The Information Systems Audit and Control Association (ISACA) released a white paper this month that reinforces its suggested practices to bolster cloud security, privacy, and compliance.
The report said that with the rise of hyperconnected businesses and environments that “often erase traditional boundaries between internal and external domains,” it is critical that organizations conduct continuous oversight to keep cloud environments secure.
Namely, ISACA suggests that the following pillars are key to maintaining a secure cloud environment:
- Continuous assurance for data and processes, including continuous monitoring, risk awareness, and compliance throughout the full data lifecycle;
- Continuous cloud assurance in a way that’s tailored to each type of service and associated type of cloud;
- Continuous supply chain management of oversight for cloud vendors and subcontractors to ensure they remain compliant with internal protocol and requirements;
- Continuous improvement (CI) to maintain relevant and effective cloud service security, privacy, and compliance, to provide risk and maturity level metrics, and to indicate where improvements are needed.
Building on those pillars, ISACA suggested the following actions to put the key practices into effect:
- Gain support of executive leaders to implement continuous monitoring activities for the organization’s cloud services;
- Implement continuous oversight, assurance, and compliance for each cloud service the organization adopts;
- Normalize legal requirements for privacy protections throughout all cloud services;
- Maintain continuous oversight of all cloud services throughout the entire supply chain to remain aware of information security, privacy, and compliance risk;
- Establish, implement, and enforce policies that govern continuous cloud use and monitoring;
- Train and remind personnel involved in continuous cloud oversight regularly and frequently;
- Understand the shared responsibility model with cloud service providers.
ISACA added that a dedicated program to carry out these actions is the preferred strategy for organizations seeking continuous oversight of their cloud environments.
Overall, the report states that taking these steps will help reinforce real-time information security, support proactive accountability for controls and risk management both internally and among third-party vendors, and ensure that proper controls are in place through ongoing information system and common control authorization.