Global IT association ISACA has issued a new guide outlining how to implement effective controls and governance for Cloud computing.
According to the guide, titled IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, when enterprises decide to use Cloud computing for IT services, business processes are impacted and governance becomes critical to:
- Effectively manage increasing risks
- Ensure continuity of critical business processes that now extend beyond the data centre
- Communicate clear enterprise objectives internally and to third parties
- Adapt effectively
- Facilitate continuity of IT knowledge, which is essential to sustain and grow the business
- Handle myriad regulations
However, despite its potential to deliver cost savings, according to a recent survey of ISACA’s Australian membership, less than half (42 per cent) currently utilise Cloud computing strategies in their enterprise. Further, the vast majority (80 per cent) limit it to low-risk, non-mission critical IT services, highlighting the hesitation of businesses to migrate to Cloud.
“Cloud take-up in Australia is relatively slow compared to other countries,” said ISACA international vice-president and Associate Director-General of the Queensland Department of Communities, Tony Hayes.
“Sensitive data, or that which has competitive advantage for organisations, has been retained internally under close scrutiny. Meanwhile, although government agencies are significant investors in IT, to date Cloud computing has been adopted mainly as a concept internal to government.”
ISACA international vice-president and director of information security at RSM Bird Cameron, Jo Stewart-Rattray, added: “While speaking with CIOs in Australia and the US, the mention of Cloud is met in one of two ways — an enormous groan or loud cheer.
"Of course, it will depend on the context of a business whether Cloud offerings suit its needs. If they do, security and governance around such offerings must be in place.”
Stewart-Rattray said due diligence around the proposed service provider and appropriate controls must also be established to ensure the organisation’s most valuable asset, its corporate information, is protected from loss, theft, tampering and loss of jurisdictional control.
According to the guide, to ensure proper governance of Cloud computing, enterprises need to ask some key questions, among them:
- How are identity and access managed in the Cloud?
- Where will the enterprise’s data be located?
- What are the Cloud service provider’s disaster recovery capabilities?
- How is the security of the enterprise’s data managed?
- How is the whole system protected from internet threats?
- How are activities monitored and audited?
- What type of certification or assurances can the enterprise expect from the provider?
Follow CIO Australia on Twitter: @CIO_Australia