Five Questions Boards of Directors Need to Ask About Cloud Governance

Wednesday, May 01, 2013

InfosecIsland News
The many benefits of cloud computing include helping enterprises become more efficient, agile, innovative and flexible, but achieving those benefits depends on a number of factors, including the involvement of the board of directors. ISACA, a nonprofit, independent association of more than 100,000 governance, risk, security and assurance professionals worldwide, has issued new guidance outlining key questions for boards of directors to ask to ensure their enterprise’s cloud initiative is in line with business objectives and the organization’s risk tolerance.

“Board members need a clear understanding of cloud computing benefits and how to maximize them through effective governance practices,” said Marc Vael, CISA, CISM, CGEIT, CRISC, CISSP, an ISACA board member and chief IT audit executive at Smals. “This requires the board to see cloud computing not as an IT project, but rather as a business strategy.”

According to ISACA’s Cloud Governance: Questions Boards of Directors Need to Ask, boards should address the following five questions to determine the strategic value that cloud services are expected to provide and the impact that the cloud may have on resources and controls:

  1. Do management teams have a plan for cloud computing? Have they weighed the value and opportunity costs?
  2. How do current cloud plans support the enterprise’s mission?
  3. Have executive teams systematically evaluated organizational readiness? For example, are the right skills available? Do cloud processes conflict with other established processes? Do cloud plans conflict with enterprise culture?
  4. Have management teams considered what existing investments might be lost in their cloud planning? Does the adoption of a cloud service nullify already-made technology investments that have not reached their planned end date, and is that noted and approved?
  5. Do management teams have strategies for measuring and tracking the value of cloud return vs. risk?

“The answers to these questions will help determine the enterprise’s readiness to adopt cloud computing and also help ensure that the necessary governance is in place,” said Vael. “The COBIT 5 framework for governance and management of IT can also help enterprises manage investments such as cloud services. COBIT 5 helps ensure consistent practices to maximize value and manage risk.”

ISACA’s white paper, “Cloud Governance: Questions Boards of Directors Need to Ask,” is available as a free download at Additional resources on cloud are at, and the COBIT 5 framework is a free download at Cloud governance will be discussed in depth at ISACA’s World Congress: INSIGHTS 2013, taking place 10-12 June 2013 in Berlin, Germany.

Source: ISACA

Don O'Neill

Every organization has information it cannot afford to lose. The remedy for the loss of proprietary information and data lies not in better Cyber Security hygiene, perimeter defense, or defense in depth measures. Instead, the remedy can be found in a far more muscular and critical inquiry by consumers themselves into the actual risk of loss of proprietary information and data they cannot afford to lose and cannot protect. That inherent risk is heightened in the joint use of cloud computing with the Internet and a supply chain of third party participants and outsource vendors.

In the Internet as public commons, there is no overarching responsibility for making the Internet safe; instead, safety depends on cooperation and responsible choices by the commoners who use it. Considering the widespread Cyber Security risk associated with Internet use, why is the default option with respect to Internet use one of use, not nonuse? Indiscriminately applied, the presumed use option only serves to enable Cyber crime whose bad actors threaten competitiveness and national security. Instead, the default option on Internet use should be nonuse.

Just as a programmer needs to explicitly check boundary conditions in specifying inputs to a procedure, acquisition managers and enterprise executives need to establish pre-conditions for using cloud computing or the Internet and not simply exercise the default option of use.