Storm Clouds Kenneth R. Ledger Director, Risk Management


Storm Clouds

Kenneth R. Ledger, Director, Risk Management


Ken’s Top 5 Storm Clouds

1. Not knowing what you want
2. Misunderstanding standards
3. Not having a plan B
4. Trusting but not verifying
5. Governance and disclosure


1. Not Knowing What You Want

• Different needs have different challenges (SaaS, IaaS, mobility, cost)

• Understand the nature of the data you are putting in the cloud

• Long term intent

• Security, disaster recovery, scheduled outages, QOS

• Are you okay if the provider accesses data? If so, why/how/when


2. Misunderstanding standards

• Many providers will quote standards; know what they mean.

• Standards provide assurances of external audit

• SSAE 16 Type II - attestation

• CICA 9110 - audit standards

• ISO 27001 - security


3. Not having a plan B

• Can you recover your data if a supplier fails?

• Can you recover the apps to use the data?

• Services can start small and grow to become a key control

• Is there an alternate supplier?


4. Trusting but not verifying

• Have a plan to audit

• SSAE16 provides independent assurance, but to specified control objectives

• Ensure control objectives align with internal control needs

• Consider potential for fraud


5. Governance & Disclosure

• Cloud solutions may become a material part of your business

• Material changes must be disclosed (NI 51-102)

• Potential to cause a material weakness in controls

• Know what to disclose and when


Defining leadership in global energy services through people, innovation, and technology —The path for others to follow.