Seeking feedback on the draft Community Cloud Governance Better Practice Guide
22 May
In February this year, I released the final versions of the Legal, Financial and Privacy Cloud Computing Better Practice Guides.
I am now releasing for your review the next Better Practice Guide – Community Cloud Governance – An Australian Government perspective (draft).
- Draft Better Practice Guide – Community Cloud Governance DOC (293KB)
- Draft Better Practice Guide – Community Cloud Governance PDF (358KB)
The purpose of this guide is to provide agencies with guidance on providing a governance structure around Community Clouds. It is based around related frameworks using formal agreements that are managed by well-defined governance structures with clear roles and responsibilities.
It is important that agencies providing cloud services and those agencies consuming those cloud services have a common understanding of the features and how the service is managed.
I would be interested in your views on this draft before we finalise it. Please make your comments via this blog or alternatively by email to aga@finance.gov.au before COB Friday, 8 June 2012.
This guide forms part of the Cloud Framework: a Stream One deliverable of the Australian Government Cloud Computing Strategic Direction Paper. The strategy paper, released in April 2011, positioned government agencies to choose cloud based services if they demonstrate value for money and are adequately secure.
Update: these documents are available on the Department of Finance and Deregulation’s cloud computing page.

[...] In a blog post on AGIMO’s blog today, AGIMO first assistant secretary Glenn Archer, who leads cloud computing work for the agency, published a draft of a better practice guide for community cloud governance. [...]
[...] Information Management Office (AGIMO) have published a draft better practice guide entitled, Community cloud governance : an Australian Government perspective (PDF 358kb) for comment. This entry was posted in Information and Communications Technology and [...]
Comments by Anthony McCarthy on
Better Practice Guide
Community Cloud Governance – An Australian Government perspective
Page 3
Second sub dot point under second dot point under heading ‘Governance’
The term MOG is the first time it is used and therefore should be spelt out in full.
Page 5
One additional dot point should be added to the examples under the heading ‘b) Compliance and Community Clouds’.
This dot point should be ‘Business Continuity Management requirements’ as the business aspects required under a Business Continuity Plan will definitely shape the delivery requirements of a cloud service.
Page 6
Figure 1: Community Cloud Governance Structure
An extra box is required to the right of the ‘Lead Agency’ box and titled ‘CSOC’ for Cyber Security Operations Centre.
There should be a solid line between the ‘Lead Agency’ and the ‘CSOC’ to support the process as required in Page 12 for the responsibilities covered under the Security Management activity.
Also, there should be a dashed line between the ‘Participating Agency’ and the ‘CSOC’ to support the process as required in Page 13 for the responsibilities covered under the Security Management activity.
Page 7
Attachment 2 (Governance Checklist) is not listed.
Page 14
Second dot point under responsibilities for the Compliance activity
After ‘information management’, I suggest that ‘Carriage Services’ should also be added to give reference to the AGTA policy and in particular the IBNC Services Panel.
Page 17
Attachment 2: Governance Check List
The Audit Report No.41 has been mentioned twice in this attachment.
Should this report be referenced under ‘Governance principles and standards’ at Page 3?
General
A consolidated list of all the acronyms used within this document would be helpful.
Microsoft feedback on the draft Community Cloud Governance Better Practice Guide:
Microsoft commends AGIMO on its desire to provide a well-structured governance framework around the provision and consumption of cloud computing in government. Cloud computing promises to deliver unprecedented levels of choice for consumers of IT functionality, for both the type of service and also the degree of standardisation of those services and their requisite local and global delivery platforms.
However, it is worth remembering that well known admonishment “Eternal vigilance is the price of liberty” as we enter this age of greater choice and apply a far more intentional process to the selection and use of cloud services.
To this end, we suggest AGIMO considers the employment of a formalised, comprehensive Risk Framework, embracing the necessary principles and process as an explicit means of identifying, evaluating, and treating risk. It seems appropriate now, that the area of overall governance is being considered, to address not only the “what” but also the “how” associated with the assurance of a well-operating and secure set of cloud-related capabilities for Federal government agencies.
The “Draft Community Cloud Governance Better Practice Guide” as it stands, does a good job of calling out some specific areas of likely risk and calls for the use of a “risk assessment” in item 16 of the additional guidance section, but does not point to or define a common risk assessment model that all parties involved in the provision and use of the services may apply.
We note that AGIMO supports the notion of a Principles and Risk approach, as a means of determining the suitability of any particular cloud services for an agency and we encourage consideration of a formalisation of this, by way of a shared Framework for executing such an approach.
AS/NZS ISO 3100:2009 Risk Management – Principles and guidelines, provides a logical international standard from which to draw such a framework and the actual development of such a framework, could be undertaken by government in conjunction with a public consultation process, to ensure the most workable outcome is achieved.
[...] May, Glenn Archer released the draft Community Cloud Governance Better Practice Guide. Following your feedback we have updated the guide [...]