The Cloud Industry Forum (CIF) and cyber-security expert Trend Micro have launched an intelligence paper aimed at helping senior business leaders to make better business decisions about cloud computing. Entitled ‘Assurance in the Cloud’, the report explores the challenges that the Board of any contemporary enterprise that is moving to the cloud now faces – namely, how to audit and how to deliver assurance in a ‘virtual’ world.
Designed as a business review, rather than a technical one, and compiled with input from leading experts from the industry and the legal community, the paper looks at some of the most pressing challenges around cloud deployment and the ways in which organisations can manage and mitigate the risks. It encompasses issues relating to legal, regulatory and compliance frameworks to enable business leaders to ask the pertinent questions about who has access to their data, where it is being held, and what technical and contractual measures are in place to protect it.
Company directors have a legal responsibility under the Companies Act 2006 to act within their powers to exercise independent judgement, reasonable care, skills and diligence to promote the success of their companies. Data security falls firmly within this remit and it is therefore critical that Board members have a full understanding of the threat landscape and can seek assurance on, and have full oversight of, the following:
- Data security: What technical measures are in place to maintain the integrity of your data? Are you clear on the roles and responsibilities associated with different cloud deployment models? Do you understand the threats and how they can be addressed?
- Contracts: What recourse do you have regarding the termination of your contract? Who owns the data and who can access it? Who is responsible for damages and fines?
- Regulation and compliance: How is your business impacted by regulation? Have you taken steps to ensure compliance with the General Data Protection Regulation (GDPR)? Have you considered data location and data sovereignty?
Bill McGee, SVP and General Manager, Cloud and Data Centre Security at Trend Micro, commented: “The rise of cloud computing mean that the whole Board needs to be involved in technology decisions in a way that they’ve never had to before – and for many, that will be a real challenge. The upcoming introduction of the GDPR, and the potentially massive punitive measures it will bring, makes that involvement and understanding all the more important. You can’t just outsource responsibility for your data; you’ve got to satisfy yourself and the regulators that your data, and by extension your business, is protected. This isn’t about the technology per se, but knowing the questions that you need to ask to get assurance that your company’s data is being looked after.
“We’ve compiled this guide to get the whole of the senior management team thinking about the risks that their organisations are facing, and ultimately enable them to make better and more informed business decisions when it comes to cloud. If you understand your attitude to risk, you can make the appropriate measured decisions, and ultimately grow your business,” Bill continued.
Dr. Richard Sykes, Chairman of the Cloud Industry Forum, added: “The nature and the role of IT within organisations has changed significantly over the last few years; it has never been more important. Done well, technology – cloud in particular – is the route to success, but, at the same time, the consequences of getting it wrong can be significant for both the organisation and for the directors themselves. Boards cannot afford to take their eye off the ball and it’s critical that business leaders can get a handle on the legal, regulatory and technical issues they are now grappling with – indeed, they are legally obliged to do so.”
