Making Your Move to the Cloud a Success
- Treat Cloud Computing adoption and use as a strategic business decision.
- Make informed decisions, considering both business and operational needs and the benefits that can be provided by Cloud Computing.
- Communicate Cloud Computing arrangements and agreements to internal parties to ensure proper alignment and consistent oversight.
- Periodically review organizational strategies and the contribution of IT to ensure that Cloud initiatives maximize value delivery, risk management and resource utilization.
The Cost/Benefit Principle
- Clearly document expected benefits in terms of rapid resource provisioning, scalability, capacity, continuity and the cost reductions that the Cloud services offer.
- Define the true life-cycle cost of IT services provided internally or through a provider to have a basis for comparing expected and received value.
- Balance cost with functionality, resilience, resource utilization and business value.
- Look beyond cost savings by considering the full benefits of what Cloud services and support can provide.
- Periodically evaluate performance against expectations.
The Enterprise Risk Principle
- Consider the privacy implications of co-mingling data within the virtualized computing environment.
- Evaluate privacy requirements and legal restrictions, considering client needs as well as provider restrictions and capabilities.
- Determine the accountability addressed in SLAs, the ability to monitor performance and available remedies.
The Capability Principle
- Understand the human and technical resource capabilities that exist in the current infrastructure and how a Cloud strategy will impact the need for these or other resources.
- Define the capabilities that a Cloud provider will make available as well as constraints on these resources, including periods of unavailability or priority of use.
- Consider emergency situations and resource requirements necessary to determine causes, stabilize the environment, protect sensitive and private information, and restore service levels.
- Determine how policies, practices and processes currently support the use of technology; how transitioning to a Cloud solution will require policy, practice and process changes; and the impact these changes will have on capabilities.
- Ensure that service providers can demonstrate that personnel understand information security requirements and are capable of discharging their protection responsibilities.
- Ensure that internal staff have the skill and expertise to coordinate activities with Cloud providers and that they are engaged in Cloud service acquisition and ongoing management.
- Ensure that effective channels of communication are provided with provider management and key specialists, particularly for problem identification and resolution.
The Accountability Principle
- Understand how traditional responsibilities are assigned and implemented within the existing organizational structure and as a part of policies and practices to determine how these are addressed within Cloud solutions.
- Determine how responsibilities between tenant and provider organizations for Cloud solutions are assigned and how communications between accountable individuals and groups will be facilitated.
- Ensure that processes and procedures provide a mechanism to ensure that responsibilities are accepted and accountabilities are clearly assigned.
- Maintain within the governance structure a means of reviewing performance and enforcing accountabilities.
- Consider, as part of the enterprise risk management program, the risk to the enterprise from potential lapses in assigned responsibilities or from being unable to assign accountabilities.
The Trust Principle
- Clearly define confidentiality, integrity and availability requirements for information and business processes.
- Understand how reliance on Cloud Computing solutions may impact trust requirements.
- Structure the efforts of security, risk management and assurance professionals within both tenant and provider organizations to ensure that trust requirements are known and satisfied.
- Monitor changes in business use of Cloud Computing, vulnerabilities associated with Cloud solutions, and implementations across tenant and supplier environments to ensure that threats to trust can be identified and resolved.
- Ensure that Cloud infrastructure, platform and software service providers understand the importance of trust and create solutions that can be trusted.
- Provide ongoing assurance that information and information systems can be trusted.
ISACA's Guiding Principles for Cloud Computing Adoption and Use is available as a free download.