IG & Cloud Computing Roundtable Report


InfoGovANZ members came together on 18 July for a thought-provoking roundtable on the impacts of cloud computing adoption on information governance. Dr Peter Chapman, InfoGovANZ advisory board member, chaired the roundtable, which was hosted by Ferrier Hodgson. Several significant topics were addressed and discussed, including:

· Information benefits and risks posed by cloud adoption

· Information security and governance considerations

· Best practice standards and governance frameworks

While the value and benefits of cloud computing were well known, the general feeling from the table was that many organisations either did not fully appreciate or did not mitigate the security, privacy and information control risks posed by cloud computing adoption. It was noted that well-established cloud computing providers have been working towards providing improved monitoring and control tools for their clients; however, organisations have been challenged by the need to implement infrastructure flexibility without losing oversight and control of their information.

The table generally agreed that many existing security and governance frameworks offered sufficiently broad guidance to cover most governance and control issues pertinent to cloud computing; however, cloud computing increased the difficulty of ensuring that adopted standards and frameworks were implemented consistently throughout the enterprise infrastructure.

It was noted that the ISO 27000 series of best practice information security controls was extended through the introduction of ISO 27018 and ISO 27017 in 2014 and 2015 respectively. These two new standards provide additional guidance regarding controls and best practice for information security and the protection of personally identifiable information in cloud environments. The additional controls referenced in these new standards highlight several information management risks which are often heightened following cloud adoption, including (but not limited to):

· Unclear security responsibilities

· Lack of clarity regarding data ownership

· Heavy reliance upon virtual rather than physical security controls

An overarching point raised by several participants was that before organisations sought to extend their infrastructure and technological footprint, they would be well served by ensuring they are identifying and classifying organisational information appropriately. This often-overlooked element of information management and governance is a critical foundation for ensuring security of organisational information, whether it is stored on-premise or in the cloud.

InfoGovANZ would like to thank the members who attended the roundtable for their valuable contributions and willingness to share their professional and academic knowledge.