Cloud computing – Part 2: Security in the cloud

Security in the cloud

One of the primary concerns with cloud computing is data security. The IDC Enterprise Panel in an August 2008 survey shows ~75% of survey respondents rating data security as a primary concern with cloud computing. What type of internal control framework should be in place to help mitigate this risk?

I have included a link to a good introductory article from techsoup below. In the article, you will also find a link to a 76-page whitepaper published by the Cloud Security Alliance, ‘Security Guidance for Critical Areas of Focus in Cloud Computing’, if you are interested in understanding the security issues in more depth.

  • techsoup
  • Additionally, the IIA has for many years, through its Global Technology Audit Guides (GTAG), published excellent guidance on recommended internal control frameworks for information technology management, control and security. One guide in particular, GTAG 7, is directly relevant to cloud computing, and I have pulled out some key points from it below. The full PDF of this guide can be purchased through the IIA website and is a free download for IIA members.

      Some guidance from GTAG 7 – Information Technology Outsourcing

    Companies that commit to an IT outsourcing partnership should have a strong governance capability in order to properly manage the outsourced activity and to help ensure the following:
    – Alignment with the organization’s key business objectives and the needs of primary stakeholders
    – A monitoring mechanism to ensure the outsourced IT services are performed according to expectations
    – Management of changes in IT projects and services across complex portfolios
    – Direct and visible accountability for IT performance
    – Specific ownership of key contract terms
    – Well-integrated IT management processes for the client and service provider

    Elements of a well-written contract
    – Service levels and incentives
    – Vendor personnel
    – Data protection, privacy and intellectual property
    – Price protections
    – Third-party assignments
    – Ownership of assets used or created by the IT outsourcing partnership
    – Conflicts among different legal systems
    – Contingency management and change planning
    – Notice of adverse material impacts
    – Right to audit
    – Termination

    Project and Risk Management
    – Determine the types of compliance risks the organization is exposed to based on the type of outsourced service
    – Identify processes that can have a material impact on compliance risk
    – Establish manual and automated process controls to ensure that all risks are mitigated
    – Define Service Level Agreements (SLAs) with regard to potential compliance risk exposures, which processes will be reviewed, audit responsibilities and frequency, and correctional steps
    – Implement and monitor a robust governance model for overseeing regulatory compliance

    Key control considerations to evaluate in the service provider’s internal controls
    – Control Environment – governance, policies and procedures, clear definition of roles and responsibilities
    – Security Considerations – physical security and environment controls, personnel security, logical access, business continuity
    – Software Development Life Cycle Controls
    – Change Management Control Considerations – Appropriate system controls should exist to make sure all changes are made properly
    – Human resource policies and procedures – An evaluation of the vendor’s HR policies and procedures is important to the successful implementation and operating effectiveness of the designed controls

    The bottom line – Although different frameworks can be adopted to oversee the effectiveness of outsourced activities, the contract remains the most important framework in reviewing a service provider’s work and compliance.

    How to respond when considering Cloud Computing
    • Understand your organization’s needs
    – Quantify the needs
    – Analyze those needs
    – Evaluate how best to address those needs
    • Determine the ROI of any changes

    • Calculate your ROI based on:
    – Achievement of a goal or problem solved
    – Increased speed of transaction processing
    – Generation of reporting and tracking needed to meet funding requirements
    – Elimination of reliance on IT


    Key Insights
    – Cloud computing is here and it is rapidly replacing on-premises systems
    – There are many benefits, such as functional productivity
    – Particularly attractive to NFPs
    – Easy to get started

    To the cloud!!


    1 Response to “Cloud computing – Part 2: Security in the cloud”

    1. January 13, 2013 at 7:49 am

      Heya! I hope you do not mind but I decided to post your website: http://nfpauditacctg.
      to my internet directory. I used, “Cloud computing” as your website headline.
      I hope this is ok with you. In case you’d like me to change the title or perhaps remove it completely, email me at tatianaswank@gmail.com. Thank you so much.
