Still growing in deployment worldwide, cloud technology is a popular way to augment IT operations or even to replace traditional IT infrastructures with cloud-based solutions.
Traditional reasons for moving to a cloud environment include saving money on managing on-premises systems, reducing floor space as systems migrate to the cloud, saving on staff by leveraging cloud vendor expertise, and gaining the flexibility and adaptability of cloud environments to changing user requirements.
When considering a cloud solution or even when examining options for expanding or reducing cloud investments, knowledge of standards, frameworks and practices addressing cloud technology can be very helpful. From an audit perspective, documented compliance with key cloud standards is essential during an audit. Prospective and existing customers will also appreciate knowing that cloud services are being deployed in compliance with standards.
How to Use a Standard
Depending on the situation, the following are recommended steps to take when applying a standard to a specific activity:
- Identify the situation where a standard may be needed;
- Research existing standards;
- Identify one or more standards that may be applicable;
- Identify the issue(s) to be addressed by the standard(s);
- Search the standard(s) for applicable sections using the table of contents and index (if provided);
- Identify the content that applies to the situation(s);
- Compare current policies and procedures against the standard(s);
- Determine how content from the standard can apply to the situation(s);
- Initiate changes to policies, procedures, etc. that align with the standard(s) via a change management function;
- Conduct validation tests to ensure the changes work as desired;
- Update policies, procedures, etc. to comply with the standard(s);
- Complete all relevant documentation;
- Review changes with senior management to secure approval before implementation;
- Launch implementation via the change management process;
- Launch training and awareness activities to brief employees;
- Schedule a one-month review to ensure the changes are effective; and
- If no changes are needed, initiate a six-month or annual review cycle.
If it is determined that compliance with one or more standards must be demonstrated by an assessment or audit, maintain records on all activities in which the standard has been used.
Cloud Standards and Frameworks
The following sections list current cloud standards, frameworks and organizations that develop standards, regulations, legislation, guidance and good practice on cloud technology.
National Institute for Standards and Technology (NIST)
International Organization for Standardization (ISO, www.iso.org)
Organizations That Develop Cloud Standards
The following organizations develop standards for cloud technology, as well as guidance, frameworks and good practice techniques. The ISO and NIST have developed the most standards, while the other organizations have committees and working groups that collaborate on issues that need to be addressed in the development of new standards and refinements to existing standards.
- ASIS International (asisonline.org)
- European Telecommunications Standards Institute (ETSI, etsi.org)
- Information Systems Audit and Control Association (ISACA, isaca.org)
- International Organization for Standardization (ISO, iso.org)
- National Institute for Standards and Technology (NIST, nist.gov)
- Open Grid Forum (OGF, ogf.org)
- Organization for the Advancement of Structured Information Standards (OASIS, oasis-open.org)
- TM Forum Cloud Services Initiative (tmforum.org)
Federal Government
The U.S. Government has programs and legislation that can be applied to cloud technologies and applications.
- Federal Risk and Authorization Management Program (FedRAMP)
- Federal Information Systems Management Act (FISMA)
Professional and Technical Organizations
The following professional organizations provide guidance and recommendations on cloud technology through various committees and working groups.
- Distributed Management Task Force (DMTF, dmtf.org)
- Open Commons Consortium (OCC, occ-data.org)
Are Standards Right for your Organization?
Even if an organization does not need to officially demonstrate compliance with one or more standards, it is highly advisable to provide evidence that standards have been used, in case of a future compliance assessment or audit. Standards, along with various frameworks and regulations, provide excellent guidance for resilience professionals for planning, design, implementation, testing and maintenance activities.
Summary
This article has examined standards and organizations that address cloud technology. The number of standards, regulations and frameworks has grown steadily over the past decade, attesting to the importance of cloud technology and services.