Page 23 - COSO Guidance
Thought Leadership in ERM | Enterprise Risk Management for Cloud Computing | 15
Management needs to have a precise understanding of the controls it is relinquishing to its CSP, as this understanding will determine the specific monitoring controls that management should implement. In the case of a publicly held company, added precautions should be applied if management is relinquishing those controls that affect management’s financial statement assertions. Migrating to cloud computing does not mean management can be worry-free.

Maintaining the control environment of the organization’s cloud solution might be a joint responsibility of management and the CSP it engages. Third-party audit reports of a CSP (such as SOC reports) include a complementary user entity controls component that defines the responsibilities of the customers of the CSP’s services, thus explicitly excluding these duties from the CSP’s control responsibilities. Consequently, management must be sure to incorporate the complementary user entity controls into the organization’s control environment. In some situations, there is added complexity in those cases where the contracted CSP has subcontracted (i.e., carve-outs) some of its responsibilities to another provider. If this is the case, SOC reports from all applicable CSPs should be obtained in order to have a complete understanding of outsourced controls. Optimally, to prevent this type of complex situation from materializing, the CSP contract should preclude any form of subcontracting.

An organization using hybrid or public cloud computing solutions should validate the control activities of its CSP to ensure that they align with management’s risk appetite. The organization should also periodically verify the effectiveness of the controls maintained by the CSP. Depending on the selected cloud service delivery model, control responsibility between the organization and its CSP might be shared in the areas of implementation, technology operations, and user access administration.

Risks – Reliability, performance, high-value cyber-attack target

Response – Incident management

An organization needs to evaluate its CSP’s capability to provide adequate incident response in addition to its own incident response procedures for system disruption and data theft scenarios.

A CSP’s system failure or security breach is likely to affect multiple customers. When these types of events occur, the CSP’s initial focus will be to resolve the issue for its cloud environment; that is, the CSP is unlikely to focus on addressing the issues of each tenant individually. As a result, management’s incident response plan should not rely solely on its CSP unless management is willing to accept the worst-case scenario for CSP support if an adverse incident were to occur.

The following examples elaborate on the inherent risks and related mitigation controls for situations related to cloud solution system failure (i.e., reliability) and cyber-attacks:

System Failure – System failure is a risk event that can occur in any computing environment. In the event of a catastrophic system failure and multiple tenants simultaneously requiring support, lower-priority organizations might not receive the required service level response from the CSP.

Controls that can mitigate the risk of system failure

• Engage other CSPs that have the same solution as your primary CSP and maintain copies of your organization’s data so it can easily be deployed to the backup CSP;

• Implement processes to monitor system availability;

• Implement automated tools that provide resources on demand for the cloud solution from another service provider; and

• Review service-level agreements to ensure that the CSP will provide adequate response in the event of system failures.

Cyber-attacks – Every organization has an inherent risk of cyber-attacks on its systems. The consolidation of multiple large organizations on a CSP’s infrastructure presents to hackers a larger and possibly a more well-known target. Consider a situation in which a small and obscure company is sharing the cloud infrastructure of a high-profile organization or CSP; the small company’s likelihood of being a target of a cyber-attack escalates to the same level as that of the well-known organization or high-profile CSP.
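The system-failure mitigation controls above (monitor availability, keep a backup CSP ready, and provision from another provider on demand) combine into a single control loop. The following is an added illustration, not code from the COSO guidance: a small availability monitor that probes a primary and a backup provider, fails over once the active provider misses a threshold of consecutive probes, fails back only after the primary has been healthy for a sustained run, and raises an alert when no provider is healthy so the organization's own incident response plan takes over. The provider names, thresholds, and probe results are constructed for the example; a real deployment would replace the scripted probe with a synthetic transaction against each CSP's endpoint.

```python
"""Availability monitor with failover to a backup CSP (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Iterator, List, Optional, Tuple


@dataclass
class Provider:
    """One CSP endpoint and its rolling probe state."""
    name: str
    probe: Callable[[], bool]   # True when a synthetic request to the CSP succeeded
    failures: int = 0           # consecutive failed probes
    successes: int = 0          # consecutive successful probes

    def check(self) -> bool:
        ok = self.probe()
        if ok:
            self.failures, self.successes = 0, self.successes + 1
        else:
            self.failures, self.successes = self.failures + 1, 0
        return ok


@dataclass
class AvailabilityMonitor:
    """Tracks a primary CSP and ordered backups; fails over and fails back on thresholds."""
    primary: Provider
    backups: List[Provider]
    failure_threshold: int = 3    # consecutive misses before the active provider is declared down
    recovery_threshold: int = 5   # consecutive passes the primary needs before failback
    events: List[str] = field(default_factory=list)
    active: Optional[Provider] = None

    def __post_init__(self) -> None:
        self.active = self.primary

    def all_providers(self) -> List[Provider]:
        return [self.primary, *self.backups]

    def tick(self) -> str:
        """Run one probe round; return the name of the provider serving traffic afterwards."""
        for p in self.all_providers():
            p.check()
        if self.active.failures >= self.failure_threshold:
            # Prefer the primary if it is healthy, otherwise the first healthy backup in order.
            healthy = next((p for p in self.all_providers() if p.failures == 0), None)
            if healthy is None:
                # No CSP can serve; the organization's own incident response plan must take over.
                self.events.append("ALERT: no provider is healthy; escalate per incident response plan")
            else:
                self.events.append(f"FAILOVER: {self.active.name} -> {healthy.name}")
                self.active = healthy
        elif self.active is not self.primary and self.primary.successes >= self.recovery_threshold:
            # Only return to the primary after a sustained run of healthy probes, not on one pass.
            self.events.append(f"FAILBACK: {self.active.name} -> {self.primary.name}")
            self.active = self.primary
        return self.active.name


def scripted_probe(outcomes: List[bool]) -> Callable[[], bool]:
    """Constructed probe that replays a fixed result sequence (stand-in for a real HTTP check)."""
    it: Iterator[bool] = iter(outcomes)
    return lambda: next(it, True)   # once the script is exhausted the provider stays healthy


def run_scenario() -> Tuple[List[str], List[str]]:
    """Constructed outage: the primary fails for four rounds and then recovers; the backup stays up."""
    primary = Provider("primary-csp", scripted_probe(
        [True, True, False, False, False, False, True, True, True, True, True]))
    backup = Provider("backup-csp", scripted_probe([True] * 11))
    monitor = AvailabilityMonitor(primary, [backup])
    served = [monitor.tick() for _ in range(11)]
    return monitor.events, served


if __name__ == "__main__":
    events, served = run_scenario()
    for e in events:
        print(e)
    print("served by:", " ".join(served))
```

In the scripted scenario the monitor serves from the primary for four rounds, fails over at the third consecutive miss, stays on the backup while the primary recovers, and fails back only once the primary has passed five probes in a row. The event log is the artefact to feed into the organization's availability monitoring and incident management records.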
www.coso.org