7 Steps To Developing A Cloud Security Plan
Enterprise security should not be taken lightly but it also doesn't have to be a major roadblock either. By following these guidelines, organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud applications and services while meeting organizational security and compliance objectives.

Published in: Technology, Business

1. Whitepaper: 7 Steps to Developing a Cloud Security Plan
2. Executive Summary: 7 Steps to Developing a Cloud Security Plan

   Designing and implementing an enterprise security plan can be a daunting task for any business. To help facilitate this endeavor, NaviSite has developed a manageable process and checklist that can be used by enterprise security, compliance, and IT professionals as a framework for crafting a successful cloud computing security plan. It defines seven steps—sequentially—that have been tested and refined through NaviSite's experiences helping hundreds of companies secure enterprise resources according to best practices. This plan enables organizations to gain the economic advantages of secure and compliant managed cloud services.
3. Table of Contents

   INTRODUCTION ............................................................ 4
   STEP 1: REVIEW YOUR BUSINESS GOALS ...................................... 6
   STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAM .............................. 7
   STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS ........ 9
   STEP 4: ESTABLISH CORPORATE-WIDE SUPPORT ............................... 10
   STEP 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS ............ 11
   STEP 6: AUDIT AND REVIEW OFTEN ......................................... 12
   STEP 7: CONTINUOUSLY IMPROVE ........................................... 13
   CONCLUSION ............................................................. 14
   APPENDIX A: 7 STEPS TO DEVELOPING A CLOUD SECURITY PLAN CHECKLIST ...... 15
4. Introduction

   Cloud computing provides compelling cost and strategic benefits, including: scalability with reduced capital expenditure; more efficient use of IT resources; and the ability for an organization to focus on its core competency. Many well-established security technologies and procedures can be applied to cloud computing to provide enterprise-class security. In many cases the cloud provider can achieve better security in a virtualized environment than enterprises can achieve internally.

   Selecting a service provider with strong security procedures and services in cloud computing can be a strategic move, but enterprise organizations need to continue to take an active role in security and risk management. Working together, the cloud provider and the enterprise can ensure that existing security practices are being complemented and that enterprise resources are protected according to industry best practices.

   Cloud infrastructure services enable improved efficiencies for IT, allowing companies to reduce capital expenses even as resource demand increases. They also provide companies a competitive edge through greater scalability and flexibility to address business opportunities. Concerns around the security of cloud infrastructure have been viewed as a barrier to adoption, but there are seven tangible steps enterprises can take to gain the cost and business advantages of cloud services without compromising the security of enterprise applications.

   By following these steps the enterprise can rely on a proven methodology for cost-effectively and securely leveraging cloud services. NaviSite takes pride in ensuring its enterprise customers' services are secure and reliable but encourages all businesses—no matter what provider they are partnering with—to take an active role in being sure their specific security and compliance requirements are met.
5. A secure cloud services plan breaks down into the following seven steps:

   FIGURE 1: 7 STEPS (shown in sequence)
   STEP 1: Review Your Business Goals
   STEP 2: Maintain a Risk Management Program
   STEP 3: Create a Security Plan that Supports Your Business Goals
   STEP 4: Secure Corporate-Wide Support
   STEP 5: Create Security Policies, Procedures, and Standards
   STEP 6: Audit and Review Often
   STEP 7: Continuously Improve

   By following these steps organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud services while meeting organizational security and compliance objectives.
6. Step 1: REVIEW YOUR BUSINESS GOALS

   It is important that any cloud security plan begins with a basic understanding of your specific business goals. Security is not a one-size-fits-all scenario and should focus on enabling:

   • TECHNOLOGIES: Authentication and authorization, managing and monitoring, and reporting and auditing technologies should be leveraged to protect, monitor, and report on access to information resources
   • PROCESSES: Methodologies should be established that define clear processes for everything from provisioning and account establishment through incident management, problem management, change control, and acceptable use policies, so that processes govern access to information
   • PEOPLE: Organizations need access to the proper skill sets and expertise to develop security plans that align with business goals

   Too often, organizations view internal security and compliance teams as inhibitors to advancing the goals of the business. Understanding the business objectives and providing long-term strategies to enable business growth, customer acquisition, and customer retention is essential to any successful security plan.

   The best way to do this is to develop cloud security policies based on cross-departmental input. A successful security program includes contribution from all stakeholders to ensure that policies are aligned and procedures are practical and pragmatic.

   The broader the input, the more likely the final security plan will truly align with and support corporate goals. Executive input is not only essential to ensure that assets are protected with the proper safeguards, but also to ensure that all parties understand the strategic goals. For example, if a company plans to double in size within a few years, security infrastructure needs to be designed to support scalability.

   CASE IN POINT: At NaviSite, we often see customers faced with the challenge of making major security and technology changes to address evolving corporate goals. For example, a customer that hosts multiple merchant sites had a Payment Card Industry (PCI)-compliant application, but when it was acquired, its parent company required stricter controls that conformed to the enterprise-wide PCI program. The acquired company came to us with a small-company perspective, while the new parent company wanted to enforce even tighter security across its divisions.

   We worked with them to realign and bolster the goals of the acquired company's security and compliance programs with the corporate goals of the parent company. By reviewing the business goals with the stakeholders from the parent company, the newly acquired company, and our security team, we were able to identify and document the objectives for the new compliance program and ensure that they were aligned with the over-arching PCI program.
7. Step 2: MAINTAIN A RISK MANAGEMENT PROGRAM

   It is naïve to think that your applications will never be breached, whether they are hosted in your data center or in a managed data center. Every organization needs to develop and maintain a risk management program, and it should be done centrally and viewed holistically.

   An effective cloud computing risk management program is important for reducing the overall risk to the organization. It is also essential for prioritizing the utilization of resources and for providing the business with a long-term strategy. If a growing organization can identify and reduce the risk of new products, technologies, processes, people, and vendors, it can better focus on revenue growth and improved profitability.

   It is only through a well-defined and carefully maintained risk management program that you can provide an aggregated view of the risk that a company is willing to accept. The generalized view is that you assess the value of the asset, assess the loss expectancy probability, and then quantify whether the organization is willing to accept the risk of loss or whether steps should be taken to mitigate the chances of that loss. Security professionals are encouraged to regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate threats and maintain a reasonable security program that protects organizational assets, given budgetary resources.

   The cloud computing risk assessment policy requires buy-in from the very top. This program should be audited, and policies defined that explicitly state who can accept risk on behalf of the organization.

   If you have a well-developed risk management program in place, then you have identified your critical assets and established appropriate levels of protection. By moving some or all of your business applications to the cloud, you gain the additional benefits of your provider's business continuity planning and protection from unthinkable events, such as natural disasters. Seamless failover to a redundant data center thousands of miles away provides shareholders with increased comfort in knowing their business is protected and secure.

   At NaviSite, we continue to see disaster recovery and business continuity initiatives gaining increased corporate focus as a direct result of the migration of ERP applications to the cloud. For example, a publicly traded company outsourced its financial applications to NaviSite. However, they did not have a business continuity and disaster recovery (BCDR) plan.

   As we worked with them on their risk management program - identifying risks, evaluating the value of the assets, and looking at annualized loss expectancies to build out the level of assurance they needed - they realized the economic argument and value for enabling seamless failover to a redundant site across the country.

   Management went back to the Board of Directors and quickly received approval. The company now has a solid disaster recovery program in place with annual testing to ensure business continuity. The company did not initially understand the risk its shareholders were incurring until it developed a formal risk management program, and by quantifying that risk the company was able to take appropriate steps to mitigate and protect itself adequately while ensuring business continuity.
8. Step 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS

   Your cloud computing security plan should include goals with measurable results that are consistent with providing support for the growth and stability of the company. The plan should include compliance programs, technologies, and processes with very specific results. For example, a growing IT services company may pursue a data center compliance program, such as SSAE 16 (the successor to the SAS 70 standard), a service management framework which requires in-depth audits of control activities that include: security monitoring, change management, problem management, backup controls, physical and environmental safeguards, and logical access. Goals should include:

   • Specific date for completion
   • Verification of achievement, such as a Service Organization Controls (SOC) report
   • Measurable expected result, such as a reduction in reported incidents by five percent, improvement of risk mitigation by reduction of Annualized Loss Expectancy (ALE) by ten percent, or successful passing of customer audits increasing by twenty percent

   The security plan in many ways becomes a natural extension of the previous two steps. For example, if a U.S. company is planning for an IPO, becoming compliant with the Sarbanes-Oxley Act (SOX) requirement is essential. Section 404 of SOX explicitly requires management and the external auditor to report on the adequacy of the company's Internal Control on Financial Reporting (ICFR). Companies have to assure that the data is valid and has not been altered. It is primarily the responsibility of the IT group to ensure SOX compliance.

   Many of the needs to change security plans are not a result of corporate strategies but evolutions of compliance requirements. For example, at NaviSite, we help clients maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Information Technology for Economic and Clinical Health Act (HITECH) addresses the privacy and security concerns associated with the electronic transmission of health information and it extends the privacy and security provisions of HIPAA. By partnering with cloud providers, organizations are more nimble and can more easily modify their security plans to support evolving corporate strategies or regulatory requirements.
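   The risk method in Step 2 (assess the asset's value and its loss expectancy, then decide whether the organization accepts the risk or mitigates it, with a written policy on who may accept risk) and the Step 3 goal of a measurable ALE reduction can be made concrete in a small risk register. The following Python is an added example, not part of the whitepaper or NaviSite's own tooling: the assets, acceptance limits and risk appetite are constructed figures, and it uses the standard quantitative-risk expressions the text alludes to with "annualized loss expectancies" (single loss expectancy = asset value × exposure factor; ALE = SLE × annualized rate of occurrence).

```python
"""Risk register worked example: assess asset value and loss expectancy,
accept or mitigate against a risk appetite, record who must sign off,
and check a measurable ALE-reduction goal. Added illustration; every
figure below is constructed, none comes from the whitepaper."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    asset: str
    asset_value: float          # business value of the asset (currency units)
    exposure_factor: float      # fraction of the value lost in one incident (0..1)
    aro: float                  # annualized rate of occurrence (incidents per year)
    control: Optional[str] = None          # planned mitigation, if any
    mitigated_ef: Optional[float] = None   # exposure factor once the control is in place
    mitigated_aro: Optional[float] = None  # ARO once the control is in place

    def sle(self, mitigated: bool = False) -> float:
        """Single loss expectancy: asset value x exposure factor."""
        ef = self.exposure_factor
        if mitigated and self.mitigated_ef is not None:
            ef = self.mitigated_ef
        return self.asset_value * ef

    def ale(self, mitigated: bool = False) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        aro = self.aro
        if mitigated and self.mitigated_aro is not None:
            aro = self.mitigated_aro
        return self.sle(mitigated) * aro


# Assumed acceptance policy (constructed limits): the largest ALE each role may
# accept on behalf of the organization, in ascending order of authority.
ACCEPTANCE_AUTHORITY = [
    ("security manager", 25_000.0),
    ("CISO", 250_000.0),
    ("board of directors", float("inf")),
]


def required_approver(ale: float) -> str:
    """Lowest role whose authority covers the risk actually being carried."""
    for role, limit in ACCEPTANCE_AUTHORITY:
        if ale <= limit:
            return role
    return ACCEPTANCE_AUTHORITY[-1][0]


def assess(risks: list, appetite: float) -> dict:
    """Accept risks within appetite; mitigate the rest and record who must
    sign off on the residual risk that remains after the planned control."""
    report = {}
    for r in risks:
        ale = r.ale()
        if ale <= appetite:
            decision, carried = "accept", ale
        else:
            decision, carried = "mitigate", r.ale(mitigated=True)
        report[r.asset] = {
            "ale": round(ale, 2),
            "residual_ale": round(carried, 2),
            "decision": decision,
            "approver": required_approver(carried),
            "residual_within_appetite": carried <= appetite,
        }
    return report


def ale_reduction(risks: list) -> float:
    """Fraction by which the planned controls reduce the portfolio ALE."""
    before = sum(r.ale() for r in risks)
    after = sum(r.ale(mitigated=True) for r in risks)
    return (before - after) / before if before else 0.0


def meets_goal(risks: list, target: float = 0.10) -> bool:
    """Step 3 style measurable result: ALE reduced by at least `target`."""
    return ale_reduction(risks) >= target


# Constructed register: hypothetical assets and figures, not customer data.
REGISTER = [
    Risk("ERP financial application", 2_000_000, 0.5, 0.1,
         control="redundant DR site with seamless failover", mitigated_aro=0.02),
    Risk("customer web portal", 500_000, 0.2, 0.5,
         control="web application firewall and patch SLA", mitigated_ef=0.1),
    Risk("internal wiki", 40_000, 0.25, 1.0),
]
RISK_APPETITE = 30_000.0  # assumed maximum ALE the company accepts per asset

if __name__ == "__main__":
    for asset, row in assess(REGISTER, RISK_APPETITE).items():
        print(f"{asset:28s} {row}")
    print(f"portfolio ALE reduction: {ale_reduction(REGISTER):.1%}")
    print("10% ALE reduction goal met:", meets_goal(REGISTER))
```

   Run as a script, the register shows the ERP application and the web portal above appetite and therefore mitigated, the wiki accepted, and the planned controls cutting the portfolio ALE from 160,000 to 55,000, which comfortably meets a ten percent reduction goal. The `approver` field is what an auditor would look for: evidence that the person accepting each residual risk was authorized to do so under the policy Step 2 calls for.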
9. Step 4: ESTABLISH CORPORATE-WIDE SUPPORT & ALIGNMENT

   A key element of a successful cloud computing security plan is the involvement and support of the plan across the organization. Many security departments build out vast arrays of policies that are difficult to implement across the organization. Prioritizing these policies and ensuring that they are not in conflict with other policies from different departments is essential for establishing support and acceptance.

   A given security policy may not rely on the latest technology or provide the most secure results, but balancing ease of deployment and organizational acceptance with security is a necessary tradeoff. Organizations need to establish levels of security that meet business goals and comply with regulatory requirements and risk management policies, but that can be centrally managed and conveniently implemented across the organization with minimal negative impact to productivity. Recognize that it is impossible to completely eliminate risk, but it is prudent to mitigate it in a reasonable manner.

   At NaviSite, we have found that the key is to take time to gain a solid understanding of how a company develops its products and services and delivers them to its customers. The majority of your time spent building support for security policies should not be spent in writing those policies, but instead should be spent in learning how the business truly functions so that security can better contribute to its success, and not be viewed as a hindrance or a daily obstacle.

   For example, we have worked with manufacturing companies that were building highly sensitive products. In one company, the security team designed a security plan that was so restrictive the plant had to ignore the mandated controls to function productively. This led to the failure of the third-party audit and ultimately a recall of the product manufactured with the circumvented controls. We also worked with an insurance company that developed an application for estimating the cost of insurance that secured the data sources used by the application; they wrote security policies such that they restricted internal departments from viewing critical data needed to perform their jobs.

   Companies need to ensure that the security plan is not only aligned with the goals of the organization, but also with the goals of the major departments that will be implementing it. Gaining this acceptance streamlines adoption throughout the organization.
10. Step 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS

   A set of guidelines is important to ensure that all compliance measures are identified and the entire organization is driving toward achievement of the same goals. For example, for a healthcare provider, it may be important to provide HIPAA- and HITECH-compliant health care services to new and existing patients. In order to do so, the organization must build security policies that define the constraints in the handling of Protected Health Information (PHI), procedures that define the process of acquiring PHI, and guidelines that encourage the general adoption of best practices.

   When you are audited for SOX, PCI Data Security Standard (DSS), or any other relevant compliance standard that affects your business, the auditor will look at existing policies, how you have implemented them, and whether they are being followed throughout your organization. Every company audited wants to make sure it passes the audit, and if you have completed all the previous steps outlined in this process, it will be easier for you to create security guidelines that can be consistently enforced.

   New clients often ask, "What's the easiest way to create security policies, procedures, and standards?" and the answer is simple—turn to best practices. When it comes to establishing security guidelines, it is much easier, more practical and productive to edit than it is to create. Assuming you have gone through the previous four steps, security and compliance teams have had to establish many of the policies necessary to address business requirements. Read everything you can and apply best practices to creating policies that align with business goals, develop procedures that are realistic and that will be acceptable to the organization, and wherever possible turn to industry standards to guide you.

   Cloud services are a major advantage for growing organizations that have not yet embedded established policies and procedures into the company. The enterprise can rely on the best practices the service provider has developed over years of experience in similar environments.

   As with many enterprise cloud service providers, including NaviSite, change management is a clearly defined process governed by well-established guidelines. Each change must be approved by the proper personnel, and then implemented in a quality assurance environment. Once it is tested and approved through a user acceptance procedure, it is introduced to the end-user community in the least intrusive manner possible, with a clearly defined back-out procedure in place in case there are unforeseen problems or issues with user adoption.

   By turning to high-performance cloud computing, the enterprise can dramatically reduce the learning curve for developing security policies, procedures, and standards. Organizations can accelerate the adoption of best practices for protecting enterprise resources by adopting proven security methodologies.
11. Step 6: AUDIT AND REVIEW OFTEN

   It is important to review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures. If it is part of your overall business plan, a third-party audit can provide an impartial review of the controls and report on compliance to established programs, such as SSAE 16, PCI DSS, or Safe Harbor. Some industries mandate audits, and U.S. publicly traded companies have to conduct internal audits every quarter when they release financial statements. Understanding the auditing requirements for your business and the frequency of your audits is essential not only for ensuring compliance with relevant requirements but also for maintaining best practices for securing enterprise resources.

   For example, SSAE 16 audits are conducted every six months, but at NaviSite we conduct internal audits every three months to ensure ongoing compliance and provide assurance that our data centers and our support infrastructure remain current with SSAE 16 requirements. The SSAE 16 audit is aligned with our security goals because it assures customers that our processes, procedures, and controls have been formally reviewed. It also demonstrates our compliance with Section 404 of the Sarbanes-Oxley Act. By auditing and reviewing the results regularly, companies can implement a constant audit cycle that ensures that the controls remain in place and that they are being followed. If problems occur, they can be identified and remediated before the next audit cycle.
12. Step 7: CONTINUOUSLY IMPROVE

   A well-developed security plan will allow for the continuous improvement of security and compliance. At a minimum, annually review your cloud computing security plan with senior executives and your cloud services provider, and revise goals and objectives as needed. Review and edit security policies and procedures, and actively report back to the organization the accomplishments of the security and compliance teams.

   Many companies believe that once they have solid policies and procedures in place they do not need to revisit them—but your industry and your business will change over time, and the technology available to support your security plan will evolve. Just ten years ago remote workers had limited access to enterprise applications, but rapid advances in VPN technology and massive demand for secure remote access have driven most companies to develop policies and procedures to support a mobile workforce. And the technology to support these policies and procedures is enabling businesses to provide the flexibility for employees to work from virtually anywhere.

   Review all of your generally accepted security policies at least annually. At NaviSite, we review our security policies on an even more frequent basis. An annual review is designed into some compliance policies; if that's the case for your business, consider reviewing your security policies every six months so you have the time to evaluate your current policies, update them when needed and change procedures when necessary before your next audit. Continuous improvement is the key to your security plan. Understanding the dynamic nature of your business and constantly evaluating security requirements are the foundation for implementing a successful continuous improvement strategy.
13. Conclusion

   Properly managed cloud infrastructure provides better security than most enterprise data centers, applications, and IT infrastructure. It allows companies to more efficiently deploy scarce technical personnel. Use this proven process and the summary checklist provided in Appendix A as an easy guide to structuring your cloud computing security plan.

   Selecting a stable cloud service provider with world-class data centers, enterprise cloud computing infrastructure, application expertise, and a proven security methodology will help the enterprise reap the financial rewards of cloud computing while implementing a security framework optimized for the requirements of cloud architectures.

   These seven steps are meant to serve as a framework to guide companies as they develop a secure cloud-computing plan. By following these guidelines, organizations can structure security and compliance programs to take advantage of the financial benefits of managed cloud applications and services while meeting organizational security and compliance objectives.

   ABOUT NAVISITE
   For more information about secure cloud computing services from NaviSite, please visit www.navisite.com or send an e-mail to us at webinfo@navisite.com or call us at 1.888.298.8222 to discuss your secure cloud computing requirements.
14. Appendix A: 7 STEPS TO DEVELOPING A CLOUD SECURITY PLAN CHECKLIST

   By following these seven steps to developing a secure outsourcing plan developed by NaviSite, the enterprise can rely on a proven methodology for cost-effectively and securely outsourcing IT services.

   STEP 1: REVIEW YOUR BUSINESS GOALS
   • Understand your business goals and direction
   • Develop cloud security policies based on cross-departmental input that includes insights from senior management and all of the stakeholders
   • Ensure that all security policies are aligned with strategic goals, and that the procedures are practical and pragmatic

   STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAM
   • Develop and maintain a risk management program centrally, and view it holistically
   • Carefully define exactly who is authorized to accept risk on behalf of the enterprise
   • Implement a well-defined and carefully maintained risk management program so you can provide an aggregated view of the risk that a company is willing to accept
   • Ensure that security professionals regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate risks and protect organizational assets
   • Gain executive-level buy-in to the cloud computing risk assessment policy, and for publicly traded companies, gain Board-level approval if necessary
   • Consider seamless failover to a redundant data center and disaster recovery planning integral to risk management

   STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS
   • Develop goals with measurable results that are consistent with providing support for the growth and stability of the company
   • Include compliance programs, technologies, and processes with specific metrics
   • Work with your cloud service provider to ensure that your security plan is nimble enough to support evolving corporate strategies or regulatory requirements

   STEP 4: ESTABLISH CORPORATE-WIDE SUPPORT
   • Gain the approval of your cloud computing security plan from not only executive management but also the general workforce
   • Make sure security policies are not in conflict with other policies from different departments, and that they are not too time-consuming
   • Establish levels of security that can be centrally managed and conveniently implemented across the organization
15. Appendix A: 7 STEPS, CONTINUED

   STEP 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS
   • Establish a set of guidelines to ensure that all compliance measures are identified
   • Make sure that compliance requirements are reflected in your policies and procedures
   • Ensure that auditors can clearly review your policies and how you have implemented them, so they can confirm that they are being followed
   • Design a comprehensive, layered approach based on a security framework to address common regulatory requirements. This will make it easier to adopt and maintain security procedures that can be audited so you can achieve your security and compliance goals.
   • Turn to this 7-step plan as the foundation for your internal audits. If you don't have these steps in place, you won't have a structure that auditors can easily follow
   • Read everything you can and apply best practices to creating policies that align with business goals
   • Develop procedures that are realistic and that will be acceptable to the organization

   STEP 6: AUDIT AND REVIEW OFTEN
   • Review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures
   • If it is part of your overall business plan, turn to a third-party audit to provide an impartial review of the controls and report on compliance to established programs
   • Understand the auditing requirements for your business and the frequency of your audits, not only for ensuring compliance with relevant requirements but also so you can implement best practices for securing enterprise resources
   • Audit and review the results regularly to ensure that the controls remain in place and that they are being followed
   • If an audit reveals any potential security or compliance problems, ensure they are remediated before the next audit cycle

   STEP 7: CONTINUOUSLY IMPROVE
   • Annually review your cloud computing security plan with senior management and your cloud services provider
   • Re-establish goals
   • Review and edit security policies and procedures
   • Actively report back to the organization the accomplishments of the security and compliance teams

   These steps should be implemented sequentially, and it is an iterative process based on best practices and focused on continuous improvement.

   By following these guidelines, organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud applications and services while meeting organizational security and compliance objectives.