Skip to main content

Governance

  1. 3.27Institutions considering the use of Cloud Computing should define a clear strategy and architectural roadmap which covers the target IT environment, the transition from the current environment to the target and the operating model, including any organisational change or additional skillsets that maybe necessary.
  2. 3.28Institutions should establish an approved and documented governance framework for effective decision-making and proper management and control of risks arising from the use of Cloud Computing and Outsourcing of Cloud Computing to Outsourcing Service Providers. The governance framework should:
    1. a.Define the roles and responsibilities for the operation and management of the Cloud Computing arrangement, security controls and risk management controls. Where an Outsourcing Service Provider is involved, the division of roles and responsibility between the Institution and the Outsourcing Service Provider should be clearly defined;
    2. b.Define the process to conduct a risk-based analysis to identify and classify the IT Assets involved in or deployed by the Cloud Computing arrangement based on criticality and confidentiality;
    3. c.Require the maintenance and updating of the log of IT Assets in the cloud environment including their ownership;
    4. d.Establish appropriate policies, procedures, and controls to govern the use of Cloud Computing covering risk management, due diligence on the Outsourcing Service Providers and access, confidentiality, integrity, and recoverability of IT Assets outsourced; and
    5. e.Set out the steps for management and review of the contract between the Institution and the Outsourcing Service Provider, where Cloud Computing services are outsourced.
  3. 3.29Senior Management of the Institution should be responsible for the assessment, understanding and monitoring of the Institution’s reliance on Outsourcing Service Providers for material Cloud Computing services.
  4. 3.30Institutions should maintain up-to-date and accurate documentation pertaining to the Cloud Computing arrangement for review, audit, supervision, and other purposes, including but not limited to:
    1. a.Rationale and an appropriate strategy for implementing the Cloud Computing arrangement;
    2. b.Materiality and risk assessment and conclusion;
    3. c.Outsourcing risk assessment, other initial security-related risk assessments and their conclusions (further guidance on assessments provided in subsection “Outsourcing”);
    4. d.Due diligence or suitability assessments conducted on the Outsourcing Service Provider and conclusions;
    5. e.Description of the Cloud Computing arrangement including but not limited to:
      1.  i.Name of Outsourcing Service Provider and any sub-contractors;
      2.  ii.Level of reliance on Outsourcing Service Providers;
      3. iii.Type of Cloud Computing service models (i.e. Software as a service - SaaS, Infrastructure as a service - IaaS etc.) and deployment models used (i.e. private, public etc.);
      4. iv.IT Assets in scope including their criticality and ownership;
      5.  v.Services/products selected;
      6. vi.Parties involved; and
      7. vii.Delivery locations.
    6. f.Contract and other legal documentation pertaining to the arrangement with the Outsourcing Service Provider (further guidance provided in subsection “Outsourcing”).