Page 20 - COSO Guidance
12 | Enterprise Risk Management for Cloud Computing | Thought Leadership in ERM
Risk Profile Impact of CSPs and Fellow Cloud Tenants

An organization moving from a dedicated internal computing environment to a public or hybrid cloud computing solution is ultimately converting its own ERM component universe into a combination of that universe and the ERM component universe of its contracted CSP. Exhibit 5.3 depicts this concept.
Exhibit 5.3 Combined ERM Component Universe of an Organization with Its CSP
The organization’s data and processes are hosted in a shared environment with other cloud tenants. The behavior and events of the CSP and fellow tenants could have a direct impact on the organization. Since the risks to which a CSP is exposed can have an impact on its cloud customers, these risks must be incorporated into the risk profile of all the organizations using the CSP’s solutions. This blending of environments is likely to change the organization’s risk profile and therefore require new and different controls. This combining of risk profiles might also extend to fellow tenants that are sharing the same cloud infrastructure resources.

As part of its cloud risk assessment process, management may need to consider risk-related information about its fellow tenants – for example, their identities, the applications they deploy, and their likelihood of becoming targets of cyber-attacks.

Consequently, management’s ERM program should address the combined universe of its own organization’s ERM components along with the ERM components of the CSP. Management needs to identify the risks and events that could affect its own organization and those that could affect its CSP and fellow cloud tenants.
www.coso.org