Week 3 Cloud Governance and Risk

Over the last two weeks we have gained a better idea of what cloud computing is. Last week we explored cloud computing and organization strategy. This week we will explore cloud and risk management.

Some ideas that have been presented by our colleagues are that organizations will obtain the benefits they expect if they have a mature governance structure. Cloud is no different from any other technology deployment. Organizations can adapt to technology and business change if there is a clear strategy, a structure of policies and standards, clear responsibilities and accountabilities, and an integrated approach to risk management that accounts for operational and technical risks.

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk? Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organizations? Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

Comments

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?

Positive aspects
1. For organizations at a low maturity level, adoption of cloud computing will bring benefits.
2. Risks from operational mistakes will decrease.

Negative aspects
1. "Black box" areas will increase. So, without updating operational and technical risk management procedures, the level of management will drop.
2. If a user is utilizing both cloud computing and existing systems, risk management becomes more complicated.

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organizations?

1. Without a SWOT analysis, appropriate business process re-engineering and updated roles and responsibilities, security and audit professionals will not be able to perform their roles and responsibilities appropriately.
2.

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

It depends on communication between providers and users, and on contracts and SLAs:
    - good communication will bring benefits for both
    - timely updates of contracts and SLAs will be necessary
Masatoshi Kajimoto, CISA, CRISC at 5/29/2011 9:54:04 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk? Let's talk in terms of impact only (positive/negative, we will see later).

In practice, I see, more and more, business and operational managers contracting cloud services and products, bypassing the traditional structured IT governance process, very often a "mature" governance process. Why? In part because of its ubiquity, highly available nature, and sometimes very cheap conditions, at least up front. Employees, departments, and companies are very often using cloud computing even without explicit awareness of it. In how many cases are companies using web services such as email, document storage, customer satisfaction surveys, quality surveys, web page hosting, and others? Human resources functions hiring help for career management or hiring processes. Procurement departments utilizing payment processing services, etc.

No minor issue also is that very often these "decentralized" IT managers can procure this kind of service within the operational expenses rules of the company (opex), and not necessarily under capital expenditures (capex). Consequently, probably under less rigor in terms of IT governance, information security, service and quality management rules.

I can see here some potential negative impact in the long term because of lack of governance, but also positive impact in the short term for the hiring managers in terms of availability of solutions, agility, costs and functionality.

Fernando
fnikitin at 5/30/2011 8:07:50 AM

RE: Week 3 Cloud Governance and Risk

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

The answer to this question is far from the level of comfort that many of us can expect! While IT outsourcing introduces inherent risks that companies need to manage with particular care, this new modality of IT services and products called cloud computing is a very powerful marketing tool for IT vendors, is the vehicle for "extreme" IT outsourcing, and, why not, sometimes for inadvertent "off-shoring".

Now, if you have one of these roles in charge of "providing assurance" (internal audit, external audit, regulators, audit committee, risk management, compliance, ...) you are facing a serious challenge! There is a substantial delay between the market for cloud computing and the level of development of regulations, rules, and professional standards on this subject. You may know that there are some efforts to upgrade SAS 70 to the new SSAE 16, which, while remaining essentially the same, is largely insufficient to provide reasonable assurance. I am not aware of any better applicable standard.

There are enough cases of failure in IT outsourcing arrangements that provide lessons learned that can be extrapolated to cloud computing. Examples that come to my mind include World Bank vs Satyam, Banco Nacion-Argentina vs IBM, etc, etc, ...

Fernando
fnikitin at 5/30/2011 8:32:07 AM

RE: Week 3 Cloud Governance and Risk

Impact on the management of operational / technical issues?

For sure, there is going to be an impact on the ability of organizations to manage risks. And the effect will be positive or negative depending on the provider the organization chooses. Nevertheless, there are plenty of factors with opposite effects, so it is very difficult to say in advance if the net effect is going to be positive or negative. For example, it is more probable that the provider becomes a target of the bad boys, because of the concentration of information they manage, than a single organization; but in the same way, we should expect the provider to be more able to manage attacks, because of their size, their resources and their specific focus on IT services.

But, I agree with Masatoshi, small companies are going to have better risk management capacity using cloud computing.

Ability of security / audit professionals to protect the organization?

Here, I agree with Fernando: if using cloud computing means forgetting about the governance process adopted by the company, the capacity of these professionals to protect the organization is going to be less; but if the organization keeps its governance process, there should be no reduction in the ability of these professionals to protect their organizations.

Better understanding of risks because of reliance on service providers?

In my opinion, using cloud computing means exchanging a lot of assets, with their threats, security controls, etc., for a bundle called "service risk", which is related to the risk of the service not being provided by the service provider (in the same way as happens in the supply chain).

And, these days, there is a lack of mechanisms that help clients have better information about service risks (SAS 70 audits are nice, but expensive and time-consuming). We will need additional mechanisms (like, for example, a rating) for knowing about the risk of the service provided in cloud computing "style".

Antonio.
Antonio Ramos at 5/30/2011 11:58:43 AM

RE: Week 3 Cloud Governance and Risk

Cloud computing is not bad in itself, but organizations may use pockets of services on the cloud based on their own risk assessment of what is exposed on the cloud and the impact. This would vary from business to business, service to service and for any combinations thereof. Risk assessment would need to be performed keeping in mind what service/business is in the context, the sensitive and other data in question, governing business rules and regulations, and what is the acceptable risk the organization in question is willing to accept.

I think reduced costs and quicker deployments are not a new thing, as this has always been impacting the auditors and security managers for many technology deployments; however, at the end of the day it all comes down to the governance structure and management style, how they look at auditors and security managers and how the whole process is managed, taking risk management as part of the whole process. If a specific organization doesn't respect auditors'/security managers' opinion for deploying any technology, why would they care for cloud computing deployments?

Accountability would never be transferred in case of cloud computing services and so accountability for the risks would still be with the organisation who make the decision to go with the cloud service provider(s) and again this is not much different than any outsourcing agreements.
SKA at 5/30/2011 2:18:20 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?

I don't think there is any black and white answer to this. The risk impact will depend on a lot of factors. We all know that, given the increasing magnitude of GRC challenges in any organization, there is immense due diligence/work required to keep operational and technical risk under control. Many organizations are still struggling with it even with an in-house IT department. Now, with the adoption of cloud, we need to revisit those security and risk related questions in the cloud context. ENISA and CSA have published some useful guidance regarding risk considerations for cloud adoption, and much of it is common sense or conventional risk management anyway. Thus it is not easy (or fair) to answer yes or no to the question of the risk impact of cloud, because it totally depends on what answers organizations get when they do soul searching with respect to risk management, whether it's in-house IT or in the cloud. For example, given the obvious advantages, many organizations have already outsourced their IT functions to service providers. And if they have managed to keep the technology and operational risks under control, then cloud is the logical next step of outsourcing for them. Of course that requires further risk assessment and mitigation efforts to continue to keep operational risks in control.

As with any new technology there are risks and challenges of adoption and the possibility that, due to lack of experience and unforeseen challenges, things do not go as planned. But the impact of these known/unknown risks could be minimized by having an effective governance strategy and planning in place. Having a viable cloud adoption strategy can minimize the negative risk impact to a great extent. It typically involves:
1. Identifying stakeholders and objectives of adopting cloud computing.
2. Determining organizational impact by carrying out application assessment and business impact analysis.
3. A thorough vendor selection process once the migration strategy is defined.
4. Managing liabilities and residual risk through contracts and an exit strategy.
5. Operationalizing cloud technology by making management principles part of everyday operations.
Thus I believe that by careful planning and a systematic execution process, organizations can avoid the pitfalls of blindly adopting cloud technology and also avoid losing out on the benefits of cloud technology by alienating cloud computing.

Regards,

Subodh
CISA, CISM, CRISC, CISSP, CSSLP, ISO27001.

Subodh at 5/30/2011 3:12:00 PM

RE: Week 3 Cloud Governance and Risk

In each discussion we need to have clear terms. For instance, "moving a service to the Cloud": is an internal or external Cloud referred to? If external, is it public or private? This simple language issue, I think, leads to the first risk: lack of clarity. Every process or control aspect of the management of the service or the data that is unknown is a vulnerability. Every known process or control weakness is a risk.

The next risk is that in moving any service from one delivery model to another, time and resources are consumed without necessarily producing new business value (it's the same service, in a new delivery model). A lot of effort will go to the transition, and usually insufficient attention will go to the management of the service. Management weaknesses (as above) are vulnerabilities and risks.

Risk mitigation should include knowing the supplier's policies on all management practices, including, for instance, data security and privacy, before using their services. I think you have to think in terms of "governance of process activities performed by a third party". This means not only defining management system requirements, but knowing how you will monitor, evaluate and direct improvements to the management system. If an incident occurs, how will that be handled? How does that integrate into your incident handling process? When changes are made, how do you participate in the decision making and at least be sure you are prepared for changes that impact other systems or services? Are there really "autonomous services"? I think all services have service-to-service, service-to-system and service-to-supplier dependencies that must be known and managed. For information risk, I think you should at least understand supplier policies related to:

  •          Privileged user access: roles with specialized access to data and the hiring and management practices related to these administrators
  •          Regulatory compliance: willingness and past performance related to external audits and/or security certifications
  •          Data location: is there any control over the location of data
  •          Data segregation: is encryption available at all stages and are "encryption schemes designed and tested by experienced professionals"
  •          Recovery: what will happen to data in the case of a disaster; do they offer complete restoration and, if so, how long that would take
  •          Investigative support: supplier ability to investigate inappropriate or illegal activity
  •          Long-term viability: what will happen to data if the supplier goes out of business; how will data be returned and in what format

In practice, check by asking to get back old data and see how long it takes, and that the checksums match the original data. Another option is to encrypt the data yourself. If you encrypt the data using a trusted algorithm, then regardless of the service provider's security and encryption policies, the data will only be accessible with the decryption keys. This leads to a follow-on problem: managing private keys in a pay-on-demand computing infrastructure.

Document your assumptions about management processes and controls. Most of these new cloud offerings are raw infrastructures and platforms that do not have great management capabilities.

Bill Powell at 5/31/2011 8:03:42 AM
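The "ask for your old data back and check the checksums" test described in the post above, as an added example that is not part of the original post or of any provider's tooling. It assumes a hypothetical hand-over model in which objects are given to the provider as (name, bytes) pairs and the tenant keeps a manifest of SHA-256 digests, MAC'd with a key the provider never sees, so that neither a returned object nor the manifest itself can be altered without the tenant noticing. The sample objects and the "returned" set are constructed for the example.

```python
"""Added example (not from the original post): verify that data returned by a
cloud provider matches what was handed over, using a client-held manifest.

Assumptions (hypothetical, not described on the page):
  - objects are handed to the provider as (name, bytes) pairs;
  - the tenant keeps a manifest of SHA-256 digests, MAC'd with a key the
    provider never sees, so neither a returned object nor the manifest
    itself can be silently altered.
"""
import hashlib
import hmac
import json
from typing import Dict

# Client-held secret for the manifest MAC; constructed for this example only.
MANIFEST_KEY = b"tenant-manifest-key-example-only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests: Dict[str, str]) -> bytes:
    # Deterministic encoding so the MAC is reproducible at verification time.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(objects: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> bytes:
    """Return a JSON manifest {digests: {name: sha256}, mac: hmac-sha256}.

    The manifest stays with the tenant; it is never stored only at the provider."""
    digests = {name: sha256_hex(blob) for name, blob in objects.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return json.dumps({"digests": digests, "mac": tag}).encode()


def verify_return(manifest: bytes, returned: Dict[str, bytes],
                  key: bytes = MANIFEST_KEY) -> Dict[str, list]:
    """Compare objects returned by the provider against the tenant's manifest.

    Returns a report with keys ok / modified / missing / extra.
    Raises ValueError if the manifest MAC does not verify (manifest tampered
    with, or wrong key), so a forged manifest cannot "approve" altered data."""
    doc = json.loads(manifest)
    digests = doc["digests"]
    expected = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("manifest MAC mismatch")
    report: Dict[str, list] = {"ok": [], "modified": [], "missing": [], "extra": []}
    for name, digest in sorted(digests.items()):
        if name not in returned:
            report["missing"].append(name)
        elif sha256_hex(returned[name]) != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["extra"] = sorted(set(returned) - set(digests))
    return report


# Constructed sample: what the tenant handed over ...
ORIGINAL = {
    "ledger-2011-05.csv": b"acct,amount\n1001,250.00\n1002,-75.50\n",
    "policy.pdf": b"%PDF-1.4 placeholder bytes",
    "keys/readme.txt": b"rotate quarterly",
}
# ... and what came back on the "give me my old data back" test: one object
# silently altered, one missing, and one extra file nobody asked for.
RETURNED = {
    "ledger-2011-05.csv": b"acct,amount\n1001,250.00\n1002,-75.50\n",
    "policy.pdf": b"%PDF-1.4 placeholder bytes (re-rendered by provider)",
    "provider-export-log.txt": b"exported 3 objects",
}


def demo() -> Dict[str, list]:
    manifest = build_manifest(ORIGINAL)
    return verify_return(manifest, RETURNED)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report flags `policy.pdf` as modified, `keys/readme.txt` as missing and `provider-export-log.txt` as extra; only the ledger comes back intact. The MAC over the manifest matters because a manifest stored alongside the data at the provider could be rewritten to match altered objects; keeping the key on the tenant side is the same key-management problem the post raises for client-side encryption, only with a much smaller secret to protect.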

RE: Week 3 Cloud Governance and Risk

My take on Cloud is that it will be much harder for the risk and security professionals to conduct their oversight role. 

The primary reason for this is that it is so easy for individuals to enter into Cloud-based services that bypass the normal governance processes - especially for smaller Cloud arrangements with online billing that can be paid by credit card. I'm already seeing pressure from individual business managers that have been enticed by promises of 'reduced costs', 'fast provisioning' etc. While governance processes can catch some of these it is very difficult to be sure they are catching them all. 

Aspects such as concentration risk, continuity issues and compliance risk (e.g. geographic data protection constraints etc.) are easily overlooked by the individual business areas and the risk and security professionals can end up with an incomplete picture of the true overall risk position.

In summary, I think that while it is possible to improve governance through the use of Cloud when approached strategically, the risk presented by small tactical Cloud deployments is much more difficult to measure and control. The governance personnel are going to have to be even more pro-active than normal to be effective and to manage the proliferation of tactical Cloud deployments.  
RGN01 at 5/31/2011 2:02:18 PM

RE: Week 3 Cloud Governance and Risk

From what I have experienced, organizations that currently struggle with managing operational and technical risks will be negatively impacted by the adoption of cloud computing. Today they don't understand the risks they have, or perhaps poorly manage those risks. Transferring risks, even those risks that are not understood, to a cloud provider will only increase the likelihood and occurrence of those risks if they are not managed.

Organizations that drive for quick wins in the cloud, or reduced costs, will likely impact the ability of security and audit professionals to protect the organization, particularly if they are excluded from the decision-making aspects of selecting and monitoring the provider.

In my opinion, if the business side of the house assumes that the cloud solution will provide a better understanding of what the risks are for their business, they may learn early on that the cloud provider doesn't understand what the risks are for the operation and technology of the user, unless there is a great deal of due diligence prior to transferring those risks.


RE: Week 3 Cloud Governance and Risk

Looking at Cloud Risk Management through the lens of the Risk IT Framework, I would start by discussing the risk appetite and risk tolerance of the typical Cloud Computing client, which has to be prepared to make risk-aware business decisions on the Cloud. COSO ERM can be very helpful for this. This block would set the scope of the Cloud Computing Risk Governance.

Next, I would discuss Risk Scenarios. The Risk IT Framework recommends breaking these scenarios in two: Top-down Scenario Identification (Business Objectives) and Bottom-up Scenario Identification (Generic Risk Scenarios). Then, for each Risk Scenario I would estimate its components: Event, Threat Type, Actor, Asset/Resource and Time. After that, these Risk Scenarios should be weighted with the so-called Risk Factors.

Finally, I would discuss Risk Response Selection and Prioritisation, Risk Avoidance and Key Risk Indicators.

In my opinion, the Risk IT Framework can help us in the discussion of Cloud Computing Risk Management, providing a structured and ordered approach "to cover all the bases" on this topic.
Souza Neto at 6/1/2011 2:31:37 PM

RE: Week 3 Cloud Governance and Risk

I think that companies need to know the real risk that this kind of service can generate. I agree with Souza Neto, because risk appetite and risk tolerance are very important, as is a good methodology to control the different situations they can have.

Cloud computing generates many kinds of risk, for example:
1.       Suppliers: all about the maturity of suppliers. It is important because you have to choose the best supplier to have the best service. In this topic, you can include all risks about experience, reputation, relations with third parties, sustainability, availability and follow-up.

2.       Low experience or low knowledge of suppliers. In this case, you need to know how they carry out their activities, what their architecture is, what their policies are and what their control environment is.

3.       Another group of risks is associated with levels of service or SLAs. These risks can be controlled by formal agreements and good follow-up.

4.       Problems with the information processed; these risks need continuity planning, backups, a formal system to respond to incidents, and recovery planning. Normally this group is associated with the importance of the information. You need to classify information assets.

All things like this need controls to mitigate the consequences.

Jpvargas at 6/1/2011 3:55:36 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?  
This all depends on the organization's approach to cloud computing. If the organization has the opinion that the cloud vendor has "taken care of everything", as some of them do, it will negatively impact their ability to manage operational and technical risk. Too many organizations feel that when they outsource something they can transfer the liability or the onus of performing. They wash their hands, so to speak. If they additionally do not have a good contract, i.e. one that has some granularity to it regarding capabilities and deliverables, they further put themselves in a position of greater risk. If, however, on the other hand, an organization takes a disciplined, methodical and granular approach to the contract and the implementation, it can positively impact their ability to manage risks, giving their staff more time to concentrate on activities that provide more value to the organization.

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organizations?  
Again, depending on the organization's attitude and why they are outsourcing, same answer as above.

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?
It shouldn't change the understanding of the risks, it may add or eliminate a specific risk, but the business risks should focus on protection of the asset, the data itself.  The approach to managing the risks might be different.
Mary Siero at 6/2/2011 12:48:09 PM

RE: Week 3 Cloud Governance and Risk

Some great points have been shared with the group this week. Here is a short list of highlights.

  • Smaller organizations will benefit most from cloud computing because of the increased maturity that providers will bring to solutions. SME organizations should experience fewer operational errors as a result of the increased capability provided in the shared cloud environment.
  • Cloud computing could be seen as a black box, since operational processes and risk management may not be totally transparent to tenants.
  • Organizations will need to revisit RACI charts to ensure that responsibilities and accountabilities are clearly defined and accepted, to account for the sharing of responsibility between tenants and providers and the need for closer process integration.
  • Because of the possible complexity of cloud solutions and the potential for cloud services to be provided as a black box, tenants may have to rely on provider communications to understand the governance and control environment.
  • Risk in cloud computing may be greater from an operational risk standpoint because cloud decisions, such as procurement decisions, may fall below traditional governance trigger points. Cloud decisions may not be subjected to more stringent review and approval as a result.
  • Cloud tenants may rely on cloud service level agreements to ensure that services meet business unit expectations. Cloud providers may not offer an opportunity for tenants to structure individual SLAs. Instead, tenants may only be able to accept standard terms and conditions which are common to all subscribers.
  • Cloud providers currently lack an acceptable mechanism for providing assurance to tenants.
  • The risk of adopting cloud services will be minimized for organizations that have an established governance structure that addresses strategy alignment, value creation, and responsibilities and accountabilities.
  • Cloud computing may be less a matter of governance of IT and more one of governance of processes performed by a third party.
  • The separation between tenant and supplier, and the lack of knowledge by providers of user operational and technical risk management requirements and processes, can increase the level of risk for tenants.
  • Business units need a structured and ordered approach to cloud computing to ensure that critical technical and business issues are identified and solved.
Ron Hale Ph.D. CISM at 6/3/2011 12:53:44 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing positively or negatively impact the ability of organisations to manage operational or technical risk?

I think the question puts things in a wrong order. You need to have certain capabilities regarding the management of operational or technical risks before you introduce cloud computing. I would compare this with a driving licence. You need the licence and some practical experiences before you go and buy or drive a car. So I think one of the next questions should explore what capabilities we need to run cloud computing in a professional way.

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organisations?

The drive for quicker deployment and reduced costs does not impact the ability of security and audit professionals to protect the organisation, but sets the bar much higher to convince the accountable business managers. In the good old days, when time and budget seemed to be unlimited, the argument that something is needed for security reasons was completely sufficient to spend more money or time. But, for example in my industry (utilities), those times are gone, and for almost 10 years there has been an increasing demand to convince business managers that something is really necessary. That means that security investments also have to come with a positive business case, to apply the appropriate level of security and not the highest possible one. And even more, sometimes we have to learn that, from an economic point of view, taking a risk is sometimes more beneficial than spending much money to mitigate it.


Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

I think there is no difference compared to today. Today, too, most organisations work with service providers and just do not call it a cloud service. Starting from that point, I would wonder where a substantial difference from cloud services should come from.
Michael.Semrau at 6/3/2011 1:27:15 PM

RE: Week 3 Cloud Governance and Risk

Cloud computing definitely changes the way of approaching risk and of facing this new challenge in technological risk assessment. In my opinion, separate evaluations of strategic risk and operational risk are required. Cloud computing generally places businesses between the benefit of reduced costs and a likely increase in the risk managed in several aspects of its services. Security and audit professionals must rethink their approach to provide effective accompaniment to the organization at the time of taking the decision to be a consumer of that service. The success of good governance of cloud computing will be more likely in an organization with a strong risk management culture among all its collaborators.
Romulo Lomparte at 6/5/2011 11:15:12 PM

RE: Week 3 Cloud Governance and Risk

I am taking this discussion from another viewpoint, the developing trend among service providers of aligning their new engagement model with the organisation's Cloud Governance and Risk Management strategy. The culmination of cloud solution complexity, market fragmentation, and rapid growth is resulting in one significant trend across nearly all service providers: they all want to become cloud brokers or orchestrators. This means they will offer some or all of the following services to meet growing client demand for Cloud Governance and risk management services.

·        Risk mitigation. Providers are aiming to reduce risk in several ways. First, they may vet the viability of vendors in their ecosystem through a combination of financial health checks and security audits, including visits to data centers and investigation of personnel requirements, encryption, and verification of certifications and standards compliance. Second, they may be able to mitigate risk by partnering with multiple firms in the same category, which means that they could potentially swap customers over to a replacement in the event of a SaaS failure or other negative event (pricing or service issues, for example).

·        Contract and SLA management. Providers can become a central point of contact and a "single throat to choke" for contract and SLA management, taking on risk and responsibility for uptime, performance, and contracts. This means simplification for many of today's sourcing and vendor management executives who are currently managing dozens of SaaS and cloud contracts, all with different contract terms and coming up for renewal on different cycles.

·        Ongoing service and support. Providers can offer help desk services and a single point of contact. This gives the advantage of familiarity with the client's business processes in addition to the SaaS technology, as well as familiarity with customizations and configurations that may be in place. In today's often fragmented multi-SaaS environments, this consolidated, centralized knowledge can be hard to come by, with multiple support relationships across multiple types of providers.

·        Upgrade management and testing. SaaS providers frequently release one to four major upgrades and numerous smaller upgrades per year. And many of them have started to offer sandbox environments or early access to upgrades to help with testing, now that their solutions have become more complex. Service providers can help with upgrade management and testing, much as they do in traditional packaged application spaces.

·        Billing and provisioning. Firms often sign up for SaaS because of the ability to scale users up or down as needs change. However, this can become complex (and expensive!) with single-sign-on limitations and multiple styles of pricing and consumption across different categories of SaaS technologies. Service providers can help simplify this process, often leveraging platform technologies (their own or from specialist providers like Aria Systems, eVapt, MetraTech, or Zuora) to help.

·        Integration. As SaaS proliferates across categories, integration can be one of the most expensive and time-consuming components of the SaaS life cycle. With an increasing number of SIs offering orchestration models, they are pre-building integrations for common scenarios (either with their own tools or using leading integration tools like Boomi, Cast Iron Systems, and Informatica, among others).

Reliance on service providers provides an aid, or a subset of an alternative strategy, for understanding what the risks to the business are, but it can't totally substitute for "Management Accountability", which has to be done internally.

Madhav Chablani at 6/6/2011 9:56:43 AM

RE: Week 3 Cloud Governance and Risk

I recommend reviewing the results of ISACA's 2011 IT Risk / Reward Barometer. There are sections about cloud computing.

http://www.isaca.org/Pages/Survey-Risk-Reward-Barometer.aspx

Romulo Lomparte (Social) at 6/6/2011 4:31:44 PM


RE: Week 3 Cloud Governance and Risk

I am taking this discussion from another viewpoint, on a developing trend with service providers: the alignment of their new engagement model with the organisation's Cloud Governance and Risk Management strategy. The culmination of cloud solution complexity, market fragmentation, and rapid growth is resulting in one significant trend across nearly all service providers: they all want to become cloud brokers or orchestrators. This means they will offer some or all of the following services to meet growing client demand for Cloud Governance and risk management services.

  • Risk mitigation. Providers are aiming to reduce risk in several ways. First, they may vet the viability of vendors in their ecosystem through a combination of financial health checks and security audits, including visits to data centers and investigation of personnel requirements, encryption, and verification of certifications and standards compliance. Second, they may be able to mitigate risk by partnering with multiple firms in the same category, which means that they could potentially swap customers over to a replacement in the event of a SaaS failure or other negative event (pricing or service issues, for example).

  • Contract and SLA management. Providers can become a central point of contact and a "single throat to choke" for contract and SLA management, taking on risk and responsibility for uptime, performance, and contracts. This means simplification for many of today's sourcing and vendor management executives who are currently managing dozens of SaaS and cloud contracts, all with different contract terms and coming up for renewal on different cycles.

  • Ongoing service and support. Providers can offer help desk services and a single point of contact. This gives the advantage of familiarity with the client's business processes in addition to the SaaS technology, as well as familiarity with customizations and configurations that may be in place. In today's often fragmented multi-SaaS environments, this consolidated, centralized knowledge can be hard to come by, with multiple support relationships across multiple types of providers.

  • Upgrade management and testing. SaaS providers frequently release one to four major upgrades and numerous smaller upgrades per year. And, many of them have started to offer sandbox environments or early access to upgrades to help with testing now that their solutions have become more complex. Service providers can help with upgrade management and testing, much as they do in traditional packaged application spaces.

  • Billing and provisioning. Firms often sign up for SaaS because of the ability to scale users up or down as needs change. However, this can become complex (and expensive!) with single-sign-on limitations and multiple styles of pricing and consumption across different categories of SaaS technologies. Service providers can help simplify this process, often leveraging platform technologies (their own or from specialist providers like Aria Systems, eVapt, MetraTech, or Zuora) to help.

  • Integration. As SaaS proliferates across categories, integration can be one of the most expensive and time-consuming components of the SaaS life cycle. With an increasing number of SIs offering orchestration models, they are pre-building integrations for common scenarios (either with their own tools or using leading integration tools like Boomi, Cast Iron Systems, and Informatica, among others).

Reliance on service providers provides an aid, or a subset of an alternative strategy, for understanding what the risks to the business are, but it can't totally substitute for "Management Accountability", which has to be done internally.

Madhav Chablani (Social) at 6/6/2011 9:56:43 AM

RE: Week 3 Cloud Governance and Risk

Cloud computing definitely changes the way of approaching risk and facing this new challenge in technological risk assessment. In my opinion, separate evaluations of strategic risk and operational risk are required. Cloud computing generally locates businesses between the benefit of reduced costs and a likely increase in risk managed in several aspects of its services. Security and audit professionals must rethink their application to fit an effective accompaniment to the organization at the time of taking the decision to be a consumer of that service. The success of good governance on cloud computing will be more likely in an organization with a strong risk management culture in all its collaborators.
Romulo Lomparte (Social) at 6/5/2011 11:15:12 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing positively or negatively impact the ability of organisations to manage operational or technical risk?

I think the question puts things in the wrong order. You need to have certain capabilities regarding the management of operational or technical risks before you introduce cloud computing. I would compare this with a driving licence. You need the licence and some practical experience before you go and buy or drive a car. So I think one of the next questions should explore what capabilities we need to run cloud computing in a professional way.

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organisations?

The drive for quicker deployment and reduced costs does not impact the ability of security and audit professionals to protect the organisation but sets the bar much higher to convince the accountable business managers. In the good old days, when time and budget seemed to be unlimited, the argument that something is needed for security reasons was completely sufficient to spend more money or time. But, for example in my industry (utilities), these times are gone and for almost 10 years there has been an increasing demand to convince business managers that something is really necessary. That means that security investments also have to come with a positive business case, to apply the appropriate level of security and not the highest possible one. And even more, sometimes we have to learn that from an economic point of view taking a risk is more beneficial than spending much money to mitigate it.


Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

I think there is no difference compared to today. Also today most organisations work with service providers and just do not call it a cloud service. Starting from that point, I would wonder where a substantial difference to cloud services should come from.
Michael.Semrau (Lively) at 6/3/2011 1:27:15 PM

RE: Week 3 Cloud Governance and Risk

Some great points have been shared with the group this week. Here is a short list of highlights.

  • Smaller organizations will benefit most from cloud computing because of the increased maturity that providers will bring to solutions. SME organizations should experience fewer operational errors as a result of the increased capability provided in the shared cloud environment.
  • Cloud computing could be seen as being a black box since operational processes and risk management may not be totally transparent to tenants.
  • Organizations will need to revisit RACI charts to ensure that responsibilities and accountabilities are clearly defined and accepted to account for the sharing of responsibility between tenants and providers and the need for closer process integration.
  • Because of the possible complexity of cloud solutions and the potential for cloud services to be provided as a black box, tenants may have to rely on provider communications to understand the governance and control environment.
  • Risk in cloud computing may be greater from an operational risk standpoint because cloud decisions such as procurement decisions may fall below traditional governance trigger points. Cloud decisions may not be subjected to more stringent review and approval as a result.
  • Cloud tenants may rely on cloud service level agreements to ensure that services meet business unit expectations. Cloud providers may not offer an opportunity for tenants to structure individual SLAs. Instead tenants may only be able to accept standard terms and conditions which are common to all subscribers.
  • Cloud providers currently lack an acceptable mechanism for providing assurance to tenants.
  • The risk of adopting cloud services will be minimized for organizations that have an established governance structure that addresses strategy alignment, value creation, and responsibilities and accountabilities.
  • Cloud computing may be less a matter of governance of IT and more governance of processes performed by a third party.
  • The separation between tenant and supplier and the lack of knowledge by providers of user operational and technical risk management requirements and processes can increase the level of risk for tenants.
  • Business units need a structured and ordered approach to cloud computing to ensure that critical technical and business issues are identified and solved.
Ron Hale Ph.D. CISM (Energizer) at 6/3/2011 12:53:44 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?  
This all depends on the organization's approach to cloud computing. If the organization has the opinion that the cloud vendor has "taken care of everything", as some of them do, it will negatively impact their ability to manage operational and technical risk. Too many organizations feel that when they outsource something they can transfer the liability or the onus of performing. They wash their hands, so to speak. If they additionally do not have a good contract, i.e. one that has some granularity to it regarding capabilities and deliverables, they further put themselves in a position of greater risk. If, on the other hand, an organization takes a disciplined, methodical and granular approach to the contract and the implementation, it can positively impact their ability to manage risks, giving their staff more time to concentrate on activities that provide more value to the organization.

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organizations?
Again, depending on the organization's attitude and why they are outsourcing, same answer as above.

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?
It shouldn't change the understanding of the risks; it may add or eliminate a specific risk, but the business risks should focus on protection of the asset, the data itself. The approach to managing the risks might be different.
Mary Siero (Lively) at 6/2/2011 12:48:09 PM

RE: Week 3 Cloud Governance and Risk

I think that companies need to know the real risk that this kind of service can generate. I agree with Souzaneto because the risk appetite and risk tolerance are very important, along with a good methodology to control the different situations that they can have.

Cloud computing generates many kinds of risk, for example:
1. Suppliers: all about the maturity of suppliers. It is important because you have to choose the best supplier to have the best service. In this topic, you can include all risks about experience, reputation, relations with third parties, sustainability, availability and follow-up.

2. Low experience or low knowledge of suppliers. In this case, you need to know how they do their activities, what their architecture is, what their policies are and what their control environment is.

3. Another group of risk is associated with levels of service or SLAs. These risks can be controlled by formal agreements and a good follow-up.

4. Problems with information processed; these risks need continuity planning, backups, a formal system to respond to incidents, and recovery planning. Normally this group is associated with the importance of information. You need to classify information assets.

All things like this need controls to mitigate the consequences.

Jpvargas (Lively) at 6/1/2011 3:55:36 PM

RE: Week 3 Cloud Governance and Risk

Looking at Cloud Risk Management through the lenses of the Risk IT Framework, I would start by discussing the risk appetite and risk tolerance of the typical Cloud Computing client, who has to be prepared to make risk-aware business decisions on the Cloud. COSO ERM can be very helpful for this. This block would set the scope of the Cloud Computing Risk Governance.
Next, I would discuss Risk Scenarios. The Risk IT Framework recommends breaking these scenarios into two: Top-down Scenario Identification (Business Objectives) and Bottom-up Scenario Identification (Generic Risk Scenarios). Then, for each Risk Scenario I would estimate its components: Event, Threat Type, Actor, Asset/Resource and Time. After that, these Risk Scenarios should be weighted with the so-called Risk Factors.
Finally, I would discuss Risk Response Selection and Prioritisation, Risk Avoidance and Key Risk Indicators.
In my opinion, the Risk IT Framework can help us in the discussion of Cloud Computing Risk Management, providing a structured and ordered approach "to cover all the bases" on this topic.
Souza Neto (Lively) at 6/1/2011 2:31:37 PM

RE: Week 3 Cloud Governance and Risk

From what I have experienced, organizations that currently struggle with managing operational and technical risks will be negatively impacted by the adoption of cloud computing. Today they don't understand the risks they have, or perhaps poorly manage those risks. Transferring risks, even those that are not understood, to a cloud provider will only increase the likelihood and occurrence of those risks if they are not managed.

Organizations that drive for quick wins in the cloud, or reduced costs, will likely impact the ability of security and audit professionals to protect the organization, particularly if they are excluded from the decision-making aspects of selecting and monitoring the provider.

In my opinion, if the business side of the house assumes that the cloud solution will provide a better understanding of what the risks are for their business, they may learn early on that the cloud provider doesn't understand what the risks are for the operation and technology of the user, unless there is a great deal of due diligence prior to transferring those risks.


RE: Week 3 Cloud Governance and Risk

My take on Cloud is that it will be much harder for the risk and security professionals to conduct their oversight role. 

The primary reason for this is that it is so easy for individuals to enter into Cloud-based services that bypass the normal governance processes - especially for smaller Cloud arrangements with online billing that can be paid by credit card. I'm already seeing pressure from individual business managers that have been enticed by promises of 'reduced costs', 'fast provisioning' etc. While governance processes can catch some of these it is very difficult to be sure they are catching them all. 

Aspects such as concentration risk, continuity issues and compliance risk (e.g. geographic data protection constraints etc.) are easily overlooked by the individual business areas and the risk and security professionals can end up with an incomplete picture of the true overall risk position.

In summary, I think that while it is possible to improve governance through the use of Cloud when approached strategically, the risk presented by small tactical Cloud deployments is much more difficult to measure and control. The governance personnel are going to have to be even more pro-active than normal to be effective and to manage the proliferation of tactical Cloud deployments.  
RGN01 (Lively) at 5/31/2011 2:02:18 PM

RE: Week 3 Cloud Governance and Risk

In each discussion we need to have clear terms. For instance, "moving a service to the Cloud": is an internal or external Cloud referred to? If external, is it public or private? This simple language issue, I think, leads to the first risk: lack of clarity. Every process or control aspect of the management of the service or the data that is unknown is a vulnerability. Every known process or control weakness is a risk.

The next risk is that in moving any service from one delivery model to another, time and resources are consumed without necessarily producing new business value (it's the same service, in a new delivery model). A lot of effort will go to the transition, and usually insufficient attention will go to the management of the service. Management weaknesses (as above) are vulnerabilities and risks.

Risk mitigation should include knowing the supplier's policies on all management practices, including, for instance, data security and privacy, before using their services. I think you have to think in terms of "governance of process activities performed by a third party". This means not only defining management system requirements, but knowing how you will monitor, evaluate and direct improvements to the management system. If an incident occurs, how will that be handled? How does that integrate into your incident handling process? When changes are made, how do you participate in the decision making and at least be sure you are prepared for changes that impact other systems or services? Are there really "autonomous services"? I think all services have service to service, service to system and service to supplier dependencies that must be known and managed. For information risk, I think you should at least understand supplier policies related to:

  • Privileged user access—roles with specialized access to data and the hiring and management practices related to these administrators
  • Regulatory compliance—willingness and past performance related to external audits and/or security certifications
  • Data location—is there any control over the location of data
  • Data segregation—is encryption available at all stages and "encryption schemes designed and tested by experienced professionals."
  • Recovery—what will happen to data in the case of a disaster; do they offer complete restoration and, if so, how long that would take
  • Investigative support—supplier ability to investigate inappropriate or illegal activity
  • Long-term viability—what will happen to data if the supplier goes out of business; how will data be returned and in what format.

In practice, check by asking to get back old data and see how long it takes, and that the checksums match the original data. Another option is to encrypt the data yourself. If you encrypt the data using a trusted algorithm, then regardless of the service provider's security and encryption policies, the data will only be accessible with the decryption keys. This leads to a follow-on problem: managing private keys in a pay-on-demand computing infrastructure.

Document your assumptions about management processes and controls. Most of these new cloud offerings are raw infrastructures and platforms that do not have great management capabilities.

Bill Powell (Lively) at 5/31/2011 8:03:42 AM
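The check Bill describes above (ask for old data back, then confirm the checksums match the original) as an added example that is not part of the discussion or any poster's own tooling: a SHA-256 manifest is built before the data is handed over and later compared against what the provider returns, reporting files that are missing, altered, or unexpected. The directory layout, file names and "restored" contents are constructed for the demonstration.

```python
"""Verify that data returned by a provider matches what was handed over.

Added example, not from the ISACA discussion: a SHA-256 manifest taken
before data leaves the organisation, checked against the returned copy.
All file names and contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large exports do not sit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/' separators) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken before hand-over.

    Returns sorted lists of paths that are missing from the restore, whose
    content changed, or that were not in the original data set at all.
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: after 'restore' one file is altered, one is lost, one is extra."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "original"
        restored = Path(tmp) / "restored"
        for d in (original, restored):
            (d / "ledger").mkdir(parents=True)

        # data as it looked before being handed to the provider
        (original / "ledger" / "q1.csv").write_bytes(b"acct,amount\n1,100\n")
        (original / "ledger" / "q2.csv").write_bytes(b"acct,amount\n1,250\n")
        (original / "policy.txt").write_bytes(b"retain 7 years\n")
        manifest = build_manifest(original)

        # what the provider returned: q1 intact, q2 silently changed,
        # policy.txt missing, plus a stray file that was never ours
        (restored / "ledger" / "q1.csv").write_bytes(b"acct,amount\n1,100\n")
        (restored / "ledger" / "q2.csv").write_bytes(b"acct,amount\n1,255\n")
        (restored / "README").write_bytes(b"exported by provider\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest outside the provider's environment; a restore that passes with an empty report is the evidence to attach to the exit test, and any non-empty list is a finding to raise with the supplier.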

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?

I don't think there is any black and white answer to this. The risk impact will depend on a lot of factors. We all know that, given the increasing magnitude of GRC challenges in any organization, there is immense due diligence/work required to keep operational and technical risk under control. Many organizations are still struggling with it even with an in-house IT dept. Now, with the adoption of cloud, we need to revisit those security and risk related questions in the cloud context. ENISA and CSA have published some useful guidance regarding risk considerations for cloud adoption, and much of it is common sense or conventional risk management anyway. Thus it is not easy (or fair) to answer yes or no to the question of the risk impact of cloud, because it totally depends on what answers organizations get when they do soul searching with respect to risk management, whether it's in-house IT or in the Cloud. For example, given the obvious advantages, many organizations have already outsourced their IT functions to service providers. And if they have managed to keep the technology and operational risks under control, then cloud is the logical next step of outsourcing for them. Of course that requires further risk assessment and mitigation efforts to continue to keep operational risks in control.

As with any new technology there are risks and challenges of adoption, and the possibility that due to lack of experience and unforeseen challenges, things do not go as planned. But the impact of these known/unknown risks could be minimized by having an effective governance strategy and planning in place. Having a viable cloud adoption strategy can minimize the negative risk impact to a great extent. It typically involves:
1. Identifying stakeholders and objectives of adopting cloud computing.
2. Determining organizational impact by carrying out application assessment and business impact analysis.
3. A thorough vendor selection process once the migration strategy is defined.
4. Managing liabilities and residual risk through contracts and exit strategy.
5. Operationalizing cloud technology by making management principles part of everyday operations.
Thus I believe that by careful planning and a systematic execution process, organizations can avoid the pitfalls of blindly adopting cloud technology and also avoid losing out on the benefits of cloud technology by alienating cloud computing.

Regards,

Subodh
CISA, CISM, CRISC, CISSP, CSSLP, ISO27001.

Subodh (Lively) at 5/30/2011 3:12:00 PM

RE: Week 3 Cloud Governance and Risk

Cloud computing is not bad in itself, but organizations may use pockets of services on the cloud based on their own risk assessment of what is exposed on the cloud and the impact. This would vary from business to business, service to service and for any combinations thereof. Risk assessment would need to be performed keeping in mind what service/business is in context, the sensitive and other data in question, governing business rules and regulations, and what acceptable risk the organization in question is willing to accept.

I think reduced costs and quicker deployments are not a new thing, as this has always been impacting the auditors and security managers for many technology deployments; however, at the end of the day it all comes down to the governance structure and management style, how they look at auditors and security managers and how the whole process is managed, taking risk management as part of the whole process. If a specific organization doesn't respect the auditor's/security managers' opinion for deploying any technology, why would they care for cloud computing deployments?

Accountability would never be transferred in the case of cloud computing services, and so accountability for the risks would still be with the organisation who makes the decision to go with the cloud service provider(s); again, this is not much different from any outsourcing agreements.
SKA (Energizer) at 5/30/2011 2:18:20 PM

RE: Week 3 Cloud Governance and Risk

Impact on the management of operational / technical issues?

For sure, there is going to be an impact on the ability of organizations to manage risks. And the effect will be positive or negative depending on the provider the organization chooses. Nevertheless, there are plenty of factors with opposite effects, so it is very difficult to say in advance if the net effect is going to be positive or negative. For example, it is more probable that the provider becomes a target of the bad boys, because of the concentration of information they manage, than a single organization; but in the same way, we should expect the provider to be more able to manage attacks, because of their size, their resources and their specific focus on IT services.

But, I agree with Masatoshi, small companies are going to have better risk management capacity using cloud computing.

Ability of security / audit professionals to protect the organization?

Here, I agree with Fernando: if using cloud computing means forgetting about the governance process adopted by the companies, the capacity of these professionals to protect the organization is going to be less; but, if the organization keeps their governance process, there should be no reduction in the ability of these professionals to protect their organizations.

Better understanding of risks because of reliance on service providers?

In my opinion, using cloud computing means exchanging a lot of assets, with their threats, security controls... for a bunch called "service risk", which is related to the risk of the service not being provided by the service provider (in the same way as happens in the supply chain).

And, these days there is a lack of mechanisms that help clients to have better information about service risks (SAS 70 audits are nice, but expensive and time-consuming). We will need additional mechanisms (like, for example, a rating) for knowing about the risk of the service provided in cloud computing "style".

Antonio.
Antonio Ramos (Energizer) at 5/30/2011 11:58:43 AM

RE: Week 3 Cloud Governance and Risk

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

The answer to this question is far from the level of comfort that many of us can expect! While IT outsourcing introduces inherent risks that companies need to manage particularly carefully, this new modality of IT services and products called cloud computing is a very powerful marketing tool for IT vendors, is the vehicle for "extreme" IT outsourcing, and, why not, sometimes for inadvertent "off-shoring".

Now, if you have one of these roles in charge of "providing assurance" (internal audit, external audit, regulators, audit committee, risk management, compliance, ...) you are facing a serious challenge! There is a substantial delay between the market of cloud computing and the level of development of regulations, rules, and professional standards on this subject. You may know that there are some efforts to upgrade SAS70 to the new SSAE16, which, while remaining essentially the same, is largely insufficient to provide reasonable assurance. I am not aware of any better applicable standard.

There are enough cases of failure in IT outsourcing arrangements that provide lessons learned that can be extrapolated to cloud computing. Examples that come to my mind include World Bank vs Satyam, Banco Nacion-Argentina vs IBM, etc, etc, ...

Fernando
fnikitin (Lively) at 5/30/2011 8:32:07 AM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?

Let's talk in terms of impact only (positive/negative, we will see later). In practice, I see, more and more, business and operational managers contracting cloud services and products bypassing the traditional structured IT Governance process, very often a "mature" governance process. Why? In part because of its ubiquity, highly available nature, and sometimes very cheap conditions (at least up front). Employees, departments, and companies are very often using cloud computing even without explicit awareness of that. In how many cases are companies using web services such as email, document storage, customer satisfaction surveys, quality surveys, web page hosting, and others? Human resources functions hiring help for career management or hiring processes. Procurement departments utilizing payment processing services, etc.

No minor issue also is that very often these "decentralized" IT managers can procure this kind of service within the operational expenses rules of the company (opex), and not necessarily under capital expenditures (capex). Consequently, probably under less rigour in terms of IT governance, information security, service and quality management rules. I can see here some potential negative impact in the long term because of lack of governance, but also positive in the short term for the hiring managers in terms of availability of solutions, agility, costs and functionality.

Fernando
fnikitin (Lively) at 5/30/2011 8:07:50 AM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?

Positive aspect
1. For low maturity level organizations, adoption of cloud computing will bring benefits
2. Risks from mistakes of operations will decrease

Negative aspect
1. "Black Box" areas will be increased. So, without updating operational & technical risk management procedures, the management level will become low.
2. If a user is utilizing cloud computing and existing systems, risk management becomes a more complicated one

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organizations?

1. Without SWOT analysis, appropriate business process re-engineering and updating of roles & responsibilities, security & audit professionals will not be able to perform appropriate roles & responsibilities.
2.

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

It depends on communications between providers & users and contracts & SLAs
    - good communications will bring benefits for both
    - timely updating of contracts & SLAs will be necessary
Masatoshi Kajimoto, CISA, CRISC (Energizer) at 5/29/2011 9:54:04 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?  

Positive aspect
1. For low maturity level organizations, adoption of cloud computing will bring benefits
2. Risks from mistakes of operations will decrease

Negative aspect
1. "Black Box" areas will be increased. So, without update of operational & technical risk management procedures, management level will become low level.
2.  If user is utilizing cloud computing and existing systems, risk management becomes more complicated one

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organizations?  

1. Without SWOT analysis, appropriate business process re-engineering and update of role & responsibilities Security & audit professionals will be not able to perform appropriate roles & responsibilities.
2.

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

It depends on communications between providers & user and contracts & SLAs
    - good communications will bring benefits for both
    - timely update of contracts & SLAs will necessary
Masatoshi Kajimoto,CISA, CRISCEnergizer at 5/29/2011 9:54:04 PM Quote
You must sign in to rate content.
(Unrated)

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk? Let's talk in terms of impact only (positive/negative, we will see later). In practice, I see, more and more, business and operational managers contracting cloud services and products bypassing traditional structured IT governance processes, very often "mature" governance processes. Why? In part because of its ubiquity, highly available nature, and sometimes very cheap conditions (at least up front). Employees, departments, and companies are very often using cloud computing even without explicit awareness of it. In how many cases are companies using web services such as email, document storage, customer satisfaction surveys, quality surveys, web page hosting, and others? Human resources functions hiring help for career management or hiring processes. Procurement departments utilizing payment processing services, etc. No minor issue also is that very often these "decentralized" IT managers can procure this kind of service within the operational expense rules of the company (opex), and not necessarily under capital expenditures (capex). Consequently, probably under less rigor in terms of IT governance, information security, service and quality management rules. I can see here some potential negative impact in the long term because of lack of governance, but also positive in the short term for the hiring managers in terms of availability of solutions, agility, costs and functionality.

Fernando
fnikitin at 5/30/2011 8:07:50 AM

RE: Week 3 Cloud Governance and Risk

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are? The answer to this question is far from the level of comfort that many of us can expect! While IT outsourcing introduces inherent risks that companies need to manage particularly carefully, this new modality of IT services and products called cloud computing is a very powerful marketing tool for IT vendors, is the vehicle for "extreme" IT outsourcing, and, why not, sometimes for inadvertent "off-shoring". Now, if you have one of these roles in charge of "providing assurance" (internal audit, external audit, regulators, audit committee, risk management, compliance, ...) you are facing a serious challenge! There is a substantial delay between the market of cloud computing and the level of development of regulations, rules, and professional standards on this subject. You may know that there are some efforts to upgrade SAS 70 to the new SSAE 16, which, while remaining essentially the same, is largely insufficient to provide reasonable assurance. I am not aware of any better applicable standard. There are enough cases of failure in IT outsourcing arrangements that provide lessons learned that can be extrapolated to cloud computing. Examples that come to my mind include World Bank vs Satyam, Banco Nacion-Argentina vs IBM, etc., etc. ...

Fernando
fnikitin at 5/30/2011 8:32:07 AM

RE: Week 3 Cloud Governance and Risk

Impact on the management of operational / technical issues?

For sure, there is going to be an impact on the ability of organizations to manage risks. And the effect will be positive or negative depending on the provider the organization chooses. Nevertheless, there are plenty of factors with opposite effects, so it is very difficult to say in advance if the net effect is going to be positive or negative. For example, it is more probable that the provider becomes a target of the bad boys, because of the concentration of information they manage, than a single organization; but in the same way, we should expect the provider to be more able to manage attacks, because of their size, their resources and their specific focus on IT services.

But, I agree with Masatoshi, small companies are going to have better risk management capacity using cloud computing.

Ability of security / audit professionals to protect the organization?

Here, I agree with Fernando: if using cloud computing means forgetting about the governance process adopted by the companies, the capacity of these professionals to protect the organization is going to be less; but, if the organization keeps its governance process, there should be no reduction in the ability of these professionals to protect their organizations.

Better understanding of risks because of reliance on service providers?

In my opinion, using cloud computing means exchanging a lot of assets, with their threats, security controls... for a bunch called "service risk", which is related to the risk of the service not being provided by the service provider (in the same way that happens in the supply chain).

And, these days there is a lack of mechanisms that help clients to have better information about service risks (SAS 70 audits are nice, but expensive and time-consuming). We will need additional mechanisms (like, for example, a rating) for knowing about the risk of the service provided in cloud computing "style".

Antonio.
Antonio Ramos at 5/30/2011 11:58:43 AM

RE: Week 3 Cloud Governance and Risk

Cloud computing is not bad in itself, but organizations may use pockets of services on the cloud at their own risk, based on their own risk assessment of what is exposed on the cloud and the impact. This would vary from business to business, service to service and for any combinations thereof. Risk assessment would need to be performed keeping in mind what service/business is in the context, the sensitive and other data in question, governing business rules and regulations, and what is the acceptable risk the organization in question is willing to accept.

I think reduced costs and quicker deployments are not a new thing, as these have always been impacting the auditors and security managers for many technology deployments; however, at the end of the day it all comes down to the governance structure and management style, how they look at auditors and security managers and how the whole process is managed, taking risk management as part of the whole process. If a specific organization doesn't respect auditors'/security managers' opinion for deploying any technology, why would they care for cloud computing deployments?

Accountability would never be transferred in the case of cloud computing services, and so accountability for the risks would still be with the organisation which makes the decision to go with the cloud service provider(s); again, this is not much different from any outsourcing agreements.
SKA at 5/30/2011 2:18:20 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?

I don't think there is any black and white answer to this. The risk impact will depend on a lot of factors. We all know that, given the increasing magnitude of GRC challenges in any organization, there is immense due diligence/work required to keep operational and technical risk under control. Many organizations are still struggling with it even with an in-house IT dept. Now, with the adoption of cloud, we need to revisit those security and risk related questions in the cloud context. ENISA and CSA have published some useful guidance regarding risk considerations for cloud adoption, and much of it is common sense or conventional risk management anyway. Thus it is not easy (or fair) to answer yes or no to the question of the risk impact of cloud, because it totally depends on what answers organizations get when they do soul searching with respect to risk management, whether it's in-house IT or in the cloud. For example, given the obvious advantages, many organizations have already outsourced their IT functions to service providers. And if they have managed to keep the technology and operational risks under control, then cloud is the logical next step of outsourcing for them. Of course that requires further risk assessment and mitigation efforts to continue to keep operational risks in control.

As with any new technology there are risks and challenges of adoption, and the possibility that, due to lack of experience and unforeseen challenges, things do not go as planned. But the impact of these known/unknown risks could be minimized by having an effective governance strategy and planning in place. Having a viable cloud adoption strategy can minimize the negative risk impact to a great extent. It typically involves:
1. Identifying stakeholders and objectives of adopting cloud computing.
2. Determining organizational impact by carrying out application assessment and business impact analysis.
3. A thorough vendor selection process once the migration strategy is defined.
4. Managing liabilities and residual risk through contracts and an exit strategy.
5. Operationalizing cloud technology by making management principles part of everyday operations.
Thus I believe that by careful planning and a systematic execution process, organizations can avoid the pitfalls of blindly adopting cloud technology and also avoid losing out on the benefits of cloud technology by alienating cloud computing.

Regards,

Subodh
CISA, CISM, CRISC, CISSP, CSSLP, ISO27001.

Subodh at 5/30/2011 3:12:00 PM

RE: Week 3 Cloud Governance and Risk

In each discussion we need to have clear terms. For instance, "moving a service to the Cloud": is an internal or an external Cloud referred to? If external, is it public or private? This simple language issue, I think, leads to the first risk: lack of clarity. Every process or control aspect of the management of the service or the data that is unknown is a vulnerability. Every known process or control weakness is a risk.

The next risk is that in moving any service from one delivery model to another, time and resources are consumed without necessarily producing new business value (it's the same service, in a new delivery model). A lot of effort will go to the transition, and usually insufficient attention will go to the management of the service. Management weaknesses (as above) are vulnerabilities and risks.

Risk mitigation should include knowing the supplier's policies on all management practices, including, for instance, data security and privacy, before using their services. I think you have to think in terms of "governance of process activities performed by a third party". This means not only defining management system requirements, but knowing how you will monitor, evaluate and direct improvements to the management system. If an incident occurs, how will that be handled? How does that integrate into your incident handling process? When changes are made, how do you participate in the decision making and at least be sure you are prepared for changes that impact other systems or services? Are there really "autonomous services"? I think all services have service to service, service to system and service to supplier dependencies that must be known and managed. For information risk, I think you should at least understand supplier policies related to:

  • Privileged user access: roles with specialized access to data, and the hiring and management practices related to these administrators
  • Regulatory compliance: willingness and past performance related to external audits and/or security certifications
  • Data location: is there any control over the location of data
  • Data segregation: is encryption available at all stages, and are "encryption schemes designed and tested by experienced professionals"
  • Recovery: what will happen to data in the case of a disaster; do they offer complete restoration and, if so, how long that would take
  • Investigative support: supplier ability to investigate inappropriate or illegal activity
  • Long-term viability: what will happen to data if the supplier goes out of business; how will data be returned and in what format

In practice, check by asking to get back old data and see how long it takes, and that the checksums match the original data. Another option is to encrypt the data yourself. If you encrypt the data using a trusted algorithm, then regardless of the service provider's security and encryption policies, the data will only be accessible with the decryption keys. This leads to a follow-on problem: managing private keys in a pay-on-demand computing infrastructure.

Document your assumptions about management processes and controls. Most of these new cloud offerings are raw infrastructures and platforms that do not have great management capabilities.

Bill Powell at 5/31/2011 8:03:42 AM
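As an added illustration of the checksum check Bill describes in the post above (example code written for this page, not code from the post, from ISACA or from any provider): before handing data over, the tenant records the size and SHA-256 of every object in a manifest and authenticates that manifest with an HMAC under a key only the tenant holds; when the data comes back, each object is classified as intact, modified, missing or unexpected, and a manifest whose hashes have been rewritten to match altered data is rejected because the HMAC no longer verifies. The object names, contents and the key are constructed for the example. The client-side encryption step Bill also mentions needs a proper cryptographic library and is not shown here.

```python
import hashlib
import hmac
import json

# Constructed sample objects standing in for files handed to a cloud provider.
# Names and contents are made up for this example.
ORIGINAL_OBJECTS = {
    "ledger/2011-05.csv": b"acct,amount\n1001,250.00\n1002,-75.50\n",
    "hr/contracts.pdf": b"%PDF-1.4 placeholder contract bytes",
    "backup/config.json": b'{"tenant": "acme", "region": "eu-west"}',
}

# Assumed: a secret kept by the tenant only, never given to the provider.
# With it, the provider cannot rewrite the manifest to match altered data.
TENANT_MANIFEST_KEY = b"tenant-held-secret-example-key-0000"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable serialization so the HMAC covers exactly the same bytes on both sides.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(objects: dict, key: bytes) -> dict:
    """Record size and SHA-256 of every object before handing data to the provider,
    then authenticate the whole record with an HMAC under the tenant's key."""
    entries = {
        name: {"sha256": sha256_hex(data), "size": len(data)}
        for name, data in objects.items()
    }
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """True only if the manifest has not been altered since it was built."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def verify_returned(manifest: dict, key: bytes, returned: dict) -> dict:
    """Compare the data the provider handed back against the manifest.
    Returns sorted lists of object names grouped by outcome."""
    if not verify_manifest(manifest, key):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, meta in manifest["entries"].items():
        if name not in returned:
            report["missing"].append(name)
        elif len(returned[name]) != meta["size"] or sha256_hex(returned[name]) != meta["sha256"]:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    for name in returned:
        if name not in manifest["entries"]:
            report["unexpected"].append(name)
    return {k: sorted(v) for k, v in report.items()}


def demo_tampered_return() -> dict:
    """Constructed scenario: the returned set has one altered object, one missing
    object and one object the tenant never handed over."""
    manifest = build_manifest(ORIGINAL_OBJECTS, TENANT_MANIFEST_KEY)
    returned = dict(ORIGINAL_OBJECTS)
    returned["ledger/2011-05.csv"] = b"acct,amount\n1001,250.00\n1002,-75.5\n"  # one byte dropped
    del returned["hr/contracts.pdf"]
    returned["backup/config.json.bak"] = b"stale copy"
    return verify_returned(manifest, TENANT_MANIFEST_KEY, returned)


def demo_forged_manifest() -> bool:
    """A provider that alters data and also rewrites the stored hash to match
    still fails, because it cannot recompute the HMAC without the tenant key."""
    manifest = build_manifest(ORIGINAL_OBJECTS, TENANT_MANIFEST_KEY)
    manifest["entries"]["ledger/2011-05.csv"]["sha256"] = sha256_hex(b"forged")
    return verify_manifest(manifest, TENANT_MANIFEST_KEY)


if __name__ == "__main__":
    print(json.dumps(demo_tampered_return(), indent=2))
    print("forged manifest accepted:", demo_forged_manifest())
```

The manifest and the key belong with the tenant, not with the provider: the HMAC makes a manifest stored at the provider tamper-evident, but it does nothing against the provider simply deleting it, so keep a copy outside the service. Run the check on a real data-return request, as Bill suggests, and record how long the provider took as well as what the report says.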

RE: Week 3 Cloud Governance and Risk

My take on Cloud is that it will be much harder for the risk and security professionals to conduct their oversight role. 

The primary reason for this is that it is so easy for individuals to enter into Cloud-based services that bypass the normal governance processes - especially for smaller Cloud arrangements with online billing that can be paid by credit card. I'm already seeing pressure from individual business managers that have been enticed by promises of 'reduced costs', 'fast provisioning' etc. While governance processes can catch some of these it is very difficult to be sure they are catching them all. 

Aspects such as concentration risk, continuity issues and compliance risk (e.g. geographic data protection constraints etc.) are easily overlooked by the individual business areas and the risk and security professionals can end up with an incomplete picture of the true overall risk position.

In summary, I think that while it is possible to improve governance through the use of Cloud when approached strategically, the risk presented by small tactical Cloud deployments is much more difficult to measure and control. The governance personnel are going to have to be even more pro-active than normal to be effective and to manage the proliferation of tactical Cloud deployments.  
RGN01 at 5/31/2011 2:02:18 PM

RE: Week 3 Cloud Governance and Risk

From what I have experienced, the adoption of cloud computing by organizations that currently struggle with managing operational and technical risks will be negatively impacted. Today they don't understand the risks they have, or perhaps poorly manage those risks. Transferring risk, even those risks that are not understood, to a cloud provider will only increase the likelihood and occurrence of those risks if they are not managed.

Organizations that drive for quick wins in the cloud, or reduced costs, will likely impact the ability of security and audit professionals to protect the organization, particularly if they are excluded from the decision making aspects of selecting and monitoring the provider.

In my opinion, if the business side of the house assumes that the cloud solution will provide a better understanding of what the risks are for their business, they may learn early on that the cloud provider doesn't understand what the risks are for the operation and technology of the user, unless there is a great deal of due diligence prior to transferring those risks.


RE: Week 3 Cloud Governance and Risk

Looking at Cloud Risk Management through the lens of the Risk IT Framework, I would start by discussing the risk appetite and risk tolerance of the typical Cloud Computing client, which has to be prepared to make risk-aware business decisions on the Cloud. COSO ERM can be very helpful for this. This block would set the scope of the Cloud Computing Risk Governance.
Next, I would discuss Risk Scenarios. The Risk IT Framework recommends breaking these scenarios in two: Top-down Scenario Identification (Business Objectives) and Bottom-up Scenario Identification (Generic Risk Scenarios). Then, for each Risk Scenario I would estimate its components: Event, Threat Type, Actor, Asset/Resource and Time. After that, these Risk scenarios should be weighted with the so-called Risk Factors.
Finally, I would discuss Risk Response Selection and Prioritisation, Risk Avoidance and Key Risk Indicators.
In my opinion, The Risk IT Framework can help us on the discussion of Cloud Computing Risk Management, providing a structured and ordered approach "to cover all the bases" on this topic.  
Souza Neto at 6/1/2011 2:31:37 PM

RE: Week 3 Cloud Governance and Risk

I think that companies need to know the real risk that this kind of service can generate. I agree with Souza Neto because the risk appetite and risk tolerance, and a good methodology to control the different situations that they can have, are very important.

Cloud computing generates many kinds of risk, for example:
1. Suppliers: all about the maturity of suppliers. It is important because you have to choose the best supplier to have the best service. In this topic, you can include all risks about experience, reputation, relations with third parties, sustainability, availability and follow-up.

2. Low experience or low knowledge of suppliers. In this case, you need to know how they do their activities, what their architecture is, what their policies are like and what their control environment is.

3. Another group of risk is associated with service levels or SLAs. These risks can be controlled by formal agreements and good follow-up.

4. Problems with the information processed; these risks need continuity planning, backups, a formal system to respond to incidents, recovery planning. Normally this group is associated with the importance of the information. You need to classify information assets.

All things like this need controls to mitigate the consequences.

Jpvargas at 6/1/2011 3:55:36 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk?  
This all depends on the organization's approach to cloud computing. If the organization has the opinion that the cloud vendor has "taken care of everything", as some of them do, it will negatively impact their ability to manage operational and technical risk. Too many organizations feel that when they outsource something they can transfer the liability or the onus of performing. They wash their hands, so to speak. If they additionally do not have a good contract, i.e. one that has some granularity to it regarding capabilities and deliverables, they further put themselves in a position of greater risk. If, however, on the other hand, an organization takes a disciplined, methodical and granular approach to the contract and the implementation, it can positively impact their ability to manage risks, giving their staff more time to concentrate on activities that provide more value to the organization.

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organizations?  
Again, depending on the organization's attitude and why they are outsourcing, same answer as above.

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?
It shouldn't change the understanding of the risks; it may add or eliminate a specific risk, but the business risks should focus on protection of the asset, the data itself. The approach to managing the risks might be different.
Mary Siero at 6/2/2011 12:48:09 PM

RE: Week 3 Cloud Governance and Risk

Some great points have been shared with the group this week. Here is a short list of highlights.

  • Smaller organizations will most benefit from cloud computing because of the increased maturity that providers will bring to solutions. SME organizations should experience fewer operational errors as a result of the increased capability provided in the shared cloud environment.
  • Cloud computing could be seen as being a black box, since operational processes and risk management may not be totally transparent to tenants.
  • Organizations will need to revisit RACI charts to ensure that responsibilities and accountabilities are clearly defined and accepted, to account for the sharing of responsibility between tenants and providers and the need for closer process integration.
  • Because of the possible complexity of cloud solutions and the potential for cloud services to be provided as a black box, tenants may have to rely on provider communications to understand the governance and control environment.
  • Risk in cloud computing may be greater from an operational risk standpoint because cloud decisions such as procurement decisions may fall below traditional governance trigger points. Cloud decisions may not be subjected to more stringent review and approval as a result.
  • Cloud tenants may rely on cloud service level agreements to ensure that services meet business unit expectations. Cloud providers may not offer an opportunity for tenants to structure individual SLAs. Instead tenants may only be able to accept standard terms and conditions which are common to all subscribers.
  • Cloud providers currently lack an acceptable mechanism for providing assurance to tenants.
  • The risk of adopting cloud services will be minimized for organizations that have an established governance structure that addresses strategy alignment, value creation, and responsibilities and accountabilities.
  • Cloud computing may be less a matter of governance of IT and more of governance of processes performed by a third party.
  • The separation between tenant and supplier and the lack of knowledge by providers of user operational and technical risk management requirements and processes can increase the level of risk for tenants.
  • Business units need a structured and ordered approach to cloud computing to ensure that critical technical and business issues are identified and solved.
Ron Hale Ph.D. CISM at 6/3/2011 12:53:44 PM

RE: Week 3 Cloud Governance and Risk

Will the adoption of cloud computing positively or negatively impact the ability of organisations to manage operational or technical risk?

I think the question puts things in a wrong order. You need to have certain capabilities regarding the management of operational or technical risks before you introduce cloud computing. I would compare this with a driving licence. You need the licence and some practical experiences before you go and buy or drive a car. So I think one of the next questions should explore what capabilities we need to run cloud computing in a professional way.

Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organisations?

The drive for quicker deployment and reduced costs does not impact the ability of security and audit professionals to protect the organisation, but sets the bar much higher to convince the accountable business managers. In the good old days, when time and budget seemed to be unlimited, the argument that something was needed for security reasons was completely sufficient to spend more money or time. But, for example, in my industry (utilities) those times are gone, and for almost 10 years there has been an increasing demand to convince business managers that something is really necessary. That means that security investments also have to come with a positive business case, to apply the appropriate level of security and not the highest possible one. And even more, sometimes we have to learn that, from an economic point of view, taking a risk is more beneficial than spending much money to mitigate it.

Will the reliance on service providers provide for better or reduced understanding of what the risks to the business are?

I think there is no difference compared to today. Also today most organisations work with service providers and just do not call it a cloud service. Starting from that point, I would wonder where a substantial difference with cloud services should come from.
Michael.Semrau at 6/3/2011 1:27:15 PM

RE: Week 3 Cloud Governance and Risk

Cloud computing definitely changes the way of approaching risk and facing this new challenge in technological risk assessment. In my opinion, separate evaluations of strategic risk and operational risk are required. Cloud computing generally places businesses between the benefit of reduced costs and a likely increase in the risk managed in several aspects of its services. Security and audit professionals must rethink their approach to provide effective accompaniment to the organization at the time of taking the decision to be a consumer of that service. The success of good governance of cloud computing will be more likely in an organization with a strong risk management culture among all its collaborators.
Romulo Lomparte at 6/5/2011 11:15:12 PM

RE: Week 3 Cloud Governance and Risk

I am taking this discussion from another viewpoint, on a developing trend with service providers: their new engagement model's alignment with an organisation's cloud governance and risk management strategy. The culmination of cloud solution complexity, market fragmentation, and rapid growth is resulting in one significant trend across nearly all service providers: they all want to become cloud brokers or orchestrators. This means they will offer some or all of the following services to meet growing client demand for cloud governance and risk management services.

· Risk mitigation. Providers are aiming to reduce risk in several ways. First, they may vet the viability of vendors in their ecosystem through a combination of financial health checks and security audits, including visits to data centers and investigation of personnel requirements, encryption, and verification of certifications and standards compliance. Second, they may be able to mitigate risk by partnering with multiple firms in the same category, which means that they could potentially swap customers over to a replacement in the event of a SaaS failure or other negative event (pricing or service issues, for example).

· Contract and SLA management. Providers can become a central point of contact and a "single throat to choke" for contract and SLA management, taking on risk and responsibility for uptime, performance, and contracts. This means simplification for many of today's sourcing and vendor management executives who are currently managing dozens of SaaS and cloud contracts, all with different contract terms and coming up for renewal on different cycles.

· Ongoing service and support. Providers can offer help desk services and a single point of contact. This gives the advantage of familiarity with the client's business processes in addition to the SaaS technology, as well as familiarity with customizations and configurations that may be in place. In today's often fragmented multi-SaaS environments, this consolidated, centralized knowledge can be hard to come by, with multiple support relationships across multiple types of providers.

· Upgrade management and testing. SaaS providers frequently release one to four major upgrades and numerous smaller upgrades per year. And many of them have started to offer sandbox environments or early access to upgrades to help with testing, now that their solutions have become more complex. Service providers can help with upgrade management and testing, much as they do in traditional packaged application spaces.

· Billing and provisioning. Firms often sign up for SaaS because of the ability to scale users up or down as needs change. However, this can become complex (and expensive!) with single-sign-on limitations and multiple styles of pricing and consumption across different categories of SaaS technologies. Service providers can help simplify this process, often leveraging platform technologies (their own or from specialist providers like Aria Systems, eVapt, MetraTech, or Zuora) to help.

· Integration. As SaaS proliferates across categories, integration can be one of the most expensive and time consuming components of the SaaS life cycle. With an increasing number of SIs offering orchestration models, they are pre-building integrations for common scenarios (either with their own tools or using leading integration tools like Boomi, Cast Iron Systems, and Informatica, among others).

Reliance on service providers provides an aid, or a subset of an alternative strategy, for understanding what the risks to the business are, but it can't totally substitute for "management accountability", which has to be exercised internally.

Madhav Chablani at 6/6/2011 9:56:43 AM

RE: Week 3 Cloud Governance and Risk

I recommend reviewing the results of ISACA's 2011 IT Risk / Reward Barometer. There are sections about cloud computing.

http://www.isaca.org/Pages/Survey-Risk-Reward-Barometer.aspx

Romulo Lomparte at 6/6/2011 4:31:44 PM