Securing the CloudISACA Issues New Guidance for Cloud Security and Vendor Contracts
"There is a big difference between public and private cloud computing," says Vael, chairman of the Knowledge Board for the Information Systems Audit and Control Association, a nonprofit association that includes 95,000 IT professionals in 160 countries. "Data location, for instance, is a concern, and today cloud computing providers can provide that information," but organizations have to ask the right questions, upfront.
Vendor management is key. The use of cloud computing or virtualization in financial-services, healthcare and government environments is a concern; and because all of those industries are heavily regulated, certain security guidelines and mandates must be met. In the payments realm, for instance, the PCI Security Standards Council recently issued guidance that specifically addresses encryption standards for payment card transactions in virtual environments. ISACA's new guidelines address PCI requirements as well as other common industry standards for data protection.
During this interview with Information Security Media Group, Vael discusses:
- Security management in the cloud;
- Steps organizations should take upfront to determine how stable and secure a particular cloud service provider is before signing a contract;
- Questions that can help an organization understand how prepared a cloud provider is for business continuity and disaster recovery.
Vael is chief audit executive at Smals, a Belgian IT organization with more than 1,800 people working for the Belgian federal government. He has more than 15 years of experience in evaluating, designing, implementing and monitoring solutions on risk and information security management, incident and business continuity management, data protection/privacy, and IT audit. An ISACA member for more than 15 years, Vael also serves as vice president of the ISACA Belgium Chapter, chair of ISACA's Cloud Computing Task Force and Knowledge Board, member of ISACA's Strategic Advisory Council, and past chair of the ISACA Communities Committee. He has been a visiting lecturer at Antwerp Management School since 1997 and a deputy member of the Flemish Privacy Commission since 2010.