For all the talk of Cloud computing, the governance issue remains, for many enterprises, the great unknown. Cloud computing inevitably impacts business processes, making governance vital to managing risk and adapting to take advantage of new opportunities.
Industry body, ISACA, is looking to change that, issuing a new guide for implementing controls and governance.
Entitled, IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, the guide looks at business case development, standards and practices to assist with governance and how to establish business goals for the Cloud. It also outlines risk considerations and responsibilities, and a Cloud computing management audit/assurance program.
According to a survey of ISACA’s Australian members, less than half — 42 per cent — currently include Cloud computing strategies within their enterprise. And 80 per cent of these organisations limit Cloud computing to low-risk, non-mission-critical IT services.
"Cloud take-up in Australia is relatively slow compared to other countries," said ISACA international vice-president and the Queensland Department of Communities associate director-general, Tony Hayes.
"Lower-risk and less contentious data seem to be the first choice for early adopters."
Hayes said organisations retain sensitive data and that which holds competitive advantage for organisations.
“Government agencies are significant investors in IT and, to date, Cloud computing has been adopted mainly as a concept internal to government," he said.
ISACA international vice-president and RSM Bird Cameron director of information security, Jo Stewart-Rattray, said CIOs remain polarised about Cloud computing.
"While speaking with CIOs in Australia and the US, the mention of the Cloud is met in one of two ways: An enormous groan or a loud cheer,” she said.
“Of course it will depend upon the context of a business whether Cloud offerings will suit its needs. If they do, security and governance around such offerings must be in place within the organisation.
Due diligence around the proposed service provider and appropriate controls must also be in place, she said, to ensure corporate information, is protected from loss, theft, tampering and loss of jurisdictional control.
Key questions for Cloud governance
ISACA’s guidance recommends enterprises ask the following key questions:
- What is the enterprise’s expected availability?
- How are identity and access managed in the Cloud?
- Where will the enterprise’s data be located?
- What are the Cloud service provider’s disaster recovery capabilities?
- How is the security of the enterprise’s data managed?
- How is the whole system protected from internet threats?
- How are activities monitored and audited?
- What type of certification or assurances can the enterprise expect from the provider?
ISACA will hold its Oceania CACS2011 conference to be held in Brisbane from 18-23 September, which will explore issues such as control, risk management, data loss prevention and assurance for Cloud strategies.
Follow Georgina Swan on Twitter: @swandives
Follow CIO Australia on Twitter: @CIO_Australia