The Governance of Cloud-Based Systems
The dot-com crash of 2000 and corporate scandals such as Enron highlighted the need for better laws to oversee financial organizations, and also highlighted the need for better corporate governance. IT governance is the part of corporate governance that includes the policies, procedures, and controls that relate to information systems use, performance, return on investment (ROI), and risk mitigation.
When a company moves services to the cloud, it must naturally extend its IT governance to include cloud-based systems and services. Governance includes policies, procedures, and controls that ensure confidence in the accuracy and security of the cloud-based systems, and also ensures the strategic alignment of cloud-based systems with the organization's goals. A key component of the governance process begins with Service Level Agreements (SLAs), which specify the contractual obligations that a cloud vendor must provide and adhere to. One important governance issue that is normally specified in an SLA is its limited liability provisions. Fox (2015) states that customers generally want the service provider's liability to include, among other obligations, coverage for claims arising out of the following:
- Allegations that the cloud services provided by the vendor infringe upon, or violate, the intellectual property or other proprietary rights of any third party.
- Negligence or willful misconduct of the cloud service provider, including its contractors and agents.
- Claims that the cloud service provider, including its contractors and agents, caused any bodily injury to the customer's staff or property damage to the customer's property.
- A breach of any of the cloud service provider's data or system security obligations, as well as any other customer data privacy obligations.
In contrast, cloud service providers usually try to reduce the scope of their liability towards customers by negotiating SLA provisions in their favor, for example by limiting their liability to customers with a cap on the amount they are obligated to indemnify the customer for. Customers who agree to caps run the risk of being held accountable for damages that exceed the cap limit, even if the damages can be attributed to the provider, the provider's contractors, or other third parties that may be associated with the cloud provider (Fox, 2015).
Regarding the governance of cloud-based systems, it is of utmost importance that customers clearly understand that if their IT systems are hosted on a cloud-based system, their IT governance extends to include those systems. Service Level Agreements with cloud providers are one method organizations can use to extend that governance to cloud-based systems: an SLA specifies the level of service a vendor agrees to provide and contains provisions that specify items such as liability.
Fox, A. (2015, May 7). Common Mistakes Made by Customers and Service Providers when Negotiating Cloud Services Agreements. Association of Corporate Counsel. Retrieved August 10, 2017, from http://www.acc.com/legalresources/quickcounsel/negotiating-cloud-services-agreements.cfm