  • The primary issue to remember when governing cloud computing is that an organization can never outsource responsibility for governance, even when using external providers.
  • Cloud computing changes the responsibilities and mechanisms for implementing and managing governance.
  • Responsibilities and mechanisms for governance are defined in the contract.
    • If the area of concern isn’t in the contract, there are no mechanisms available to enforce it, and there is a governance gap.
    • Governance gaps don’t necessarily exclude using the provider, but they do require the customer to adjust their own processes to close the gaps or accept the associated risks.
  • As with governance, you can never outsource your overall responsibility and accountability for risk management to an external provider.

The supplier assessment sets the groundwork for the cloud risk management program:

  • Request or acquire documentation.
  • Review their security program and documentation.
  • Review any legal, regulatory, contractual, and jurisdictional requirements for both the provider and yourself. (See Domain 3: Legal for more.)
  • Evaluate the contracted service in the context of your information assets.
  • Separately evaluate the overall provider, such as finances/stability, reputation, and outsourcers.

SUMMARY:

  • Identify the shared responsibilities of security and risk management based on the chosen cloud deployment and service model. Develop a Cloud Governance Framework/Model as per relevant industry best practices, global standards, and regulations like CSA CCM, COBIT 5, NIST RMF, ISO/IEC 27017, HIPAA, PCI DSS, EU GDPR, etc.
  • Understand how a contract affects your governance framework/model.
    • Obtain and review contracts (and any referenced documents) before entering into an agreement.
    • Don’t assume that you can effectively negotiate contracts with a cloud provider—but this also shouldn’t necessarily stop you from using that provider.
    • If a contract can’t be effectively negotiated and you perceive an unacceptable risk, consider alternate mechanisms to manage that risk (e.g. monitoring or encryption).
  • Develop a process for cloud provider assessments.
    • This should include:
      • Contract review.
      • Self-reported compliance review.
      • Documentation and policies.
      • Available audits and assessments.
      • Service reviews adapting to the customer’s requirements.
      • Strong change-management policies to monitor changes in the organization’s use of the cloud services.
    • Cloud provider re-assessments should occur on a scheduled basis and be automated if possible.
  • Cloud providers should offer easy access to documentation and reports needed by cloud prospects for assessments.
    • For example, the CSA STAR registry.
  • Align risk requirements to the specific assets involved and the risk tolerance for those assets.
  • Create a specific risk management and risk acceptance/mitigation methodology to assess the risks of every solution in the space.
  • Use controls to manage residual risks.
    • If residual risks remain, choose to accept or avoid the risks.
  • Use tooling to track approved providers based on asset type (e.g. linked to data classification), cloud usage, and management.
