Questions for the audit committee to consider
- Is the organization well positioned to manage governance activities in a CSP environment?
- What is the organization’s risk tolerance related to electronic data?
- Which compliance and security requirements must the organization and the CSP meet?
- What independently verifiable assurances of security and privacy does the CSP offer?
- Does management understand the CSP’s stance on security — who will have access to the organization’s data, where the data will be stored, what its backup procedures are and what notification the provider will give in the event of a security breach?
Considering cloud migration opportunities
50% of respondents said their chief reason for avoiding cloud computing was security concerns.
Cloud computing is growing rapidly, but for large organizations, information security concerns continue to slow the pace of adoption.
Relinquishing control of the security of IT infrastructure and data seems risky for most large organizations. In fact, in a recent survey of North American and European businesses, 50% of respondents said their chief reason for avoiding cloud computing was security concerns.1
What do boards and organizations fear?
- Increased risk to data as it travels over the internet
- Cloud service provider (CSP) business models that share infrastructure among many clients
- The inherent opacity of the cloud, which makes it difficult to determine where data is located or how it is protected
- Personally identifiable information stored in the cloud that could be breached
Yet in the same survey, Forrester Research projects that within five years cloud security will become one of the primary drivers for adopting cloud computing.2
Feeling secure in the cloud
Organizations thinking about a move to the cloud should consider this approach:
|1 || |
Get comfortable with the cloud before moving the most sensitive data
To test the risk of moving data to the cloud, organizations should consider moving less risky services first (see examples in this figure, “Considering cloud migration opportunities”). These applications may have little or no regulatory oversight and are relatively easy to implement. Other business processes, like HR systems or email, both of which involve personal data, should probably move last.
|2 || |
Be prepared to respond to incidents in the cloud
Responding rapidly to security incidents is difficult enough when organizations are using their own infrastructure. When data moves to the cloud, these incidents can create additional process challenges. Boards and organizations need to understand how their data is being stored and who has access to the data, as well as the appropriate levels of response to data requests.
|3 || |
Understand a CSP’s security position
Because CSPs do not always provide transparent access to the technical details of their security practices, understanding the provider’s security position can be somewhat difficult. Instead of focusing on technical implementation details, organizations may want to consider asking process and control questions, such as:
- Will the CSP provide timely notification if there is a security breach?
- What is the CSP’s policy when a law enforcement agency subpoenas the organization’s data directly, without going through the organization’s general counsel office?
1 “Cloud Security to Reap $1.5 Billion by 2015,” CMP TechWeb, 22 October 2010, via Dow Jones Factiva, © 2010 United Business Media LLC.
« Previous | Next »