Moving to the Cloud for computing is no longer optional for many enterprises and hence many of them have already embarked on this journey. However, several them do so without a formalized and effective Risk Management strategy which results in them making unintended news headlines due to a breach. Risk Management is key to protecting the shareholder value and include strategic risks, financial risks, operational risks, and damage risks.
Enterprise Risk Management
As outlined by paper by North Carolina State University1, Enterprise Risk Management is an approach to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives. This is a top down approach driven by the Executive Management and Board of Directors as they are the ones who have the enterprise view of the organization and they are viewed as being ultimately responsible for understanding, managing, and monitoring the most significant risks affecting the enterprise.
Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing process. The diagram in Figure 1 illustrates the core elements of an ERM process. It is important to focus on the oval shape to the figure and the arrows that connect the individual components that comprise ERM. The circular, clockwise flow of the diagram reinforces the ongoing nature of ERM. Once management begins ERM, they are on a constant journey to regularly identify, assess, respond to, and monitor risks related to the organization’s core business model.
Enterprise Risk Management Approach on Cloud Computing
Risk Management is not a new concept and organizations have been doing this for decades as managing risk is key to succeeding in business. However, the approach that was adopted by many was a siloed approach. Each Business Unit or Functional leader was tasked with managing risk in their own department and over time this led to a lot of issues resulting in the formation of Enterprise Risk Management approach.
Cloud Computing is a classic example of why traditional risk management will not work as it traverses across different areas. Software-as-a-Service solutions are highly appealing as they are primarily OPEX based and offer an on-demand consumption model. Hence, these solutions are highly popular as the traditionally the business units would subscribe to them within their P&L without requiring involvement of IT and cumbersome CAPEX approval process. Traditionally, IT was opposing these solutions due to the security and data privacy issues. Over time, better governance has been implemented in enterprises as Cloud Suppliers have strengthened security and there are proper Cloud Security frameworks that have evolved to manage the risks. The upside and downside risks are articulated, and the risk-based performance management approaches are replacing the traditional risk management.
The frameworks associated with Cloud computing cover requirements of the users, cloud service providers risk assessment, third-party agencies review, and continuous monitoring. Vendor IT Risk Assessment include items such as:
- Formal Security program adopted by the provider including dedicated security officer, external auditors and senior management oversight
- Third Party Assessments such as SOC2, ISO etc.
- Critical programs such as BCP, DR, Asset destruction, recovery and security operational incident management
- Penetration Test results
- Vendor Security Assessment and oversight
Enterprise Risk Management Approach for Data Services
Risk Management for Data should include
- Leak of sensitive and confidential information
- Loss of User Data
- Access Control Lists compromised
- Data Classification mismatch
- Data Integrity compromised
Although GDPR imposed by EU has created an upheaval in the enterprises having operations in Europe several of the principles apply to data services in general. The data protection principles stipulated by GDPR include:
- Lawfulness, fairness and transparency – Essentially the privacy policy needs to state the type of data being collected and why it is being collected
- Purpose limitation – collect data for a specific purpose and collect it only for as long as you need to complete that purpose
- Data Minimization – process only the personal data that you need to achieve the processing purpose.
- Accuracy – every reasonable step must be taken to erase or rectify data that is incomplete or inaccurate
- Storage limitation – delete personal data after a predefined time when it is not necessary. Data retention policies should be set, and compliance ensured
- Integrity and Confidentiality – personal data should be processed in a manner that ensures appropriate security and protection against accidental loss, destruction or damage.
In Summary, since enterprises can rarely avoid Cloud Computing or dealing with personal and sensitive data, they should adopt formalized approaches to Risk Management and the sponsorship needs to come from Executive Management and Board of Directors. ISO, PCI, GDPR and several other certifications mandate compliance but regardless of the need for the enterprise to be certified, shareholders are mandating this to protect their value.