Companies working to assess and mitigate the risks that result from cloud computing just got some much needed help.

The Committee of Sponsoring Organizations (COSO) published new guidance on the topic last month. The paper, “Enterprise Risk Management for Cloud Computing,” leverages the principles of COSO's “Enterprise Risk Management—Integrated Framework” document to help management and boards better understand the risks and opportunities presented by cloud computing.

“When you engage a third-party cloud service provider, you ultimately are inherently taking on some of their risk,” says Warren Chan, co-author of the paper and a principal at Crowe Horwath. What this publication provides is an “adaptation of the well-established COSO 2004 ERM framework” so that senior management can clearly understand the risks associated with their cloud decisions and the key questions they need to ask, he says.

The paper provides detailed descriptions of the top risks associated with cloud computing, including:

Legal and compliance risks: Cloud service providers can create legal liabilities for their clients if they neglect or fail to fulfill their responsibilities. Additionally, the physical location of data—sometimes obscured in cloud computing arrangements—can raise concerns about legal ownership, availability, and privacy if the data is moved across state or national borders.

Uncertainty about where data resides raises questions about what laws the company is subject to in running its business transactions in the cloud. The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and a web of complex state, federal, and country-specific data privacy and protection regulations can apply to data that physically resides in the relevant jurisdiction. The COSO paper recommends that companies review contract terms to ensure compliance with applicable data protection laws.

Cloud service provider viability: Many cloud service providers are new to the business. As a result, companies that enlist their services “might have to face operational disruptions or incur the time and expense of researching and adopting an alternative solution, such as converting back to in-house hosted solutions,” should the provider struggle, the paper states.

“The cost of switching providers is a hassle,” says Ron Woerner, a professor and director of Cybersecurity Studies at Bellevue University's College of Science and Technology. Companies should understand the risks of transferring their services and data from one provider to another, and how to most easily achieve that, he says.

Reliability and performance issues: “System failure is a risk event that can occur in any computing environment but poses unique challenges with cloud computing,” the paper states.

Just days after the publication of COSO's guidance, for example, Amazon's cloud computing service suffered widespread outages, disrupting hundreds of companies that depend on Amazon every day for data storage. The sudden outage, caused by a lightning storm in the Mid-Atlantic region, brought down numerous high-profile Websites, including Internet-streaming media company Netflix, photo-sharing program Instagram, and content-sharing service Pinterest.

“What needs to happen is that the compliance, risk, or security function needs to glean out from this document the key points, and create a one-page summary to make it more easily understood by the business leaders.”

—Ron Woerner, Professor, Director of Cybersecurity Studies, Bellevue University's College of Information Technology

Some of the questions companies should ask include: Does the cloud service provider have backups of each data center? Does it have power generators available? What is its history of service outages? “A lot of businesses haven't considered these sorts of questions when going to a cloud provider,” says Woerner.

How much risk the company is willing to take on in such situations will depend on the types of data being moved to the cloud and each company's management team. “You have to find alternatives based on your particular risk profile and the level of comfort your specific situation requires,” says Chan.

Management Considerations

Well before choosing a cloud service provider, the COSO paper stresses, deciding whether to move data to the cloud at all requires an in-depth evaluation by management. This includes an evaluation of both the internal environment—the state of business operations, IT costs, and the backlog of IT projects—and the external environment, including laws and regulations and competitors' use of cloud computing.

As management and boards contemplate the company's cloud computing position, some central questions to consider include:

What is management's overall view of outsourcing functions?

Does the organization anticipate rapid growth that might require using cloud solutions?

Is the organization in a mature market that might require using cloud computing to save costs to remain competitive?

What is the capability and maturity of the organization's current IT function?

Are the organization's operational functions and processes formalized enough to allow for a change in the underlying technology platform?

Who should be involved in the evaluation process, and who makes the decisions?

When deciding to engage with a cloud service provider, the negotiation process is important. The contracts of most cloud service providers are generally geared toward a mass market, says Chan. The preferred position for most cloud providers is to offer a one-size-fits-all standard solution that requires a minimum amount of tailoring for each customer. “The same formula is going to be used in their contracts,” he says.

ROLES AND RESPONSIBILITIES

The following excerpt from the COSO paper defines roles and responsibilities of management in respect to cloud computing:

Board of Directors:

Be aware of cloud computing trends and understand management's perspective on the impact of cloud to the industry and its business model

Be aware and have oversight of transformative IT projects such as cloud services

Understand how management is balancing risks with the benefits of cloud as part of its business and technology strategy

Leverage internal audit resources for assurance that cloud initiatives are in alignment with the organization's risk appetite and controls philosophy

Chief Executive Officers:

Define the organization's point of view and policies regarding outsourcing

Understand the impact cloud computing is having on the organization's industry

Be aware of where and how the organization is using cloud computing

Chief Financial Officers:

Provide new disclosures regarding cloud usage in financial reporting

Evaluate and monitor the total cost of ownership and return on investment with cloud computing

Evaluate tax and accounting benefits of cloud computing versus alternatives

Implement policies and controls over procurement of cloud services

Monitor the financial health of each third-party CSP

Chief Legal Officers:

Ensure that the organization's cloud activities comply with laws and regulations

Monitor for new laws and regulations that would impact the organization's cloud solution or its CSP and establish a plan for compliance

Review and approve cloud services procurement policies

Provide input on data classification policies and processes

Review CSP contracts and ensure protection of the organization's interests and rights

Understand the legal jurisdiction aspects of the organization's operations as they relate to using cloud services hosted in different countries

Chief Information Officers:

Understand and monitor cloud computing's potential to support current business strategies and new business opportunities

Establish overall strategy for leveraging and aligning cloud solutions

Facilitate the integration of cloud solutions into the organization and with the current IT infrastructure

Assist with incorporating cloud governance into the organization's ERM program

Implement a data classification scheme in conjunction with data owners

Establish cloud processes for resource provisioning, user access management, and change management

Establish the organization's cloud incident management program

Monitor and enforce CSP service-level agreements

Monitor activities of the CSP and fellow cloud tenant customers

Chief Audit Executive or Internal Auditor:

Perform periodic audits to evaluate the design and effectiveness of the blended control environment in which controls and processes are shared with the CSP

Audit the CSP or review SOC reports to verify the effectiveness of CSP controls relied upon by the organization

Perform periodic compliance audits of data residing on external clouds to verify compliance with data classification policies

Audit CSP spend and contractual compliance

Evaluate cloud governance

Source: COSO.

At minimum, management should demand a right-to-audit clause in each contract. Management should further require that the cloud service provider publish, biannually or annually, its Service Organization Control (SOC 2) reports: independent audit reports designed to assure users that a cloud service provider has an effective control system in place to mitigate operational and compliance risks.

“Unfortunately, there are a fair number of cloud service providers that do not publish SOC reports and do not grant right-to-audit clauses,” says Chan. The risk here is that if you engage a cloud service provider that doesn't allow you to audit them and doesn't publish SOC reports, “you're somewhat functioning in the dark regarding what controls are in place and how good those controls are,” he says.

Cloud customers should also be alert for pricing-change clauses in their contracts, Chan adds. When or how often can the provider institute a price hike—annually, biannually, or is it not stated at all?

ERM Measures

A contract cannot eliminate every risk, however, so engaging a cloud service provider may mean changing the company's business operations or accepting a different level or set of risks. “The framework put forth in COSO's ‘Enterprise Risk Management—Integrated Framework’ has established a common language and foundation that can be used to construct an effective cloud governance program tailored specifically for a given cloud solution,” the COSO paper states.

Performing a risk assessment when engaging the services of a cloud provider is not as simple and straightforward as performing one on your organization's own IT systems, says Jim Hietala, vice president of security for The Open Group. “It's important not to overlook that,” he says.

For companies that already have risk-management programs in place, cloud computing is one more risk to think about, says Chris Harding, who leads the Service-Oriented Architecture Work Group and the Cloud Computing Work Group at The Open Group, a forum of customers and suppliers of IT products and services. The challenge is how to plug that risk into existing procedures, says Harding.

Even if management has no interest in cloud computing, companies should still have controls in place to prevent and detect employees' unauthorized use of cloud services. “It comes down to policy and education of the workforce,” says Hietala. For example, the company may choose to limit employees' use of Dropbox or Google's IDrive, downloadable applications that allow unsecured sharing of documents across the Internet.

Before long, most companies may not be able to avoid the cloud. Cloud computing is projected to be a $140 billion industry by 2014, according to technology research firm Gartner. Almost every company will use some type of cloud service moving forward, says Woerner. “The idea is to determine what fits best in the cloud, and what doesn't fit,” he says.