New report provides guidance from a cross-section of Canadian experts on governance, risk and compliance (GRC) in the cloud.
The Toronto Cloud Business Coalition – a group of more than 60 Canadian experts drawn from the IT management, cloud services provider, channel, academic, VC/corporate finance and consulting communities – has published a new document examining best practices in cloud marketing, cloud sales approaches and compensation, and cloud channel development.
Cloud Governance, Risk and Compliance (GRC) was co-created by a working group of six Canadian professionals, spanning multiple critical domains:
- Andrew Nunes, Partner in Business and Technology Law at Fasken Martineau DuMoulin
- Dave Collings, SMB IT leader (and author of Do IT Lean)
- Matt Ambrose, PwC Technology Advisory Leader. Private Company Services
- Stefano Tiranardi, National Manager, Enterprise Security, Technical Sales and Services at Symantec
- Roy Hart, CIO of Seneca College
- Jerrard Gaertner, Adjunct Professor of Computer Science at Ryerson University, Lead Instructor (Big Data) and Academic Adviser at the University of Toronto (School of Continuing Studies) and Executive Director, Digital Legacy Institute
Collectively, this group was able to approach GRC from many different directions, considering legal requirements, IT operations, management strategy, security issues and audit and compliance. As a result, the Cloud Governance, Risk and Compliance (GRC) best practices document delivers guidance that will help businesses who are adopting or expanding cloud operations to understand and plan for the issues that connect cloud with corporate governance imperatives.
As with all TCBC Best Practices documents, the Cloud GRC whitepaper is comprised of three primary sections: a discussion of the business context defining the topic, analysis of the business objectives that shape the requirement for new approaches in go-to-market activity, and best practices identified by the TCBC working group. The 15-page document closes with a “Final guidance” section containing responses to the question, “If you are contemplating moving a workload to the cloud, or trying to develop or enhance your approach to GRC for workloads already in the cloud, you should consider…”
Definitional/context issues
There are today no generally-recognized governance guidelines that a Canadian business can refer to as a means of identifying the process needed to establish effective governance and controls over new cloud-based workloads, or even over the migration of current workloads to the cloud. However, there are principles that apply more broadly to governance, risk and compliance that can be (and are) extended to the cloud. Chief amongst these is the need to align cloud governance with IT governance and controls, which in turn are (or ought to be) aligned with overall corporate governance strictures. Conceptually, this implies a bi-directional approach to cloud GRC: oversight and structure flows from corporate governance down to IT and data governance, extending to the issues involved in assessing and contracting with the cloud supplier, while the controls used to manage risk and compliance build upward to support corporate objectives.
Business objectives and best practices
The necessary connections between corporate and cloud GRC are echoed through the Business Objectives and Best Practices sections of the report. Under the business objectives header, the working group identified corporate requirements in governance, risk and compliance, and then drilled down into cloud-specific issues that must be addressed in order to ensure alignment between cloud systems and overarching corporate responsibilities. This analysis starts with the observation that cloud “introduces new governance issues;” and that while “these tend to fall into IT’s lap…they are not IT issues: they affect (and should be exposed to) HR, legal and senior management.” The whitepaper then states that many of the ‘risk’ issues associated with cloud are more properly seen as broader IT issues; however, there are important tactical considerations in dealing with these issues in the cloud. The discussion on compliance begins by noting that “there are two different compliance-related cloud issues: the need to include cloud processing and transmission as part of compliance exercises, and the impact of cloud use on compliance tasks.” The second aspect may be non-trivial: depending on compliance audit requirements and cloud configuration, cloud may “have a material impact on audit and compliance costs, which affect the overall value of a cloud solution.”
The best practices section of the document describes the key actions and benefits of a six-step process: identify cloud-specific risk issues, articulate the nature of the risks, assigning responsibility for specific issues, document remedies that apply in the event of a performance issue, review assumptions, actions and responsibilities with stakeholders, and align the understandings of risks, actions and responsibilities in the cloud governance process with overall corporate governance policies. The section describes how this approach can be applied to real-world cloud challenges: management of sensitive or regulated data or responding to a breach. The “final guidance” section expands on the best practices advice by identifying considerations that should be reviewed through the development of a cloud GRC framework.
About the whitepaper
The Cloud Go-to-Market whitepaper is available immediately to TCBC members through the site’s library. Non-members can purchase individual copies for $995, or can instead consider joining the coalition as individuals or as corporate members.
