
How to engage continuous oversight in the cloud

New and emerging technologies such as AI, edge computing and IoT devices are all linked in some way to cloud computing services. The rise of cloud computing has created new challenges for information assurance professionals. Third-party outsourced services, often reached through cloud connections, are increasingly relied upon, and the expanding use of employee-owned computing devices (BYOD) adds potentially significant new risks to organizations. These come on top of the longstanding information security threats and vulnerabilities that have existed for many years, and some for many decades.

The breach landscape is no prettier. According to the Breach Level Index, records lost or stolen since 2013 total almost 15 billion to date, the equivalent of 71 lost or stolen records per second.

Even once the initial goal of establishing information security and privacy controls and processes has been met, along with all applicable legal requirements for security and privacy compliance, information assurance professionals cannot simply stop and pat themselves on the back. There is a crucial next step that is often overlooked: the continuing need to maintain those levels on an ongoing basis.

Invisibility: the risk and compliance struggle

Organizations must identify all invisible risks stemming from poorly managed applications, weak network security, unpatched web components, and much more. Additionally, the invisible processes that define policies and procedures, set implementation steps, enable performance measurement and manage change must be brought to light. Finally, organizations must recognize the existence of an invisible budget that keeps the governance, risk management and compliance heart ticking.
Continuous oversight is a must

Continuous oversight activities provide visibility into real-time metrics and the current status of security and privacy levels at any point in time, which is what makes effective ongoing management possible. These oversight activities, applicable to organizations of all types and sizes, include continuous in-house assurance, continuous external cloud assurance, continuous improvement and continuous supply chain management.

Where to start?

How can those tasked with enterprise information security, privacy program management and associated risk management responsibilities be most effective at staying on top of new threats? How can they identify new vulnerabilities while ensuring that all legal requirements for data protection and privacy are addressed?

To start, organizations must define, identify and categorize systems, applications and data according to their confidentiality, integrity and availability (CIA) requirements. Next, they must research and identify the legal requirements for compliance; this is critical to ensure that continuous compliance encompasses all applicable laws, regulations, contracts and required privacy and security notices, to name a few. Finally, and most importantly, organizations must identify risks and plan to address them on an ongoing basis: performing risk assessments, assigning responsibility for mitigating each finding, and implementing continuous improvement.

How to implement?

A common oversight in many organizations is failing to formally assign responsibilities for continuous oversight of information security, privacy and compliance requirements and risks. To be effective, key responsibilities need to be identified and documented. For continuous oversight, management and improvement, these responsibilities fall […]
