Outsourcing Security? Think Responsibly!

Posted May 18, 2011, 11:27 am by Matt Peterson

Good intentions don’t always produce the result we were originally seeking.  The same can be said of the ever-changing world of information technology and security.  The popular move right now is toward consolidation and hosting systems in the cloud.  While there are many great financial benefits associated with cloud offerings, it’s important to understand the bigger picture in terms of risk and business continuity.

It’s understood that risks change over time, and those changes could pose new threats and vulnerabilities to the applications and systems that are now hosted by a third party.  The agreements in place with your provider will often detail their terms, but often lack information on business continuity and on assessing risk within the hosted environment.  If you audit and assess your own internal environment, would you want to ensure the same level of protection for the systems and applications that you put in the cloud?  The answer is yes, but how?  Within the SLA (service level agreement) you can request audit results that are common within this industry, such as SAS 70 Level 2 or ISO 27001.  It may be necessary to conduct your own audit or hire a third party to complete one, if permissible via the SLA.

As the level of threats increases, there is a greater need for business impact analysis and disaster recovery.  You must consider the third-party providers that host your applications, data, or systems.  Appropriate measures must be implemented for an adequate business impact analysis, depending upon the sensitivity and criticality of the system or application.  The agreement with your cloud provider will detail roles and responsibilities, and it is part of your due diligence to ensure this agreement is consistent with the overall information security program implemented by your organization.

As the industry continues to evolve and change, it’s important to always understand the big picture of risk management.  This will ensure that all aspects of your business and business partners are covered by the information security program implemented and approved by management.  All levels of risk should be accounted for and accepted.  Read the fine print.  Ask questions.  Be secure.

External Link for More Information: http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx

Edited May 18, 2011 by Kim