Tuesday, August 16, 2011

Considering Cloud Computing?

The idea of using the cloud is appealing to a growing number of business leaders.  Licensing, operational support and availability are attractive cost factors driving its acceptance.  But Sarbanes-Oxley, the European Union data protection rules, PCI DSS, HIPAA and various state privacy laws are still in play.  Business leaders and auditors need to understand who owns the controls that ensure compliance once part of the environment is run by a provider.

Your responsibility for compliance does not go away just because you don't manage the servers, as reported by Jim Buchanan on www.cio.com.  He offers these four points to consider.


1.  What is the impact on your IT workload?

Check identity and access management, data protection and incident response procedures, and find out which of them the provider runs and which remain yours.  Be aware of server locations: European customer data should generally stay on servers located in Europe.  Investigate multi-tenancy (who else shares the hardware that holds your data) and de-provisioning (how accounts and data are removed when a user leaves or a contract ends), and what a vendor's offering will mean to your organization.  Encryption, at rest and in transit, is a factor you need to consider, including who holds the keys.
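As an added illustration of the checks this point describes (this is example code, not from the original post or from cio.com), the script below runs three pre-migration checks over a small, constructed asset inventory: data residency against a per-jurisdiction policy, encryption at rest, and de-provisioning (accounts a provider still lists as active for people HR says have left).  The region names, store names, policy table and user names are all assumptions for illustration; a real run would populate the same structures from the provider's inventory API and your HR system.  A subject region with no policy entry is treated as a violation, so the check fails closed rather than silently passing data you have not yet classified.

```python
"""Added example: cloud compliance pre-checks over a constructed inventory.

Nothing here is a real system; regions, stores, users and the policy table are
illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStore:
    name: str
    subject_region: str    # jurisdiction of the people the data is about
    hosted_region: str     # cloud region the provider actually stores it in
    encrypted_at_rest: bool
    shared_tenancy: bool   # True if other customers share the hardware


# Constructed residency policy (assumption): regions in which data about
# subjects from each jurisdiction may be hosted.  Take this from legal advice,
# not from this example.
RESIDENCY_POLICY = {
    "EU": {"eu-west", "eu-central"},
    "US": {"us-east", "us-west", "eu-west", "eu-central"},
}

# Constructed inventory (assumption).  Two records are deliberately wrong so
# the checks have something to find.
INVENTORY = [
    DataStore("crm-eu", "EU", "eu-west", True, True),
    DataStore("backup-eu", "EU", "us-east", True, True),      # EU data in the US
    DataStore("payroll-us", "US", "us-east", False, False),   # not encrypted
    DataStore("logs-us", "US", "us-west", True, True),
    DataStore("apac-web", "APAC", "us-east", True, True),     # no policy entry
]

# Constructed IAM snapshot (assumption): accounts the provider still reports as
# active, and the people HR has offboarded.
ACTIVE_ACCOUNTS = {"alice", "bob", "carol"}
OFFBOARDED = {"bob", "dave"}


def check_residency(inventory, policy):
    """Names of stores hosted outside the regions allowed for their subjects.

    A subject region missing from the policy is reported too: unclassified
    data must not pass the check by accident.
    """
    violations = []
    for store in inventory:
        allowed = policy.get(store.subject_region, set())
        if store.hosted_region not in allowed:
            violations.append(store.name)
    return violations


def check_encryption(inventory):
    """Names of stores that are not encrypted at rest."""
    return [s.name for s in inventory if not s.encrypted_at_rest]


def check_deprovisioning(active_accounts, offboarded):
    """Accounts that are still active although the person has left."""
    return sorted(active_accounts & offboarded)


def run_all(inventory=INVENTORY, policy=RESIDENCY_POLICY,
            active=ACTIVE_ACCOUNTS, offboarded=OFFBOARDED):
    """Run every check and return a findings dict keyed by check name."""
    return {
        "residency": check_residency(inventory, policy),
        "encryption": check_encryption(inventory),
        "deprovisioning": check_deprovisioning(active, offboarded),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        status = "OK" if not findings else "FAIL"
        print(f"{check:15s} {status:4s} {', '.join(findings)}")
```

Each check returns a list rather than printing, so the same functions can feed a ticket, an audit report or a CI gate that blocks a migration until the findings list is empty.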


2.  Standards?

Consider which applications you want to move to the cloud.  The standards for cloud computing are not mature yet.  A Forrester executive reports that "SAS70 and ISO 27001 are helpful, but they are point-in-time," meaning an audit report says how the provider looked on the day of the audit, not how it looks today.  The Cloud Security Alliance is developing a Governance, Risk and Compliance (GRC) standards suite that will help you assess your position.

3.  Service Level Agreements

Don't settle for a standard contract.  Even small firms can leverage their position as a new industry or regional client to negotiate terms that protect them, such as breach notification, audit rights, data location and data return on exit.  Due diligence is key.

4.  Security is key

To better understand the risks of moving to the cloud, bring in the Enterprise Risk and IT Security teams up front, before the vendor is chosen.  These professionals can help assess the risk and contribute to a solution, including the costs of mitigating any new risks.
