Oortcloud

As organisations adopt cloud services, it is critical to identify any risks this can create and to develop a control framework to assess, monitor and mitigate any threats.

The starting point for this process is identifying all types of cloud services being leveraged and then performing an assessment to identify any potential risks these services can create. The next step is identifying mitigating actions and establishing risk tolerance levels, enabling effective risk and service monitoring to help manage and mitigate any threats to business operations.

However, too many organisations currently rely on their service providers to manage and mitigate these risks, or feel the risks are not material or relevant. We believe it is crucial to undertake this analysis for any business leveraging a cloud service provider, as it can help inform management and is a critical part of an organisation's aggregated risk management profiling.

As part of our approach, we believe organisations should undertake an assessment of their cloud service usage and identify the business processes and data being used, along with a formal risk assessment to establish their criticality and importance to maintaining robust business operations.

We believe organisations should assess and consider a number of key aspects of each service being used across the organisation.

  • Vendor Profile including stability, experience, contract terms, data protection capabilities.
  • Service Profile including delivery locations, data backup, SLAs, cyber protection.
  • Data Profiles including identification of PII and other sensitive data types.
  • Service Risks including impact assessments, likelihood, estimated potential loss from outage…

Using the outcome of this assessment process, businesses could define robust monitoring, controls and risk tolerance thresholds for each service, and incorporate these into their overall risk management framework.