Collaborating author: Christeen Russell
As cloud computing continues to drive rapid technological change, organizations must balance the risk of not innovating against their risk appetite for cloud usage. This balance should start with establishing and maintaining a formal cloud governance framework, ideally in place before adopting cloud computing solutions from third parties.
Many organizations are currently building a technology landscape of multi-cloud[1] and on-premises[2] systems so they can make better decisions more quickly and deliver new services without compromising user experience or security posture.
The benefit of cloud is that it democratizes access to computing: by providing elastic computing power, rapid deployment, current functionality and scalable data storage, it lets organizations adopt or refine approaches to data analytics, artificial intelligence, automation and other technology initiatives faster and more efficiently.
A cloud computing governance framework defines management's desired practices, policies and controls and provides a structure for aligning technology with business strategy. By following a consistent framework, organizations can produce measurable results toward their strategic goals.
Key components of a Cloud Governance Framework
Cloud Policies and Procedures – Document policies and procedures governing cloud adoption, usage, data security, contracting and vendor management, and termination to guide the organization. Take steps to make sure the policies and procedures are being implemented properly.
Cloud Strategy – Establish a cloud strategy that covers cloud selection, deployment and ongoing usage, is aligned with organizational objectives and is built into the IT strategy. Contributors to the cloud strategy should represent different organizational functions (e.g. finance, human resources, marketing, technology, operations) and the strategy should have senior executive ownership and support.
Risk Assessment – Perform a risk assessment to help determine which business processes, applications and data are viable for the cloud given the organization's risk appetite. This should still be done even if the organization has already moved to the cloud. Consider the following risk areas:
- Financial reporting
- Fraud (internal and external)
- Cyber risk and data security
- Operational disruption (e.g. business continuity and disaster recovery plans)
- Outsourcing risk
- Regulatory compliance (e.g. SOX, HIPAA, privacy laws, etc.)
- Reputational risk
- Vendor lock-in (e.g. the difficulty of changing CSPs due to factors like data portability, CSP-specific technology, etc.)
Internal Control – Don't let internal control lag innovation. Start by mapping the organization's current controls to the cloud environment and determine whether cloud risks are mitigated. Use cloud risk and control frameworks such as ISACA's COBIT 4.1[3] or the Cloud Security Alliance's Cloud Controls Matrix[4] as a guide. Where needed, update risk and control documentation to reflect the current cloud environment. For unmitigated cloud risks, assess the organization's risk appetite for each; a risk can be accepted, mitigated or monitored.
Vendor Management – Define ownership of the cloud vendor management program and how it incorporates into the overall risk management framework and vendor management strategy.
Data Governance – Ensure the organization has a detailed data classification scheme that determines which data may reside offsite and which data is appropriate for cloud service providers (CSPs), and potentially their own third parties, to hold.
Wondering where to start? Begin the cloud governance journey by identifying an executive sponsor and establishing a cross-functional implementation team to plan, design, implement, manage and continuously monitor and improve the cloud governance framework. Then define critical success factors to measure the team's success and to keep fine-tuning the framework and strategy that drive cloud governance effectiveness.