Seven Rules for Information Governance in the Cloud
A roadmap to information governance in the cloud.
During the media buzz over the official launch of Google Drive last week, we noted that governance and risk management types tend to get anxious over any cloud service simply because they can't ensure that the service provider is handling data and business processes to organizational risk tolerances.
Of course, that's just an inherent complication with Google Drive or Dropbox or SkyDrive or any countless number of consumer-targeted cloud services. Facebook is not going to part the veil and let you see its data schema so that you can craft a detailed plan on which messages you can allow to be sent on its platform.
However, with enterprise-class solutions, the role of governance and risk management flips to gathering a ton of information from prospective providers and making sure that, within reason, the provider handles your data and business processes as you would, were they in house.
An interesting piece at CSO.com lists 25 steps (governance is about nothing, if not detail, after all) that your organization should execute before signing on with a cloud provider. The author, a government IT strategist in Australia, says the guidelines basically reflect the same type of diligence you would enact with the decision to outsource a conventional business process. Makes sense on several levels, although a cloud service is inherently more about technical architecture than many common BPO categories.
We aren't going to run through all 25 points here; some are just common sense (make sure the lawyers have time to read the contract!) and if you want to see the entire checklist, be sure to check out the CSO article. Here are three key points that caught our attention, and bear a little further discussion.
Understand the architecture of the cloud service and the proposed solution to ensure the isolation of tenant applications is appropriate and in line with your policies and data security standards. This has always been the bad dream that keeps IT up when it comes to "the cloud" - virtual or not, your application instances and data are running on common resources. Most cloud providers will have a standard list of answers ready, but you and the CTO better be ready for a few rounds of discovery on this one. "Architecture" is something that IT types like to keep close to the vest.
Ensure and validate the cloud service provider's police check and employee vetting procedures. You should be doing this already, for any provider and your own staff. Getting a provider to share this information should not be too difficult, at least in aggregate. But it is essential.
Establish reporting against the organization's compliance requirements. This one may well fall under the common sense umbrella, as well, but don't be afraid to ask for specific reports that your organization has built into its compliance (or governance) programs. Cloud providers aren't going to create new application functionality for you, but if they want your long-term business, they can cut you some specific reports or dashboards. A side note - if you are looking at a cloud solution for a heavily regulated business process, the provider should already have most any compliance report you can imagine. If it doesn't, you may well be looking at a maturity issue.