ISACA issues Cloud computing guide to help enterprise increase value and manage risk

CIOs remain polarised on the benefits of Cloud computing
ISACA international vice-president and RSM Bird Cameron director of information security, Jo Stewart-Rattray

For all the talk of Cloud computing, the governance issue remains, for many enterprises, the great unknown. Cloud computing inevitably impacts business processes, making governance vital to managing risk and adapting to take advantage of new opportunities.

Industry body ISACA is looking to change that by issuing a new guide for implementing controls and governance.

Entitled IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, the guide looks at business case development, standards and practices to assist with governance, and how to establish business goals for the Cloud. It also outlines risk considerations and responsibilities, and a Cloud computing management audit/assurance program.

According to a survey of ISACA’s Australian members, less than half — 42 per cent — currently include Cloud computing strategies within their enterprise. And 80 per cent of these organisations limit Cloud computing to low-risk, non-mission-critical IT services.

"Cloud take-up in Australia is relatively slow compared to other countries," said ISACA international vice-president and the Queensland Department of Communities associate director-general, Tony Hayes.

"Lower-risk and less contentious data seem to be the first choice for early adopters."

Hayes said organisations retain sensitive data and data that gives them a competitive advantage.

"Government agencies are significant investors in IT and, to date, Cloud computing has been adopted mainly as a concept internal to government," he said.

ISACA international vice-president and RSM Bird Cameron director of information security, Jo Stewart-Rattray, said CIOs remain polarised about Cloud computing.

"While speaking with CIOs in Australia and the US, the mention of the Cloud is met in one of two ways: An enormous groan or a loud cheer," she said.

"Of course it will depend upon the context of a business whether Cloud offerings will suit its needs. If they do, security and governance around such offerings must be in place within the organisation."

Due diligence around the proposed service provider and appropriate controls must also be in place, she said, to ensure corporate information is protected from loss, theft, tampering and loss of jurisdictional control.

Key questions for Cloud governance

ISACA’s guidance recommends enterprises ask the following key questions:

  • What is the enterprise’s expected availability?
  • How are identity and access managed in the Cloud?
  • Where will the enterprise’s data be located?
  • What are the Cloud service provider’s disaster recovery capabilities?
  • How is the security of the enterprise’s data managed?
  • How is the whole system protected from internet threats?
  • How are activities monitored and audited?
  • What type of certification or assurances can the enterprise expect from the provider?

ISACA will hold its Oceania CACS2011 conference in Brisbane from 18-23 September, which will explore issues such as control, risk management, data loss prevention and assurance for Cloud strategies.

Follow Georgina Swan on Twitter: @swandives


Comments

1

Lily Hunt

Mon 08/08/2011 - 23:10

NOW they get around to a non-authoritative guide on the control principles of cloud computing? I've been a CISA for 18 years and have seen both the organisation and the designation become less and less relevant. Disappointing.

2

Craig Wright

Sat 27/08/2011 - 09:24

Ms Rattray is a plagiarist and hence a fraud.

I wrote on this topic three years ago now (http://gse-compliance.blogspot.com/2008/06/tisk-tisk-tisk.html).

Her feeble excuse for fraudulently stating the writings as her own was that she had planned to add a reference later. Really? Adding a reference when more than half the article has been stolen and fraudulently promoted as her own? For that matter, would not the adding of a reference have been better justified BEFORE publication? If you have been published for three months and have not made an attempt to update a document, does that not seem as if you have basically intended to fraudulently promote it as your own?
