The categories of risk associated with cloud services are the same as those associated with traditional IT systems; what changes is the context in which they must be assessed. Below is an example of a tailored risk assessment that can be signed off at a level appropriate to the agency’s risk appetite. This section also answers the questions raised in the document Cloud Considerations.
Using this briefing note, you will learn how cloud risk assessments can be right-sized for cloud environments.
Risk assessment is the responsibility of agencies
A risk assessment is the first step in the Cabinet’s decision-making process for cloud adoption. Agency risk assessment processes can draw on DIA’s tools and guidance.
Why agencies lead the assessment
Cloud services introduce new ways of operating, and the risks they carry depend on the agency’s own information, processes and business context. For this reason, agencies are best placed to assess their own risks.
Risk assessments are driven by business context
A good understanding of the business context is essential to using cloud services effectively. The time and effort spent on a risk assessment should be proportional to the importance of the information and service involved. An early question is therefore whether the data involved raises any privacy or data sovereignty concerns.
If the initial assessment finds that the risks are negligible, a detailed risk assessment is rarely required. Where significant risks exist, a detailed risk assessment is usually necessary. By completing a risk assessment, an agency can understand and mitigate its risks and establish a residual risk position.
Evaluation of cloud risks
Adopting cloud computing requires determining the value of the information involved and the risk to it. Understanding the agency’s risk appetite is essential before accepting a cloud provider’s operating model and terms of service. The purpose of the cloud assessment tool is to add cloud-specific content to a standard risk assessment.
As you proceed through the cloud risk assessment, the following questions will be asked:
- Privacy and sovereignty: How is the data protected while stored in the cloud, and which laws apply in the country where it is stored? How does the cloud provider manage encryption and the associated keys?
- Separation: Do the cloud provider’s processes and infrastructure keep your data separate from the data of other customers?
- Continuity and exit: How does your cloud provider handle disaster recovery, business continuity, and incident management? If the provider’s data centers are geographically distant, will latency be an issue? Can your data be fully removed when the service is terminated, and do the provider’s SLAs cover your intended use?
You would want answers to all of these questions if you were operating the service yourself. A useful framing is to ask how a company entrusted with your information can demonstrate that it is keeping that information secure.
Information risks must be assessed, but assessment is only the beginning of effective management. Where resources are limited, organizations should focus on treating information risks: making decisions about them and implementing controls.
A cloud considerations questionnaire is normally completed by the service provider, who would normally spend the most time and effort on it.
When assessing the risk of a service, consider how much information you would be entrusting to it.
Cloud services carry both risks and benefits, so a risk assessment should be completed before a cloud service is adopted.
The risk of jurisdiction
Cloud service providers typically operate in several countries, and data may be stored, processed, or transmitted in any of them, bringing it within the reach of those countries’ laws. Many people use the terms ‘data sovereignty’ and ‘jurisdictional risk’ interchangeably.