Information Security Governance Papers
Paper Title | Information Security Governance: Government Considerations for the Cloud Computing Environment |
---|---|
The Abstract of The Paper |
Information Security Governance: Government Considerations for the Cloud Computing Environment
Introduction
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [1]
Moving information assets to a cloud computing environment (CCE) offers the cloud user the potential for reduced costs, on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service. CCEs are offered in a variety of deployment and service models, as this paper describes, each with its own characteristics for cost/benefit, efficiency, flexibility, risk, and cloud consumer control. Although the potential cost savings and flexibility advantages of operating in the cloud are compelling, cloud users need to understand the security risks, compliance complications, and potential legal issues inherent in the CCE. Federal agencies desiring to take advantage of cloud computing benefits will need to invest in proactive and strategic management of the new environment. To do so, they must implement or modify information security management systems and governance programs to mitigate security risks and comply with their legal, regulatory, and contractual security requirements.
As with the adoption of other new technologies and service offerings, transition to the CCE will likely be evolutionary, not revolutionary. Many organizations, particularly federal agencies, will migrate some capabilities to the cloud while maintaining existing computing environments for other capabilities, thus operating in a hybrid mode for the foreseeable future. [2] The goal of this paper is to present an information security governance framework and key considerations relevant to that framework to help inform agency leaders, information security professionals, and information security governance participants on how to take advantage of the benefits of the CCE without exposing their mission to excessive information security risk or potential legal and regulatory compliance failures.
Information security governance is the mechanism through which organizations can ensure effective management of information security. Booz Allen Hamilton developed the information security management and governance framework presented in this paper. We have also customized it for—and implemented it in—several government and commercial client environments. The focus of this paper is the adaptation of our information security governance model for federal government entities planning to
Outcomes of Effective Information Security Governance in a CCE:
• Strategic Alignment—Information security practices aligned with the agency’s enterprise strategy and agreed-upon risk profile
• Value Delivery—A standard set of information to effectively manage and monitor cloud provider security controls
• Risk Management—An understanding of accepted risk exposure
• Performance Measurement—A measurement process with feedback on progress made
[1] Please see http://csrc.nist.gov/groups/SNS/cloud-computing/index.html.
[2] Cloud Computing User Transition Framework (C3F), Booz Allen Hamilton, 2009. |
Web Link | http://www.slideshare.net/BoozAllen/information-security-governance-government-considerations-for-the-cloud-computing-environment |