22 | Enterprise Risk Management for Cloud Computing | Thought Leadership in ERM
Position: Chief Information Officer
Responsibilities:
• Understand and monitor cloud computing’s potential to support current business strategies and new business opportunities
• Establish overall strategy for leveraging and aligning cloud solutions
• Facilitate the integration of cloud solutions into the organization and with the current IT infrastructure
• Assist with incorporating cloud governance into the organization’s ERM program
• Implement a data classification scheme in conjunction with data owners
• Establish cloud processes for resource provisioning, user access management, and change management
• Establish the organization’s cloud incident management program
• Monitor and enforce CSP service-level agreements
• Monitor activities of the CSP and fellow cloud tenant customers

Position: Chief Audit Executive or Internal Auditor
Responsibilities:
• Perform periodic audits to evaluate the design and effectiveness of the blended control environment in which controls and processes are shared with the CSP
• Audit the CSP or review SOC reports to verify the effectiveness of CSP controls relied upon by the organization
• Perform periodic compliance audits of data residing on external clouds to verify compliance with data classification policies
• Audit CSP spend and contractual compliance
• Evaluate cloud governance
www.coso.org