“Board members need a clear understanding of cloud computing benefits and how to maximize them through effective governance practices,” said Marc Vael, CISA, CISM, CGEIT, CISSP, an ISACA board member and chief IT audit executive at Smals. “This requires the board to see cloud computing not as an IT project, but rather as a business strategy.”
According to ISACA’s Cloud Governance: Questions Boards of Directors Need to Ask, boards should address the following five questions to determine the strategic value that cloud services are expected to provide and the impact that the cloud may have on resources and controls:
1. Do management teams have a plan for cloud computing? Have they weighed the value and opportunity costs?
2. How do current cloud plans support the enterprise’s mission?
3. Have executive teams systematically evaluated organizational readiness? For example, are the right skills available? Do cloud processes conflict with other established processes? Do cloud plans conflict with enterprise culture?
4. Have management teams considered what existing investments might be lost in their cloud planning? Does the adoption of a cloud service nullify already-made technology investments that have not reached their planned end date, and is that noted and approved?
5. Do management teams have strategies for measuring and tracking the value of cloud return vs. risk?
“The answers to these questions will help determine the enterprise’s readiness to adopt cloud computing and also help ensure that the necessary governance is in place,” said Vael. “The COBIT 5 framework for governance and management of IT can also help enterprises manage investments such as cloud services. COBIT 5 helps ensure consistent practices to maximize value and manage risk.”
ISACA’s white paper, “Cloud Governance: Questions Boards of Directors Need to Ask,” is available as a free download at www.isaca.org/cloud-governance. The COBIT 5 framework is a free download at www.isaca.org/cobit.
