Loss of governance in the cloud is the risk that the client cedes control to the cloud provider.
Governance is the system by which the provisioning and usage of cloud services are directed and controlled. Governance defines actions, assigns responsibilities, and verifies performance. It includes the policy, process, and internal controls that comprise how an organization is run: everything from the structures and policies to the leadership and other mechanisms for management.
Governance provides oversight, foundation, direction, and support for the organization as a whole. This includes policies, mission statements, how issues are addressed, and so on. Whether an issue actually requires addressing is itself outlined by governance. Governance identifies what the organization needs to do to satisfy its stakeholders, how to prioritize performance against security, and so on.
Corporate governance is a broad area describing the relationship between the shareholders and other stakeholders in the organization and the senior management of the corporation.
Like our organization, CSPs also have governance. We do not want to sacrifice our governance in favor of theirs. Consider, for example, third-party governance of a CSP:
- Who reviews SLAs?
- How is this accomplished?
- Who reviews whether the metrics outlined in the SLA are actually being met?
Governance is making sure we have the right goals and that we have the supporting structure in place to achieve those goals. Do we have good third-party governance? Does our CSP have good governance?
Policies are one of the foundational elements of a governance and risk management program. They guide the organization, based on standards and guidelines, and ensure that the organization is operating within its risk profile. Policies define, or are the expression of, the organization.
Designing and implementing security policies is carried out with input from senior management.
Organizational policies are intended to reduce exposure and minimize the risk of financial and data losses, as well as other types of damage such as loss of reputation.
Organizational policies form the basis of functional policies that can reduce the likelihood of the following:
- Financial loss
- Irretrievable loss of data
- Reputational damage
- Regulatory and legal consequences
- Misuse and abuse of systems and resources
Functional policies are particularly useful for organizations that have a well-ingrained and fully operational ISMS. Examples of functional policies include:
- Information security policy
- Information technology policy
- Data classification policy
- Acceptable usage policy
- Network security policy
- Internet use policy
- Email use policy
- Password policy
- Virus and spam policy
- Software security policy
- Data backup policy
- Disaster recovery (DR) policy
- Remote access policy
- Segregation of duties policy
- Third-party access policy
- Incident response and management policy
- Human resources security policy
- Employee background checks
- Legal compliance guidelines
As part of the review of cloud services, either during the development of the cloud strategy or during vendor reviews and discussions, the requirements should be expanded so that the provider's offering can be compared against, or assessed for, the criteria set by existing policies, such as:
- Password policies
- Remote access
- Third-party access
- Segregation of duties
- Incident management
- Data backup
All of these policies are an expression of management's strategic goals and objectives with regard to managing and maintaining the risk profile of the organization.