Domain 2: Governance and Risk Management


alex

May 13, 2009, 1:34:32 PM5/13/09
to Cloud Security Alliance
Hi,

It's been my experience that Enterprise Risk Management (ERM) has a
very specific connotation and meaning in most organizations that is a
different aggregate focus from Information Risk Management (IRM), the
function that typically sits under the CISO.

Is the purpose of Domain 2 to apply management science to securing the
cloud, or is it to focus on how IRM reports up to the ERM group on
"cloudy" specifics?

Before you say "both", I'll offer that IRM for cloud computing seems to
fit the language of the first document, and that the relationship
between IRM & ERM feels so particular to the organization at hand
that guidance is not only not needed there, but specificity is
unwarranted.

I'm going to suggest we change the focus away from ERM and onto IRM,
as a focus there is what is needed (IMHO) to give meaning to both
Domain 3, and the development of metrics categories required for
knowledge in various other domains.

Yours,

Alex



Jeff

May 20, 2009, 12:45:47 PM5/20/09
to Cloud Security Alliance
The reason I chose to define this in the context of ERM is due to the
nature of the business risk presented. Information may be a core of
an organization's strategy to use the cloud, but then again it may not.
Business process and business functions may be sourced to the cloud,
presenting real business risk not only to information but to an
organization's supply chain and operational environment that has
financial impacts. This then presents supply chain risk, operational
risk, and financial risk to the organization, which feeds the need for
an ERM view. Separating this to only information removes the
enterprise approach and lessens that impact. It also relegates the
security focus to only information when there is much more at stake.
The examination of a cloud service provider cannot only focus on
information risk but all aspects of risk when examining the viability
and service offerings of the provider.

We may be called the Cloud Security Alliance, but the tentacles of risk,
security and assurance must reach into every facet of the enterprise
and become established as a core function of each element.

alex

May 21, 2009, 11:32:27 AM5/21/09
to Cloud Security Alliance
Hi Jeff,

I can see that. I was probably drawing more on my (admittedly small)
experience of helping IRM programs integrate with overall ERM
approaches - which up to now has never really addressed the politics
surrounding cloud computing.

It's been my experience that "where computing lies" is viewed by other
LOBs mainly as someone else's problem (namely, IT's problem). There
may be an impact on outsourcing the information processing concerned
with supply chain or financial operations, but the "availability"
concern for outsourced applications is not the responsibility of the
CFO, for example, it is still the responsibility of the CIO/CSO (and
in most cases where I've worked with an actual CRO, their
responsibility is simply the validation of risk expression around the
CIA triad for IT assets w/regards to IT risk). Of course, aspects of
the cloud (SaaS, certainly) might actually represent moving control
away from the CIO to a rather unqualified LOB executive, and in this
case the outcome of the IRM risk expressions would be more politically
relevant in the context of larger ERM concerns.


Yours,

Alex

Karen W

Jul 6, 2009, 4:18:22 PM7/6/09
to Cloud Security Alliance
I'd like to add some perspective to this thread - albeit a little
late.

Cloud computing crosses multiple areas of risk management, but to push
it to ERM as a general "bucket" may cause us to lose useful structure.
In particular, the risks that must be addressed are:
IT Risk
Data Management Risk - depending on the org this can be seen as a
business risk or an IT risk.
Legal Risk
Financial Risk

Governance structures for Cloud are well described already if we apply
ValIT and CobiT governance guidance - my suggestion is that we use
those to define how management makes informed decisions about Cloud
Risk. We should define process and structure, and the "what"
framework for Cloud governance, and somehow ensure that the
prescriptive guidance for "how" is covered in the other domains.

My $.02.

Karen