The Cloud Risk Management Framework

A Risk Management Framework (RMF) provides a controlled and organized approach that integrates information security and risk management activities into the system development life cycle of a cloud ecosystem. The six steps below follow the NIST RMF and are grouped here into risk assessment, risk treatment and risk control.

Risk assessment

Step 1
  • Categorize the information system and the information processed, stored, and transmitted by that system based on a system impact analysis.
  • Identify performance, operational, security and privacy requirements.
Step 2
  • Select, based on the appropriate security requirements, the initial set of security controls for the information system (referred to as baseline security controls).
  • Tailor and supplement the baseline security controls according to the organizational assessment of risk and the specific conditions of the operational environment.
  • Develop a systematic approach for the continuous monitoring of security control effectiveness.
  • Document all the controls in the security plan.
  • Review and approve the security plan.

Risk treatment

Step 3
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Step 4
  • Assess the security controls using appropriate assessment procedures as documented in the assessment plan. The assessment determines if the controls are implemented correctly and if they are effective in producing the desired outcome.
Step 5
  • Authorize information system operation based on the risk determined to result from operating the system and on a decision that this risk is acceptable. The authorization decision considers the risk to organizational operations (including mission, functions, image or reputation), organizational assets, individuals and other organizations.

Risk control

Step 6
  • Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system and its environment of operation, conducting security impact analyses of those changes, and reporting the security state of the system to designated organizational officials.

Risk Management process for cloud consumers

The more influence an organization has over its processes and systems, the more confidently it can accept the residual risk of operating them.

A high level of control also helps organizations evaluate alternatives, set priorities, and make sound decisions when an incident occurs.

For a cloud consumer to adopt a cloud-based system successfully, the cloud-specific requirements of the system, the deployment model, the architectural landscape of the cloud service, and the responsibilities of each cloud actor in securing the cloud ecosystem must be well understood.

In addition, for business and mission-critical processes, cloud consumers should:

  • Identify all cloud-specific, risk-associated security and privacy controls
  • Request, through contractual means wherever applicable, Service Agreements and SLAs from cloud providers and brokers that cover the security and privacy controls applied in the cloud
  • Assess the execution and effectiveness of the adopted security and privacy controls
  • Regularly monitor all identified security and privacy controls

A risk management process helps an organization balance the opportunities offered by cloud computing adoption against its associated security risks.

Risk assessment, in turn, helps determine whether an organization is ready to entrust its data, business operations and business continuity to a cloud provider, given that the data is exposed to the risks of insecure transmission, storage and processing.

Requirement for risk management in ISO/IEC 27001

ISO/IEC 27001 (clause 6.1.2) requires an organization to define and apply an information security risk assessment process that:

  • Establishes and maintains information security risk criteria
  • Ensures that repeated risk assessments produce consistent, valid and comparable results
  • Identifies the information security risks and their risk owners
  • Analyzes the consequences and the likelihood of the risks
  • Evaluates the risks against the risk criteria and prioritizes them for risk treatment

The risks associated with the adoption of cloud services include data privacy, availability, service provisioning, malicious activity and regulatory compliance risks.