ISACA, a nonprofit association of 95,000 members focused on information assurance and security, has released a new 190-page book with guidance to help organizations assess readiness and controls for leveraging elements of cloud computing. The guide, “IT Control Objectives for Cloud Computing,” outlines questions organizations should ask, governance and assurance considerations to be managed, and the risks and drivers to consider.
ISACA's framework looks at discrete business processes affected by the cloud where governance becomes critical: managing increasing risk; ensuring continuity of critical business processes outside the captive data center; communicating enterprise objectives internally and to third parties; preserving continuity of IT knowledge; and addressing compliance issues.
The ISACA guidelines are meant to help organizations navigate the value proposition of the cloud, a proven variable-cost model that nonetheless operates in a climate that is still uncertain.
Robert Stroud is a member of ISACA's strategic advisor council, past international VP of ISACA, and a member of ISACA's framework committee, and separately serves as VP of strategy and innovation at CA.
"Our membership has been saying that, with cloud growing in acceptance and adoption, they wanted us to combine our frameworks and standards, of which there are a number, and have all the cloud-related material in one place," Stroud says.
Stroud is a longtime advocate for COBIT, the framework for governance and IT assurance in risk and security, and said the mission was to marry this guidance with ISACA's value management and risk management frameworks and with the business model for information security.
"The publication assists our members in making the right decisions in terms of what applications to take to the cloud, what solutions to leverage, whether they are public, private or hybrid," Stroud says. "It has guidance on the controls they need to put in place, how to effectively assure the environment and extend the governance framework they have today to be sure the cloud is delivering the value that's identified in the organization's business strategy."
“IT Control Objectives for Cloud Computing” contains two main sections. The first provides general guidance on which applications and parts of the business to move to the cloud, how to determine value, and how to make effective security and value decisions. The second part provides a comprehensive cloud computing audit and assurance program. Stroud says the guide will help audit teams put proper controls in place and lead users back to the governance practices already widely used by ISACA member organizations.
Other non-profit cloud associations, including the Cloud Security Alliance, are leading adoption of cloud computing with guidelines on security and compliance. Along with audit/assurance guidance, ISACA's book also outlines business case development, standards and good practices for cloud governance, and how to establish business goals for the cloud.
ISACA's guide to Sarbanes-Oxley has been downloaded more than 250,000 times. The new guide is free to members for download ($36 for print) and available to non-members in print for $60 or as an eBook for $50.