* First, the IT team learned to listen carefully to, and work closely with, the Legal team in FAO. Jokes about lawyers abound and it is easy for IT to perceive the Legal team as yet another bureaucratic obstacle to be bulldozed out of the way. But we recognized that Legal has genuine concerns that need to be understood and addressed.
The Legal view is indeed risk-averse – after all, one of the primary roles of the lawyers is to ensure “bad things” don’t happen to the organization and, if they do, to minimize their impact. If you view it as a soccer team, IT can be seen as a striker trying to get goals while Legal is the goalkeeper making sure nobody scores against you. Good teams need a good striker and a good goalkeeper.
* Second, we needed to provide some certainty that, from an IT perspective, cloud-based systems were at least as secure as internal ones. What was interesting was the belief among business users that internally hosted systems are, by virtue of being internal, secure systems.
In reality, an IT team such as ours has little chance of competing with the highly industrialized IT and security processes of the big cloud players. The bottom line is that our systems, from a purely technical perspective, would be more secure in the cloud than hosted internally. Whether they are more secure overall remains a more philosophical question, since some argue that the large cloud providers are also more attractive targets, and therefore more likely to be attacked, than an individual organization.
* Third, the IT and Legal teams jointly put in place a documented process with well-defined responsibilities for approving cloud services. This consists of what we call an Information Security Risk Assessment, which is fundamentally a document template containing three sections.
- The first part, compiled by the business unit wanting to use a cloud solution, documents the services affected and the FAO data that would be held or processed by those services.
- The second part, compiled by the IT Division, contains an assessment of the information security risks associated with the provider and their services.
- The third part, compiled by the Legal team, contains an assessment of the risks of exposure and the impact of such exposure, together with an evaluation of the relevant laws in the country where the data would be stored or processed and the extent to which FAO's privileges and immunities are likely to be upheld there. As well as identifying risks, the expected mitigating actions are also documented, and the assessment is signed off by all three business units. In cases where highly sensitive data could potentially be held, the recommendations are transmitted to the senior management of the organization.