Sharing the compliance burden: who’s responsible?
By its nature, cloud computing demands greater transparency and control than traditional, on-premises IT. An organisation moving to the cloud is effectively giving a cloud service provider (CSP) direct access to its systems and data, which multiplies the potential points of failure as systems become more complex and the stakeholders more varied. It is essential, therefore, to determine who is responsible for ensuring that governance standards for performance, security, confidentiality and integrity are met.
As more organisations move to cloud services, managers need to understand how the risks to their business will increase or change over time if they are to maintain watertight security. A good service provider will help you to do this; a bad (or badly managed) provider can become the weak link in the chain. This is why it is so important for businesses to build a strong, collaborative relationship with their CSP, so that the compliance burden is genuinely shared rather than assumed to have been handed over.
The division of labour between you and your provider heavily depends on the governance standard in question:
ISO 27001
To become ISO 27001 certified, an organisation must carry out an information security risk assessment at planned intervals (in practice at least annually) and whenever significant changes to the information system are proposed or occur. Working with a service provider that is itself ISO 27001 certified helps to reduce risk further, as the provider must also complete risk assessments to identify and treat threats to data security.
However, a certified CSP is not automatically accountable for the integrity of your data. Contracts should be in place detailing where responsibility lies between the parties. It remains the organisation's duty to define comprehensive SLAs within those contracts, stating how services will be delivered, how they will be measured and what penalties apply if they are not met.
PCI DSS
Unlike ISO 27001, PCI DSS is prescriptive: it specifies how networks and firewalls must be designed and configured to provide a minimum level of segregation between system components, rather than leaving the organisation to decide based on its own risk assessment.
The merchant remains responsible for end-to-end compliance and must therefore define responsibilities very clearly in any third-party contract, including the one with its CSP. A 'Roles & Responsibilities' table (often called a responsibility matrix) is typically used to assign an owner to each individual PCI DSS requirement, and records any requirements that need joint ownership. Check each provider-owned requirement against the provider's own PCI DSS attestation, since a requirement that appears in neither party's column is a compliance gap.
Business Impact Level: IL3
The Business Impact Level (IL) scheme is designed to identify and assess technical information risk for documents and assets at the various levels of the Government's security classification hierarchy. The levels range from IL0 (information that would have no impact if compromised) to IL6 (information whose compromise would have severe consequences).
IL3 applies to data whose compromise could disadvantage, damage or cause embarrassment to major UK companies, government bodies or diplomatic relations. It has recently come to prominence through the G-Cloud framework, which introduced pan-government accreditation and so increased the number of CSPs able to serve departments holding IL3 data. The accreditation process uses ISO 27001 as its baseline: a CSP that is ISO 27001 certified can be accredited by the same body to IL2, with IL3 requiring further assessment beyond that baseline.
Sarbanes-Oxley
Sarbanes-Oxley (SOX) is US legislation introduced primarily to reduce the opportunity for corporate accounting fraud. It aims to ensure that all accounting activity can be audited, so that if fraud does take place it will not go unnoticed.
As well as making sure its own internal systems are compliant, any organisation using a SaaS accounting system must ensure that the provider's applications and deployment models are also fully compliant in terms of record retention and accessibility.
In addition, contractual agreements with CSPs must require controls that prevent unauthorised access to the information, so that financial records cannot be changed or deleted without a trace.
If governance and compliance is something you want to learn more about you can read our white paper, Sharing the Governance Burden: Getting Compliant in the Cloud.