# Governance

# Glossary

The risk that the client cedes control to the cloud provider.

# Overview

Governance is the system by which the provisioning and usage of cloud services are directed and controlled. Governance defines actions, assigns responsibilities, and verifies performance. Governance includes the policy, process, and internal controls that comprise how an organization is run, covering everything from structures and policies to leadership and the other mechanisms of management.

Governance provides oversight, foundation, direction, and support for the organization as a whole. This includes policies, mission statements, how issues are addressed, and so on. Whether an issue actually requires addressing at all is determined by governance. Governance identifies what the organization needs to do to satisfy its stakeholders, how to prioritize performance versus security, and so on.

# Corporate Governance

Corporate governance is a broad area describing the relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.

# Third-Party Governance

Like our organization, CSPs also have governance. We do not want to sacrifice our governance in favor of theirs. For example, consider these third-party governance questions for a CSP:

  • Who reviews SLAs?
  • How is this accomplished?
  • Who reviews whether the metrics outlined in the SLA are actually being met?

Governance is making sure we have the right goals and that we have the supporting structure in place to achieve those goals. Do we have good third-party governance? Does our CSP have good governance?

# Policies

# Overview

Policies are one of the foundational elements of a governance and risk management program. They guide the organization, based on standards and guidelines. Policies ensure that the organization is operating within its risk profile. Policies actually define, or are the expression of, the organization.

The design and implementation of security policies is carried out with input from senior management.

# Organizational Policies

Organizational policies are those intended to reduce exposure and minimize the risk of financial and data losses, as well as other types of damage such as loss of reputation.

Organizational policies form the basis of functional policies that can reduce the likelihood of the following:

  • Financial loss
  • Irretrievable loss of data
  • Reputational damage
  • Regulatory and legal consequences
  • Misuse and abuse of systems and resources

# Functional Policies

Functional policies are particularly useful for organizations that have a well-ingrained and fully operational ISMS. Typical functional policies include:

  • Information security policy
  • Information technology policy
  • Data classification policy
  • Acceptable usage policy
  • Network security policy
  • Internet use policy
  • Email use policy
  • Password policy
  • Virus and spam policy
  • Software security policy
  • Data backup policy
  • Disaster recovery (DR) policy
  • Remote access policy
  • Segregation of duties policy
  • Third-party access policy
  • Incident response and management policy
  • Human resources security policy
  • Employee background checks
  • Legal compliance guidelines

# Cloud Policies

As part of the review of cloud services, either during the development of the cloud strategy or during vendor reviews and discussions, the details and requirements of the service should be expanded so that they can be compared with, or assessed against, the criteria required by existing policies, such as:

  • Password policies
  • Remote access
  • Encryption
  • Third-party access
  • Segregation of duties
  • Incident management
  • Data backup

All of these policies are an expression of management's strategic goals and objectives with regard to managing and maintaining the risk profile of the organization.