Cloud computing ISO Standards in the pipeline

Alison Holt takes a look at progress towards the goal

“It is important that IT projects in any organisation are governed at a strategic board level and not just by the IT department. In the public sector, implementing IT projects impacts a wide group of stakeholders beyond those of the organisation. There are lots of gains to be made for the public sector from corporate IT governance.”

This was the opening remark from Standards New Zealand chief executive Debbie Chin at the recent workshop ‘Corporate governance of information technology’, held in Wellington. It set the scene for a wide-ranging debate, the main topics of which are summarised below.

Cloud computing governance

Interest in cloud computing is growing rapidly in the International Standards Organisation (ISO) community. Cloud computing delivers economies of scale and can be used to develop, deploy, and maintain business-critical systems quickly and flexibly. An international study group is presently looking at Standards for cloud computing. When developed, these Standards will help to address cloud computing challenges including data location and recovery, security, e-discovery, availability, reliability and portability.

It is through Standards New Zealand that this country contributes to the development of international Standards, such as the new cloud computing Standard, by participating in ISO committees and running mirror committees locally. Standards New Zealand is scoping a New Zealand cloud computing Standard to ensure the country is recognised as a secure environment to host cloud computing services. Key issues in cloud computing are sovereignty, privacy and portability, and in understanding these requirements this country could be considered a favourable place to host services for an international audience.

Digital forensic risk ‘readiness’

The area of digital forensics concerns any digitally stored evidence. There is some risk in digital forensics: legal, professional, ethical and IT technical risk. However, many organisations have not put in the necessary preparation to handle these risks.

At the workshop Dr Brian Cusack, leader of the AUT University Digital Forensic Research Laboratories, discussed a draft working document to provide guidelines to identify, collect and/or acquire and preserve digital evidence. These guidelines will help organisations to identify the specific treatment for digital forensics and to assure the board that digital forensic risks are being managed.

Common problems

Governing the use of IT means managing reputation risk, financial risk, and operational risk when deploying IT business systems. The standard for corporate governance of IT (AS/NZS ISO/IEC 38500:2010) includes principles that provide a checklist for IT investment decisions and a framework to evaluate, direct and monitor the use of IT in organisations. Owners, board members, directors, partners, senior executives, or people in similar positions can use this Standard to understand and fulfil their legal, regulatory, and ethical obligations for the use of IT within their workplaces. Organisations of all sizes can also use the Standard to save money associated with IT, by avoiding failures.

Mark Toomey, a leading expert in top-level governance of IT, presented case studies where a lack of governance has caused problems, such as Queensland Health’s payroll and related issues. While he used Australian case studies, these issues are relevant to organisations here. He also discussed common problems in IT projects: often it is not the technology itself, he says, but the way organisations use it. Common problems in IT projects include trying to apply one solution to all areas, not understanding fundamental issues, not enough analysis up front, shortened testing times, lack of checking systems regulations and not preparing the workforce for new systems.

Governing IT-enabled change involves more than governing technology activities. Any organisational change needs to address people, processes, structure and technology, along with paying attention to every facet of business models and practices.

Next steps

Several workshop attendees are looking at developing their own governance framework. There was interest in the Standards New Zealand proposal to develop a ‘CIO Governance Handbook’, which could be used in conjunction with and as a guide to AS/NZS ISO/IEC 38500:2010.

* For more information about IT Standards and participation in IT Standards' development, email informationtechnology@standards.co.nz
