<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://community.ca.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security Management : compliance, Tom McHale</title><link>http://community.ca.com/blogs/iam/archive/tags/compliance/Tom+McHale/default.aspx</link><description>Tags: compliance, Tom McHale</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>Cloud Computing Compliance Recommendations from the A Teams</title><link>http://community.ca.com/blogs/iam/archive/2010/01/05/cloud-computing-compliance-recommendations-from-the-a-teams.aspx</link><pubDate>Tue, 05 Jan 2010 13:45:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:4139</guid><dc:creator>Tom McHale</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2010/01/05/cloud-computing-compliance-recommendations-from-the-a-teams.aspx#comments</comments><description>&lt;p&gt;I have spoken before on the issues of compliance and the cloud, and recently two of the big “kahunas” of security and compliance have published white papers on the topic.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;The first is an ISACA paper: “&lt;a class="" href="http://www.isaca.org/Template.cfm?Section=Research2&amp;amp;CONTENTID=53050&amp;amp;TEMPLATE=/ContentManagement/ContentDisplay.cfm" target="_blank"&gt;Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives&lt;/a&gt;.” This is a concise 10-page white paper that defines the cloud issue and discusses the “Assurance Considerations for Cloud Computing.” The paper identifies five assurance issues: transparency (of service providers), privacy, compliance, trans-border information flow and certification (of the service providers). 
However, there is not much guidance in this paper as to how to address these considerations. Their following guidance seems a bit circuitous to me:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;The use of standards and frameworks will help businesses gain assurance around their cloud computing supplier’s internal controls and security. At the time of writing, there are no publicly available standards specific to the cloud computing paradigm. However, existing standards should be consulted to address the relevant areas and businesses should look to adjust their existing control frameworks.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;My translation of this is: Businesses need some new standards/frameworks for cloud compliance, but there are none, so use your existing ones.&amp;nbsp; I did not get a lot of useful information in this white paper – aside from the fact that ISACA is concerned about this issue and has expressed its opinion as to why we should be concerned (which I agree is important to point out). But there is not much practical content as to how I should address these issues.&lt;/p&gt;
&lt;p&gt;On the other hand, the European Network and Information Security Agency (ENISA) has released its paper “&lt;a class="" href="http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment" target="_blank"&gt;Cloud Computing: Benefits, Risks and Recommendations for Information Security&lt;/a&gt;” weighing in at a mere 123 pages.&amp;nbsp; In this document they have enumerated the risks of cloud computing and scored them as shown in the risk chart below.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://community.ca.com/blogs/grc/ENISA%20cloud%20risk%20distribution%20chart.bmp"&gt;&lt;img hspace="10" src="http://community.ca.com/blogs/grc/ENISA%20cloud%20risk%20distribution%20chart_small.bmp" align="middle" border="0" alt="ENISA cloud risk distribution chart" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;As examples, they identified that the most serious risks with the highest score of 7 and the highest impact were:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;div&gt;R2: Loss of governance&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;R3: Compliance challenges&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;R22: Risk of change of jurisdiction &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;And the next most serious, with a score of 6 and highest probability, were:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;div&gt;R9: Isolation failure&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;R10: Cloud provider malicious insider&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;R14: Insecure or defective deletion of data&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;R26: Network management.&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;In this document they analyze each risk with respect to probability, impact, vulnerabilities, and assets. This is a very effective way to categorize the risks and how they may affect your business. &lt;/p&gt;
&lt;p&gt;In the last section they make a set of recommendations that include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;div&gt;An information assurance framework (a checklist of questions for service providers)&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Legal recommendations (from the European point of view but still appropriate for other jurisdictions)&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Research (recommendations for further research – useful if you want to write a research grant!).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The first two recommendations are very useful and thorough and can be used as a basis of contract terms and conditions with service providers.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;The fact that both these influential groups have spent a lot of time and thought about cloud compliance emphasizes the interest and concern about taking your business into the cloud. I think both these papers can be used as a basis for your cloud compliance approach and I highly recommend spending a few hours and cups of caffeinated coffee reading the ENISA document.&lt;br /&gt;&lt;/p&gt;&lt;img src="http://community.ca.com/aggbug.aspx?PostID=4139" width="1" height="1"&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/cloud+compliance/default.aspx">cloud compliance</category><category domain="http://community.ca.com/blogs/iam/archive/tags/cloud+computing/default.aspx">cloud computing</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Compliance/default.aspx">Compliance</category><category domain="http://community.ca.com/blogs/iam/archive/tags/ENISA/default.aspx">ENISA</category><category domain="http://community.ca.com/blogs/iam/archive/tags/ISACA/default.aspx">ISACA</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Security/default.aspx">Security</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Tom+McHale/default.aspx">Tom McHale</category></item><item><title>Is IT GRC a Foundation for Enterprise GRC?</title><link>http://community.ca.com/blogs/iam/archive/2009/09/15/is-it-grc-a-foundation-for-enterprise-grc.aspx</link><pubDate>Tue, 15 Sep 2009 10:05:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:3274</guid><dc:creator>Tom McHale</dc:creator><slash:comments>4</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2009/09/15/is-it-grc-a-foundation-for-enterprise-grc.aspx#comments</comments><description>&lt;br /&gt;
&lt;p&gt;Well, it is 75% already there with 3 of the 4 letters: a &lt;em&gt;&lt;strong&gt;G&lt;/strong&gt;&lt;/em&gt;, an &lt;strong&gt;&lt;em&gt;R&lt;/em&gt;&lt;/strong&gt; and a &lt;strong&gt;&lt;em&gt;C&lt;/em&gt;&lt;/strong&gt;. Now just swap the &lt;strong&gt;&lt;em&gt;IT&lt;/em&gt;&lt;/strong&gt; with &lt;strong&gt;&lt;em&gt;e&lt;/em&gt;&lt;/strong&gt; and you have it. That is my contention.&lt;/p&gt;
&lt;p&gt;There is much practitioner and market analyst discussion about the most appropriate approach to deploying an enterprise-wide GRC (eGRC) program within an organization. Market analysts like Forrester and Gartner define the GRC ecosystem as composed of an &amp;quot;enterprise GRC platform&amp;quot; and then finance, operations and IT GRC programs associated with that platform. Their approach, in my few words, is that organizations should build their various programs (finance GRC, for example) on an eGRC platform, utilizing the common GRC capabilities of the platform and thus allowing each program, as it is developed, to share its information with other business units and leverage the work of the others within the organization. Synergy + cooperation = efficiency = decreased bottom-line costs.&lt;/p&gt;
&lt;p&gt;As I stated above, my contention is that there is a variation on the above approach and organizations may be able to achieve an eGRC program more effectively if they use an IT GRC program as their basic foundation and expand off that. This contention is based on the following:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&amp;gt;&amp;gt; The IT part of an organization has a significant set of GRC responsibilities of its own for the core services it provides such as communications (ex: email), information management and storage, and application infrastructure. These services involve several compliance issues and constitute significant operational risk if they do not perform as expected.&lt;/p&gt;&lt;br /&gt;
&lt;p&gt;&amp;gt;&amp;gt; IT is the control owner of one of the largest critical masses of controls within an organization, and it will greatly benefit itself and its internal stakeholders from any automated GRC processes and control testing.&lt;/p&gt;
&lt;p&gt;&amp;gt;&amp;gt; IT touches most organizational operational processes in some way, so many of the other GRC programs (finance, operations) utilize IT core components within their business processes. For example, to make effective tradeoffs about IT risk, a business executive needs to know what happens to the business when technology fails or underperforms.&lt;/p&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;
&lt;p&gt;Based on the above, an IT GRC program will need many of the same capabilities as an eGRC platform, and analysts agree that an IT GRC program needs the following capabilities:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Central repository of IT mandates, controls and control testing&lt;/li&gt;
&lt;li&gt;Policy and controls library&lt;/li&gt;
&lt;li&gt;Policy distribution&lt;/li&gt;
&lt;li&gt;IT asset repository&lt;/li&gt;
&lt;li&gt;Remediation management&lt;/li&gt;
&lt;li&gt;Compliance reporting&lt;/li&gt;
&lt;li&gt;IT risk assessment&lt;/li&gt;
&lt;li&gt;IT control self-assessment&lt;/li&gt;
&lt;li&gt;Automated control monitoring.&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;It is no coincidence that these capabilities map very closely to the desired capabilities of an eGRC program; I think all you need to do is substitute &amp;quot;enterprise&amp;quot; for &amp;quot;IT&amp;quot;. There you go, an eGRC platform. Q.E.D.&lt;/p&gt;
&lt;p&gt;OK, I will agree with some of the groans I just heard out there that eGRC has a different set of users than the IT department and a much larger scope for risk management and compliance. But I will also point out that IT may be the most fertile and cost-effective part of your organization in which to start an eGRC program. They have the need, they have the widest scope, and they can provide a greater impact than any other part of the organization. They also have the experience of introducing new methodologies to the organization and scaling them to enterprise use.&lt;/p&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/Compliance/default.aspx">Compliance</category><category domain="http://community.ca.com/blogs/iam/archive/tags/eGRC/default.aspx">eGRC</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Enterprise+GRC/default.aspx">Enterprise GRC</category><category domain="http://community.ca.com/blogs/iam/archive/tags/governance/default.aspx">governance</category><category domain="http://community.ca.com/blogs/iam/archive/tags/IT+GRC/default.aspx">IT GRC</category><category domain="http://community.ca.com/blogs/iam/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Tom+McHale/default.aspx">Tom McHale</category></item></channel></rss>