloud services and support can provide to the organization and how the integration with existing business process and support services can result in greater value.
· Consider technical and operational risks when considering a transition to the cloud
· Threat/ risk determinations should be based on relevant factors affecting the assets and should consider relevant factors such as data location
· Ensure that IT Controls/risk assessments are performed by service providers. Supplement their assessment activities with additional procedures performed by security or audit to ensure compliance to agreement requirements
· Results from independent audits of cloud provider environments should be performed on a regular basis and shared with users. The results of these audits should be incorporated into audit plans. Additional procedures and information should be performed as required to provide assurance for board and executive management.
· Critical aspects of cloud services should be monitored and tested on a continuous basis.
· Ensure that a thorough risk assessment is completed before migrating services to the cloud
· In the event of an incident verify the measures that suppliers will undertake to investigate the incident and to recover and preserve evidence.
· Classify data, infrastructure, applications on cloud with appropriate parameters and rate them based on their criticality/ business need.
· Address data location requirements and arrangement. Ask suppliers to disclose locations potentially used for processing and storing sensitive data
· Understand your data and security, privacy and availability needs and how these will be impacted by placement in the cloud.
· Evaluate provider capabilities to meet continuity of service requirements.
· Ensure data is not co-mingled in offsite storage or back up facility
· Consider requirements for future growth and the ability of service providers to meet growth demands
· Fully document and test business continuity and disaster recovery plans and the coordination of plans with service providers.
· Coordinate planning to address how events that can lead to incidents can be identified and communicated and how incident response activities will be coordinated
· Develop a Blackout Plan to address situations where problems arise that cannot be corrected and service disruptions or quality of service is threatened.
· Ensure that support by knowledgeable and capable professionals is available to support business needs.
Responsibilities and Accountabilities
· Clearly define internal and service provider responsibilities and accountabilities to ensure that these meet business requirements
· Ensure that capacity requirements are well established and service providers have the capability to meet expectations
· Ensure processes are in place for timely breach notification
· Ensure that service provider staff is qualified and certified and that sufficient numbers of staff are available to support business requirements
· Develop procedures for process integration between internal IT, business unit, provider IT and support personnel.
· Ensure that service provider management understand what they are accountable for and that they can meet these accountabilities
Regulatory and Legal Environment
· Understand the legal landscape of the organization. Knowing the regulations that apply to the organization can help assess what information can go to the cloud vs. what needs to stay behind the firewalls of the organization
· Comply with regulatory and legal requirements and understand how regulations in service provide jurisdiction will impact you
Service and Infrastructure Robustness
· Ensure that infrastructure and service deliver testing provided by service providers are comprehensive and fully documented
· Work towards continuous improvement of services
· Work towards seamless integration in support of business processes
· Consider plans for moving to another cloud provider or ending a cloud provider service arrangement.
· Develop plans for ending service provider service arrangements in particular to address sensitive data recovery or deletion.
· Ensure that service provider processes and procedures and staffing are adequate to maintain the technical environment.
· Ensure service provider can demonstrate that personnel understand information security requirements and are capable of discharging their protection responsibilities.
· Ensure that internal staff has the skill and expertise to coordinate activities with cloud providers and that they are engaged in cloud service acquisition and management.
· Service agreements should include all significant aspects of the business relationship and requirements for service including privacy and security considerations.
· Define business and technology related KGI's, KPI's. Establish a continuous monitoring program to ensure expectations are consistently met.
· Engage all relevant parties in developing and approving a service level agreement for cloud services.
· Recognize that large infrastructure providers may be less flexible in structure an SLA that meets specific organization requirements
· Require timely reports of actual performance promoting the transparency of cloud services
· Understand access management needs for the supplier and customer and ensure that proper monitoring and reporting capabilities are available and access decisions are enforced under normal and exceptional conditions.