Global IT association ISACA has issued a new guide outlining how to implement effective controls and governance for cloud computing. Titled IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, it is now available at www.isaca.org/ITCOcloud.

According to the ISACA guide, when enterprises decide to use cloud computing for IT services, business processes are impacted and governance becomes critical to:
·         Effectively manage increasing risk;
·         Ensure continuity of critical business processes that now extend beyond the data centre;
·         Communicate clear enterprise objectives internally and to third parties;
·         Adapt effectively;
·         Facilitate continuity of IT knowledge, which is essential to sustain and grow the business; and
·         Handle myriad regulations

Despite the potential for major cost savings, according to a recent survey of ISACA’s Australian members, less than half (42%) currently include cloud computing strategies within their enterprise. Additionally, the vast majority of these organisations (80%) limit cloud computing to low-risk, non-mission-critical IT services, highlighting the hesitation of businesses to adopt cloud initiatives and the need for guidance in this regard.

"Cloud take-up in Australia is relatively slow compared to other countries. Lower-risk and less contentious data seem to be the first choice for early adopters,” said Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, International Vice President of ISACA and Associate Director-General of the Queensland Department of Communities.

“Data that are sensitive or have some competitive advantage for organisations have been retained internally under close scrutiny. Government agencies are significant investors in IT and, to date, cloud computing has been adopted mainly as a concept internal to government."

Jo Stewart-Rattray, International Vice President of ISACA and Director of Information Security at RSM Bird Cameron, added: "Whilst speaking with CIOs in Australia and the US, the mention of the cloud is met in one of two ways: an enormous groan or a loud cheer.  Of course it will depend upon the context of a business whether cloud offerings will suit its needs. If they do, security and governance around such offerings must be in place within the organisation.

“Due diligence around the proposed service provider and appropriate controls must also be in place to ensure that the organisation’s most valuable asset, its corporate information, is protected from loss, theft, tampering and loss of jurisdictional control."

Cloud computing will be discussed at the Oceania CACS2011 conference to be held in Brisbane from September 18-23. Here, key speakers will discuss issues surrounding the control of cloud computing and risk management, as well as data loss prevention and the metamorphosis of assurance and strategies that organisations can employ. 

www.isaca.org/cloud.