The document discusses enterprise risk management for cloud computing. It provides an overview of cloud computing and its growth. It then discusses how the COSO enterprise risk management framework can be applied to managing risks in a cloud computing environment. The framework includes five components - governance and culture, strategy and objective setting, performance, review and revision, and information communication and reporting. It examines each component and the principles within and provides guidance on how organizations can implement them for effective cloud computing risk management.
This document discusses cloud computing security and outlines several key points:
1. It introduces cloud computing and discusses how it has reduced upfront costs for companies while allowing resources to scale as needed.
2. It then outlines some of the major security concerns for cloud computing, including whether cloud providers can securely manage large numbers of customers and sensitive data.
3. The document proposes several cloud computing models and architectures aimed at improving security, governance, compliance and establishing trust in cloud systems.
DAM 2018 Review, What's next 2019 ?
Facts and Trends of the 2018 DAM Market, what's rock, what matters for Brands ? How to Select a DAM solution and more...
The document discusses security issues related to cloud computing. It provides an introduction to cloud computing, discussing its evolution and key concepts. The majority of the document focuses on security challenges in cloud computing, addressing issues such as administrative access to servers and applications, virtual machine vulnerabilities, encryption and data protection, and identity management. It also discusses security advantages and disadvantages of cloud environments.
The introduction of cloud computing and cloud sourcing requires an appropriate cloud governance strcuture to ensure a secured computing environment and to comply with all relevant organizational information technology policies. As such, organizations need a set of cloud governance capabilities that are essential when effectively implementing and managing cloud services.
This presentation provides a detailed coverage on Cloud services: Software as a Service, Platform as a Service, Infrastructure as a Service, Database as a Service, Monitoring as a Service, Communication as Services. Service providers- Google, Amazon, Microsoft Azure, IBM, Sales force.
Constan4ne Karbalio4s gave a presenta4on to the Chief Privacy Officers Council on privacy issues in cloud compu4ng. He discussed that while cloud compu4ng provides benefits like cost savings and scalability, it also poses privacy and security risks if not properly governed. Research shows most organiza4ons are adop4ng cloud technologies without adequate vendor evalua4on, employee training, or privacy policies to protect sensi4ve data in the cloud. The real problem is that cloud migra4on is occurring in an ad hoc manner without proper oversight and controls, despite the growing use of cloud compu4ng by organiza4ons.
This Presentation provides a detailed insight about Collaborating Using Cloud Services Email Communication over the Cloud - CRM Management – Project Management-Event
Management - Task Management – Calendar - Schedules - Word Processing –
Presentation – Spreadsheet - Databases – Desktop - Social Networks and Groupware.
This document discusses cloud computing security and outlines several key points:
1. It introduces cloud computing and discusses how it has reduced upfront costs for companies while allowing resources to scale as needed.
2. It then outlines some of the major security concerns for cloud computing, including whether cloud providers can securely manage large numbers of customers and sensitive data.
3. The document proposes several cloud computing models and architectures aimed at improving security, governance, compliance and establishing trust in cloud systems.
DAM 2018 Review, What's next 2019 ?
Facts and Trends of the 2018 DAM Market, what's rock, what matters for Brands ? How to Select a DAM solution and more...
The document discusses security issues related to cloud computing. It provides an introduction to cloud computing, discussing its evolution and key concepts. The majority of the document focuses on security challenges in cloud computing, addressing issues such as administrative access to servers and applications, virtual machine vulnerabilities, encryption and data protection, and identity management. It also discusses security advantages and disadvantages of cloud environments.
The introduction of cloud computing and cloud sourcing requires an appropriate cloud governance strcuture to ensure a secured computing environment and to comply with all relevant organizational information technology policies. As such, organizations need a set of cloud governance capabilities that are essential when effectively implementing and managing cloud services.
This presentation provides a detailed coverage on Cloud services: Software as a Service, Platform as a Service, Infrastructure as a Service, Database as a Service, Monitoring as a Service, Communication as Services. Service providers- Google, Amazon, Microsoft Azure, IBM, Sales force.
Constan4ne Karbalio4s gave a presenta4on to the Chief Privacy Officers Council on privacy issues in cloud compu4ng. He discussed that while cloud compu4ng provides benefits like cost savings and scalability, it also poses privacy and security risks if not properly governed. Research shows most organiza4ons are adop4ng cloud technologies without adequate vendor evalua4on, employee training, or privacy policies to protect sensi4ve data in the cloud. The real problem is that cloud migra4on is occurring in an ad hoc manner without proper oversight and controls, despite the growing use of cloud compu4ng by organiza4ons.
This Presentation provides a detailed insight about Collaborating Using Cloud Services Email Communication over the Cloud - CRM Management – Project Management-Event
Management - Task Management – Calendar - Schedules - Word Processing –
Presentation – Spreadsheet - Databases – Desktop - Social Networks and Groupware.
This presentation will give complete information regarding security issues related to cloud computing. To learn cloud computing fill up a simple form.
http://bit.ly/aDegGN
The document provides an overview of Microsoft Azure services categorized into Compute, Data, Network, and App services that can be used in public cloud or on-premises cloud environments. It also discusses how Microsoft System Center 2012 R2 and Windows Server 2012 R2 products integrate with Microsoft Azure to provide management capabilities across on-premises, service provider, and Microsoft Azure environments.
The document provides an overview of cloud computing risks from an assurance perspective. It discusses cloud computing terminology, major public cloud services, assessing public cloud risk, trends and issues. The presentation covers cloud service models, deployment models, benefits and risks of public clouds, assurance frameworks like CSA's Cloud Controls Matrix, and key controls in areas like compliance, data governance, facility security, information security, and operations management.
The document is a presentation about cloud security and the Cloud Security Alliance (CSA). It introduces CSA as a non-profit organization focused on best practices for cloud security. It outlines CSA's research projects including the Cloud Controls Matrix to help organizations assess cloud security controls. It also discusses some of the key differences in security for cloud computing compared to traditional IT, such as shared responsibility models and the top security threats in cloud environments.
In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. This paper discusses security issues, requirements and challenges that cloud service providers (CSP) face during cloud engineering. Recommended security standards and management models to address these are suggested for technical and business community.
The document discusses the major security concerns organizations have regarding cloud environments. The top concerns include: data loss/leakage due to the ease of sharing data in the cloud (69% of organizations), data privacy and confidentiality (66%), accidental exposure of cloud credentials (44%), difficulty performing effective incident response in the cloud (44%), and legal/regulatory compliance challenges (42%). Other concerns include data sovereignty/residence/control, as organizations may not know where their data is physically stored.
Global Cyber Attacks Stats
What is Computing Security?
Cloud Computing, Models and Security Demystified
New Security Challenges of Cloud Computing
Security Dimensions – The CIA Triad
Scope of Cloud Computing Security
Security Challenge Eco-system
Vulnerabilities, Threats and Exposure Points
Attacks – Modes and Types
The Notorious Nine – Cloud Security Threats
Methods of Defence
Tenets of Security Control
Security Life Cycle
Cloud Security Components and Governance
Tiered Cloud Security Handling Framework
Bottom-line
Take-aways
mandate from senior management
This document discusses the relationship between information security and compliance teams and how their alignment is important for managing risks when using cloud computing. It notes that security and compliance teams sometimes have differing priorities that can cause friction. However, the use of cloud computing, where many security controls are managed by external providers, requires close coordination between the two functions. The document provides recommendations for how security and compliance teams can forge a stronger alliance, including through the use of cross-functional "tiger teams" and toolset standardization. Close collaboration is needed to effectively evaluate cloud security and ensure regulatory compliance.
Home
Editor’s Note
Risk Management
Frameworks
for Cloud Security
Sections:
Introduction
Cloud Computing background
Securing the Cloud
Virtualization
Mobile Cloud Computing
User safety & energy consumption
Author’s proposal
Conclusion
In order to make cloud computing to be adopted by users and enterprises, security concerns of users should be rectified by making cloud environment trustworthy, discussed by Latif et al. in the assessment of cloud computing risks[2].
We address the questions related to:
security concerns and threats over general cloud computing,
(2) the solutions for these problems and
(3) mobile users safety in convergence with energy consumption.
Evaluation Of The Data Security Methods In Cloud Computing Environmentsijfcstjournal
This document discusses methods for ensuring data security in cloud computing environments. It begins by introducing cloud computing models including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). The main goals of data security - confidentiality, integrity, and availability - are then described. Several methods for data security are proposed, including data fragmentation where sensitive data is divided and distributed across different domains. Encryption techniques are also discussed as ways to protect confidential data during storage and transmission. Overall, the document aims to evaluate approaches for addressing key issues around securing user data in cloud systems.
SOME SECURITY CHALLENGES IN CLOUD COMPUTINGHoang Nguyen
There are several security challenges with cloud computing including issues of trust, broad attacking surfaces, and data breaches. Ensuring data integrity and privacy is difficult when data is outsourced to cloud storage. Techniques like encryption, secure auditing, and proofs of data redundancy can help address some of these challenges, but protecting access patterns and enabling secure computation outsourcing remain open problems.
What makes the next-generation firewall better than the traditional firewalls in protecting your data from hackers? Know more information from Netmagic!
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
This document provides a framework for classifying and rating IT vendors in the cloud computing environment. It begins by defining various classifications for cloud computing based on products, business type, deployment method, servicing model, and technical capabilities. It then discusses factors for rating vendors, such as corporate viability, market offerings, and customer service. Finally, it proposes using these classifications and ratings to map vendors on a "market map" to categorize them as market leaders, major players, up-and-comers, etc. based on capabilities, momentum, market share, and other parameters.
This white paper outlines the gaps in providing a secure
browser, including research into data breach trends and
provides a practical solution for centralizing and securing
browsers. The solution includes combining Citrix and
Bitdefender technologies in an innovative approach centered
on new virtualization and hypervisor introspection
technologies.
Gartner predicts that nearly 40% of enterprise IT application spend will be shifted to cloud versus on-premise by 2020.
However, most IT departments evaluate and select cloud-based apps based on their many business productivity benefits but a number of critical security and performance issues need to be considered at the same time.
This white paper details some of the major considerations you will need to focus on when looking for cloud app security. You will also learn about:
Limitations of existing products
Integrated cloud security gateway approach
Malware and data security challenges
And much, much more
The document discusses how organizations can leverage the COSO Enterprise Risk Management Framework to manage cyber risk in today's digital age. It outlines how the digital revolution has increased connectivity but also vulnerabilities, expanding organizations' risk profiles. The COSO Framework addresses this evolution by highlighting risk management's role in strategy and performance. The summary then maps out how organizations can view their cyber risk profile through the Framework's key components: governance, strategy, performance, review/revision, and information/communication.
The document is a summary report of the 2023 Global Cybersecurity Outlook study conducted by the World Economic Forum in collaboration with Accenture. Some of the key findings from the study include:
- Business and cyber leaders now believe that a catastrophic cyber event in the next two years is likely due to increased global geopolitical instability.
- 43% of organizational leaders think it is likely their organization will experience a cyberattack that materially affects them in the next two years.
- Data protection and cybersecurity concerns created by geopolitical fragmentation are increasingly influencing business operations and investment decisions.
- In response, leaders plan to strengthen third-party controls and re-evaluate business partners and countries. However,
Mobile, Cloud, Security, Cognitive and AnalyticsKate Morphett
The document summarizes key trends in digital business identified by the IBM Center for Applied Insights. Some of the main trends discussed include the growth of hybrid cloud environments, with leading organizations using hybrid cloud to power digital transformation and next-generation initiatives. Specific examples are provided of how hybrid cloud has helped organizations like a Russian theatre and Finnish airline drive digital transformation. The document also briefly discusses trends in resiliency, security, and other areas.
The document discusses how businesses have become increasingly reliant on technology and interconnected networks, leaving them more vulnerable to cyber risks. It outlines how COSO can be used as a framework to help organizations manage cyber risks and controls. Specifically, it describes how the five components of internal control - control environment, risk assessment, control activities, information and communication, and monitoring activities - relate to cyber risk management and can help organizations take a holistic, risk-based approach to addressing this challenge in a secure, vigilant and resilient manner.
This presentation will give complete information regarding security issues related to cloud computing. To learn cloud computing fill up a simple form.
http://bit.ly/aDegGN
The document provides an overview of Microsoft Azure services categorized into Compute, Data, Network, and App services that can be used in public cloud or on-premises cloud environments. It also discusses how Microsoft System Center 2012 R2 and Windows Server 2012 R2 products integrate with Microsoft Azure to provide management capabilities across on-premises, service provider, and Microsoft Azure environments.
The document provides an overview of cloud computing risks from an assurance perspective. It discusses cloud computing terminology, major public cloud services, assessing public cloud risk, trends and issues. The presentation covers cloud service models, deployment models, benefits and risks of public clouds, assurance frameworks like CSA's Cloud Controls Matrix, and key controls in areas like compliance, data governance, facility security, information security, and operations management.
The document is a presentation about cloud security and the Cloud Security Alliance (CSA). It introduces CSA as a non-profit organization focused on best practices for cloud security. It outlines CSA's research projects including the Cloud Controls Matrix to help organizations assess cloud security controls. It also discusses some of the key differences in security for cloud computing compared to traditional IT, such as shared responsibility models and the top security threats in cloud environments.
In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. This paper discusses security issues, requirements and challenges that cloud service providers (CSP) face during cloud engineering. Recommended security standards and management models to address these are suggested for technical and business community.
The document discusses the major security concerns organizations have regarding cloud environments. The top concerns include: data loss/leakage due to the ease of sharing data in the cloud (69% of organizations), data privacy and confidentiality (66%), accidental exposure of cloud credentials (44%), difficulty performing effective incident response in the cloud (44%), and legal/regulatory compliance challenges (42%). Other concerns include data sovereignty/residence/control, as organizations may not know where their data is physically stored.
Global Cyber Attacks Stats
What is Computing Security?
Cloud Computing, Models and Security Demystified
New Security Challenges of Cloud Computing
Security Dimensions – The CIA Triad
Scope of Cloud Computing Security
Security Challenge Eco-system
Vulnerabilities, Threats and Exposure Points
Attacks – Modes and Types
The Notorious Nine – Cloud Security Threats
Methods of Defence
Tenets of Security Control
Security Life Cycle
Cloud Security Components and Governance
Tiered Cloud Security Handling Framework
Bottom-line
Take-aways
mandate from senior management
This document discusses the relationship between information security and compliance teams and how their alignment is important for managing risks when using cloud computing. It notes that security and compliance teams sometimes have differing priorities that can cause friction. However, the use of cloud computing, where many security controls are managed by external providers, requires close coordination between the two functions. The document provides recommendations for how security and compliance teams can forge a stronger alliance, including through the use of cross-functional "tiger teams" and toolset standardization. Close collaboration is needed to effectively evaluate cloud security and ensure regulatory compliance.
Home
Editor’s Note
Risk Management
Frameworks
for Cloud Security
Sections:
Introduction
Cloud Computing background
Securing the Cloud
Virtualization
Mobile Cloud Computing
User safety & energy consumption
Author’s proposal
Conclusion
In order to make cloud computing to be adopted by users and enterprises, security concerns of users should be rectified by making cloud environment trustworthy, discussed by Latif et al. in the assessment of cloud computing risks[2].
We address the questions related to:
security concerns and threats over general cloud computing,
(2) the solutions for these problems and
(3) mobile users safety in convergence with energy consumption.
Evaluation Of The Data Security Methods In Cloud Computing Environmentsijfcstjournal
This document discusses methods for ensuring data security in cloud computing environments. It begins by introducing cloud computing models including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). The main goals of data security - confidentiality, integrity, and availability - are then described. Several methods for data security are proposed, including data fragmentation where sensitive data is divided and distributed across different domains. Encryption techniques are also discussed as ways to protect confidential data during storage and transmission. Overall, the document aims to evaluate approaches for addressing key issues around securing user data in cloud systems.
SOME SECURITY CHALLENGES IN CLOUD COMPUTINGHoang Nguyen
There are several security challenges with cloud computing including issues of trust, broad attacking surfaces, and data breaches. Ensuring data integrity and privacy is difficult when data is outsourced to cloud storage. Techniques like encryption, secure auditing, and proofs of data redundancy can help address some of these challenges, but protecting access patterns and enabling secure computation outsourcing remain open problems.
What makes the next-generation firewall better than the traditional firewalls in protecting your data from hackers? Know more information from Netmagic!
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
This document provides a framework for classifying and rating IT vendors in the cloud computing environment. It begins by defining various classifications for cloud computing based on products, business type, deployment method, servicing model, and technical capabilities. It then discusses factors for rating vendors, such as corporate viability, market offerings, and customer service. Finally, it proposes using these classifications and ratings to map vendors on a "market map" to categorize them as market leaders, major players, up-and-comers, etc. based on capabilities, momentum, market share, and other parameters.
This white paper outlines the gaps in providing a secure
browser, including research into data breach trends and
provides a practical solution for centralizing and securing
browsers. The solution includes combining Citrix and
Bitdefender technologies in an innovative approach centered
on new virtualization and hypervisor introspection
technologies.
Gartner predicts that nearly 40% of enterprise IT application spend will be shifted to cloud versus on-premise by 2020.
However, most IT departments evaluate and select cloud-based apps based on their many business productivity benefits but a number of critical security and performance issues need to be considered at the same time.
This white paper details some of the major considerations you will need to focus on when looking for cloud app security. You will also learn about:
Limitations of existing products
Integrated cloud security gateway approach
Malware and data security challenges
And much, much more
The document discusses how organizations can leverage the COSO Enterprise Risk Management Framework to manage cyber risk in today's digital age. It outlines how the digital revolution has increased connectivity but also vulnerabilities, expanding organizations' risk profiles. The COSO Framework addresses this evolution by highlighting risk management's role in strategy and performance. The summary then maps out how organizations can view their cyber risk profile through the Framework's key components: governance, strategy, performance, review/revision, and information/communication.
The document is a summary report of the 2023 Global Cybersecurity Outlook study conducted by the World Economic Forum in collaboration with Accenture. Some of the key findings from the study include:
- Business and cyber leaders now believe that a catastrophic cyber event in the next two years is likely due to increased global geopolitical instability.
- 43% of organizational leaders think it is likely their organization will experience a cyberattack that materially affects them in the next two years.
- Data protection and cybersecurity concerns created by geopolitical fragmentation are increasingly influencing business operations and investment decisions.
- In response, leaders plan to strengthen third-party controls and re-evaluate business partners and countries. However,
Mobile, Cloud, Security, Cognitive and AnalyticsKate Morphett
The document summarizes key trends in digital business identified by the IBM Center for Applied Insights. Some of the main trends discussed include the growth of hybrid cloud environments, with leading organizations using hybrid cloud to power digital transformation and next-generation initiatives. Specific examples are provided of how hybrid cloud has helped organizations like a Russian theatre and Finnish airline drive digital transformation. The document also briefly discusses trends in resiliency, security, and other areas.
The document discusses how businesses have become increasingly reliant on technology and interconnected networks, leaving them more vulnerable to cyber risks. It outlines how COSO can be used as a framework to help organizations manage cyber risks and controls. Specifically, it describes how the five components of internal control - control environment, risk assessment, control activities, information and communication, and monitoring activities - relate to cyber risk management and can help organizations take a holistic, risk-based approach to addressing this challenge in a secure, vigilant and resilient manner.
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJSherry Jones
The document summarizes key recommendations from a National Institute of Standards and Technology (NIST) cybersecurity framework for critical infrastructure providers. It recommends that CIOs take four steps: 1) conduct a self-assessment to identify gaps in their cybersecurity practices based on the framework; 2) build consensus around adopting the framework by tying it to existing risk management programs; 3) focus on continuous improvement by working towards higher implementation tiers; and 4) collaborate with industry peers to share threat information. Adopting the voluntary framework may help organizations better manage cybersecurity and legal risks.
Asia's Financial Services on the Cloud 2018: Regulatory Landscape Impacting t...accacloud
Regulations play a crucial role in enabling or limiting cloud adoption by financial services institutions in Asia. This report provides an update on regulatory landscapes across nine Asia markets. It finds that while some regulators are clarifying outsourcing rules to help firms comply, restrictions still exist. The report recommends regulators break down barriers by having technology-neutral rules, clearer processes for cloud adoption, and distinguishing critical vs non-critical services. This would help firms benefit from cloud computing's efficiencies while managing risks.
The document discusses principles for successful cloud adoption, including establishing a Chief Cloud Officer (CCO) and Cloud Business Office (CBO). The CCO focuses on building strategy based on leadership, communication, and people. The CBO manages cloud services adoption and helps control costs. Key aspects of cloud adoption discussed are governance, migration, operations, and economics optimization.
Navigating Cloud Trends in 2024 Webinar DeckPrecisely
According to Gartner, “85% of organizations will embrace a cloud-first principle by 2025”, and as customers expectations become more demanding, understanding the intricacies of cloud migration and modernization is crucial. However, cloud migration and modernization projects do not always go according to plan and understanding essential trends can guide you through potential pitfalls. From the evolution of multi-cloud strategies to the surging influence of AI and automation, our experts will unravel key insights, enabling organizations to harness the power of cloud computing for unprecedented success and operational efficiency.
Join this session to learn actionable insights around moving to the cloud in 2024 and empower your organization for success in the cloud-first era!
This document discusses the development of a framework for quantifying cyber risk, known as cyber value-at-risk. It provides background on the World Economic Forum's Partnering for Cyber Resilience initiative, which aims to address global cyber risks. The initiative has focused on raising awareness, issuing guidance, and proposing an assessment framework. This report summarizes the goals of quantifying key components of cyber risk, such as vulnerabilities, asset values, and attacker profiles. It identifies challenges to robust quantification and suggests next steps toward a standardized approach to incorporate cyber risk measurement into enterprise risk management.
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Nordic APIs
A presentation given by Raghavan Sadagopan, Sr. Director from CapitalOne & Lakshmi Narayana, Sr. Lead Software Engineer from CapitalOne, at our 2024 Austin API Summit, March 12-13.
Session Description: Managing Risk is critical to the success of an organization. Managing Risks starts with identifying potential Risks which in the digital world are signals emanating from varying source systems. Identifying potential risks real-time enables organizations to mitigate / better prepare for potential exposures. The session will share our point of view on implementing an API centric event mesh architecture that routes events in real-time through a scalable and resilient cloud-native service on AWS.
Risk & compliance magazine compressed Mirror Review
Recent cyber security meltdowns in some of the leading sectors of the world have led to a higher demand for security requirements. It has become more expensive and resource intensive to protect financial assets like payment card data and personal health information. This scenario has therefore developed an innate need for a higher level of risk management.
This document summarizes interviews with 20 CISOs and CIOs from ACSC member organizations on the current state of board engagement in cybersecurity. The key findings are organized around five elements of the relationship between boards and management: 1) Boards currently have limited expertise in cybersecurity issues; 2) Cybersecurity is not consistently integrated into corporate strategies and budgets; 3) Metrics and measurements to evaluate cybersecurity performance are still maturing; 4) Structures for board oversight of cybersecurity can be improved; 5) Management seeks to build board expertise to facilitate more strategic partnerships on balancing digital transformations and cybersecurity risks. The document provides recommendations to advance board engagement.
Manage and Transform Your Shipping | Logistics BPO Services| WNSRNayak3
WNS provides end-to-end BPM and BPO services, and digital transformation solutions for shipping and logistics companies. Partner with WNS to optimize and transform your business operations. Visit- https://www.wns.com/industries/shipping-and-logistics
The document outlines nine key steps that companies can take as part of a digital transformation journey to disrupt themselves before competitors do. The steps include: 1) designing an end-game disruptive business model, 2) analyzing gaps between the current and future models, 3) determining how to execute the transition, 4) architecting new technology, 5) auditing legacy systems, 6) building out a dual-speed IT architecture, 7) establishing a data security strategy, 8) maintaining security during transformation, and 9) using transformation as an opportunity to escalate security standards across the enterprise. Taking these steps can help traditional firms successfully transition to competing in the new digital landscape.
Managing Risk in the Cloud -The Role of ManagementSatchit Dokras
This document discusses management's role in managing risk in the cloud. It recommends adopting a lifecycle approach to cloud risk assurance that involves 6 phases: 1) Discovering all cloud services in use, 2) Culling unnecessary or risky services, 3) Consolidating redundant services, 4) Implementing controls on the remaining services, 5) Collaboration between IT and users on new services, and 6) Communicating to stakeholders about improvements made to securely manage risk from cloud services. This lifecycle approach helps organizations right-size, right-manage, and right-trust their cloud services.
The implementation of IT governance is important to lead and evolve the information system in agreement with stakeholders. This requirement is seriously amplified at the time of digital area considering all the new technologies that has been lunched recently (Big DATA, Artificial Intelligence, Machine Learning, Deep learning...). Thus, without a good rudder, every company risks getting lost in a sea endless and unreachable goals.
This paper aims to provide decision-making system that allow professionals to choose IT governance framework suitable to desired criteria and their importance based on a multi-criteria analysis method (WSM), we did implement a case study based on our analysis in a Moroccan company. Moreover, we present better understanding of IT Governance aspects such as standards and best practices.
Our article goes into a global objective that aims to build an integrated generated meta-model for better approach of IT Governance.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
This document discusses the importance of establishing a cyber risk framework that is integrated into an organization's enterprise-wide risk management process. It provides questions that organizations should consider to help identify and assess cyber risks. It also describes three hypothetical cyber risk scenarios involving ransomware infection, and discusses potential impacts, losses, and mitigation strategies for each scenario.
This document discusses a case study of implementing a Configuration Management Database (CMDB) for an organization called Catalyst. A CMDB plays an important role in supporting many ITIL processes, but Catalyst was facing challenges with manual processes, diverse tools and data models across different locations. Successfully implementing a CMDB that can centrally collect harmonized data based on an agreed core data model is important. However, collecting, maintaining and ensuring quality of the data in the CMDB requires effort and resources.
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
it describes the bony anatomy including the femoral head , acetabulum, labrum . also discusses the capsule , ligaments . muscle that act on the hip joint and the range of motion are outlined. factors affecting hip joint stability and weight transmission through the joint are summarized.
This document provides an overview of wound healing, its functions, stages, mechanisms, factors affecting it, and complications.
A wound is a break in the integrity of the skin or tissues, which may be associated with disruption of the structure and function.
Healing is the body’s response to injury in an attempt to restore normal structure and functions.
Healing can occur in two ways: Regeneration and Repair
There are 4 phases of wound healing: hemostasis, inflammation, proliferation, and remodeling. This document also describes the mechanism of wound healing. Factors that affect healing include infection, uncontrolled diabetes, poor nutrition, age, anemia, the presence of foreign bodies, etc.
Complications of wound healing like infection, hyperpigmentation of scar, contractures, and keloid formation.
Leveraging Generative AI to Drive Nonprofit InnovationTechSoup
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Service experts provided a customer specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Service (AWS.)
How to Setup Warehouse & Location in Odoo 17 InventoryCeline George
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
1. C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n
By
The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to
specific situations should be determined through consultation with your professional adviser, and this paper should not be considered substitute
for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.
July 2021
Mike Grob | Victoria Cheng
E n t e r p r i s e R i s k M a n a g e m e n t
ENTERPRISE RISK
MANAGEMENT
FOR
CLOUD COMPUTING
2. This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to helping organizations improve performance by developing thought leadership
that enhances internal control, risk management, governance, and fraud deterrence.
COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
The Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)
Committee of Sponsoring Organizations
of the Treadway Commission
c o s o . o r g
Preface
COSO Board Members
Paul J. Sobel
COSO Chair
Douglas F. Prawitt
American Accounting Association
Jennifer Burns
American Institute of CPAs (AICPA)
Daniel C. Murdock
Financial Executives International
Jeffrey C. Thomson
Institute of Management Accountants
Patty K. Miller
The Institute of Internal Auditors
Authors
Mike Grob
Principal, Consulting
Crowe LLP – Chicago
Victoria Cheng
Managing Director, Consulting
Crowe LLP – Chicago
3. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | i
Committee of Sponsoring Organizations of the Treadway Commission
July 2021
Research Commissioned by
Research Commissioned by
E n t e r p r i s e R i s k M a n a g e m e n t
ENTERPRISE RISK
MANAGEMENT
FOR
CLOUD COMPUTING
5. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | iii
Introduction 1
Enterprise Risk Management with a Cloud
Computing Environment 3
Governance and Culture 5
Strategy and Objective-Setting 9
Performance 13
Review and Revision 21
Information, Communication, and Reporting 23
Conclusion 25
Appendix A. Roadmap to Cloud Computing 27
Appendix B. Roles and Responsibilities 30
Appendix C. Glossary and Definitions 33
About the Authors 35
About COSO 36
About Crowe 36
Contents Page
6. c o s o . o r g
iv | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
7. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 1
Since the first introduction of cloud computing, the cloud has
grown and expanded. Prior to the 2020 COVID-19 pandemic,
in April 2019 Gartner valued it as a $214 billion market in 2019
with anticipated growth of 16.5% to $250 billion in 2020 and
15.7% to $289 billion in 20214
. Based on the pandemic and the
need for remote work, the expansion of cloud computing was
faster and accelerated the implementation timeline for many
organizations. A year and a half later, in November 2020,
Gartner reported worldwide public cloud service revenue
was $243 billion in 2019, estimated a 6% increase to $258
billion in 2020, and projected an18% increase to $305 billion in
20215
. These represent a 3% increase in 2020 estimates and
5.5% increase in 2021 estimates a year and a half later.
Leveraging cloud computing in some industries may have
been a strategic advantage at one point. What the pandemic
brought to light was the need for more remote and flexible
work environments and the IT infrastructure to support the
organization in that effort. Utilizing cloud computing has
become an essential element to compete in the marketplace.
The speed at which cloud computing can be procured and
implemented is one of its many valuable traits. However,
facing the inertia of accelerated access to cloud based
capabilities, some organizations may not have had the
capacity to implement appropriate controls designed to
mitigate the risks in their cloud environments.
INTRODUCTION
There are several definitions
of cloud computing
“Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network
access to a shared pool of configurable
computing resources (e.g., networks, servers,
storage, applications, and services) that can
be rapidly provisioned and released
with minimal management effort or service
provider interaction.1
”
- National Institute of Standards
and Technology (NIST)
. . .
“Paradigm for enabling network access
to a scalable and elastic pool of shareable
physical or virtual resources with self-service
provisioning and administration on-demand.2
”
- International Organization
for Standardization (ISO)
. . .
“The practice of storing regularly used computer
data on multiple servers that can be accessed
through the Internet.3
”
- Merriam-Webster
. . .
In the simplest terms, cloud computing is a
computing model that utilizes pooled resources
over the internet. The management of the
underlying servers and processes may be
outsourced to another organization.
. . . . . . . . .
1 The NIST Definition of Cloud Computing Special Publication 800-145 – September 2011
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
2 ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary – October 2014
https://www.iso.org/obp/ui/#iso:std:iso-iec:17788:ed-1:v1:en
3 Merriam-Webster
4 https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g
5 https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percent-in-2021
8. c o s o . o r g
2 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
The Committee of Sponsoring Organizations of the Treadway
Commission’s (COSO’s) Internal Control – Integrated
Framework (2013) and Enterprise Risk Management –
Integrating with Strategy and Performance framework (2017)
provide a comprehensive foundation for governance and
control of cloud computing and cloud security. The COSO
Enterprise Risk Management (ERM) framework provides
a construct for organizations to establish governance,
identify and respond to risks, monitor performance, maintain
communications, and adjust as there are changes to the
organization or its business objectives, or to the industry
or its environment. The COSO Internal Control framework
also provides a tool to use, typically in the performance
component of the COSO ERM framework, to assess risks and
risk responses.
The purpose of this publication is to provide a guide to
establishing cloud computing governance leveraging COSO’s
frameworks. We also provide a roadmap to implement cloud
computing (Appendix A. Roadmap to Cloud Computing) and
describe appropriate roles and responsibilities (Appendix B.
Roles and Responsibilities). This publication acknowledges
that many organizations will have a hybrid IT environment
(using both in house/on-premise IT resources as well as
cloud computing resources). This publication will focus solely
on cloud computing considerations.
Organizations are at various points of maturity in adopting
and implementing cloud computing. Those at initial stages
will benefit from this guidance. Those who have completed
an implementation can still use this guide to evaluate and,
when needed, retroactively implement enhanced governance
and controls. Bolstering cloud governance will reduce the
organization’s risk and allow for more efficient and effective
use of cloud computing and monitoring in a multi-cloud
environment.
9. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 3
COSO Infographic with Principles
MISSION, VISION
& CORE VALUES
STRATEGY
DEVELOPMENT
BUSINESS
OBJECTIVE
FORMULATION
IMPLEMENTATION
& PERFORMANCE
ENHANCED
VALUE
ENTERPRISE RISK MANAGEMENT
Review
& Revision
Information,
Communication,
& Reporting
Performance
Strategy &
Objective-Setting
Governance
& Culture
1. Exercises Board Risk
Oversight
2. Establishes Operating
Structures
3. Defines Desired Culture
4. Demonstrates
Commitment
to Core Values
5. Attracts, Develops,
and Retains Capable
Individuals
6. Analyzes Business
Context
7. Defines Risk Appetite
8. Evaluates Alternative
Strategies
9. Formulates Business
Objectives
10. Identifies Risk
11. Assesses Severity
of Risk
12. Prioritizes Risks
13. Implements Risk
Responses
14. Develops Portfolio
View
15. Assesses Substantial
Change
16. Reviews Risk and
Performance
17. Pursues improvement
in Enterprise Risk
Management
18. Leverages Information
and Technology
19. Communicates Risk
Information
20. Reports on Risk,
Culture, and
Performance
Diagram 1. COSO Enterprise Risk Management – Integrating with Strategy and Performance Framework
A cloud computing environment is complex, whether
deployed in a public, private or hybrid cloud environment.
Its management is equally complex as it requires integration
of numerous operating functions with a web of third party
service providers. Similarly complex is the integration of
cloud governance within the holistic ERM process and
framework an organization uses.
The 2004 COSO Enterprise Risk Management Framework
was updated to the 2017 COSO Enterprise Risk Management
– Integrating with Strategy and Performance to focus on the
importance of identifying and addressing risk in strategic
settings and in driving an organization’s performance. With
this update, organizations are provided a robust framework
that applies to the governance and management of their
cloud computing environment.
ENTERPRISE RISK MANAGEMENT WITH
A CLOUD COMPUTING ENVIRONMENT
An organization’s management is responsible for managing
the risk to the organization. Management must incorporate
the board and key stakeholders into the ERM program so
that risk management is integrated with the organization’s
strategy and business objectives. Effective ERM involves
multiple departments and functions; it should be integrated
into the strategy of the organization and embedded into its
culture. Successful ERM goes beyond internal controls to
address governance, culture, strategy, and performance.
Effective cloud computing and cloud enterprise risk
management is integrated within the organization to support
the organization’s strategy and objectives, align with the
culture, and enhance value.
2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
10. c o s o . o r g
4 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
The COSO Enterprise Risk Management framework itself is a
set of principles organized into five interrelated components:
1. Governance and Culture: Governance sets the
organization’s tone, reinforcing the importance of, and
establishing oversight responsibilities for, enterprise
risk management. Culture pertains to ethical values,
desired behaviors, and understanding of risk in
the entity.
2. Strategy and Objective-Setting: Enterprise risk
management, strategy, and objective-setting work
together in the strategic-planning process. A risk
appetite is established and aligned with strategy;
business objectives put strategy into practice while
serving as a basis for identifying, assessing, and
responding to risk.
3. Performance: Risks that may impact the achievement
of strategy and business objectives need to be
identified and assessed. Risks are prioritized by
severity in the context of risk appetite. The organization
then selects risk responses and takes a portfolio view
of the amount of risk it has assumed. The results of this
process are reported to key risk stakeholders.
4. Review and Revision: By reviewing entity
performance, an organization can consider how
well the enterprise risk management components
are functioning over time and in light of substantial
changes, and what revisions are needed.
5. Information, Communication, and Reporting:
Enterprise risk management requires a continual
process of obtaining and sharing necessary
information, from both internal and external sources,
which flows up, down, and across the organization.6
The following chapters explain how to apply the COSO
Enterprise Risk Management – Integrating with Strategy
and Performance framework by evaluating each component
as well as the 20 principles to cloud computing governance
followed by guidance on how to apply the principles to cloud
computing. This guide provides a structure to utilize the
COSO ERM framework in thinking through cloud computing
risks. Cloud computing strategy, risks, and ERM should be
embedded in the overall ERM program within an organization,
as cloud computing is another tool to help an organization
achieve its business strategy and create value.
COSO Infographic with Principles
MISSION, VISION
& CORE VALUES
STRATEGY
DEVELOPMENT
BUSINESS
OBJECTIVE
FORMULATION
IMPLEMENTATION
& PERFORMANCE
ENHANCED
VALUE
ENTERPRISE RISK MANAGEMENT
Review
& Revision
Information,
Communication,
& Reporting
Performance
Strategy &
Objective-Setting
Governance
& Culture
1. Exercises Board Risk
Oversight
2. Establishes Operating
Structures
3. Defines Desired Culture
4. Demonstrates
Commitment
to Core Values
5. Attracts, Develops,
and Retains Capable
Individuals
6. Analyzes Business
Context
7. Defines Risk Appetite
8. Evaluates Alternative
Strategies
9. Formulates Business
Objectives
10. Identifies Risk
11. Assesses Severity
of Risk
12. Prioritizes Risks
13. Implements Risk
Responses
14. Develops Portfolio
View
15. Assesses Substantial
Change
16. Reviews Risk and
Performance
17. Pursues improvement
in Enterprise Risk
Management
18. Leverages Information
and Technology
19. Communicates Risk
Information
20. Reports on Risk,
Culture, and
Performance
Diagram 2. COSO Enterprise Risk Management – Integrating with Strategy and Performance Framework –
20 Principles tied to the 5 Components
. . . . . . . . .
6 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
11. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 5
GOVERNANCE AND CULTURE
Table 1.1 COSO Enterprise Risk Management – Integrating with Strategy and Performance Framework –
Governance and Culture Principles7
Principle Description
1. Exercises Board Risk
Oversight
The board of directors provides oversight of the strategy and carries out governance
responsibilities to support management in achieving strategy and business objectives.
2. Establishes Operating
Structures
The organization establishes operating structures in the pursuit of strategy and business
objectives.
3. Defines Desired Culture The organization defines the desired behaviors that characterize the entity’s desired culture.
4. Demonstrates Commitment
to Core Values
The organization demonstrates a commitment to the entity’s core values.
5. Attracts, Develops and
Retains Capable Individuals
The organization is committed to building human capital in alignment with the strategy and
business objectives.
1 Exercises Board Risk Oversight
An organization’s governance and culture begin with its board
of directors and management. While management defines its
business objectives and culture, the board of directors should
provide oversight to the strategy and objectives. A diverse
board with members who collectively have a broad spectrum
of knowledge within the industry, the organization, technology,
governance and compliance, and finance, is needed to provide
the necessary expertise to monitor management’s activities to
realize the organization’s business objectives.
The board of directors should use their oversight role to ask
questions of the organization related to:
• how technology can help the organization achieve its
objectives,
• how technology may increase or decrease an
organization’s risk (including third party risk),
• what are the current and future cloud trends and industry
technology shifts,
• what is the impact of cloud computing to the organization
(including retirement of on-premise infrastructure),
• how does the organization’s strategy align with its cloud
service provider’s strategy, and
• how does the organization compare to its peers and
benchmarks.
. . . . . . . . .
7 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
12. c o s o . o r g
6 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
2 Establishes Operating Structures
Before an organization migrates to cloud computing,
the organization needs to define the framework and
governance. The organization should have organizational
structures in place to support its business objectives. These
organizational structures should be looked at for how they
could support cloud computing (i.e., will there be additional
roles defined, will there be dotted line reporting, where is the
responsibility?).
To create the necessary governance structures, the
organization may decide to put together a Cloud Computing
Steering Committee to ensure proper oversight is given
over what processes, applications and data migrate to
cloud computing. This Cloud Computing Steering Committee
should ensure appropriate cloud governance structures are
in place, such as policies, procedures, oversight to avoid
shadow IT (IT resources that are not approved by the IT
department), and an organizational structure to monitor cloud
computing performance. Ongoing, the Cloud Computing
Steering Committee can reinforce lessons learned and
reinforce the risk culture.
Cloud computing activities will affect multiple areas within
the organization. For example, Legal, Finance, Information
Technology, Risk, Vendor Management, Compliance, Internal
Audit, and all impacted operational departments, should work
collaboratively with transparency over the cloud computing
adoption and monitoring processes.
Additionally, the organization needs to work with its cloud
service providers (CSPs) to define the operating structure and
responsibilities for the organization, its CSP, and its CSP’s CSP,
if applicable. For example, if a software as a service (SaaS)
cloud service provider uses operating system and database
services from an infrastructure as a service (IaaS) provider,
the organization’s CSP, the SaaS company, also has a CSP,
the IaaS company. Clear roles and performance measures
between vendors is essential to good governance.
A defined responsibility assignment matrix, such as a RACI
(responsible – accountable – consulted – informed) matrix,
applied to the assigned personnel, creates accountability
and communication as well as the open, forward thinking,
collaborative culture the organization seeks to achieve with
cloud computing. Open communication channels and proper
involvement of individuals at each RACI level enhances the
understanding and entrenching of a risk mindset into the
culture of the organization. See Appendix B – Roles and
Responsibilities for major roles needed in cloud computing.
3 Defines Desired Culture and
4 Demonstrates Commitment to Core Values
Creating a cloud-aware culture throughout the organization
is necessary to enforce governance consistently across the
organization. Management sets the tone for cloud culture,
usage, data privacy, data security, and cyber security.
Cloud computing may be utilized in any department within
an organization; therefore, it is necessary for all personnel
to understand their role and the enterprise risks related
to cloud computing. A cloud computing lens needs to be
integrated into cross functional planning processes to ensure
transparency. Viewing cloud computing as part of a holistic
strategy, versus each department finding an independent
solution to meet a business need, is essential to a good
cloud governance model. Defining accountable individuals
demonstrates the organization’s commitment to core values.
Another factor is understanding the culture and value of
the CSP partners. Utilizing a CSP makes them an extension
of the organization. Understanding this relationship and
selecting appropriate partners will reflect and enforce the
organization’s culture and core values.
5 Attracts, Develops and Retains
Capable Individuals
As part of its human capital management, the organization
should identify the internal resources needed to manage
cloud governance. Appropriate training should be developed
and provided so employees can properly operate in a cloud
computing environment. Some cloud computing tasks can
be incorporated into existing functions with some additional
training and nuances for differences in cloud computing. End
user roles will be different than those responsible for cloud
vendor management, or user administration. Regardless of
the role, the organization’s culture and values should show
through in establishing the framework for cloud computing
governance.
The utilization of a CSP shifts certain responsibilities for
technology to the CSP organization; likewise, it shifts the
human capital management to the CSP. Understanding the
CSP’s approach to human capital management and how it
complements the organization’s capabilities is a way to look
at cloud computing human capital management as part of the
holistic ERM process.
13. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 7
Table 1.2 Key Activities for Cloud Computing – Governance and Culture Principles
Principle Description Cloud Computing ERM Key Activities
1. Exercises Board Risk
Oversight
The board of directors provides oversight
of the strategy and carries out
governance responsibilities to support
management in achieving strategy and
business objectives.
Board of directors understands cloud computing,
trends, and potential impact on the organization
and industry.
2. Establishes Operating
Structures
The organization establishes operating
structures in the pursuit of strategy and
business objectives.
The organization establishes a Cloud Computing
Steering Committee to oversee the migration and
implementation of cloud computing.
3. Defines Desired Culture The organization defines the desired
behaviors that characterize the entity’s
desired culture.
Executive management defines the cloud usage
culture and how cloud computing can be utilized
to support the organization’s mission, vision, core
values, strategy, and business objectives.
4. Demonstrates Commitment
to Core Values
The organization demonstrates a
commitment to the entity’s core values.
The Cloud Computing Steering Committee
promotes cloud governance accountability through
communication and follow-up.
5. Attracts, Develops and
Retains Capable Individuals
The organization is committed to
building human capital in alignment with
the strategy and business objectives.
The organization defines the necessary talent and
identifies, attracts, trains, develops, manages,
rewards, and retains diverse individuals capable
of building an inclusive environment who perform
and manage cloud governance activities
throughout the organization.
14. c o s o . o r g
8 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
15. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 9
STRATEGY AND OBJECTIVE-SETTING
Table 2.1 COSO Enterprise Risk Management – Integrating with Strategy and Performance Framework –
Strategy and Objective Setting Principles8
Principle Description
6. Analyzes Business Context The organization considers potential effects of business context on risk profile.
7. Defines Risk Appetite The organization defines risk appetite in the context of creating, preserving and realizing value.
8. Evaluates Alternative
Strategies
The organization evaluates alternative strategies and potential impact on risk profile.
9. Formulates Business
Objectives
The organization considers risk while establishing the business objectives at various levels that
align and support strategy.
6 Analyzes Business Context
While cloud computing offers ease of entry and quick
changes, prior to migrating to the cloud an organization
should formally define its overall cloud computing strategy
and objectives for moving to the cloud. There are many
reasons to move some or all of the IT environment to the
cloud, but to obtain benefit and value, an IT organization must
work with the business functions to understand the goals
and strategy and help create a cloud computing strategy that
supports the business. This cloud strategy should be vetted
with management as well as other stakeholders, such as
board members, to assess other influences and direction.
Per the 2017 ERM framework, business context includes
the “trends, events, relationships and other factors that
influence, clarify or change the company.”9
The COVID-19
pandemic changed the business context for many
organizations. As a result, many companies needed to
quickly change their cloud computing strategy to enable
employees to remotely access systems and data. Microsoft
CEO Satya Nadella expressed in April 2020, “We’ve seen two
years’ worth of digital transformation in two months.”10
The cloud strategy will also focus on the opportunities
related to cloud computing, such as the ease of use with
intuitive user interfaces, fewer customizations, faster
speed of deployment, and easier scalability. These all
enable innovation and digital transformation which allow
the organization to quickly pivot and support new business
objectives.
In a more established organization without major changes in
business objectives, the cloud strategy may be focused on
efficiency – with easier maintenance for the IT department,
and cost savings due to only using storage and computing
that is needed vs. maintaining for peak capacity.
The cloud strategy includes what is needed to support the
organization, its objectives, and its growth. The underlying
mission, vision and values for the organization, and its “why,”
is reflected in the cloud strategy. The cloud strategy provides
guidance for infrastructure and application migrations and
acquisitions.
. . . . . . . . .
8 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
9 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
10 https://www.microsoft.com/en-us/microsoft-365/blog/2020/04/30/2-years-digital-transformation-2-months/
16. c o s o . o r g
10 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
The cloud strategy may include a multi-cloud strategy,
multiple cloud deployment models, and multiple cloud
delivery models. (See Appendix C. Glossary and Definitions)
Additionally, the cloud strategy may be a multi-year roadmap,
so the immediate strategy and approach versus the end
result will look different, with different risks and potentially
different vendors used along the way.
The cloud strategy and the use of CSPs will affect the
organization’s risk profile which will need to be analyzed.
Different CSPs, due to their ERM governance, their vendor’s
ERM governance, and their customers’ ERM governance,
may have different impacts to the organization’s risk profile.
7 Defines Risk Appetite
Once the cloud strategy is determined, the organization must
evaluate the risks to that strategy and assess whether its
risk appetite is affected. This understanding will help the
organization determine the appropriate outcome of detailed
cloud computing scenario assessments to inherent and
residual risk and likelihood and impact assessments based
on different cloud deployment models, cloud delivery models,
or specific CSPs during the ERM Performance component.
For example, part of a hybrid IT environment may include the
use of in-house managed application for data analytics over
sensitive data, while an enterprise resource planning (ERP)
application is on a cloud SaaS, and devops (a combination of
development and IT operations) on a private PaaS (platform
as a service). Management’s analysis of inherent risk and
residual risk would allow the organization to choose the
appropriate IT environment for the organization.
As illustrated in the ring in Diagram 3 below, a cloud strategy
can create risk to the organization. It is possible the cloud
strategy does not align with the business strategy, or there
could be new risks to the execution of the business strategy
due to the use of cloud computing. For example, the cloud
strategy and cloud applications may only support a subset
of the organization’s products or service lines. There could
be other implications from the cloud strategy, such as,
concentration at one CSP, resulting in potential vulnerabilities
or a higher risk profile. When these are properly managed
and addressed, the organization will enhance performance.
The organization needs to define its risk appetite as it
regards the cloud strategy. The organization may determine
that its risk appetite for different types of data is different,
e.g., employee personally identifiable information (PII) is
different from customer data where the customer is another
business organization. Similarly, the organization may
have different availability requirements and recovery time
objectives for different applications, e.g., an ordering system
may have a higher requirement than a training system. With
this knowledge and understanding, the organization can
assess what is suitable for a cloud computing strategy and
its cloud strategy may differ for different parts (e.g., business
units, departments) of the organization depending on the risk
appetite related to those processes.
P
o
s
s
i
b
i
l
i
t
y
o
f
s
t
r
a
t
e
g
y
not aligning Implications f
r
o
m
t
h
e
s
t
r
a
t
e
g
y
c
h
o
s
e
n
R
isk to strategy & perform
an
c
e
STRATEGY,
BUSINESS
OBJECTIVES &
PERFORMANCE
MISSION, VISION &
CORE VALUES
ENHANCED
PERFORMANCE
Diagram 3. COSO Enterprise Risk Management in the Context of Mission, Vision, Core Values,
and as a Driver of an Entity’s Overall Direction and Performance
2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
17. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 11
. . . . . . . . .
11 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
8 Evaluates Alternative Strategies
Defining the initial cloud strategy allows the organization
to objectively review alternatives and assess them under
the lens of “creating, preserving, and realizing value.”11
As various cloud strategy, and cloud delivery and cloud
deployment models are reviewed, the organization should
look at its risk profile, its ability to achieve business
objectives, and how those objectives eventually drive
growth, productivity, efficiency, and value.
Something to consider as the organization thinks through
and evaluates alternative strategies, is how that strategy
will impact its innovation opportunity. Traditional on-premise
systems have been known to accumulate what is referred to
as technology debt. Technology debt can be summarized as
the cost to maintain existing systems plus opportunity cost of
not prioritizing modern systems.
Common sources of technology debt include:
• Overly customized packaged software – implementing
an ERP system that is heavily customized can inhibit
an organization’s ability to take updates from the
software vendor.
• Poor technical solutioning – selecting the shorter
or more familiar approaches to addressing a business
requirement when there is a more strategic
long-term option.
• Obsolete technology – outdated operating systems,
software packages and infrastructure.
Organizations with a high amount of technology debt typically
have increased risks and higher costs (both to maintain
and retire debt. To determine the appropriate course of
action, organizations must weigh the costs that contribute
to higher technology debt (as illustrated in Diagram
4), against the alternatives that would retire the debt.
Similarly, organizations who have not invested effectively in
technology may have increased risks and higher costs due
to lost efficiency and effectiveness related to technology
deployment and related matters.
As organizations evaluate cloud alternatives and review
their technology debt, they should balance the costs
against changing processes to fit a specific application’s
functionality, time to implement an alternative solution,
additional cyber security risks due to multi-tenancy.
ON PREMISES SOLUTION CLOUD SOLUTION
PRINCIPAL
Cost of original
design decisions
INTEREST
Cost to maintain old code
or poor technology solutions
OPPORTUNITY COST
Inability to utilize
new technology/ideas
REPLACEMENT COST
Cost to replace
technology
INNOVATION OPPORTUNITY
Inability to utilize
new technology/ideas
OPERATIONAL COST
Cost to monitor, manage
downtime, poor performance
SUBSCRIPTION FEE
Cost to
cloud provider
Diagram 4. Elements Contributing to Technology Debt vs Alternative Costs
18. c o s o . o r g
12 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
Table 2.2 Key Activities for Cloud Computing – Strategy and Objective Setting Principles
Principle Description Cloud Computing ERM Key Activities
6. Analyzes Business Context The organization considers potential
effects of business context on risk profile.
The organization assesses the impact of different
cloud strategies (cloud deployment models, cloud
delivery models, etc.) on the achievement of the
strategy and business objectives.
7. Defines Risk Appetite The organization defines risk appetite in
the context of creating, preserving and
realizing value.
The organization defines its risk appetite for cloud
governance addressing cloud risks such as data
privacy, access, reliability, compliance, and cyber
security.
8. Evaluates Alternative
Strategies
The organization evaluates alternative
strategies and potential impact on
risk profile.
The organization considers alternative cloud
strategies and impact on business objectives.
9. Formulates Business
Objectives
The organization considers risk while
establishing the business objectives at
various levels that align and support
strategy.
The organization defines cloud objectives to
support business objectives .
9 Formulates Business Objectives
Once the cloud strategy is defined, cloud objectives should
be defined to support the business objectives. The cloud
objectives should include a cloud security model as part of
cloud governance.
Business strategies and objectives are updated as the
organization grows or in reaction to external events. These
updates drive continued evaluation of the cloud strategy
within the context of the ERM framework. Additionally, risk
appetite can change over time and should be regularly
updated as well.
19. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 13
10 Identifies Risk
Cloud computing risk can come from the internal or external
environment and can impact strategic, financial, operational,
compliance, and/or reporting objectives. It is critical to identify
risks that will affect the performance and achievement of the
cloud computing strategy and thereby, the achievement of
business objectives and the creation of value.
When an organization adopts cloud computing, it is
shifting one or more IT responsibilities to an outside party.
There is great upside to this approach, given that most
organizations can find a strategic partner who performs
these responsibilities as their core competency. However,
although delegating these responsibilities moves where
they are performed, it does not remove the risk. Risk (and
responsibilities for mitigating such risk) will vary depending
on the deployment model. One could argue that the most
common risk an organization can make is misconceiving
what party owns the controls for a given risk. The
organization responsible for a control affects the risk impact
for the organization.
Gartner estimates that by 2025, 99% of cloud security failures
will be the fault of the customer.13
Organizations should no
longer be questioning if the cloud is secure enough for them.
The more appropriate question to ask is: “Is the organization
using the cloud securely?”
Organizations can transfer some activities to their cloud
service providers, but they cannot transfer all their risk.
For example, if their cloud service provider does not
perform an agreed upon activity, such as patching, and that
vulnerability was utilized to breach the organization’s data,
the organization will still need to handle the fall out and
breach of trust of its customers and the lost data, even if the
organization wasn’t directly at fault.
When using a CSP, the organization’s risk profile becomes
intertwined with that of the organization’s cloud vendor. In a
multi-cloud environment, the use of multiple cloud vendors
complicates and entangles the ERM framework with that of
many other vendors as illustrated in Diagram 5. Additionally,
some CSPs will use another CSP for support, thus enmeshing
even more vendors. Many organizations have a multi-cloud
environment and use multiple CSPs. What happens at one
organization may have an impact on another organization.
For example, a cloud outage at a PaaS will affect a SaaS CSP
that utilizes the PaaS for its underlying infrastructure.
PERFORMANCE
Table 3.1 COSO Enterprise Risk Management – Integrating with Strategy and Performance Framework –
Performance Principles12
Principle Description
10. Identifies Risk The organization identifies risk that impacts the performance of strategy and business objectives.
11. Assesses Severity of Risk The organization assesses the severity of risk.
12. Prioritizes Risks The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements Risk Responses The organization identifies and selects risk responses.
14. Develops Portfolio View The organization develops and evaluates a portfolio view of risk.
. . . . . . . . .
12 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
13 https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
20. c o s o . o r g
14 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
Misunderstanding Responsibility
Some form of delegation is expected in all cloud
environments. As illustrated in Diagram 6, there is shared
responsibility in many cloud delivery and cloud deployment
models. However, many organizations underestimate the
responsibilities that they still own or share with the CSP. This
is particularly important when dealing with IaaS and PaaS
models but is also prevalent with SaaS. It is important to
remember that while organizations can shift responsibility,
they cannot outsource their risks. Here are some questions
to highlight common areas of misconception.
• What portion of the environment is multi-tenant?
To a certain extent, sharing exists in all cloud
environments. The important thing is to understand what
is shared and who controls the boundaries. Multitenancy
can mean a lot of different things.
• What access controls is the organization responsible for
managing?
All cloud deployment models require that some level
of access controls is managed by the subscribing
organization. There is often shared responsibility
(between the organization and the CSP) for areas
such as firewalls, VPNs (virtual private networks) and
multifactor authentication. CSPs who provide these
capabilities often leave configuration and enforcement
up to the subscribing organization.
• To what extent is infrastructure redundancy managed by
the cloud provider?
Organizations should not make the broad assumption
that all aspects of the cloud are redundant by default.
The cloud service provider indeed owns a significant
portion of the responsibility, but depending on the
deployment model, ownership may lie with another party.
CUSTOMER
CUSTOMER
CUSTOMER
CUSTOMER
CSP’S
CSP
CSP’S
CSP
CSP
CSP CSP
ORGANIZATION
Diagram 5. COSO Enterprise Risk Management Integrating with Strategy and Performance Framework –
With Organization and CSP Represented
21. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 15
11 Assesses Severity of Risk and
12 Prioritizes Risks
Once identified, cloud computing risks should be prioritized
and assessed for severity. Assessment can be qualitative
and quantitative and should account for risk impact and risk
likelihood. Additionally, it should be assessed at multiple points
in time and throughout the organization for different types
of data. For example, the same risk, user access, may have
different severity depending on what the cloud application is
and what the cloud deployment and delivery model is such as
the difference between a custom application managed on a
private IaaS cloud versus a public SaaS application managed
by a CSP with an underlying PaaS CSP supporting it.
When evaluating specific CSPs, cloud deployment models,
and cloud delivery models, the organization defines the
risks, assesses the risks, and prioritizes the risks prior
to selecting an approach and vendor. Once the CSP is
determined, appropriate risk responses are created to
address the specific risks and scenarios presented by the
CSP. Risk responses include acceptance, avoidance, pursuit,
reduction, and sharing.
13 Implements Risk Responses
Risk responses are implemented and evaluated to assess
the residual risk and to determine where the organization
falls within its risk appetite and risk capacity. As illustrated in
Diagram 7, the goal is to fall within the risk tolerance.
Diagram 6. Responsibility by Cloud Deployment Model and Cloud Service Delivery Model
Risk
Target
Performance
Risk appetite Risk capacity
Risk profile
Tolerance
A
Diagram 7. COSO ERM – Risk Profile
2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
Legend
22. c o s o . o r g
16 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
While there are five primary risk responses, the main one for
cloud computing will be reduction.
• Accept – Accepting cloud computing risks is possible
in certain scenarios where the organization may feel
constrained, such as accepting the risk profile of other
fellow cloud tenants. The organization must evaluate this
against their risk tolerance thresholds.
• Avoid – Generally, avoidance may only work in certain
situations, such as, the organization selects a nation
based PaaS versus an international PaaS to address
specific data privacy requirements, the organization
decides certain data types, such as intellectual property,
cannot be posted to a public cloud, or the organization
implements a full private cloud solution. Even with these
scenarios, there will still be some additional risks that
will arise and need to be addressed through reduction
and mitigation.
• Pursue – When migrating to the cloud, additional
opportunities are generated to create, preserve and
realize value for the organization frequently by allowing
the organization to further innovation and digital
transformation and increase efficiencies.
• Reduce – Incorporating additional cloud governance
and monitoring controls can reduce risk. This is the most
common risk response for cloud computing to mitigate
the inherent risks within technology along with the
additional risks brought onto the organization using cloud
computing and outsourcing to CSPs.
• Share – There is a limit to which sharing is an
appropriate response for cloud computing. There are few
risks, such as cyber breaches, that can be addressed to
some extent through buying cyber insurance and thus
sharing the risk. However, the primary risks of cloud
computing cannot be shared.
Diagram 8. 2013 COSO Internal Control –
Integrated Framework18
– With
Organization and CSP Combined View
Control Environment
Risk Assessment
Control Activities
Information &
Communication
Monitoring Activities
O
p
e
r
a
t
i
o
n
s
R
e
p
o
r
t
i
n
g
C
o
m
p
l
i
a
n
c
e
Entity
Level
Division
Operating
Unit
Function
Use of the 2013 COSO Internal Control – Integrated
Framework is one approach to structure and develop the
risk reduction responses for cloud computing risks. It is also
critical to recognize the integration of the organization’s
internal control framework and that of the CSPs as illustrated
in Diagram 8. The CSP’s internal controls (as represented
by the cubes within the larger cube) become a part of the
organization’s internal controls (as represented by the larger
cube). In all cloud delivery models, a portion of processes
and controls will be outsourced to the CSP. The organization
relies on the CSP to perform those internal controls. The
organization needs to understand and review the CSP’s
control design to ensure it adequately addresses the risk,
and also monitor the effective execution of the controls.
The Performance component of the COSO Enterprise Risk
Management – Integrating with Strategy and Performance
focuses on risk responses. The following expands on a few
recommended responses for typical cloud computing risks.
. . . . . . . . .
18 2013 COSO Internal Control – Integrated Framework
23. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 17
RISKS – Reliability and vulnerability
RESPONSE
Performance monitoring, security monitoring,
and incident response
An organization should first seek to partner with a CSP with high
reliability. Then the organization needs to monitor its CSP for
performance and up time.
In most cloud delivery models, the CSP will manage the infrastructure
and should be performing security and vulnerability assessments. The
output of these assessments and how the CSP responds and remediates
any issues should be shared with and monitored by the organization.
The CSP should have appropriate incident response measures in place to
identify their own incidents. Additionally, the CSP should have processes
in place for the organization to report incidents to them and for the
organization to track progress on their incidents. Since the management
of the application and service is coupled, the incident response should be
coupled as well.
RISKS – Multi-tenancy, data leakage, and data theft
RESPONSE
Data classification, data destruction, security
In the case of public cloud and multi-tenancy, there is
a higher risk of data theft or leakage. The organization
should thoroughly assess what data can be adequately
secured if put on the cloud. Performing a data classification
exercise to categorize and assess data risks can help
to define parameters and what data (along with what
applications) should be put on what type of cloud
deployment model and cloud delivery model. The
organization should assess how much control they
want to have over the data.
Beyond a data classification policy, the organization
should also enforce a data destruction policy. This way
the organization does not keep excessive, or potentially
outdated data in the cloud. Maintaining personal data in
the cloud for analytics may decouple the data from notice
requirements and enable the organization to use personal
data outside of expressed permissions which may violate
privacy regulations.
Security around the data can be gained through the
implementation of secure access service edge (SASE)
solutions. SASE includes networking and security
components such as secure web gateways, CASB (cloud
access security broker), advanced threat protection,
and zero trust network access. SASE includes network
security mechanisms that provide a layer of connectivity
and security to apply the organization’s security policies
between the on-premise or remote users and devices to
connect to the cloud.
24. c o s o . o r g
18 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
RISKS – Cyber attacks
RESPONSE
Incident management
There are many types of cyber security threats to cloud computing. The most common include malware injections, denial of
service (DoS), API attacks, and access hijacking. The use of open source technology may increase the risk to cyber-attacks
as vulnerabilities are common knowledge. While cyber security is a risk to both on-premise and cloud computing, there is an
additional risk due to multitenancy. The multi-tenant model could make an organization a higher value target.
The organization needs to understand the processes the CSP has to monitor and detect potential threats and how they take
action. Additionally, the organization needs a mechanism to notify the CSP of incidents and manage incidents with the CSP.
RISKS – Compliance
RESPONSE
Monitor internal and external environment, vendor monitoring
Regulations evolve and organizations change over time. Therefore, an
organization’s regulatory compliance needs also change. An organization
needs to monitor its internal environment to understand the changes
the organization has undertaken and the impact on its compliance
requirements. Likewise, the organization needs to monitor its external
environment to assess additional or changing compliance requirements.
Additionally, the organization needs to monitor its CSP vendors to assess
the compliance capabilities of the CSP and what, if any, additional steps
the organization must perform in order to become compliant.
RISKS – Single points of failure
RESPONSE
Redundancy, business continuity plans, and incident response
As all data and transactions will need to pass through the internet in a
cloud computing environment, there is the single point of failure in the
connection. An organization should look at what redundancy options are
available in a cloud computing environment so traffic can be rerouted, if
needed. When implementing a cloud tool, an organization should design
for failure. Additionally, an organization should have business continuity
plans in place including short term and medium-term work arounds.
Consistent with the risk of general system reliability, the incident
response process is critical to getting back online.
25. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 19
RISKS – Shadow IT
RESPONSE
Policies and procedures and security prevention tools
Policies and procedures to establish expectations with employees on
what are allowable cloud computing services and vendors, who can
procure services, and what data can be moved to the cloud can
provide a framework to reduce unauthorized cloud activity.
Additionally, firewalls, proxy servers, and web filters, can further
reduce the amount of shadow IT being used in an organization.
These configurations need to be consistently maintained and applied
in order to be effective as new software and websites are released.
Organizations can also configure data loss prevention tools to monitor
and restrict data from exiting the organization.
Table 3.2 summarizes common cloud computing risks and possible risk
responses. While it illustrates common risks and responses, it is not a
complete list of all cloud computing risks.
Table 3.2. Summary of Common Cloud Computing Risks and Risk Responses
Cloud Computing Risks Cloud Computing Risk Responses
Reliability and vulnerability • Vendor due diligence processes
• Performance monitoring processes
• Security monitoring processes
• Incident response processes
Multi-tenancy, data leakage, data theft • Data classification policies
• Data destruction policies
• Security processes
Single point of failure • Data redundancy
• Business continuity policies
• Incident response processes
Compliance • External environment monitoring processes
• Internal environment monitoring processes
• Vendor monitoring processes
Cyber attacks • Incident management processes
Shadow IT • Cloud computing policies
• Data loss prevention processes
• Security monitoring processes
26. c o s o . o r g
20 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
14 Develops Portfolio View
Since cloud computing is part of the overall IT strategy which
supports the business strategy, a portfolio view of the risks
needs to be developed. This includes assessing public, private,
and risks in hybrid cloud models and how the use of different
CSP vendors affects the overall cloud strategy which is a part
of the overall IT environment supporting the organization.
This also involves reviewing cloud computing within business
processes to see how its use affects the business units, which
can vary. For example, the impact of a risk related to business
continuity of an ERP on the Finance department (which may
delay reporting or payments) will be very different than on the
production floor (which may disrupt manufacturing).
Cyber security risk should be considered when thinking
through cloud computing risks. Cyber threats should be
looked at holistically with other ERM risks. It is worth
noting, the impact of a cyber risk could also be different in
different situations, such as, the impact of a cyber breach to
a forecasting tool that the Financial Planning and Analysis
department uses will be different to a cyber breach to a
financial data warehouse that the same department uses.
When assessing the portfolio view of cyber security risk, the
organization’s cloud computing usage should be reviewed
against its data classification policies.
As the organization reviews cloud computing risks, they
should look at them holistically from different perspectives
and departments and across all related cloud systems. These
holistic risks should be looked at from strategic, financial,
operational, compliance, and reporting objectives point of view
and interlaid into the overall ERM risk portfolio.
Table 3.3 Key Activities for Cloud Computing – Performance Principles
Principle Description Cloud Computing ERM Key Activities
10. Identifies Risk The organization identifies risk that
impacts the performance of strategy
and business objectives.
The organization assesses internal and external
(including industry, CSP, and the CSP’s vendors)
environment to identify cloud computing risk.
11. Assesses Severity of Risk The organization assesses the severity
of risk.
The organization considers risk impact and risk
likelihood in assessing cloud computing risk
throughout the organization.
12. Prioritizes Risks The organization prioritizes risks as a
basis for selecting responses to risks.
The organization prioritizes risks and risk responses
to address cloud computing risk.
13. Implements Risk Responses The organization identifies and selects
risk responses.
The organization designs processes and controls to
implement risk responses.
14. Develops Portfolio View The organization develops and
evaluates a portfolio view of risk.
The organization views cloud computing risk
holistically with risks to strategic, financial,
operational, compliance, and reporting objectives.
27. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 21
REVIEW AND REVISION
15 Assesses substantial change
ERM is an ongoing, iterative process. It is not meant to
be performed in a vacuum and shelved; likewise, it is not
meant to be taken out and updated annually and ignored
in between. ERM should be embedded into the way an
organization operates.
ERM should be updated whenever there are significant
changes to the environment, organization, or CSP, and
decisions on implementing and integrating cloud-based
services can constitute or prompt substantial changes.
Management is accountable for routinely evaluating risks
and identifying situations where risk may rise above the
organization’s risk appetite. In 2020, this included changes
caused by the COVID-19 pandemic. Many organizations
rushed to facilitate a remote workforce. Often this
included an expansion of cloud computing applications
to enable employees to interact with technology and
operate effectively outside the office. Another substantial
change could include additional geographic locations an
organization is doing business; the CSPs the organization
chooses to work with may need to change in order to provide
the appropriate coverage to address latency or address
disaster recovery, or they may need additional CSPs to
support the efforts.
As noted in the prior section, external changes in the
regulatory and compliance environment may also impact
cloud computing. and should be monitored. For example,
Singapore’s amended Personal Data Protection Act will be
effective starting February 2021 which includes requirements
for data breach notification.
Technology is continually advancing in cloud computing.
These advances add additional options for cloud security
and migrations which the organization needs to routinely
evaluate to see how these may affect business objectives
and their ability to create additional value for the
organization.
Other substantial internal changes could include mergers,
acquisitions, and divestures. Often organizations will have
a transition service agreement in a divesture and that could
add another layer of complexity to the of managing cloud
contracts, access, etc.
Management should be assessing and evaluating its culture
as well. As we have seen in the COVID-19 pandemic, remote
work has changed the culture for many organizations.
Table 4.1 COSO Enterprise Risk Management – Integrating with Strategy and Performance Framework –
Review and Revision Principles14
Principle Description
15. Assesses Substantial Change The organization identifies and assesses changes that may substantially affect strategy
and business objectives.
16. Reviews Risk and Performance The organization reviews entity performance and considers risk.
17. Pursues Improvement in
Enterprise Risk Management
The organization pursues improvement of enterprise risk management.
. . . . . . . . .
14 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
28. c o s o . o r g
22 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
16 Reviews Risk and Performance
The cloud computing governance process must be
reviewed to identify improvement points. Cloud computing
governance process enhancements may include the use of
balanced scorecards. The cloud vendors must be assessed
against their service level agreements which typically
include availability. Cloud contracts should continue
to be reviewed before evergreen and auto renewals.
Vendors should be audited or System and Organization
Controls (SOC) reports should be obtained and reviewed.
An organization should also assess changes for its CSPs.
Major items such as a breach, even if it did not affect the
organization, could impact the organization’s ability to
achieve its business objectives in the immediate future.
Vendor assessments could result in situations that raise
risks higher than the organization’s risk appetite. In those
instances, the organization needs to review the risks and
take appropriate action to address the risks. Additionally,
controls maintained and performed by the organization
should also be reviewed for compliance. Review of
control performance could be performed by management,
Compliance or by Internal Audit.
The cloud computing and cloud governance processes
should be operational with defined roles and embedded into
all levels of the organization. Cloud computing governance
should not be performed in a bubble; it should be a collective
effort across the organization. Risks should be reviewed to
ensure the actual residual risk after performance of controls
is within risk tolerance levels. Results should be incorporated
into the overall ERM process.
17 Pursues Improvement in Enterprise
Risk Management
Performance reviews must be taken on the cloud computing
process, not just the cloud vendors as part of cloud
governance and supplier management. The organization
should use the risk and performance reviews to update
the cloud governance program, processes, and controls.
Additionally, the organization should look at how the cloud
governance and cloud processes are feeding into the overall
organizational ERM processes. The organization should
assess the level of collaboration across departments in
the cloud governance program and seek to improve the
ERM process with updates. Also, the organization should
utilize the output of the ERM process and apply updates and
outputs to the cloud governance program.
Table 4.2 Key Activities for Cloud Computing – Review and Revision Principles
Principle Description Cloud Computing ERM Key Activities
15. Assesses Substantial
Change
The organization identifies and
assesses changes that may
substantially affect strategy and
business objectives.
The organization assesses internal and external changes
and impact to business strategy and objects as well as
the affect they will have on cloud computing strategy
or how cloud computing can provide effective
infrastructure to realize the changes.
16. Reviews Risk and
Performance
The organization reviews entity
performance and
considers risk.
The organization reviews the cloud governance
program. Also, perform cloud governance activities to
review CSPs and cloud risks.
17. Pursues Improvement in
Enterprise Risk Management
The organization pursues
improvement of enterprise risk
management.
The organization assesses the cloud program for
improvements to be applied to the overall organization
ERM program.
29. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 23
18 Leverages information and technology
An organization should leverage technology to support the
ERM function in the identification, communication, response,
and management of cloud computing risk. Information to
monitor cloud governance could be from a variety of sources
including monitoring applications, Internal Audit testing and
assessments, vendor management systems, and governance
and compliance tools.
In addition to financial rating agencies which may assess an
organization’s financial health, there are multiple IT security
organizations that collect data and can provide a security
score on a website, vendor, or CSP. These security ratings
provide insight into the security posture of the CSP. There are
also organizations that assess reputational risk which can be
included in vendor evaluations. These tools along with other
cloud monitoring tools to assess the cloud infrastructure
and services state (performance, availability, etc.) can be
leveraged to manage cloud computing. These external tools
should be used to capture new information that could impact
the cloud computing governance program.
Some technology may be available from the CSP for the
organization to utilize. Other times the CSP may leverage
technology tools to gather and share information on the
performance of its responsibilities for the organization.
19 Communicates Risk Information
A key component of good governance is clear
communication and reporting. Without current information
provided to the appropriate individuals, suitable decisions
cannot be made. Information should be reported and
transparent between all appropriate parts of the cloud
computing governance program. Open communication and
data sharing ensure all parties are aware of updated impacts
to risks and risk responses. It also facilitates a shared and
holistic risk management culture within the organization with
all departments taking part and being accountable.
As cloud computing is adopted within an organization,
the roles and responsibilities for individuals will change.
Changes to their responsibilities by application or process
should be communicated to the employees. The organization
should continue to reinforce its risk aware culture via
multiple communication channels. The organization should
communicate the cloud governance program is part of the
overall ERM program and ensure each employee’s role is
understood.
The Cloud Computing Steering Committee should be updated
on the cloud transition and ongoing cloud computing
performance.
INFORMATION, COMMUNICATION,
AND REPORTING
Table 5.1 COSO Enterprise Risk Management – Integrating with Strategy and Performance Framework –
Information, Communication, and Reporting Principles15
Principle Description
18. Leverages Information Technology The organization leverages the entity’s information and technology systems to
support enterprise risk management.
19. Communicates Risk Information The organization uses communication channels to support enterprise risk
management.
20. Reports on Risk, Culture and
Performance
The organization reports on risk, culture and performance at multiple levels and
across the entity.
. . . . . . . . .
15 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance
30. c o s o . o r g
24 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
There should be clear communication avenues between
the organization and the CSPs. These will be needed for
escalating issues as well as for periodic updates and
management of the vendor and relationship.
20 Reports on Risk, Culture and Performance
The board of directors should be updated on the cloud
strategy and the impact it is having on business objectives.
The organization should also be reporting on cloud
computing performance as well as conveying progress
on cultural change management and the risk culture
throughout the organization. Culture is slow to change
within an organization; it takes time. Open and transparent
communication helps create the cooperative culture needed
within an organization. Reporting should be made available
at all levels of the organization so that consistent messaging
is provided, and progress and changes are understood
throughout.
Different levels of the departments will need to communicate
different updates to the board. For instance, the first line,
management, should communicate changes to the cloud
strategy and business objectives. Compliance, part of
the second line, should communicate on CSP monitoring
and risks. Internal Audit, as the third line, should report
independently and objectively on the organization’s cloud
computing and activities including communicating issues
where risks were not addressed by the first and second lines.
Table 5.2 Key Activities for Cloud Computing –
Information, Communication, and Reporting Principles
Principle Description Cloud Computing ERM Key Activities
18. Leverages Information
Technology
The organization leverages the
entity’s information and
technology systems to support
enterprise risk management.
The organization utilizes available and implement as
appropriate additional platforms to leverage and
consolidate cloud computing information and
technology data to support enterprise risk management.
19. Communicates Risk
Information
The organization uses communication
channels to support enterprise risk
management.
The organization employs communication channels
throughout those involved in cloud computing to
support enterprise risk management.
20. Reports on Risk, Culture
and Performance
The organization reports on risk,
culture and performance at multiple
levels and across the entity.
The organization reports on cloud computing risk
and performance at multiple levels and across the
organization.
31. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 25
CONCLUSION
Cloud computing is one of many technology options
available for organizations to utilize. A structured adoption
of cloud computing, including a holistic cloud computing
governance program that addresses the associated risks
and is incorporated into the ERM program, will enable
an organization to derive the most value and enable the
organization to achieve its strategic objectives.
For an organization to maintain a competitive edge, it
will need to use its IT strategy to empower the business.
Integrating cloud computing into the IT strategy and turning
the IT organization into a strategic partner can provide many
of the tools and framework needed for the organization to
succeed.
Cloud computing risks must be identified and managed in the
context of the organization’s broader ERM program. While
tasks, processes, and maintenance can be outsourced,
accountability for risks cannot. The ownership of the risks
will remain with the organization who will need to monitor
the internal controls within the organization and of its CSPs.
In order to use cloud securely, organizations should invest
and implement a variety of security tools. The organization
will need to leverage available technology to continue
to monitor, report, and update assessments of the cloud
computing technology, vendors, and ERM program. Senior
management and the governing body should also ensure that
the internal audit activity has included cloud-based services
in its risk-based planning process, to provide independent
assurance and advice.
Organizations that have already embarked on the path to
cloud computing without an ERM framework can and should
still add cloud governance to their processes. Since the
cloud governance process should be incorporated into the
ongoing activities related to business strategy, IT strategy,
and cloud computing, the cloud governance should be
continually updated and revised based on new information.
If an organization has not created a cloud governance
program, it can do so at any time and continue to refresh as
changes occur. By incorporating cloud governance into the
organization’s cloud computing processes, the organization
is better positioned to manage risks that threaten the
strategy and objectives of the organization.
The use of the COSO Enterprise Risk Management –
Integrating with Strategy and Performance framework
enables cloud computing to be integrated with the
organization’s ERM function. The cloud computing
governance approach provides a holistic view of cloud
computing throughout the organization. Governance and
communication and reporting dovetails with the cloud
strategy, performance, and monitoring and revision. This
is undertaken with a view that the implementation of
cloud computing will coalesce the CSP’s cloud computing
governance processes with those of the organization.
32. c o s o . o r g
26 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
33. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 27
APPENDIX A.
Roadmap to Cloud Computing
Planning a cloud adoption strategy is a methodical process.
This section provides considerations for migrating traditional
on-premise workloads to cloud computing. It is focused
primarily on IaaS and PaaS.
This roadmap represents an ideal state where governance
and strategy are fully contemplated at the beginning of
an organization’s cloud journey. However, situations and
an organization’s focus may change and, therefore, the
cloud strategy may need to shift as well. Additional cloud
computing governance can be added in retroactively and at
different stages of the process as a checkpoint to reassess
and redirect efforts as needed.
Phased Approach
Highlighted below are the four basic phases of a successful
cloud migration journey. Interlaid into the phased cloud
migration approach is when to incorporate the COSO ERM
framework components.
At beginning of the cloud migration, prior to the detailed
assessment of the IT environment, the organization should
define the cloud governance and culture. A Cloud Computing
Steering Committee can provide oversight and structure
the responsibility matrix. Once the oversight structure is
established, the organization can work to define its cloud
strategy in relation to the organization’s overall mission and
strategic objectives during the ERM strategy and objective-
setting.
Assess
During this phase, organizations assess their IT
portfolio where infrastructure discovery and application
rationalization is performed. While assessing infrastructure
discovery, ‘as-is’ infrastructure landscape is analyzed and
details such as server configuration, utilization parameters,
network segmentation, storage allocation, and dependencies
are collected.
During the application rationalization process, applications
are grouped depending on the factors such as application
complexity, criticality (including future business trends), and
dependencies. Each application is assigned a migration path
to follow during migration phase. Total cost of ownership
(TCO) analysis is performed wherein ‘as-is’ spend is
compared against ‘to-be’ spend in the cloud. Typically, at this
stage, organizations identify teams to successfully execute
the cloud roadmap and prepare a migration plan. Usually, the
cloud offers cost savings due to only paying for storage and
computing power based on usage and by shifting costs to
operating expenses (over capitalized expenses).
As the migration path is defined, this is a good point to
review the cloud performance using the ERM
performance component in the framework. Risks to the cloud
should be identified and mitigation steps put in place.
Build
During this phase, organizations can build a foundation to
host a cloud environment that accounts for scale, security,
governance, networking, and identity. It is called the landing
zone. A poorly planned foundation can cause organizations
to face delays, confusion and downtime, and jeopardize the
success of the cloud migration. The objective of setting up a
cloud landing zone is to build the foundation to develop, test,
deploy, monitor, and maintain. Governance, management
and subscriptions are established while defining the landing
zone. Network, compute, storage, database, management,
monitoring, security, continuous integration and continuous
development (CICD), application migration, and analytics
capabilities are established. Activities are assigned to
resources to drive transformation, establish governance,
create a cloud center of excellence, define security at all
levels, fulfill compliance, design policies, define architecture,
and detail plans for transformation (people, process and
technology).
34. c o s o . o r g
28 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
Migrate
During this phase, applications and workloads are migrated
to the cloud landing zone as per the migration path defined
during the assessment phase. Depending on how large an
application portfolio an organization has, cloud migration is
an iterative process to migration workloads. These iterations
are essentially different waves or move groups based on
the dependency matrix and business priority defined in the
migration plan during the assessment phase.
As the cloud is setup and expanded, the cloud governance
should be continually reviewed and revised to assess
changes to the environment or organization.
Optimize
Depending on how mature the organization is, the landing
zone setup to establish the foundation of the cloud
environment can be started small and then expanded.
Mature organizations usually start with enterprise scale.
During the optimization phase, the cloud environment
is refined to make it more efficient. It is an ongoing and
continuous process as the environment evolves.
Once the cloud is operational the organization should
leverage the cloud for ERM information, communication,
and reporting. This will allow the organization to report on
the cloud and CSP.
STRATEGY & OBJECTIVE-SETTING
PERFORMANCE
REVIEW & REVISION
INFORMATION, COMMUNICATION & REPORTING
GOVERNANCE & CULTURE
ASSESS
BUILD
MIGRATE
OPTIMIZE
Diagram 10. The Roadmap to the Cloud should include the COSO ERM Framework
Tactical Migration Strategies
There are six different migration paths available to migrate
workloads to the cloud, each carrying its own risks. This
is also called the 6 R methodology. These migration paths
are assigned during the assessment phase of the cloud
migration. The cloud migration is carried out primarily
through adoption of one of the “R” approaches mentioned
below.
Retain
This approach tends to be applicable to a hybrid IT
environment in which the organization is not ready to
move their entire workload to the cloud. This is typically a
temporary approach to “retain” some of the on-premise
workloads until the organization is prepared for a full
transition. Cloud transitions can be an extended project and
may include some temporary (or permanent) retention of on-
premise services.
Rehost
This is the easiest approach for cloud migration. This
approach would entail the organization’s current servers and
workloads be translated to the desired cloud environment
without the need for any changes to the software or platform.
For many migrations, some workloads can simply be
rehosted while others will require a more involved approach.
This is frequently referred to as lift and shift.
Replatform
Some workloads may require changes to the platform it
runs on. This might entail changing the operating system the
software runs on or transferring the data to a new database
engine. While some workloads may translate directly to a
cloud platform, others may require replatforming.
35. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 29
Repurchase
This approach represents the option to switch products
entirely, typically to a SaaS application. This approach is
usually followed for third party products which have been
running on-premise and their licenses cannot be ported in
the cloud version of the same product e.g., commercial off-
the-shelf (COTS) applications.
Refactor
Workloads will often require architectural changes to fully
leverage cloud native services. Refactoring might include
changing the organization’s solutions by rebuilding software
to be containerized so the organization can utilize cloud
resources at their maximum efficiency. Older monolithic
software solutions might not translate well to the cloud and
could benefit from refactoring. Refactoring software may
entail some level of replatforming the final solution as well.
Retire
This approach is followed for the assets and applications
which are identified to be decommissioned in the migration
plan during the assessment phase of the cloud migration.
This might entail workloads that have already successfully
been transitioned to the cloud, or possibly a solution that is
no longer necessary in a cloud environment.
In the table below, we highlight the risks and benefits of the
primary migration approaches.
Table 6.1. Tactical Cloud Migration Approach Risks and Benefits
Approach Benefits Risks
Rehost • Higher speed of migration
• Reduced risk of migration
• CSP + partner ecosystem of tools to natively support
this migration approach
• It could be automated/tool assisted
• May not use PaaS services
• Inherit potentially same performance
characteristics
• Limited retirement of technical debt
Replatform • Uses cloud services with no code change required
• No dependency on underlying physical hardware platform
• Migration to newer platform
• Opportunity to modernize technology stack
• Automated tool assistance available in some cases
• Migration could be time consuming and
costlier
• Requires additional planning and coordination
Repurchase • Eliminates dependency on custom hardware or
proprietary technology platforms
• Could be direct adoption of SaaS solution eliminating the
overhead of maintaining application and infrastructure
• Careful evaluation of partners/vendors
needed
• Some use cases can grow in time and effort
• Data migration is required
Refactor • Utilizes cloud native features
• Increases efficiency and agility at improved cost
• Adapts to modern customer needs
• Eliminates dependency on customer hardware and
proprietary technology platforms
• Improves user experience
• It could be complicated, expensive and could
impact migration timeline.
• It requires a good understanding of all aspects
of the application, compliance, regulatory
requirements, security, code, design etc.
• Some use cases can go grow in time
and effort
36. c o s o . o r g
30 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
APPENDIX B.
Roles and Responsibilities
A strong ERM program to govern cloud activities requires senior management to take on additional responsibilities. The following
describes the assignment of key cloud responsibilities.
Depending on the size and complexity of the organization, some of these positions may not have a direct match; therefore, please
use these as a guide and align or combine to appropriate individuals within the organization. Additionally, to the extent possible,
organizations should align the cloud governance responsibilities with existing ERM responsibilities.
Table 7.1. Roles and Responsibilities in the Cloud
Position Position Responsibilities
Board of
Directors
• Be aware of cloud computing trends and understand management’s perspective on the impact of cloud to the
industry and its business model
• Be aware and have oversight of transformative IT projects such as cloud services
• Understand how management is balancing risks with the benefits of cloud as part of its business and technology
strategy
• Leverage Internal Audit resources for assurance that cloud initiatives are in alignment with the organization’s risk
appetite and controls philosophy
• Participate in the ERM process
Chief
Executive
Officer
• Define the organization’s business strategy and how cloud computing enables it
• Define the organization’s point of view and policies regarding outsourcing
• Understand the impact cloud computing is having on the organization’s industry
• Be aware of where and how the organization is using cloud computing
• Participate in the ERM process
Chief
Financial
Officer
• Provide new disclosures regarding cloud usage in financial reporting
• Evaluate and monitor the total cost of ownership and return on investment with cloud computing and internal IT services
• Evaluate tax and accounting benefits of cloud computing versus alternatives
• Implement policies and controls over procurement of cloud services
• Monitor the financial health of each CSP
• Participate in the cloud governance process
• Participate in the ERM process
Chief
Legal
Officer
• Ensure that the organization’s cloud activities comply with laws and regulations
• Monitor for changes in the organization that could result in additional compliance needs
• Monitor for new laws and regulations that would impact the organization’s cloud solution or its CSPs
• Review and approve cloud service procurement policies
• Provide input on data classification policies and processes
• Review CSP contracts and ensure protection of the organization’s interests and rights
• Understand the legal jurisdiction aspects of the organization’s operations as they relate to using cloud services
hosted in different countries
• Participate in the cloud governance process
• Participate in the ERM process
37. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 31
Table 7.1. Roles and Responsibilities in the Cloud
Position Position Responsibilities
Chief Risk
Officer
• Manage the organization’s overall ERM efforts including the incorporation of cloud computing
• Monitor changes to the organization and the overall environment
• Coordinate with the Chief Compliance Officer on CSP compliance
• Monitor and assess changes to culture
Chief
Compliance
Officer
• Monitor for changes in the organization that could result in additional compliance needs
• Establish a plan for compliance for new regulations that impact cloud activities
• Monitor the organization’s cloud activities against compliance requirements
• Participate in external reviews, such as for SOC 2, PCI-DSS or regulatory compliance
• Monitor CSPs for applicable compliance
• Participate in the cloud governance process
• Participate in the ERM process
Chief
Information
Officer or
Chief
Technology
Officer
• Understand and monitor cloud computing’s potential to support current business strategies and new
business opportunities
• Establish overall strategy for leveraging and aligning cloud solutions for new products and services
• Facilitate the integration of cloud solutions into operations and the organization and current IT infrastructure
• Enable the change and the success of the organization in the cloud
• Assist with incorporating cloud governance into the organization’s ERM program
• Implement a data classification scheme in conjunction with data owners
• Establish cloud processes for resource provisioning, user access management, and change management
• Establish the organization’s internal cloud incident management program
• Establish processes and protocols with CSPs for incident management
• Participate in the ERM process
Chief
Information
Security
Officer
• Establish strategy and oversight to secure information and technology assets in the cloud
• Enable the change and the success of the organization in the cloud
• Perform cyber security assessments, such as penetration assessments or review the results from cloud vendors
• Ensure adequate security controls are established for cloud-based services
• Monitor cloud-based services for indicators of cyber-attacks or internal misuse of resources
• Participate in the cloud governance process
• Participate in the ERM process
Chief Audit
Executive
• Perform risk-based audits to evaluate the design and effectiveness of the blended control environment in
which controls and processes are shared with the CSP
• Audit the CSP or review SOC, PCI-DSS, or other regulatory compliance reports to verify the effectiveness of
CSP controls relied upon by the organization
• Perform periodic compliance audits of data residing on external clouds to verify compliance with data
classification polices
• Audit CSP spend and contractual compliance
• Evaluate cloud governance
• Participate in the cloud governance process
• Participate in the ERM process
Privacy
Officer
• Maintain the organization’s privacy program
• Review the data classification policies and what data may migrate to the cloud
• Monitor how CSPs comply with the organization’s privacy requirements
• Participate in the ERM process
Cloud
Computing
Steering
Committee
• Provide oversight over the cloud migration process
• Monitor the organization to ensure overall cloud governance is incorporated into processes
• Participate in the ERM process
38. c o s o . o r g
32 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
Table 7.1. Roles and Responsibilities in the Cloud
Position Position Responsibilities
Strategic
Sourcing or
Procurement
• Coordinate with business process owners to define requirements for cloud computing vendors
• Maintain an approved list of cloud vendors
• Evaluate potential CSPs for fit
• Participate in the ERM process
Vendor Risk
Management
• Define vendor management policies for CSPs
• Monitor CSP service-level agreements
• Monitor activities of the CSP and fellow cloud tenant customers
• Participate in the ERM process
Technology
Architect
• Design the overall technology strategy for the organization including the cloud strategy and environment,
including systems and software
• Implement and maintain the overall IT environment
Network
Engineer
• Design and implement network architecture to enable the availability of the systems and applications in and
out of the cloud
• Maintain cloud infrastructure (IaaS and PaaS)
• Optimize network software
• Implement and maintain communication and hardware connections in and out of the cloud
Security
Engineer
• Design strategy and implement tools to protect the security, confidentiality, integrity, and privacy of the
cloud environment
• Monitor the cloud environment for potential threats
• Manage incident response for the organization
• Liaise with the CSP for incident response
DevOps
Engineer
• Maintain processes for development and operations for the cloud
• Create functional, scalable, fault tolerant applications for the cloud
QA Engineer • Test systems and application changes for the cloud
• Prepare data for business continuity planning for the cloud
System/
Application
Administrator
• Maintain application user administration and security for the cloud systems and applications
• Manage system configuration
• Monitor managed services for cloud processes
• Manage maintenance for cloud systems, as necessary
CSP
Relationship
Managers
• Note, there will be multiple, based on different departments
• Maintain relationship and contacts with CSPs
• Escalate incidents with CSP when necessary
• Monitor and enforce CSP service-level agreements
End Users • Safe and appropriate usage of cloud applications and tools
• Understanding of data privacy and security practices
39. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 33
APPENDIX C.
Glossary and Definitions
The introduction provided three definitions of cloud
computing. Again, in the simplest terms, cloud computing is
a computing model that utilizes pooled resources over the
internet. The management of the underlying servers and
processes may be outsourced to another organization. The
following outlines some key cloud terms used throughout this
paper.
Cloud Computing Terminology
Common cloud computing terminology is explained below:
• Cloud Service Provider (CSP) – A vendor that
provides cloud computing services that could include
infrastructure, networking, or business applications.
• Managed System Provider (MSP) – A vendor that
manages an organization’s IT needs. A CSP is an MSP,
but an MSP does not have to be a CSP, an MSP could
manage non cloud processes as well.
• Managed Cloud Services – The managed services
provided by the organization’s CSP. These will vary
based on the delivery method and the contract.
• Multi-cloud – An organization that utilizes multiple
deployment models, delivery models, and/or different
platforms with different public cloud service providers
is in a multi-cloud environment. Multi-cloud can
be a strategic decision; although, it can arise from
uncoordinated efforts by different departments.
• Multi-tenant – With most CSP technology solutions, a
customer is a single tenant among many tenants sharing
common resources and technologies. The multi-tenant
concept affects how resources are organized and
provided to the CSP’s customers. For example, a cloud
customer’s data might be housed in a single large data
storage platform that is shared with the data of multiple
tenants of the same cloud solution.
• Cloud Access Security Broker (CASB) – a security
application that resides between cloud users and cloud
applications to apply the organization’s security policies
to the cloud resources. CASBs are used to protect data
and enforce security policies.
• Secure Access Service Edge (SASE) – applies cloud-
based policy and delivers secure cloud access. SASE
focuses on networking and security.
• Containerization – is a method to manage workloads
and services which facilitates automation.
Cloud Deployment Models
The most common cloud computing deployment models
include:
• Private cloud – A private cloud is created only for one
organization and managed by the organization or a CSP.
• Community/Partner cloud – A community or partner
cloud is shared by organizations with common interests
(e.g., mission, industry collaboration). It might be
managed by the community organizations or a CSP.
• Public cloud – A public cloud is managed by a CSP who
makes the services available to people or organizations
who want to use or purchase them.
• Hybrid cloud – A hybrid cloud is composed of two
or more clouds (private, community, or public)
environments that must include a private cloud and
remain unique entities with communication between
each cloud entity. Hybrid clouds are used to provide
flexibility on workloads.
• Government cloud – A government cloud is designed
for government organizations or institutions to meet
government requirements on security. These may be
managed by a government or by a CSP.
40. c o s o . o r g
34 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
Cloud Service Delivery Models
The most common cloud computing delivery models include:
• Infrastructure as a Service (IaaS) – The CSP provides an
entire virtual data center of resources (e.g., computing
resources, and storage resources).
• Platform as a Service (PaaS) – The CSP provides
proprietary tools that facilitate the creation of
application systems and programs that operate on the
CSP’s hosted infrastructure.
• Software as a Service (SaaS) – The CSP provides a
business application that organizations can use to
perform specific functions or processes (e.g., email,
customer management systems, enterprise resource
planning systems).
Pricing Models
The most common cloud computing pricing models include:
• Subscription – Paying a fee typically based on licenses
or seats. This is frequently used for SaaS and is usually
set at monthly interval.
• Usage – Based on usage, which may include storage
used, computational power, time, bandwidth, backup,
and/or support.
• Tiered – Fee levels based on usage or features. This
could be tied to a subscription-based or usage-based
model.
• Combined – A pricing model that may take aspects of
pay as you go, tiered, and/or subscription.
• Dynamic – A pricing model that adjusts based on supply
and demand. Users can pay the current demand price,
or they can pay a reserved price and obtain resources
at a set time.
• Market – Pricing can differ if the organization uses on-
demand time vs setting a price limit. Pricing changes are
based on supply and demand at the time of service. If
the organization set a price limit, like a reverse auction,
and the price goes down to the organization’s price, the
organization’s workload will be executed.
• Advertisement – Pricing is typically either low or free,
but the user is subject to advertising to use the system.
41. c o s o . o r g
Enterprise Risk Management | Enterprise Risk Management For Cloud Computing | 35
ABOUT THE AUTHORS
Mike Grob, Principal, Crowe LLP
Mike Grob is a Principal in Crowe LLP’s Consulting Practice. In this role, he leads cloud
transformation services and assists clients in modernizing their IT services. He is a
Microsoft Certified Professional in Azure and Dynamics.
Mike has a BS in Media and Communications Strategy from Michigan State University.
Victoria Cheng, Managing Director, Crowe LLP
Vicky is a Managing Director in the Consulting Practice at Crowe LLP. She focuses on IT risk
management and cloud governance.
Vicky graduated from the University of Illinois. Vicky is a CPA licensed in Illinois and a CISA.
She is a member of AICPA, ICPAS, IIA, and ISACA.
42. c o s o . o r g
36 | Enterprise Risk Management | Enterprise Risk Management For Cloud Computing
ABOUT COSO
ABOUT CROWE
This publication contains general information only and none of COSO, any of its constituent organizations or any of the
authors of this publication is, by means of this publication, rendering accounting, business, financial, investment, legal, tax or
other professional advice or services. Information contained herein is not a substitute for such professional advice or services,
nor should it be used as a basis for any decision or action that may affect your business. Views, opinions or interpretations
expressed herein may differ from those of relevant regulators, self-regulatory organizations or other authorities and may reflect
laws, regulations or practices that are subject to change over time. Evaluation of the information contained herein is the sole
responsibility of the user. Before making any decision or taking any action that may affect your business with respect to the
matters described herein, you should consult with relevant qualified professional advisors. COSO, its constituent organizations
and the authors expressly disclaim any liability for any error, omission or inaccuracy contained herein or any loss sustained by
any person who relies on this publication.
Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to helping organizations
improve performance by developing thought leadership that enhances internal control, risk management, governance, and fraud
deterrence. COSO’s supporting organizations are the American Accounting Association (AAA), the American Institute of
Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA),
and The Institute of Internal Auditors (IIA).
Crowe LLP is a public accounting, consulting, and technology firm with offices around the world. Connecting deep industry
and specialized knowledge with innovative technology, our dedicated professionals create value for our clients with integrity
and objectivity. By listening to our clients, we learn about their businesses and the unique challenges they face. We forge
each relationship with the intention of delivering exceptional client service while upholding our core values and strong
professional standards. We invest in tomorrow because we know smart decisions build lasting value for our clients, people,
and profession.
43. Committee of Sponsoring Organizations
of the Treadway Commission
c o s o . o r g
E n t e r p r i s e R i s k M a n a g e m e n t
44. c o s o . o r g
Committee of Sponsoring Organizations of the Treadway Commission
E n t e r p r i s e R i s k M a n a g e m e n t
ENTERPRISE RISK
MANAGEMENT
FOR
CLOUD COMPUTING