
Top Cloud Computing Risks – Have you planned your mitigation strategies?


Cloud Computing seems to be the flavor of the season for Chief Information Officers (CIOs). Several surveys have indicated that a majority of CIOs rank cloud computing as one of their top technology priorities in 2012.  The allure of “moving to the cloud” is obvious. Cloud computing combines the benefits of flexibility, scalability and cost effectiveness as organizations typically only pay for what they use and do not have to maintain costly technology infrastructure in house. 

However before your institution moves operations to the cloud, it is worthwhile to keep in mind and plan for the following potential risk considerations:


Return on Investment (ROI): Though cloud computing offers the benefits mentioned above, it is important that you have a clear understanding of the potential ROI. How do the current technology processing costs of your organization measure against the anticipated total "cost of ownership" of a cloud-based solution? Does the service provider have adequate scale, responsiveness and quality control measures to provide for a seamless transition of your current business processes to the provider's platform? This will determine to a large extent whether your organization will realize the promised benefits and ROI.


Data and Intellectual Property Loss: Before moving your IT infrastructure to a cloud service provider, your organization must perform the due diligence necessary to understand the provider's internal controls, hiring practices (background checks etc.) and access controls to protect your confidential data and intellectual property. Ask your provider for a copy of its Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report. This report will typically contain an assessment of the provider's internal controls, physical and logical access protections, intrusion prevention and detection, firewall configurations etc.


Non-compliance with Regulations: If your institution is subject to regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry (PCI) security standards, and the Gramm-Leach-Bliley Act (GLB Act), you will need to ensure that the service provider's systems and processes are able to support your efforts to maintain compliance. Even though a portion of your information processing will be performed outside your firm, your organization will remain responsible for maintaining compliance for all processes, including those that are performed outside your firm. If the provider or its hosted technology platform and applications reside in a different geography, it is critical that it maintains internal and technology controls equivalent to those required by the laws and regulations that your institution is subject to.


Systems and information availability: This is especially critical for organizations that provide electronic banking and other web-based services. Your provider should guarantee service levels that support the provision of 24x7x365 access for your bank's customers to perform transactions and access account information. A key safeguard here will be to obtain an ironclad Service Level Agreement (SLA) that guarantees real-time systems and data availability. Thorough due diligence to check the reputation and reliability of your service provider in this regard is a must.


Business continuity planning: Assess whether your provider has a sound and fully tested Business Continuity Plan to provide continuity of operations in the event of a disaster. The Business Continuity Plan should cover recovery of information, impact assessment, communication protocols and business resumption strategies. It is a good idea to conduct Disaster Recovery / Business Continuity simulations with your provider periodically to test whether the plan works as intended.

March 22, 2012 at 3:52 pm
