ISACA issues Cloud computing guide to help enterprise increase value and manage risk

CIOs remain polarised on the benefits of Cloud computing

ISACA international vice-president and RSM Bird Cameron director of information security, Jo Stewart-Rattray


For all the talk of Cloud computing, the governance issue remains, for many enterprises, the great unknown. Cloud computing inevitably impacts business processes, making governance vital to managing risk and adapting to take advantage of new opportunities.

Industry body ISACA is looking to change that, issuing a new guide for implementing controls and governance.

Entitled IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, the guide looks at business case development, standards and practices to assist with governance, and how to establish business goals for the Cloud. It also outlines risk considerations and responsibilities, and a Cloud computing management audit/assurance program.

According to a survey of ISACA’s Australian members, less than half — 42 per cent — currently include Cloud computing strategies within their enterprise. And 80 per cent of these organisations limit Cloud computing to low-risk, non-mission-critical IT services.

"Cloud take-up in Australia is relatively slow compared to other countries," said ISACA international vice-president and the Queensland Department of Communities associate director-general, Tony Hayes.

"Lower-risk and less contentious data seem to be the first choice for early adopters."

Hayes said organisations retain sensitive data and data that gives them a competitive advantage.

"Government agencies are significant investors in IT and, to date, Cloud computing has been adopted mainly as a concept internal to government," he said.

ISACA international vice-president and RSM Bird Cameron director of information security, Jo Stewart-Rattray, said CIOs remain polarised about Cloud computing.

"While speaking with CIOs in Australia and the US, the mention of the Cloud is met in one of two ways: An enormous groan or a loud cheer," she said.

"Of course it will depend upon the context of a business whether Cloud offerings will suit its needs. If they do, security and governance around such offerings must be in place within the organisation."

Due diligence around the proposed service provider and appropriate controls must also be in place, she said, to ensure corporate information is protected from loss, theft, tampering and loss of jurisdictional control.

Key questions for Cloud governance

ISACA’s guidance recommends enterprises ask the following key questions:

  • What is the enterprise’s expected availability?
  • How are identity and access managed in the Cloud?
  • Where will the enterprise’s data be located?
  • What are the Cloud service provider’s disaster recovery capabilities?
  • How is the security of the enterprise’s data managed?
  • How is the whole system protected from internet threats?
  • How are activities monitored and audited?
  • What type of certification or assurances can the enterprise expect from the provider?

ISACA will hold its Oceania CACS2011 conference in Brisbane from 18-23 September. The conference will explore issues such as control, risk management, data loss prevention and assurance for Cloud strategies.

Follow Georgina Swan on Twitter: @swandives

Follow CIO Australia on Twitter: @CIO_Australia
