The following are personal study notes on the topic of enterprise governance and risk management.
There are a few variations of the definition of governance, but for the sake of this summary, the following definition from ISACA will be used:
The method by which an enterprise evaluates stakeholder needs, conditions and options to determine balanced, agreed-upon enterprise objectives to be achieved. It involves setting direction through prioritization, decision making and monitoring performance and compliance against the agreed-upon direction and objectives.
I want to point out that there are several different perspectives and overlaps happening within some of the definitions of governance and risk management out there. Some are purely in the perspective of the organization as a whole, others are in the perspective of cloud and/or security and information technology specifically, so it’s important to know from which context you’re looking at this.
According to Graham Thompson in CCSK study guide, there are 4 primary domains.
| Domain | Summary |
|---|---|
| Governance | Policies, processes, and internal controls that dictates how an organization is run. |
| Enterprise risk management | Managing overall risk for the organization aligned with governance and risk tolerance. |
| Information risk management | Adresses risk to information and information technology. |
| Information security | Tools and practices used to manage risk to information. |
He states that it can be summarized in the following way:
Governance → Enterprise risk management → Information risk management → Information security
| Tools | Description | Example |
|---|---|---|
| Contracts | Legally binding contract agreements | Service Level Agreement |
| Cloud Provider Assessments | Due diligence process | Contract reviews and provider-supplied audit |
| Compliance reporting | Standards and scopes | FedRAMP or PCI DSS |
ENISA lists the following risk management components:
NIST SP-800-39 defines risk management with the following steps, summarized:
| Step | Summary |
|---|---|
| Risk framing | Establish how to assess, respond to, and monitor risk. |
| Assessing risk | Identify, prioritize, and estimate risk. |
| Responding to risk | Determine a course of action required to respond to risk. |
| Monitoring risk | Verify ongoing effectiveness of risk response measures. |
Looking closer at risk management as it relates to the cloud, consider the different cloud service and deployment models. The models have different profiles of responsibility and trade-offs, both of which will impact the risk management strategy.
There are in general two types of risk here: