IT Audits of Cloud and SaaS

Date Published: 1 May 2010


Moore’s Law has been operating for decades without signs of slowing down, which leads to new
technologies and, thus, new challenges for IT auditors. In recent months, cloud computing and
Software as a Service (SaaS) have led the “bleeding edge” of IT. Therefore, IT auditors need to
understand these technologies, establish an approach for identifying the key risks and develop
effectual audits of the technologies for those risks. However, the risk-based approach (RBA)
process for cloud computing is complicated by the fact that all of the technologies and controls are
housed outside the entity being audited.[1, 2, 3]
A key to IT audits of cloud computing and SaaS is to choose a framework for the components that
assists an effective risk assessment of those technologies. Once a proper risk assessment is
produced, the IT audit becomes a natural extension of auditing for the identified risks, especially
where controls have not adequately mitigated the risk. This RBA is the common approach for audits
of various types today.
Components of Cloud Computing
Much has been written about cloud computing, SaaS and data centers, but often those
technologies are melded as a composite service referred to as cloud computing. Actually, there is a
simple framework for thinking about cloud computing that should help IT auditors in performing a
risk assessment. The components are Infrastructure as a Service (IaaS) and Software as a Service
(SaaS)—almost identical to the way we think of the body of technologies internal to an entity.
Cloud Computing: IaaS
Services of IaaS components replace or supplement the internal infrastructure. The key decision
factors for management in deciding to move to IaaS (outsourcing part of its infrastructure) and
choosing the appropriate vendor are usually efficiency-related. For instance, it takes one full-time
employee (FTE) “blank amount of time” per year to manage about 70 servers. If the entity has a
server farm, it can outsource those costs to an effective data center and reduce costs significantly.
In addition, when the entity needs to upgrade its software or acquire a new software application,
infrastructure is probably an insignificant consideration regarding cost, assuming the chosen IaaS
provider is sufficiently sophisticated that the change requires little to no alteration of the entity's
own infrastructure.
There is also the accounting consideration. Usually, infrastructure costs are substantial and,
according to the Generally Accepted Accounting Principles (GAAP), are treated as a capital
expense (CAPEX). However, if the infrastructure is outsourced, the expense associated with the
IaaS infrastructure usually becomes an operating expense (OPEX). In the US, this leads to a tax
advantage regarding income taxes.
Thus, some of the key factors for management when choosing the IaaS provider are flexible
performance (including scalability) and availability while achieving physical and virtual security
needs.
There are various ways to break down IaaS, but here is one way:
• Connectivity
• Network services and management
• Compute services and management
• Data storage
• Security
Connectivity obviously refers to reliable access to the Internet and connectivity to associated
systems and technologies, for instance, data storage to application servers. Examples of risks
would be availability/downtime and speed of access.[4] The average entity experiences one day per
annum of downtime.
Network services and management includes not only providing network capabilities, but managing
the network, monitoring the network and providing for efficient access through aspects such as load
balancing. Examples of these risks are scalability for new technologies or expanding the level of
transactions, availability, secured transmissions, and the level of access (e.g., load balancing).
Compute services and management include appropriate resources such as cores, processors,
memory and managing the operating system (OS). Examples of the risks are availability (including
system failure) and scalability.
There has been significant growth in data centers over the last few years, and data centers are
becoming more sophisticated in the scope of services. Examples of the risks for data storage
include the obvious: security of data, recovery, availability and scalability. The security and recovery
issues are particularly important. Management should ensure that the data storage aspect of IaaS
can provide an appropriate level of physical and logical security and an appropriate recovery
methodology to ensure a timely recovery if the data center is involved in a disaster.
Security issues are more or less ubiquitous for IaaS and include physical security, especially data
storage, and logical security. They include security from unauthorized access by malicious intruders
and rogue employees of the IaaS provider. In fact, the latter is an increased risk to the user entity
that needs to be addressed via adequate controls by the service entity.
Risks are always determined within contextual circumstances to the entity—for example, the
industry, its own business processes, the current economy and other circumstances peculiar to the
entity at that time. Some of the other issues that may be risks are ownership, insurance, project
management and performance reporting.
Mitigating controls could be discoverable from a SAS 70 Type II audit report. If one exists for the
IaaS provider, the IT auditor should certainly read it to see what level of assurance can be gained
for the specific, identified risks. Controls the provider should be employing include best practices in
security, support (e.g., IT Infrastructure Library [ITIL] v3) and business recovery.
Cloud Computing: SaaS
Some of the key points in deciding to use SaaS, or a particular vendor, are the complexity of the
environment, the need to buy smaller pieces/modules, compatibility with existing systems and IT
(including programming platform), ease of purchase, ease of integration, project management,
scalable infrastructure, and billing/costs (metering).
There are various ways to break down SaaS, but here is one framework:
• Business process modeling
• Evaluation and analysis
• Process execution
Business process modeling involves the need to fit together workflow/business process structure,
applications and data, organizational structure, and the integration of existing systems. Evaluation
and analysis includes process cost accounting, balanced scorecards, service level agreements
(SLA), process warehouse and optimization. Process execution includes workflow control,
applications integration (enterprise application integration [EAI]), service orchestration
(service-oriented architecture [SOA]), populating databases/conversion and business activity monitoring.
Other issues include document and content management, collaboration, systems management and
administration, and various aspects of management of SaaS.
Examples of risks would be related to these areas. Some examples include an improper fit of the
business process to the application, inadequate connectivity between applications and data,
improper integration with existing systems, and inadequate monitoring of SaaS business processes
and events. Obviously, the SLA is a key audit objective. There is also a risk of cost control and
estimates; that is, it is possible that the move could end up costing the entity more rather than less.
One example of cost control is the metering/billing aspect of SaaS, which presents an area of
potential risk.
IT Assurance Framework
ISACA’s IT Assurance Framework™ (ITAF™) includes a section (3630.6) on outsourcing and
third-party activities (see figure 1). Cross-references are included—COBIT® PO4, PO7, PO8, PO9, AI2
and AI5, and ISACA IT Audit and Assurance Guidelines (formerly IS Audit Guidelines) G4, G18,
G32 and G37. These referenced documents provide useful technical assistance in conducting an IT
audit for cloud computing.
Obviously, the fact that a third party is involved means direct auditing of the service entity may
not be practical or even possible. ITAF also supplies a list of potential documents that could provide
service audit information that should be relevant (see figure 2).
Conclusion
Auditing cloud computing in one sense is like auditing any new IT—understand the IT, identify the
risks, evaluate mitigating controls and audit the risky objects. The understanding and risk
assessment can be enhanced with a good framework to think about the IT and risks and, thus,
assist the IT auditor in conducting an effectual risk assessment. The IaaS/SaaS framework
described here is intended to assist IT auditors in performing their duties associated with cloud
computing.
Cloud Risk—10 Principles and a Framework for Assessment

Date Published: 1 September 2012


The benefits of cloud computing (specifically Software as a Service [SaaS]) over in-house
development are clearly articulated and well known, and they include rapid deployment, ease of
customisation, reduced build and testing effort, and reduced project risk. Similarly well known are
Infrastructure as a Service (IaaS) benefits, which include reduction in cost, movement from capital
expenditure to operational expenditure and agility.[1] A consensus on the risk of cloud computing is,
however, more difficult to achieve because the industry is lacking a structured framework for risk
identification and assessment. In addition, businesses struggle with identifying and following a road
map for cloud implementation. Paradoxically, from a small to medium-sized enterprise perspective,
migrating to the cloud may in fact mitigate risk.[2] For example, the likelihood of server
misconfiguration or poor patch management leading to a successful attack is greatly reduced, as is
the risk of data loss due to less use of portable media.
Recent high-profile outages and security breaches serve to further confuse businesses as they
attempt to correlate their current internal control environment and proposed controls for the cloud
with the external incidents chronicled in the press. For example, in April/May 2011, cloud risk came
to widespread attention with the consecutive failures of Sony, VMware and Microsoft cloud-based
services.[3]
Literature Review
Over the last few years, a plethora of documents have been written containing risk exposure, ad
hoc guidance and control checklists to be consulted when considering cloud computing. Most of
these are deep on security concerns but narrow across the breadth of IT risk where a
comprehensive framework for assessment is needed.
Having said that, the International Organization for Standardization (in particular ISO/IEC JTC 1/SC
27) is embarking on the development of a series of standards that aims to formally address risk
management of cloud computing services. The risk profile for cloud migration itself is also in a state
of flux, as existing offerings are maturing and new offerings are emerging. Examples include new
cloud offerings such as Data as a Service (DaaS) and the emergence of cloud service brokers, who
provide intermediation, monitoring, transformation/portability, governance, provisioning and
integration services in addition to existing cloud services.
In 2009, the European Network and Information Security Agency (ENISA) produced a document
titled ‘Cloud Computing: Benefits, Risks and Recommendations for Information Security’. This
document collates 35 types of risk identified by 19 contributors, and identifies eight top security risks
based on ENISA’s view of indicative likelihood and impact.[4] In March 2010, the Cloud Security
Alliance (CSA) published ‘Top Threats to Cloud Computing V1.0’, which includes the top seven
threats as identified by its members.[5] More recently, in April 2011, the Open Web Application
Security Project (OWASP) released a ‘pre-alpha list’ of its top 10 cloud security risks derived from a
literature review of other publications and sources.[6] In May 2011, the National Institute of Standards
and Technology (NIST) released a draft titled ‘Cloud Computing Synopsis and Recommendations
(Special Publication 800-146)’, which provides a deep analysis of risk, but again no coherent
framework. Figure 1 gives a comparison of the top types of risk identified by the CSA, OWASP and
ENISA, showing the variation in both content and ranking.
In July 2011, ISACA released IT Control Objectives for Cloud Computing: Controls and Assurance
in the Cloud, which provides a comprehensive guide to cloud controls taken from COBIT, Val IT and
Risk IT. The ISACA publication[7] critiques a number of standards, certifications or frameworks,
including COBIT, ENISA, CSA, NIST, ISO 27001, the American Institute of Certified Public
Accountants (AICPA) Service Organisation Control (SOC) 1 Report, AICPA Trust Services
(SysTrust), CSA’s Cloud Security Matrix, FedRAMP, Health Information Trust Alliance (HITRUST),
BITS Shared Assessment Program and Jericho Forum® Self-assessment Scheme (SAS). In doing
so, the publication highlights both the need for a consistent and broadly accepted risk assessment
framework and the fact that its existence still remains elusive.
A Framework for Assessment
The ISO/IEC 9126 standard (Information technology—Software product evaluation—Quality
characteristics and guidelines for their use), when used in conjunction with a deep security
assessment, is valuable for putting more structure and coherence around assessing the suitability
of new vendors and new technologies, including cloud offerings. The objective of this international
standard is to provide a framework, comprising six quality characteristics, for the evaluation of
software quality. However, it also appears to be useful for SaaS, Platform as a Service (PaaS) and
IaaS cloud assessments.
The types of risk identified in the reviewed literature can map directly to ISO/IEC 9126 (as shown
in figure 2). In addition, the standard can be used to derive a superset of risk that is currently not
coherently articulated in the industry. The example shown in figure 2 is based on an assessment by
Force.com conducted by the author several years ago, and may not reflect the current offering from
Salesforce.com.
The security-related risk can be assessed in a similar structured approach by assessing against
selected ISO 2700x, COBIT and NIST 800-53 controls that are applicable to the exposures within
cloud computing. As an example, figure 3 shows a cross-reference of the security-related risk
(identified in the literature reviewed) to COBIT 4.1 DS5 Ensure systems security.
The Ten Principles of Cloud Computing Risk
The ten principles of cloud computing risk[8] help to give context to the frameworks for assessment
previously discussed, and they can be used as an overall road map for migration to cloud
computing. The road map is based on four guiding principles:
1. Vision—What is the business vision and who will own the initiative?
2. Visibility—What needs to be done and what are the risks?
3. Accountability—Who is accountable and to whom?
4. Sustainability—How will it be monitored and measured?
The ISACA Business Model for Information Security™ (BMIS™)[9] (figure 4) was used as an
overarching framework for risk and security.
Based on BMIS, these 10 principles of cloud computing risk provide a framework for cloud
computing migration, which is presented here through a case study.
This case study considers moving a risk management business function (e.g., a home loan
mortgage insurance calculation) to the cloud. The business function is part of the decision-making
process within the end-to-end home loan business process shown in figure 5. In this process, an
application is received and acknowledged, various calculations are performed, and a decision is
made regarding whether to lend money.
The business benefit of placing this function in the cloud is that it will allow branches, call centres,
brokers and other channels to use the same code base and avoid replicating the calculations in
multiple places. The use of the cloud will also reduce paper handling and host system access and
the associated security required. There is also a potential business driver for allowing customers
access to their own data if placed on the public cloud.
The first step in the framework is to formulate and communicate a vision for the cloud at an
enterprise and business-unit level. The first two principles relate to this vision:
1. Executives must have oversight over the cloud—The business as a whole needs to recognise
the value of the cloud-based technology and data. There must be constant vigilance and continuous
monitoring of risk to these information assets, including ensuring compliance with appropriate laws,
regulations, policies and frameworks. This is related to the governance dimension of BMIS. In the
case study, the head of the retail banking department obtains briefings from internal and/or external
business and technical experts to understand the technology and its alignment to the business
objectives. The individual then sets a ‘tone from the top’, mandating policies and structures to ensure
that this alignment is maintained within industry standards and regulatory constraints.
2. Management must own the risks in the cloud—The management of the relevant business unit
must own the risk associated with its use of cloud services, and must establish, direct, monitor and
evaluate commensurate risk management on an on-going basis. This is related to the organisation
dimension of BMIS. In the case study, the business decides to assign ownership of the complete
(business and IT) risk of the initiative to the retail bank operational risk manager, who works with the
departmental IT risk manager to plan actions covering both the business and technical risk involved.
Once the vision is articulated and the risk management organisation is in place, the next step in the
road map is to ensure visibility of what needs to be done and the risk of doing it. There are three
principles related to ensuring visibility:
3. All necessary staff must have knowledge of the cloud—All users of the cloud should have
knowledge of the cloud and its risk (commensurate with their role in the organisation), understand
their responsibilities and be accountable for their use of the cloud. This is related to the human factors
dimension of BMIS. In the case study, the home lending line-of-business owner and the IT manager
work together to ensure that the involved business and technology staff have the appropriate skills to
embark on the cloud initiative or that the needed expertise is obtained externally.
4. Management must know who is using the cloud—Appropriate security controls must be in place
for all uses of the cloud, including human resources practices (e.g., recruitment, transfers,
terminations). This is related to the people dimension of BMIS. In the case study, the home lending
line-of-business owner must ensure that the necessary background checks, segregation of duties,
least privilege and user access review controls are in place in the business, IT and cloud service
provider. This will require working with the IT manager and the possible engagement of external
assessment organisations.
5. Management must authorise what is put in the cloud—All cloud-based technology and data
must be formally classified for confidentiality, integrity and availability (CIA) and must be assessed
for risk in business terms, and best practice business and technical controls must be incorporated
and tested to mitigate the risk throughout the asset life cycle. This is related to the technology
dimension of BMIS, and it is where the ISO 9126-based framework for assessment is used in this
road map.
In the case study, the home loan mortgage insurance calculation process uses sensitive data such
as customer identity, date of birth and taxable income. The CIA rating of the business data is an
average of high, based on the assessment provided in figure 6.
A more complete CIA analysis might also consider detailed business requirements, data retention
requirements, and privacy and regulatory requirements.
Once this assessment is completed, the asset can be mapped to potential cloud deployment
models. Based on the profile of high concern in the case study, management decided that the
process should be considered for migration to a private cloud. In this type of deployment, the
calculation can be made accessible to the various stakeholders with their heterogeneous client
devices, but still provide an acceptable level of security over the data. A key consideration would be
the limited scalability or agility that a private cloud would offer compared to a public cloud. In this
case, the retail banking executive decides to deploy to a private cloud until customer access
becomes a compelling requirement.
As the next step, the risk associated with a cloud implementation must be assessed against the risk
associated with the incumbent in-house system, and also against the option of acquiring a new
internally operated system. The framework for assessment could be used for each of these options,
to assess risk areas such as deficient vendor or internal support, application complexity, and
application reliability. In the case study, an assessment of the existing loan mortgage insurance
application identified an aging application with overreliance on a single vendor and limited disaster
recovery.
The current risk assessment may have identified a value-at-risk (VaR) of US $20 million per year
and a need to spend approximately US $1 million–$2 million stabilising and securing the existing
system. The as-is risk profile for the current in-house system (using the risk associated with
deficient characteristics from the ISO 9126 framework) is shown in figure 7.
The risk profile for the business process after moving it to a private cloud (using the combined ISO
9126 and COBIT assessment framework) is shown in figure 8. A similar risk assessment (as well
as an assessment of relative business value) should be conducted on the other option—an
internally operated and hosted system.
Movement of the business function to a private cloud reduced the VaR to around US $2 million per
annum by removing the exposure to aging, poor-performing technology, and removing the user and
data security risk of having multiple copies of the system and data in circulation. At a more detailed
level, an organisation may have an overall scorecard covering the combined ISO 9126 and COBIT
frameworks; a detailed control assessment of applicable preventive, detective and impact controls;
and a risk assessment for each risk showing inherent (prior to control) and residual (after control)
impact and likelihood.
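As an added illustration that is not part of the article, the following Python models the kind of risk register that sits behind the inherent and residual VaR figures above: each risk maps to one of the six ISO/IEC 9126 quality characteristics (or to security, which the article assesses against COBIT DS5), carries an inherent impact and likelihood, and preventive or impact controls reduce one or the other to give the residual value. The characteristic names are the real standard's; the risk names, dollar figures and the multiplicative control model are constructed assumptions, chosen only so the totals land near the article's US $20 million and US $2 million.

```python
"""Quantified risk register for the cloud migration case study (added example).
Inherent VaR = impact x likelihood before controls; residual VaR after controls.
All monetary figures, likelihoods and control effects are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Six ISO/IEC 9126 quality characteristics plus a security category (the article
# maps security-related risk to COBIT DS5 rather than to ISO 9126).
CATEGORIES = ("functionality", "reliability", "usability", "efficiency",
              "maintainability", "portability", "security")


@dataclass(frozen=True)
class Control:
    name: str
    kind: str         # "preventive" cuts likelihood; "detective"/"impact" cuts impact
    reduction: float  # fraction removed: 0.0 = no effect, 1.0 = eliminated

    def __post_init__(self):
        if self.kind not in ("preventive", "detective", "impact"):
            raise ValueError(f"unknown control kind: {self.kind}")
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must be within [0, 1]")


@dataclass
class Risk:
    name: str
    category: str
    impact: float      # loss per occurrence, US$ (constructed)
    likelihood: float  # probability of occurrence per year (constructed)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be within [0, 1]")

    def inherent(self) -> float:
        """Annualised loss before any control is applied."""
        return self.impact * self.likelihood

    def _reduced(self, base: float, kinds: Tuple[str, ...]) -> float:
        # Controls of the matching kinds compound multiplicatively (assumption).
        for c in self.controls:
            if c.kind in kinds:
                base *= 1.0 - c.reduction
        return base

    def residual(self) -> float:
        """Annualised loss after preventive (likelihood) and impact controls."""
        return (self._reduced(self.impact, ("detective", "impact"))
                * self._reduced(self.likelihood, ("preventive",)))


def annual_var(register: List[Risk]) -> Tuple[float, float]:
    """(inherent VaR, residual VaR) summed over the whole register."""
    return (sum(r.inherent() for r in register),
            sum(r.residual() for r in register))


def profile(register: List[Risk]) -> Dict[str, float]:
    """Residual VaR per category: the per-characteristic view of figures 7 and 8."""
    out = {c: 0.0 for c in CATEGORIES}
    for r in register:
        out[r.category] += r.residual()
    return out


def var_reduction(as_is: List[Risk], to_be: List[Risk]) -> float:
    """Residual VaR removed by the migration (positive means risk was reduced)."""
    return annual_var(as_is)[1] - annual_var(to_be)[1]


# As-is in-house system: aging application, single-vendor reliance, limited DR,
# multiple copies of code and data in circulation, no effective controls.
AS_IS = [
    Risk("Sole vendor withdraws support for aging application", "maintainability", 50_000_000, 0.20),
    Risk("Prolonged outage with limited disaster recovery", "reliability", 20_000_000, 0.25),
    Risk("Inconsistent or exposed data across multiple copies", "security", 10_000_000, 0.50),
]

# Private-cloud option: one code base for all channels, provider-side controls.
PRIVATE_CLOUD = [
    Risk("Provider support dependency", "maintainability", 10_000_000, 0.05,
         [Control("Contractual SLA with exit plan", "preventive", 0.2)]),
    Risk("Private cloud outage", "reliability", 5_000_000, 0.20,
         [Control("Multi-site failover", "preventive", 0.5),
          Control("Escalation and incident process", "impact", 0.2)]),
    Risk("Unauthorised access to centralised data", "security", 20_000_000, 0.10,
         [Control("Least privilege and access review", "preventive", 0.5),
          Control("Encryption of data at rest", "impact", 0.5)]),
    Risk("Insufficient capacity at peak", "efficiency", 2_000_000, 0.50,
         [Control("Capacity monitoring and scaling plan", "preventive", 0.3)]),
]
```

Running `annual_var(AS_IS)` and `annual_var(PRIVATE_CLOUD)` gives residual totals of US $20 million and US $2 million respectively, and `profile` shows which characteristic carries the remaining exposure.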
The third step in the cloud computing road map is accountability. In the case study, the business
owner works with the operational risk manager to develop a matrix of roles and responsibilities,
shown in figure 9.
This accountability extends to process, architecture and culture through the next three principles:
6. Mature IT processes must be followed in the cloud—All cloud-based systems development
and technical infrastructure processes must align with policy, meet agreed business requirements,
be well documented and communicated to all stakeholders, and be appropriately resourced. This is
related to the process dimension of BMIS. In the case study, the retail bank operational risk manager
ensures that relevant policies are in place and communicated, and that a mapping of policy clauses
to the assessment framework is included. A gap analysis is then performed against IT development
and support processes and included in the risk and control profile.
7. Management must buy or build management and security in the cloud—Information risk and
security, as well as its monitoring and management, must be a consideration in all cloud investment
decisions. This is related to the architecture dimension of BMIS. In the case study, the departmental
IT risk manager is involved in all aspects of the initiative, including vendor evaluation and
management, technology review, security assessment and design, and the final investment decision.
8. Management must ensure cloud use is compliant—All providers and users of the cloud must
comply with regulatory, legal, contractual and policy obligations; uphold the values of integrity and
client commitment; and ensure that all use is appropriate and authorised. This is related to the culture
dimension of BMIS. In the case study, the retail banking operational risk manager works with the
compliance manager to ensure that all policies, regulations and employee codes of conduct are in
place; training is performed; and compliance is periodically reviewed. The operational risk manager
works with the IT risk manager and vendor manager to ensure that processes are in place to similarly
assess compliance within the cloud service provider.
The final phase in the cloud computing road map is sustainability, and there are two related
principles:
9. Management must monitor risk in the cloud—All cloud-based technology developed or acquired
must enable transparent and timely reporting of information risk and be supported by
well-documented and communicated monitoring and escalation processes. This is related to the enabling
and support dimension of BMIS. In the case study, the retail banking operational risk manager and
departmental IT risk manager work together to develop an ongoing cloud risk and security monitoring,
reporting and escalation process. Ideally, this process includes regular information and escalations
from the cloud service provider.
10. Best practices must be followed in the cloud—All cloud-based systems development and
technical infrastructure related processes must consider contemporary technology and controls to
address emerging information risk identified through internal and external monitoring. This is related
to the emergence dimension of BMIS. In the case study, the departmental IT risk manager and IT
resources involved in the cloud initiative undertake continuing education on cloud technology and
related risk through formal education, industry contacts and associations such as ISACA.
Conclusion
This article has reviewed some of the existing guidance to keep in mind when considering cloud
computing, suggested ISO 9126 as a valuable standard for a more structured and coherent
assessment of cloud offerings, and proposed ten principles of cloud computing risk loosely based
on BMIS, and a cloud assessment road map consisting of four guiding principles: vision, visibility,
accountability and sustainability.
The framework suggested is not a panacea, as variations occur in each of the different service
models (SaaS, PaaS or IaaS) and deployment models (public, community, private, or hybrid).
Variations also occur depending on whether the private/community clouds are onsite, outsourced or
virtual (virtual private clouds). A cloud-consuming business needs to be aware of risk variations
within each cloud model and remain accountable for risk and security regardless of the cloud model
or the contractual obligations of the cloud service provider.
The proposed framework could be tailored to map to these various cloud models, and it could be
expanded by mapping to detailed controls within ISO 27001, COBIT, NIST and other guidance and
regulatory requirements in various industries. Another area of development is an expansion of the
trade-offs between the various quality characteristics (in particular, functionality, reliability and
efficiency) and the ways that various cloud offerings address the issue of consistency vs. availability
vs. partitioning.
Cloud Computing Risk Assessment: A Case Study

Date Published: 1 July 2011


Cloud computing has come a long way from being a mere buzzword to a meaningful tool with a lot
of potential for consumers of technology products and services. The adoption of cloud computing
has accelerated in the last few years, and it continues to undergo phenomenal growth.[1]
Just as in the early days of the Internet, there are many unknown variables in cloud computing. Due
to its nebulous nature, it is important to understand the risks associated with utilizing cloud
computing. It is not just a new technology; it is a different way of doing business.
Case Study
Company A is a start-up that offers business software branded as BusinessExpress. Company A
offers BusinessExpress as a Software as a Service (SaaS) solution. The demand for SaaS
solutions is expected to grow rapidly. With SaaS, customers enjoy all the benefits of cloud solutions
such as not having to host their software in-house[2] (figure 1).
Company A’s core competency is performing software development, not providing hosting
solutions. Infrastructure as a Service (IaaS) cloud service providers (CSPs) specialize in providing
hosting solutions. Leveraging an IaaS CSP for hosting has allowed Company A to remain focused
on its core competency. There are several other benefits of utilizing an IaaS CSP, such as:[3]
• The ability to offer the software solution on a variety of hardware platforms such as
Windows, UNIX and Linux
• Rapid scalability
• Pay-as-you-go capabilities
• Resource availability
Due to the numerous benefits of IaaS, Company A leapt into a cloud computing arrangement. The
cloud’s economies of scale and flexibility are both a friend and a foe from a security point of
view.[4] The chief information officer (CIO) of the company engaged an information systems (IS)
auditor to conduct a review and assess the risks of offering a SaaS solution and adopting IaaS
cloud computing for this arrangement. The following paragraphs describe the steps followed by the
IS auditor to conduct the exercise. This exercise will help the CIO in determining what Company A
needs to protect, prioritizing the risks and determining a response.
To conduct a risk-based assessment of the cloud computing environment, there are generic risk
frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) Enterprise Risk Management—Integrated Framework. There are also IT domain-specific
risk frameworks, practices and process models such as ISO 27001 and IT Infrastructure Library
(ITIL). Bottom-up guidance specific to cloud computing also exists from various bodies such as the
Cloud Security Alliance (CSA), European Network and Information Security Agency (ENISA), and
the US National Institute of Standards and Technology (NIST). The Cloud Controls Matrix released
by CSA is designed to provide security principles to guide cloud vendors and assist prospective
cloud clients in assessing overall security risks of a CSP. The NIST guidelines on security and
privacy in public cloud computing (NIST Special Publication [SP] 800-144), which are currently in
draft form, contain the guidelines required to address public cloud security and privacy. The Risk IT:
Based on COBIT® framework from ISACA fills the gap between generic risk management
frameworks and domain-specific frameworks based on the premise that IT risk is not purely a
technical issue.
The IS auditor of Company A chose the Risk IT framework, supplemented with an understanding of
the Cloud Controls Matrix, ENISA’s cloud computing risk assessment and the NIST guidelines.
Risk IT provides a list of 36 generic high-level risk scenarios, which can be adapted for each
organization. Starting with the set of generic risk scenarios helps ensure that the IS auditor does not
overlook risks and attains a more comprehensive view of IT risk. Further, Risk IT offers an
extensive mapping between the generic risk scenarios and the COBIT control objectives that are
customizable for each situation. Figure 2 illustrates the mapping between the high-level risk
scenarios and the corresponding COBIT control objectives created by the IS auditor for the cloud
computing arrangement.
Leveraging Risk IT in conjunction with a widely accepted IT governance and controls framework
such as COBIT makes the risk identification robust and the risk assessment process effective and
efficient. This leads to a model that is extensible and reusable and that can scale up to IT risks
affecting the entire company.
Once the risks and COBIT control objectives were defined, they were used by the IS auditor to
develop a risk-based audit program. Figures 3–10[5] represent a selection of the audit program for
the higher-risk areas in figure 2. Figure 11 represents a summary of the specific risks and gaps
after conducting the audit.
Due to competing resources, the prioritization of risks related to cloud computing needs to occur,
and appropriate action should be taken based on the risk appetite of the company. Appropriate
action includes a combination of the following:
• Implement controls.
• Transfer risk(s).
• Avoid risk(s).
• Accept risk(s).
The audit highlighted that Company A needs to mitigate several risks. However, implementing too
many controls may not be the best risk-mitigation approach because the benefit from implementing
controls should outweigh the cost. Other risk-mitigation measures such as transferring, avoiding or
accepting the risk are worth considering as well.
Once the company aligns IT risk with the organization’s overall business risk and remediates
unacceptable security controls, the company is better prepared to harness the power of cloud
computing.
Conclusion
Businesses are realizing the power of cloud computing, and its use is increasing. This case study
represents a one-time attempt at risk assessment of the cloud computing arrangement. The risk
assessment helped uncover some of the key risks, prioritize those risks and formulate a plan of
action. Given the evolving nature of risks in cloud computing, no longer can one-time risk
assessments suffice. As newer risks emerge, risk assessments need to evolve and the mitigation
approach needs to innovate. A risk assessment needs to occur before an enterprise enters into a
cloud computing arrangement—to help avoid surprises and minimize the costs of implementing and
maintaining controls.
