Storm Clouds
Kenneth R. Ledger
Director, Risk Management
Ken’s Top 5 Storm Clouds
1. Not knowing what you want
2. Misunderstanding standards
3. Not having a plan B
4. Trusting but not verifying
5. Governance and disclosure
1. Not Knowing What You Want
• Different needs have different challenges (SaaS, IaaS, mobility, cost)
• Understand the nature of the data you are putting in the cloud
• Long-term intent
• Security, disaster recovery, scheduled outages, QoS
• Are you okay if the provider accesses data? If so, why/how/when?
2. Misunderstanding standards
• Many providers will quote standards; know what they mean.
• Standards provide assurances of external audit
• SSAE 16 Type II - attestation
• CICA 9110 - audit standards
• ISO 27001 - security
3. Not having a plan B
• Can you recover your data if a supplier fails?
• Can you recover the apps to use the data?
• Services can start small and grow to become a key control
• Is there an alternate supplier?
4. Trusting but not verifying
• Have a plan to audit
• SSAE 16 provides independent assurance, but to specified control objectives
• Ensure control objectives align with internal control needs
• Consider potential for fraud
5. Governance & Disclosure
• Cloud solutions may become a material part of your business
• Material changes must be disclosed (NI 51-102)
• Potential to cause a material weakness in controls
• Know what to disclose and when
Defining leadership in global energy services through people, innovation, and technology — The path for others to follow.