In the past number 4 of ISACA Journal, the article "Managing Cloud Risk. Top Considerations for Business Leaders" written by Phil Zongo was published. Among other references, the article echoes of a document from Australian Prudential and Regulatory Authority (APRA) that raises a concern about the reporting to Board of Directors of cloud risks in regulated entities because it focuses on benefits forgetting about associated risks. For APRA, it is fundammental that BoD analyzes if the risk is alligned with business strategy and risk appetite in the Organization.

This balance between cloud risk and risk appetite needs to take into consideration information like:

  • Cloud value proposition
  • Main business risks and treatment staregy
  • Cloud deployment model
  • Cloud service delivery model
  • Service provider selection criteria
  • Plausible business disruption scenarios
  • Service Level Agreements (SLA)
  • Third-party assurance, penetration testing, vulnerability assessments and right-to-audit clauses

Apart from the first four ones, that are description elements of cloud services, the last ones can be showed by the rating label, as an element that could be used for showing to the Board of Director the risk that the Organization is taking for using specific services, i.e.,:

  • Rating levels can be incorporated to the vendor selection processes in a way that depending on service criticality more o less strict security requirements can be defined (i.e., high or lower rating levels
  • Recovery measures are part of evaluation criteria of rating, like third-party assurance, scope and periodicity of penetration tests and vulnerability aseessments
  • SLAs and supervision and monitoring mechanisms are, also, part of rating criteria
  • And, finally, audit is one of the supervision mechanisms of rating, so, just being rated means that vendor is being audited (apart from the right-to-audit clause that can be incorporated to the agreement between client and vendor)

As we can see, using rating system allows to inform in a simple, efficent and independent way to the Board about the risks taken in relation to cloud services that are being used by the Organization.

You can follow us on twitter.com/leet_security

10 de octubre de 2016