3.3.1 Identify and Accept Responsibility Control Objectives
Being accountable starts with having an in-depth understanding of, and committing to, obligations derived from law, social norms, agreements, organisational values and ethical obligations. This applies both to the organisation as a whole, e.g. obligations related to the business domain in which the organisation is engaged, and to each offering, e.g. specific obligations associated with the profile contractual clauses of a service offering. The organisational-level commitment must be made by senior and executive management. The corresponding objectives are described in the table below:
| Identifier [13] | Control Objective | Lifecycle Phase |
|---|---|---|
| 1.01 | The organisation must understand and document relevant obligations in breadth and in depth, whether from law, social norms, agreements, organisational values or ethical behaviour. Understand the impact of not fulfilling the obligations. Accept responsibility for fulfilling these obligations in an accountable and responsible manner. | 1+2 - Governance |
| 1.13 | Compliance readiness: liaison to external agencies (domestic and foreign). Ensure the organisation tracks external criteria and reporting requirements using a mix of specialised information services, industry associations, professional networks, specialised conferences, and consultants. Maintain the legally-required documentation. | 1+2 - Governance |
| 3.01 | Define the accountability object: describe the functionality and associated non-functional requirements of the product or service, inventory the data stored and processed, inventory the obligations for which the organisation will be accountable, inventory the assets related to the functionality and obligations, and perform an impact assessment. Keep and update a record of assets and impacts. | 3 - Analyse and Design |

Table 4: Identify and Accept responsibility control objectives.
[13] The identifier is solely used as a means to easily cross-reference the control objectives in this and other documents. The control objectives may be organised by process group or by lifecycle phase; the identifiers correspond to the latter structure and have not been modified for this document.



