Implementing the 14 Cloud Security Principles
Understanding and implementing the 14 Cloud Security Principles – Part 4: Governance framework
When it comes to Cloud security guidance, there is one organisation that leads the way. Experts at The National Cyber Security Centre (NCSC) have created the 14 Cloud Security Principles, a framework that highlights key considerations relating to cloud security topics such as operational security, protection of data in transit and secure user management.
It’s essential for any business wanting to implement a robust Cloud and data security policy to have good knowledge and clear understanding of each of these Principles. So, here at etiCloud, we’re examining each one in a different blog post.
This week we explore Principle 4: governance framework.
What is a governance framework?
A security governance framework is the system by which a company or organisation directs and controls its IT security. The governance element should set out the accountability framework and provide a defined level of management oversight so that identified risks are mitigated.
Your service provider should have a security governance framework in place but, if you’re not sure, ask them! From within this framework they will be able to coordinate and direct management of the service they provide, and the information contained within it. If there are any technical controls deployed outside of this framework, there is tangible potential for destabilisation and this should be tackled immediately.
There are numerous benefits to having an effective governance framework in place. It helps ensure that procedural, personnel, physical and technical controls continue to function throughout the lifetime of the service. It should also be capable of adapting to, and addressing, any changes to the service, new developments or emerging threats.
The NCSC outlines exactly what good governance should look like:
• “A clearly identified, and named, board representative (or a person with the direct delegated authority) who is responsible for the security of the cloud service. This is typically someone with the title ‘Chief Security Officer’, ‘Chief Information Officer’ or ‘Chief Technical Officer’.
• “A documented framework for security governance, with policies governing key aspects of information security relevant to the service.
• “Security and information security are part of the service provider’s financial and operational risk reporting mechanisms, ensuring that the board would be kept informed of security and information risk.
• “Processes to identify and ensure compliance with applicable legal and regulatory requirements.”
If you’d like to find out more on this Principle, you can read the NCSC’s complete guidance on governance framework here. And if you have any questions or queries about security governance frameworks, please don’t hesitate to contact any of the etiCloud team.
Next up: Operational security