Friday, November 13, 2009

Risk Analysis versus Risk Assessment

I would like to distinguish a project impact analysis (PIA) from a risk assessment of the business solution under debate. The former is a business case justification. The latter allows the stakeholders (e.g. CISO, CIO, CEO etc.) to identify potential threats, prioritize those threats into risks and identify the controls that can reduce the risks to acceptable levels.

A due diligence exercise should examine capital outlay, development costs and long-term costs such as continued operations and maintenance. Whether the cloud option (definitions aside) is a sound business case will depend on the cloud provider. Certainly issues such as regulatory compliance, process safety and a validated platform can be show-stoppers. However, both the as-is system and the target cloud provider must be taken into consideration.

In my opinion a risk assessment does not need to be a long, drawn-out process. It can be completed in a matter of days. It is the only way to provide management with the tools needed to perform their fiduciary responsibility of protecting the assets of the enterprise in a reasonable and prudent manner. For example, multi-tenancy is likely a regulatory concern, and on the surface Amazon Web Services appears to fail this test. Dig a little deeper and it turns out that Amazon Web Services allows a customer to avoid virtual machine co-residency. Now the probability that a “cross-channel attack” will result in data loss is questionable. The purpose of a risk assessment is to make that risk decision, quantitatively or qualitatively, and to grant approval to operate.
