GOVERNANCE & ENTERPRISE RISK MANAGEMENT
Well-developed information security governance processes result in information security management programs that are scalable with the business, repeatable across the organization, measurable, sustainable, defensible, continually improving, and cost-effective on an ongoing basis.
For many cloud deployments, a major element of governance will be the agreement between provider and customer.
For larger-scale customers or providers, there will be a decision whether to trade off attention to detail against scalability of effort. Attention can be prioritized based on the criticality or value at risk of the particular workload (e.g., up-time and availability may be more important for email than for HR systems).
2.1 Corporate Governance
1) Good governance is based on the acceptance of the rights of shareholders, as the true owners of the corporation, and the role of senior management as trustees. There are many models of corporate governance; however, all follow five basic principles:
Auditing supply chains
Board and management structure and process
Corporate responsibility and compliance
Financial transparency and information disclosure
Ownership structure and exercise of control rights
2) A key factor in a customer's decision to engage a corporation is the confidence that expectations will be met.
3) If failures to meet expectations become a systemic feature, the loss of confidence in one actor will roll over to others, and the resulting market failure will increase the likelihood of both external intervention and the emergence of alternative participants.
4) Stakeholders should carefully consider the monitoring mechanisms that are appropriate and necessary for the company’s consistent performance and growth.
2.2 Enterprise Risk Management
1) Enterprise risk management (ERM) is rooted in the commitment by every organization to provide value for its stakeholders.
3) Uncertainty presents both opportunity and risk, with the potential to increase or decrease the value of the organization and its strategies.
4) Information risk management is the process of identifying and understanding exposure to risk and the capability to manage it, aligned with the risk appetite and tolerance of the data owner.
5) Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
6) In a cloud environment, management selects a risk response strategy for specific risks identified and analyzed, which may include:
Avoidance—exiting the activities giving rise to risk
Reduction—taking action to reduce the likelihood or impact related to the risk
Share or insure—transferring or sharing a portion of the risk to finance it
Accept—no action is taken due to a cost/benefit decision
7) Risk management is naturally a balancing process: the goal is not necessarily to minimize uncertainty or variation, but to maximize value in line with risk appetite and strategy.
8) Cloud computing offers enterprises many possible benefits, including:
Optimized resource utilization
Cost savings for cloud computing tenants
Transitioning of capital expenses (CAPEX) to operating expenses (OPEX)
Dynamic scalability of IT power for clients
Shortened life cycle development of new applications or deployments
Shortened time requirements for new business implementation
9) Customers should view cloud services and security as supply chain security issues.
10) The level of attention and scrutiny should be connected to the value at risk: if the third party will not directly access enterprise data, the level of risk drops significantly, and if it will, the level of risk rises accordingly.
2.3 Permissions
Adopt an established risk framework for monitoring and measuring corporate risk
Adopt metrics to measure risk management performance (e.g., Security Content Automation Protocol (SCAP), Cybersecurity Information Exchange Framework (CYBEX), or GRC-XML).
Adopt a risk centric viewpoint of corporate governance with senior management taking the role of trustee for both the shareholders and the stakeholders in the supply chain.
Adopt a framework from a legal perspective to account for differences across jurisdictions.
2.4 Recommendations
1) The provider’s security governance processes and capabilities should be assessed for sufficiency, maturity, and consistency with the user’s information security management processes.
2) Security departments should be engaged during the establishment of Service Level Agreements (SLAs) and contractual obligations to ensure that security requirements are contractually enforceable.
3) Metrics and standards for measuring performance and effectiveness of information security management should be established prior to moving into the cloud.
4) The outcomes of risk treatment plans (control, avoid, transfer, accept) should be incorporated into service agreements.
5) Risk assessment approaches of provider and user should be consistent, with shared impact analysis criteria and a common definition of likelihood. The user and provider should jointly develop risk scenarios for the cloud service; this should be intrinsic to the provider's design of the service for the user, and to the user's assessment of cloud service risk.
6) The service, and not just the vendor, should be the subject of risk assessment.
7) Customers of cloud services should ask whether their own management has defined risk tolerances with respect to cloud services and accepted any residual risk of utilizing cloud services.
8) Organizations should define risk metrics for engaging providers based on business and technical exposures. These metrics could include the type of data covered, the variety of user types relating to the information, and the vendors and other counterparties involved.
2.5 Requirements
Provide transparency to stakeholders and shareholders, demonstrating fiscal solvency and organizational openness.
Respect the interdependency of the risks inherent in the cloud supply chain and communicate the corporate risk posture and readiness to consumers and dependent parties.
Inspect and account for risks inherited from other members of the cloud supply chain and take active measures to mitigate and contain risks through operational resiliency.