BRINGING AGILITY IN CLOUD RISK MANAGEMENTWorkshop

UBS

Ed Simmons

T-Systems

Ryan Skipp

LEGAL DISCLAIMER Open Data Center Alliance, Inc. is NOT a law firm. The information provided or referenced in this Best

Practices document regarding possible regulatory compliance obligations or risk assessment / management related to such obligations are not intended, in any way, as legal advice to you. Our publishing of this Best Practices document and your review or use of it is NOT intended to create, nor does it create, any attorney client relationship between Open Data Center Alliance, Inc. and you. We encourage you to seek proper, independent legal advice from an appropriate advisor before making any decisions that might impact your legal duties or rights or might impose any legal liability on you.

Any reference to any laws/regulations/rules in this document may not be a complete list of the laws/regulations/rules that impact your circumstances. Also, applicable laws/regulations change frequently, and the application of laws/regulations by courts and government agencies can vary greatly.

Thus, all information provided or referenced in this Best Practices document is provided to you on an “AS IS” and “AS AVAILABLE” basis. If you rely on any of this information you do so at your own risk and you are totally and solely responsible for the consequences of your actions, including (without limitation) all legal liability and legal consequences. 2

OBJECTIVES Discuss ODCA Best Practice Paper: Improving Agility in Cloud Risk Management Rev. 1.0Workshop

• Risk Management Challenges in the Enterprise• Best Practices to Improve Agility in Cloud Risk Management• Discuss Implementation Experiences

Collaboration, interaction and discussionQ&A

3

URL to white paper and materials: http://bit.ly/1rh5X94

RETHINK RISK MANAGEMENT The Benefits offered by cloud computing to innovate and transform value proposition, compete in the marketplace, and accelerate growth and customer satisfaction

>> mandates a high rate of velocity and agility in identifying, assessing, selecting, and implementing cloud-based services

Business leaders expect cloud adoption to be rewarding, well managed, and within acceptable risk and compliance limits, driving the need to

>> rapidly adapt and rethink traditional risk management processes to deliver agile, sustainable outcomes

4

RISK MANAGEMENT - GOALSMature, robust, right-sized, and agile risk management practices to support rapid assessment and optimization of cloud computing risks

Strategic view of cloud risk management

Consistent, sustainable, simple, and integrated risk management across the enterprise

5

[Q] RISK CHALLENGES – EXERCISE 1Discuss Cloud Risk Management Challenges

[Workshop material page # 2]

6

[A] RISK CHALLENGES – EXERCISE 1 Cloud Risk Management Challenges

• Value perception and lack of agility• Siloed management of risk• Security as a proxy for all risk• Risk language• Prioritization of risk management• Complexity

7

[Q] – RISK BEST PRACTICES [EXERCISE 2]

Discuss Cloud Risk Management ChallengesDiscuss Best Practices for Risk Management[Workshop material page # 4]

8

[A] – RISK BEST PRACTICES [EXERCISE 2]

Objective Best PracticePromote Safe Cloud Adoption [1] Enterprise focus

[2] Risk appetite[3] Standardization

Inject Agility and Velocity in Risk Management

[4] Agility[5] Right-sizing[3] Standardization

Integrate and Sustain Cloud Risk Management

[6] Integration[7] Sustainability

Minimize Waste in Risk Management

[8] Continuous process improvement

9

[Q] RISK APPETITE – EXERCISE 3Discuss Cloud Risk Management ChallengesDiscuss Best Practices for Risk Management Setting cloud risk appetite[Workshop material page # 6]

10

[A] RISK APPETITE – EXERCISE 3

11

Risk Appetite Dimension

Level:Conservative

Level: Balanced

Level: Expansionary

Information Security No appetite to use cloud for confidentialand highly confidential information

On-premises cloud can be used forconfidential and highly confidential information

Off-premises cloud is acceptable forconfidential and highly confidential information

Service Criticality (Use cloud for which services and business processes)

No appetite to adopt cloud for coreand mission-critical services

Cloud is acceptable for core services

Cloud is considered for core and mission criticalservices

Service Location and Jurisdiction

Services hosted only in domesticJurisdiction

Hosting in foreign jurisdictions is permittedfor private information

Hosting in foreign jurisdictions is permittedfor confidential and highly confidentialinformation

Type of cloud service providers

Leading edge, established players

Leading edge, established players

Bleeding edge, start-ups

[Q] STANDARDIZING RISK MANAGEMENT –EXERCISE 4

Discuss Cloud Risk Management ChallengesDiscuss Best Practices for Risk Management Setting cloud risk appetite Standardization of Risk mitigation – Discuss how[Workshop material page # 8]

12

[A] STANDARDIZING RISK MANAGEMENT – EXERCISE 4

13

The handout describes common risks, and ODCA usage models to help manage risks. Review the risk types, and mitigation plans

[Q] RISK RIGHT-SIZING - EXERCISE 5

Discuss Cloud Risk Management ChallengesDiscuss Best Practices for Risk Management Setting cloud risk appetite Standardization of Risk mitigation – Discuss howDiscuss risk right-sizing[Workshop material page # 14]

14

[A] RISK RIGHT-SIZING - EXERCISE 5

15

Cloud risk management processes should be right-sized based on the level of risk

FURTHER INFORMATION Discuss Cloud Risk Management Challenges Discuss Best Practices for Risk Management Setting cloud risk appetite Standardization of Risk mitigation – Discuss how Discuss risk right-sizing Agility, Integration, Kaizen, and Sustainability: Refer to

the best practice paper (Improving Agility in Cloud Risk Management)

16

CONCLUSION Risk Management is an integral competency of mature enterprises

ODCA best practice paper provides guidance to rethink and tune the Enterprise risk management practices to meet the agility requirements of Cloud adoption

We encourage adoption of the best practices in real life situations – Please visit the ODCA web site for further information (http://www.opendatacenteralliance.org/library)

17

18

19

© 2 0 1 4 O p e n D a t a C e n t e r A l l i a n c e , I n c . A L L R I G H T S R E S E R V E D .