Article
Cloud risk and compliance
Understand the landscape and meet requirements.
Chapter summary
IT system failings, power cuts, insider fraud, cyber attacks from criminal gangs and hostile states… the list of risks facing companies is a long one. Failure to comply with legal and regulatory requirements is another major risk, the consequences of which, in terms of fines and other penalties imposed by the authorities, can be far worse than the harm caused by other operational risk loss events.
Understand the operational and compliance risks of outsourcing
Moving services to the cloud
Cyber security
Cyber risk deserves special attention. Security must be tight. The risk of intruders gaining access to IT systems on the internet, and even to closed systems, has forced organisations to improve security. Yet attacks keep coming and corporate defences are breached with depressing regularity. Companies need to be aware of the overall cyber threats facing them, the specific threats that could materialise when they move to the cloud, and the additional security measures that should be taken. They also need to assess the cloud provider’s cyber security procedures to make sure they meet the customer’s needs.
Legal and regulatory compliance
Complying with national laws and regulations on data is a problem that must be addressed. Who owns the data? In which countries should the data be stored? Who is permitted to access the data stored in another country? Data hosted on cloud services and other internet platforms is subject to the laws and regulations of the country where the data is stored. The European Union also has rules that apply to data held outside its territory. The General Data Protection Regulation (GDPR), which came into effect in May 2018, is designed to improve data protection for EU citizens whose data is collected, stored and processed by organisations; but the regulation’s scope extends to companies using servers outside the EU, if those servers hold data on EU citizens. The full implications of GDPR must be understood.
Key recommendations
- A risk management framework within the organisation should be created for the cloud. It is essential to understand the operational and compliance risks of outsourcing.
- Plotting a route through all the risks and regulatory complexities will ensure the company gets the benefits it set out to get from the cloud.
- Proper due diligence should be standard for any outsourcing initiative to understand the key risks and embed controls into the contract. Supplier risk has to be factored into the equation.
- The risk of intruders gaining access to IT systems has forced organisations to improve security. Cyber risk deserves special attention. Security must be tight.
- Complying with national laws and regulations on data is a thorny problem that must be addressed and the full implications of GDPR must be understood and adhered to.