Information Security Governance: Government Considerations for the Cloud Computing Environment
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
Information security governance mechanisms enable organizations to better manage information security. These mechanisms are especially critical when migrating information assets to a cloud computing environment (CCE)—a process federal government agencies are considering because of the numerous benefits possible in a CCE, including reduced costs, on-demand services, and increased deployment flexibility.
Operating in a cloud, however, also increases security risks and can complicate legal and compliance issues. So if federal agencies adopt a CCE, they must also invest in an information security governance mechanism.
Booz Allen Hamilton’s study, “Information Security Governance: Government Considerations for the Cloud Computing Environment,” explores one information security governance framework and its key considerations for the federal government. Especially valuable for agency leadership, information security professionals, and information security governance personnel, the study shows how users can take advantage of the CCE’s benefits without also experiencing excessive security risks or new legal or regulatory compliance challenges.
“Information Security Governance” introduces Booz Allen’s information security management and governance framework, which has already been successfully deployed in numerous client environments. The framework comprises a system of management and functional processes and is based on evolving international standards[1] and the planned evolution of the National Institute of Standards and Technology (NIST) Risk Management Framework.[2] When applied to any of the four major cloud computing deployment models, its processes can be modified to plan and govern information security most effectively.
The study finds that implementation of a strategic information security management and governance framework is key to the successful transition of information systems to a CCE. Using a framework to guide the transition to and operations in the CCE can enable an organization to maximize its benefits in the cloud while addressing the cloud’s inherent risks.
Associates Jamie Miller and Larry Candler and Consultant Hannah Wald were members of the Booz Allen team that contributed to this study.
[1] ISO/IEC 27001, Information Technology – Security Techniques – Information Security Management Systems – Requirements.
[2] NIST SP 800-39, Managing Risk from Information Systems.
Study posted November 23, 2009