Discussion & Paper - Cloud Computing and Operational Excellence


School of Computer & Information Sciences

ITS-532 Cloud Computing

Chapter 15 – Governing the Cloud

Learning Objectives

• Define and describe corporate governance.
• Define business strategy and provide examples of strategic goals.
• Discuss how companies use the Capability Maturity Model (CMM) to measure their current capabilities.
• Define and describe internal controls.
• Define and describe IT governance.
• Discuss the various types of governance a company must perform.
• Discuss the role of Sarbanes-Oxley in corporate IT governance.
• Discuss factors to consider when developing governance procedures for the cloud.

Risks and Challenges with Cloud Computing

• Increased Security Vulnerabilities
 – Shared responsibility with the cloud provider
 – Expansion of trust boundaries
 – Vendor access to the organization’s data

• Reduced Operational Governance Control
 – Governance control is usually less than for on-premise IT resources

• Limited Portability Between Cloud Providers
 – Lack of standards and customized integration

• Multi-Regional Compliance and Legal Issues
 – The location of data and applications must be known to ensure compliance

The Need for True Financials

• Following the dot-com crash and corporate scandals such as Enron, Tyco, and WorldCom, pressure emerged from the government, shareholders, and numerous other stakeholders for companies to increase their financial oversight, reduce the opportunity for fraud, and restore confidence in corporate financial reporting.

Why IT is Involved

• Because most of the data that drive corporate financial reports originate within data centers, the new era of governance has brought greater visibility and a greater need for controls to IT departments.

Corporate Governance

• Corporate governance combines the processes, policies, laws, and controls that affect how a company operates.

• Governance guides the company’s decision making and administrative processes.

• Corporate governance is complex and involves people, processes, systems, and more.

Corporate-Governance Process

• Components of the corporate-governance process.

Real World: Organization for Economic Cooperation and Development (OECD)

• In 1999, the Organization for Economic Cooperation and Development (OECD) published the Principles for Corporate Development. It has been revised to address corporate-governance issues.

Understanding Business Strategy

• A strategy is a plan of action designed to achieve one or more particular goals.

• A business strategy comprises the plans a company executes to achieve business goals.

Components of a Business Strategy

• Maximizing shareholder value
• Reducing or managing costs to maximize profits
• Providing a high-quality work environment to attract and retain employees
• Maintaining a high degree of customer satisfaction
• Supporting environmentally friendly operations
• Developing a sustainable, competitive advantage
• Providing accurate reporting of company operations

Real World: Capability Maturity Model (CMM)

• The Capability Maturity Model (CMM) was developed at Carnegie Mellon University to help businesses measure and improve their current capabilities.

• Over time, as a business matures and its skills improve, a company’s CMM scores should increase.

• As scores increase, so too should the predictability and reliability of the business.

Levels of CMM

Inspect What You Expect

• Once a company defines its business goals and metrics, it must inspect the underlying factors that drive business results.

• In other words, rather than take its financials at face value, the company should examine the sources from which the values are derived to ensure that each is accurate and free from fraud.

• This inspection process is known as auditing.

Auditing

• Companies must audit the source of the values they measure and report, using internal or external auditors.

Internal Controls

• Internal controls allow a company auditor to inspect data values at key stages.

Real World: COSO of the Treadway Commission

• A key aspect of corporate governance is internal controls. An internal control is a process that provides assurance that the objectives of a company’s operational goals and legal compliance requirements are being met, as well as confidence in the accuracy of the reporting of operations.

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has defined a model that companies can use to evaluate their internal controls.

The Components of the (expanded) COSO Model

Control Objectives for Information and Related Technology

• Control Objectives for Information and Related Technology (COBIT) is an IT governance framework defined by the Information Systems Audit Control Association (ISACA).

• COBIT defines dozens of processes an IT manager and staff can use to plan, acquire, implement, deliver, support, monitor, and evaluate IT solutions.

IT Governance

• IT governance is one of many key types of governance a company must consider.

Real World: Sarbanes-Oxley

• In 2002, in the aftermath of the dot-com crash and corporate scandals that included Enron, Tyco, and WorldCom, Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio co-sponsored a bill.

• Once passed, the law became known as Sarbanes-Oxley.

• The law’s goal was to improve confidence in the truthfulness of company reporting by requiring greater transparency and controls over the data that companies report.

Real World: IT Governance Institute

• The IT Governance Institute (ITGI) was formed in 1998 to assist businesses in aligning IT solutions with business strategies.

• The institute conducts research on the global practices and perceptions of IT governance. The institute makes many of its best practices, case studies, and research papers available for sale or download from its website.

SLA Governance Considerations

• Who within the company can access the service?
• Who within the cloud provider can access the service?
• What can those who can access the service do?
• Is the solution multitenant?
• How is the service secured?
• How is the service replicated or collocated?
• How can the service be tested and validated?
• What is the service uptime?
• How and when is the service maintained?
• What controls can be implemented, and at what stages of the service?
• How are errors and exceptions logged?
• How can performance be monitored?
• What is the upgrading and versioning process?
• What auditing support is provided?

Key Terms

References

Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.

Secondary:

Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.