CloudWatch2 Risk Based Decision Making Mechanisms For Cloud Service In The Public Sector
Release Date: 10/27/2016
Administrations or PAs, and Small and Medium-sized Enterprises or SMEs) are still in need of
“meaningful” understanding of the security and risk management changes the cloud entails,
in order to assess if this new computing paradigm is “good enough” for their security
requirements. Traditional ICT risk management approaches usually adopt one-size-fits-all
methodologies relying on (security) experts, which are usually not adequate for small
organisations and Public Administrations (PA) that use relatively simple IT components. One
of the main drivers of CloudWatch2 is to develop a simplified cloud risk
assessment/management approach, called “risk profile” in this document, with the requisite
that SMEs/PAs need simple, flexible, efficient and cost-effective cloud security solutions.
This deliverable proposes a risk profiling methodology to assist PAs with the risk assessment
process from the perspective of a cloud service customer (CSC) procuring a suitable cloud-based service. The proposed approach also provides information to cloud partners (e.g.
cloud brokers) and CSPs on the risk management methodology for cloud adoption used by a
(prospective) customer organization. Although the main focus of this deliverable
is on PAs, we also discuss the appropriateness of the suggested risk profile methodology
for SMEs (to be further expanded in Deliverable 3.5 or D3.5).
This incremental report also presents a fresh approach to the problem of leveraging risk
profiles by analysing, from the risk management perspective, the specification of security in
mechanisms like Service Level Agreements (SLA) as a promising approach to empower PAs
(and also SMEs) in assessing and understanding their cloud requirements.
The next version of this deliverable (i.e. D3.5) will present the validation results of the
presented risk profiles, both for SMEs and PAs, based on real-world use cases and end-user
feedback. In addition, D3.5 will further elaborate on end-user mechanisms/tools for
instantiating the proposed risk profiling methodology.
Acknowledgements
Marina Bregkou
Senior Research Analyst, CSA EMEA
Damir Savanovic
Damir Savanovic (M) is an Associate Director - Cloud Controls Lead at Willis Towers Watson, leading a team of subject matter experts to address compliance and control requirements for multiple compliance frameworks within information and cybersecurity for a global financial institution.
As a security evangelist and subject matter expert in the areas of security governance, risk and compliance, data protection with over...
Jesus Luna
Nicholas Ferguson
Theodora Dragan
Lucio Scudiero