Monday, July 19, 2010

Strategies for Addressing Cloud Computing Risks

These risks, as well as others that an enterprise might identify, must be managed effectively. A robust risk management
program that is flexible enough to deal with continuously evolving information risks should be in place. In an
environment where privacy has become paramount to enterprise customers, unauthorized access to data in the cloud is a
significant concern. When embarking on an agreement with a cloud provider, an enterprise must take an inventory of its
information assets and ensure that data are properly classified and labeled. This will help to determine what should be
specified when drafting a service level agreement (SLA), any need for encryption of data being transmitted or stored, and
additional controls for information that is sensitive or of high value to the organization.

As the link that defines the relationship between the business and the cloud provider, the
SLA is one of the most effective tools the enterprise can use to ensure adequate protection
of information entrusted to the cloud. The SLA is where customers can specify
whether joint control frameworks will be used and describe the expectation of an external,
third-party audit. Clear expectations regarding the handling, usage, storage and availability
of information must be articulated in the SLA. Additionally, requirements for business
continuity and disaster recovery (discussed previously) will need to be communicated in the
agreement.

Information protection will evolve as a result of a strong, comprehensive SLA that is
supported by an equally strong and comprehensive assurance process. Structuring a
detailed and complete SLA that includes specific rights to audit will assist the enterprise
in managing its information once it leaves the organization and is transported, stored or
processed in the cloud.