
Cloud computing: Governance and control

December 4, 2015 (updated April 20th, 2024)

Cloud computing has been one of the fastest growing markets in recent years. The general problem is that due to the rapid growth of cloud, organizations are not keeping up with the changes and therefore cannot adequately control and govern business processes, which therefore remain immature.

Cloud is a “booming business”: Google, Amazon and Microsoft are investing more and more in cloud services. Large, medium and small businesses can use these services, which can add value to their business processes (Source: ). However, the control issue surrounding cloud computing leaves much to be desired. Standard frameworks can be used to control risks, and industry has helped establish them. Examples include COBIT, ISO, ITIL and maturity models such as the Capability Maturity Model (CMM). These are proven methodologies with years of application and assessment behind them. The question, however, is whether these models are also aligned with cloud computing, which requires a different type of approach.

In recent years, much theory has been developed in academia on the governance of IT (IT governance), and much theory has also been developed in the field of cloud computing. However, little academic research has been done on the combination of governance and cloud, because it is a relatively new concept. The American Accounting Association (2014) argues that cloud governance should not be a separate area of focus, but should instead be incorporated into general information technology (IT) governance and be responsive to change. On the other hand, the additional risks of the cloud are different and therefore require a specific approach rather than a general one.

Before determining how an organization can govern and control the cloud, it is important to understand what processes are important to the cloud. The main emphasis in academic theory is on characteristics, benefits and applications. Cloud processes are to some extent similar to those for general IT. Consider processes such as continuity management, incident management, change management and data management. However, the cloud has a different impact on these processes due to interaction between cloud vendors and users via the Internet (read: cloud). This creates additional challenges such as determining who is responsible for the data, the access and security of the data on the Internet, the increased complexity in the customer/supplier chain and laws and regulations that apply to the location of the cloud data center.

In short, practitioners need models that offer new insights into managing risk and that set a clear framework. This was the basis of the research described here. The research focused on the development of a maturity model that supports companies in decision-making around cloud computing. The maturity model used the Hevner method as a guide and also drew on the CMM method during development. In a maturity model, the first step is the development of a classification scheme. Based on the theory, a distinction was made between the control (governance) and the mastery (management) of the cloud. Governance refers to the security of and around the cloud. Based on the theory, the following classification scheme was created.

The second step in developing a maturity model is developing a questionnaire. In this model the questionnaire is used to collect the data from which a maturity score is determined. The questionnaire in this study covers the risks and controls surrounding the cloud. It verifies whether an organization has actually identified the risks and/or has implemented the relevant control measures to mitigate them. The questions about risks are based on academic theory; the questions about control measures are based on the COBIT 5 framework, because it includes controls.

The third step of this study involves determining maturity levels. A level aggregates the maturity score, which makes it possible to distinguish differences within organizations. A level is established for each process. The CMM method prescribes two types of classification, “staged” and “continuous.” Here the continuous classification was chosen, since it is focused on analysis and is more flexible in determining a maturity level. In addition, the ISO/IEC 15504 rating scale was used to determine the score for a level. Based on this, the maturity levels below were created.
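The three steps above (classification scheme, questionnaire, per-process level) can be illustrated with a small scoring routine. The code below is an added example and is not part of the study or the maturity model it describes: the questionnaire lines, the two-point scoring per risk (one point for having identified the risk, one for having implemented a control) and the process names are constructed assumptions. What it does take from a public standard is the ISO/IEC 15504 achievement scale (N: 0-15%, P: >15-50%, L: >50-85%, F: >85-100%), and it applies the continuous classification by rating each process separately rather than giving the organization one staged level.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# ISO/IEC 15504 achievement scale (process-attribute rating bands):
#   N  not achieved         0% - 15%
#   P  partially achieved   >15% - 50%
#   L  largely achieved     >50% - 85%
#   F  fully achieved       >85% - 100%
RATING_BANDS: Tuple[Tuple[str, float], ...] = (
    ("N", 15.0),
    ("P", 50.0),
    ("L", 85.0),
    ("F", 100.0),
)


@dataclass(frozen=True)
class Answer:
    """One questionnaire line: a cloud risk for a process plus the two yes/no answers.

    The two-question shape (risk identified? control implemented?) is an assumption
    made for this example; the study's own questionnaire is not reproduced here.
    """
    process: str
    risk: str
    risk_identified: bool
    control_implemented: bool


def answer_points(answer: Answer) -> int:
    """Assumed scoring: one point for an identified risk, one for an implemented control."""
    return int(answer.risk_identified) + int(answer.control_implemented)


def achievement(answers: Iterable[Answer]) -> float:
    """Percentage of attainable points actually scored for a set of answers."""
    items = list(answers)
    if not items:
        return 0.0
    return 100.0 * sum(answer_points(a) for a in items) / (2 * len(items))


def rating(percent: float) -> str:
    """Map an achievement percentage to the N/P/L/F band of ISO/IEC 15504."""
    if not 0.0 <= percent <= 100.0:
        raise ValueError(f"achievement out of range: {percent}")
    for label, upper_bound in RATING_BANDS:
        if percent <= upper_bound:
            return label
    return "F"  # not reachable: percent <= 100 is guaranteed above


def assess(answers: Iterable[Answer]) -> Dict[str, Tuple[float, str]]:
    """Continuous classification: every process gets its own achievement and rating."""
    by_process: Dict[str, List[Answer]] = {}
    for answer in answers:
        by_process.setdefault(answer.process, []).append(answer)
    result: Dict[str, Tuple[float, str]] = {}
    for process, items in sorted(by_process.items()):
        pct = achievement(items)
        result[process] = (pct, rating(pct))
    return result


# Constructed sample answers (not data collected by the study).
SAMPLE: List[Answer] = [
    Answer("continuity management", "vendor outage without a tested fail-over", True, True),
    Answer("continuity management", "no exit strategy for moving data to another vendor", True, True),
    Answer("incident management", "vendor-side security incidents not reported to the customer", True, False),
    Answer("incident management", "no agreed escalation path across the customer/supplier chain", True, True),
    Answer("change management", "vendor changes the service without notice", True, False),
    Answer("data management", "data center location conflicts with applicable law", False, False),
    Answer("data management", "unclear ownership of and access rights to the data", False, False),
]


if __name__ == "__main__":
    for process, (pct, label) in assess(SAMPLE).items():
        print(f"{process:<24} {pct:5.1f}%  {label}")
```

Running the block prints one line per process; with the constructed answers, continuity management is fully achieved (F), incident management largely (L), change management partially (P) and data management not at all (N). The per-process output is exactly what the continuous classification is chosen for: an auditor sees where the gaps are instead of one organization-wide number.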

After the maturity model was created, it had to be verified for structure, consistency and relevance. For this purpose, an expert panel of 10 people with backgrounds in IT audit and IT management was interviewed, selected with regard to their years of cloud experience and their expertise. The panel averaged 5 years of cloud experience and 7.5 years of experience in their field of expertise. The results were used to improve the model and as a theoretical foundation for it.

The usefulness of the maturity model can be explained from two perspectives, academic and practical. Academically, the model is the first attempt to develop a maturity model that includes both risks and controls; it distinguishes itself by covering both aspects rather than just the risks, and it takes into account the impact of the cloud on controls and governance. For practitioners, the model also offers opportunities: the interviews revealed that it gives new insights into the cloud and its control, helps with decision-making around the cloud, and can effectively support auditors in their audits.

If you would like to read the entire study, please contact me via LinkedIn:
