The National Institute of Standards and Technology (“NIST”) released a report today which highlighted the fact that organizations who deploy cloud applications need to pay cloase attention to security and management risks associated with the emerging technology. Computerworld reported that “[w]ith the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems…[and] without proper governance, the organizational computing infrastructure could be transformed into a sprawling, unmanageable mix of insecure services.”
The author of the report, Mr. Tim Grance, stated that the goal of the report was not to instill fear in federal IT managers, but rather to prepare them for the inevidable migration to a cloud-centric environment. Grance stated that “[p]ublic cloud computing is a very viable choice for government agencies[…]but you have to be careful. You got to make sure that [cloud computing] is part of a coherent overall strategic process.”
The report goes on to state that a shift to the cloud environment may “exacerbate” the threat of internal hacking, raise questions about data ownership and control, and make risk assessment and management harder. Corporate counsel needs to take the lead in advising how organizations are going to develop its internal and external processes and controls. This does not mandate that legal counsel “know everything” when it comes to information management, but rather which controls are most pertinent to the representative organization.
As I’ve stated before, there is no such thing as a “one-size-fits-all” approach to developing a culture of ethical conduct, transparency, legal compliance, and sound business practice. Legal counsel needs to provide best practice recommendations, not prescriptions, that are designed to optimize corporate performance and accountability in the interest of shareholders and the broader economy.