more than Security

Cloud Law or Legal Cloud?
Governance principles

1. Context definition: which organisation/structure? Which roles and responsibilities?
2. Strategic alignment: how to fulfil the business needs?
3. Value creation: which projects? Which investments?
4. Risk mitigation: which threats? What protection?
5. Resource optimisation: which competencies? How much budget? Which infrastructure?
6. Communication & information: which information? How to communicate?
7. Monitoring & evaluation: which key performance indicators (KPI)? Which Balanced Scorecards (BSC)?
1. Cloud context definition
How to govern the cloud: which management and monitoring processes should be implemented, which roles and responsibilities?
Objective: ensure effective and sustainable management processes
- transparent business decisions
- clear lines of responsibility
Ensure compliance
- contractual agreements
- regulatory requirements (data privacy, SOX...)
- disclosure laws
- legal investigation
2. Strategic alignment
How to fulfil the business needs?
Objective: facilitate the achievement of the business objectives
- keep the business in focus through cloud solutions
- ensure applications satisfy the business requirements
3. Value creation
Ensure business contribution
Objective: create value through
- cost (pay per use)
- service immediacy
- service availability
- scalability (traffic peaks...)
- mobility (information everywhere)
4. Risk mitigation
Which threats? How to protect?
Objective: implement risk management within the cloud computing model; information security in alignment with regulatory and organisation standards
- confidentiality: prevent unauthorised access (encryption, customer control)
- integrity: malware protection, process segregation
- availability (continuous service): SLA, customer data safeguards
5. Resource optimisation
Are resources used efficiently and effectively?
Objective: efficient and effective delivery of services
- service level agreements (SLA), aligned with business requirements
- incident management: detection, identification, remediation and follow-up
- cost control: budget and actual cost follow-up
- asset management: ensure control of systems and data; proper migration
6. Communication & information
Which information? How to communicate?
Objective: ensure timely and adequate communication
- service information (availability, performance, maintenance...)
- solution documentation (user guides, training, releases...)
7. Monitoring & evaluation
Which key performance indicators (KPI)? How to audit?
Objective: ensure services comply with requirements and expectations
- follow-up of service indicators according to the SLA: performance metrics
- auditability: right to audit, service certifications (SAS 70)
Conclusion

1. Context definition: clear roles & responsibilities; regulatory and contractual compliance
2. Strategic alignment: strategic business focus; fulfil business requirements
3. Value creation: service oriented (flexibility)
4. Risk mitigation: risk management; information security management
5. Resource optimisation: service level agreement (SLA); cost control
6. Communication & information: timely communication; adequate documentation/training
7. Monitoring & evaluation: SLA performance management; audit agreements
Jean-Pierre Palante
Rue Edouard Dereume, 65
1330 Rixensart
Mobile: +32.478.32.26.99
Fax: +32.2.652.48.17
E-mail: jp.palante@qap.eu
Website: www.qap.eu

Patrick Soenen
Champ des Pétrales, 6
1332 Genval
Mobile: +32.477.75.78.61
Fax: +32.2.654.05.95
E-mail: p.soenen@qap.eu
Website: www.qap.eu