Cloud Computing Governance Framework – Cloud Computing Governance (Informative)

 

What is Cloud Computing Governance?

At the most abstract level, governance seeks to ensure that what we are governing is doing the right things right:

  • Are we doing the right things?
  • Are we doing them the right way?
  • How do we know?

Cloud computing governance is a view of IT governance focused on accountability, defining decision rights and balancing benefit or value, risk, and resources in an environment embracing cloud computing. Cloud computing governance creates business-driven policies and principles that establish the appropriate degree of investments and control around the lifecycle process for cloud computing services.

This ensures all enterprise expenditures related to cloud are aligned with the business objectives, promote data integrity across the enterprise, encourage innovation, and mitigate the risk of data loss or non-compliance with regulations. It recognizes that cloud computing increases the pervasive nature of IT and ensures enterprise-level decision-makers are able to address the overall IT investment, resource requirements, opportunities for value, and implications of risk – regardless of organization or delivery provider.

Landscape of Governance Models and Standards

The landscape of governance models and standards includes models and standards that satisfy the following criteria:

  • Driven by business governance while addressing IT governance
  • Global and not specific to any geography
  • Not specific to any one industry domain
  • Align with existing governance models and standards

The following standards, frameworks, and best practices are considered in the light of these criteria:

  1. TOGAF 9.1 is an Open Group standard. This Enterprise Architecture framework provides guidelines on architecture governance, a practice and orientation by which Enterprise Architectures and other architectures are managed and controlled at an enterprise-wide level.
  2. COBIT 5 is a framework for governance of enterprise IT that complements the COSO framework for corporate governance. The latest version, COBIT 5, has incorporated the Risk IT and Val IT frameworks of COBIT 4.1, and removed the confusing control objectives.
  3. ITIL v3 contains best practice and process guidance for governance of service strategy and service management that is foundational to cloud computing governance.
  4. The SOA Governance Framework, an Open Group standard, addresses the subset of corporate governance that is focused on the governance of SOA.
  5. ISO/IEC 38500:2015 is an ISO/IEC standard for IT governance. Aspects of this are also included in COBIT 5.
  6. Val IT™ from the IT Governance Institute (ITGI), based on the COBIT 4.1 framework, provides principles and processes for evaluation and selection of IT-enabled business investments, and benefit realization and delivery of value from those investments.
  7. Risk IT™ from the IT Governance Institute (ITGI), based on the COBIT 4.1 framework, provides principles and processes for the risk management of IT-enabled business investments.
  8. Calder-Moir IT, an implementation of the ISO/IEC 38500 standard, provides a way of organizing IT governance issues and tools.
  9. COSO is a framework of internal controls developed by the Committee of Sponsoring Organizations (COSO) in the US.
  10. Balanced Scorecard is an approach to determining organizational performance based on non-financial (such as customer satisfaction) as well as financial metrics.

The table shows the evaluation of these standards against the criteria. Cloud computing governance is subsequently represented in the context of those standards that address both business and IT governance.

 

| # | Standard/Framework/Best Practice | Specific to IT or Business | Geo-neutral | Existing Standards Alignment | In/Out |
|---|---|---|---|---|---|
| 1 | TOGAF Governance (TOGAF 9.1) | Driven by business addressing IT | Yes | Yes | In |
| 2 | COBIT 5 | Driven by business addressing IT | Yes | Yes | In |
| 3 | ITIL v3 | Driven by IT aligned with business | Yes | Yes | In |
| 4 | SOA Governance | Driven by business addressing IT | Yes | Yes | In |
| 5 | ISO/IEC 38500 | IT-specific | Yes | Yes | Out |
| 6 | Val IT | Driven by business addressing IT | Yes | Yes | Out (overlaps with COBIT 5) |
| 7 | Risk IT | Driven by business addressing IT | Yes | Yes | Out (overlaps with COBIT 5) |
| 8 | Calder-Moir IT Governance Framework | IT-specific | Yes | Yes | Out |
| 9 | COSO | Driven by business | Yes | Yes | Out |
| 10 | Balanced Scorecard | Driven by business | Yes | Yes | Out (overlaps with COBIT 5) |

The standards, frameworks, and best practices that are considered as part of the landscape are those that address both the business and IT aspects of governance:

  • TOGAF 9.1 – architecture governance
  • COBIT 5
  • ITIL v3
  • The Open Group SOA Governance Framework

The other standards, frameworks, and best practices are not considered as part of the landscape for the reasons listed below, in addition to the fact that they are more specific to IT:

  • ISO/IEC 38500 – overlaps with ITIL v3 and COBIT 5.
  • Val IT – overlaps with COBIT 5 and is based on COBIT 4.1.
  • Risk IT – overlaps with COBIT 5 and is based on COBIT 4.1.
  • Calder-Moir IT – overlaps and is based on ISO/IEC 38500.
  • COSO – business governance framework, addressed by COBIT.
  • Balanced Scorecard – addressed by COBIT.

Position of the Cloud Computing Governance Framework in the Landscape

The figure illustrates the scope and relationship of the Cloud Computing Governance Framework with other industry frameworks. It shows the position of the Cloud Computing Governance Framework in relation to other forms of governance within the enterprise.

The figure shows how the frameworks in the landscape of governance models and standards are related. It is divided vertically into domains of increasing strategic significance, from left to right, with each domain supporting the next. IT governance and Enterprise Architecture (EA) governance align with each other and are part of a single technology governance domain.

The Open Group Cloud Computing Governance Framework is intended for use by enterprises as they establish cloud computing governance. The Cloud Computing Governance Framework is a subset of overall business governance which includes IT and EA governance. It contains the unique characteristics from all types of governance that are essential to cloud computing governance.

Business governance addresses the overarching governance of the business, which is enabled by the governance of IT and EA. The Cloud Computing Governance Framework will include the decision rights and accountability of the business related to cloud computing.

IT governance (COBIT) addresses business value creation through optimization of IT benefits, value-delivery, risk, and resources. The Cloud Computing Governance Framework includes specific aspects of IT governance that are unique to cloud computing value creation, benefits, risk, and resource optimization.

EA governance (TOGAF) supports enterprise governance by providing the architecture vision, standards, and principles to achieve the future state business model through business and IT architecture disciplines. EA governance aligns to IT governance and is considered a key management process for effective IT governance (COBIT – APO03 Manage Enterprise Architecture). The Cloud Computing Governance Framework includes specific aspects of EA governance required for cloud computing governance.

ITIL v3 addresses service governance, including the service strategy, design, and operation of business and IT services. The Cloud Computing Governance Framework includes the specific cloud computing governance characteristics for business and IT service strategy, design, and operation.

The Cloud Computing Governance Framework builds upon the foundation established by The Open Group SOA Governance Framework. The Cloud Computing Governance Framework references existing elements of the SOA Governance Framework and includes additions or modifications that are specific for cloud computing governance.

In summary, sound business, IT, EA, service management, and SOA governance are essential to effective cloud computing governance.