3.3.4 Identify and Implement Control Objectives
Once risks and their impact have been identified, they must be treated adequately; that is the purpose of the control objectives below. The controls addressing the needs of the organisation differ in nature from those addressing software or service offerings, but both are subject to what must be transparently reported through the accountability process (see Table 7).
| Identifier | Control Objective | Lifecycle Phase |
|---|---|---|
| 1.03 | Treat the organisational risks in an accountable and responsible manner, while keeping the ability to demonstrate due diligence. | 1+2 - Governance |
| 1.04 | Ensure the organisation deploys the necessary means for the fulfilment of the obligations, in terms of resources, personnel, funding, authority and executive leadership. Ensure the organisation is aligned on the objectives. | 1+2 - Governance |
| 1.07 | Ensure that accountability principles and requirements are built in across all relevant organisational processes. Avoid operating the programme as a silo or an afterthought. | 1+2 - Governance |
| 1.12 | Maintain a registry of job (function) profiles in relation to the obligation, identify sensitive positions, and define recruiting criteria and continuous training programmes. Ensure legal compliance regarding staff. | 1+2 - Governance |
| 1.14 | Deploy techniques and tools supporting authorisation based on segregation of duties. Use tools guaranteeing that all actions are logged and allow the identification of the agent and of the authoriser, within the constraints of the law. | 1+2 - Governance |
| 3.03 | Define, maintain, and validate risk treatments and associated controls. Ensure continuous monitoring of the state and effectiveness of the risk treatment plan, e.g. with metrics and dashboards. | 3 - Analyse and Design |
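Control 1.14 asks for two technical properties: an authorisation step that enforces segregation of duties (the person requesting a sensitive action cannot be the one approving it), and logging that identifies both the agent and the authoriser for every decision. The following is an added illustration written for this page, not part of the A4Cloud Reference Architecture or Toolkit. The role names, the users, and the choice of a SHA-256 hash chain to make the log tamper-evident are assumptions for the example; denied requests are logged as well as approved ones, since a due-diligence review needs to see both.

```python
"""Dual-control authorisation with a tamper-evident (hash-chained) audit log.

Added example: not A4Cloud code. Role names and users are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Assumed role model: which roles may *request* a sensitive action and which
# may *authorise* one. Holding both roles is allowed, but self-approval is not.
ROLE_REQUEST = {"dba", "ops"}
ROLE_AUTHORISE = {"security-officer", "ops-lead"}


class AuthorisationError(Exception):
    """Raised when a request violates the segregation-of-duties policy."""


@dataclass
class AuditRecord:
    seq: int
    action: str
    agent: str                 # who requested the action (control 1.14)
    authoriser: Optional[str]  # who approved or was asked to approve it
    outcome: str
    prev_hash: str
    hash: str = ""


class AuditLog:
    """Append-only log. Each record commits to the previous record's hash,
    so editing or deleting an earlier entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[AuditRecord] = []

    @staticmethod
    def _digest(rec: AuditRecord) -> str:
        body = json.dumps([rec.seq, rec.action, rec.agent, rec.authoriser,
                           rec.outcome, rec.prev_hash])
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, action: str, agent: str, authoriser: Optional[str],
               outcome: str) -> AuditRecord:
        prev = self.records[-1].hash if self.records else self.GENESIS
        rec = AuditRecord(len(self.records), action, agent, authoriser, outcome, prev)
        rec.hash = self._digest(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True if every record still matches its own hash and the chain."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or rec.hash != self._digest(rec):
                return False
            prev = rec.hash
        return True


class DualControlAuthoriser:
    def __init__(self, roles: dict[str, set[str]], log: AuditLog) -> None:
        self.roles = roles
        self.log = log

    def authorise(self, action: str, agent: str, authoriser: str) -> bool:
        """Approve `action` only if agent may request it, authoriser may approve
        it, and they are different identities. Every decision is logged."""
        try:
            if agent == authoriser:
                raise AuthorisationError("self-authorisation violates segregation of duties")
            if not self.roles.get(agent, set()) & ROLE_REQUEST:
                raise AuthorisationError(f"{agent} is not permitted to request {action!r}")
            if not self.roles.get(authoriser, set()) & ROLE_AUTHORISE:
                raise AuthorisationError(f"{authoriser} is not permitted to authorise {action!r}")
        except AuthorisationError as exc:
            self.log.append(action, agent, authoriser, f"denied: {exc}")
            return False
        self.log.append(action, agent, authoriser, "approved")
        return True


def demo() -> tuple[tuple[bool, bool, bool], bool, bool]:
    """Run three constructed requests, then show that tampering is detected."""
    log = AuditLog()
    roles = {"alice": {"dba"}, "bob": {"ops-lead"}, "carol": {"dba", "ops-lead"}}
    az = DualControlAuthoriser(roles, log)
    r1 = az.authorise("drop-table customers", "alice", "bob")    # approved
    r2 = az.authorise("drop-table customers", "carol", "carol")  # denied: self
    r3 = az.authorise("drop-table customers", "bob", "alice")    # denied: bob cannot request
    intact = log.verify()                                        # True
    log.records[0].outcome = "denied"                            # simulate after-the-fact edit
    return (r1, r2, r3), intact, log.verify()                    # chain now fails


if __name__ == "__main__":
    print(demo())
```

In a real deployment the log would be written to a store the agent and authoriser cannot modify (a separate service or WORM storage) and the identities would come from an authenticated session rather than from call arguments; the hash chain only makes tampering detectable, it does not prevent it. The "within the constraints of the law" clause of 1.14 matters here too: the identities recorded are personal data, so retention and access to the log are themselves subject to the obligations being tracked.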
Download the preliminary release of the Cloud Accountability Reference Architecture and the relevant A4Cloud Toolkit.