
Compliance in the Cloud


Vasyl Nair, Chief Risk Officer, Mine Super
You’ve secured funding and support to launch your new cloud-based strategy with a business case, vendor short list and project plan all finalised. Well, how about understanding your compliance obligations?
Whilst moving to the cloud has become an increasingly popular business strategy, securing compliance in the cloud can be significantly more difficult. The task of Googling a “cloud compliance checklist” is likely to surface more questions than answers. You’ll likely spend more time filtering through sales material than finding any practical guidance on the topic.
Seek technical help
Fortunately, you’re not alone and the places to ask for help aren’t always obvious. Whilst larger organisations typically have in-house risk and legal teams, it may not be as easy for Chief Information Officers who don’t have access to dedicated internal resources. As a result, you may need to carefully consider the cost-benefit of hiring or appointing external technology risk professionals or compliance specialists with prior cloud experience to help you achieve your objectives.
You may also want to consider audit firms that offer consulting services or specialised businesses such as managed security service providers. Whether you hire or outsource this capability, the key to delivering quality outcomes is ensuring you have the right mix of capabilities to understand your compliance obligations and deliver your project.
Louis Leung, Executive General Manager Group Risk and Compliance, Mine Super
Determine what’s important
Once you have capabilities sourced, you’ll need to identify what your compliance obligations are. This is where investing time upfront will help you mitigate the emergence of last-minute surprises that can derail a project. You might consider:
1. Internal policy obligations – surprisingly, internal policies are a great place to start. This is where the rest of your management team have already summarised key obligations across your business. You’ll find vital clues on where to go for more information on a wide range of topics such as privacy, vendor due diligence and technology security.
2. Legislative obligations – consider the legal jurisdictions your business (and short list of cloud providers) operate in and whether any offshore obligations apply. At minimum you should be considering privacy and data retention laws in addition to any other legal domains that are relevant to your business and what’s being moved into the cloud.
3. Regulatory guidance – are there any regulators that oversee your business and do they have a documented posture in relation to cloud-based arrangements? In Australia, licensed financial services entities must meet specific requirements set out by the local regulator for outsourcing arrangements that involve the cloud.
4. Contractual obligations – depending on what is being moved into the cloud, you might also want to review existing contracts in place with suppliers and customers. This includes reviewing your cloud service provider to understand how your risks are being managed. For example, who will be liable when your cloud provider experiences a problem that impacts your service and causes a downstream contractual breach?
5. Industry standards – pay attention to any certifications or assurance your business provides to suppliers and customers. Industry standards or audit requirements (such as IT General Controls) may result in additional work required to maintain compliance.
Getting it done
Don’t be too surprised if you end up with a laundry list of compliance-driven work that seems larger than the work set down in your original implementation plan. Your compliance checklist can serve as your obligations register. You can quickly identify recurring themes and group these into key risks that affect your business. For example, you’ll likely identify availability, security, vendor, data migration and strategy as key risk themes linked to work areas.
Once you have your compliance obligations grouped by risks, you should start considering what controls are required to manage these risks (which may include the risk of breaching compliance obligations) and how these are integrated into your overall implementation plan.
At this stage you should also consider the need to document any contingency plans required to address how you will handle potential breaches. For example, if you had a major data breach will your team be able to quickly map the critical path to resolution? The same logic should be applied to managing IT security incidents and general business continuity.
Ensuring you document this end-to-end process is vital as this will help you later when you need to provide evidence to your auditors on how you’ve identified your compliance obligations, your compliance risks and how these are being effectively managed as you transition to the cloud.
