Risk management
Use cloud to lower your risk profile.
Any transformation journey includes many different types of risks, including security, compliance, environmental, resiliency, and business. An organization either rejects, accepts and manages, or transfers the risks. The risk management lifecycle is cyclically completed through assessments to identify risks, treatments through the implementation of risk mitigation strategies, and management through continuous monitoring. Efforts and resources to perform risk assessments, treatments, and management can be significantly reduced by moving workloads to the cloud, enabling the business to innovate faster and operate more efficiently.
Start
Develop or identify an industry leading risk management framework. Identify and create an inventory of the high value assets, including but not limited to people, process, technology and data. Organizations must identify, categorize, assess, and quantify:
- Operational risks related to infrastructure availability, reliability, performance, and security
- Business risks related to reputation, business continuity, and the ability to quickly respond to changing market conditions
- Compliance risks for companies obligated to comply with laws, regulations, or rules associated with the industries in which they participate, such as National Institute of Standards and Technology (NIST) 800-53, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), and others
Develop the risk profile and determine organizational risk appetite based on each identified event’s impact to the business and its acceptable probability of occurrence. Clearly understand the attributes that are contributing to an elevated risk profile. Identify the areas where risk can most readily be reduced. Build an initial backlog of stories and a roadmap for lowering your risk profile on the cloud.
Consider using cloud to reduce risks relating to infrastructure operations and failure. Eliminate the need for large upfront infrastructure expenditures and reduce the risk of purchasing assets that may be no longer needed. Depending on the needs of your users, mitigate procurement schedule risks by using cloud to instantly provision and deprovision resources.
Advance
Maintain a strong risk posture in the cloud, without having to define, build, and maintain hundreds of controls. Remove the burden of defining, enforcing, and evidencing the configurations and controls required to ensure the confidentiality, integrity, and availability of high value assets. Organizations should consider continuous risk assessments to understand and prioritize AWS services in an agile manner. Consider a shift left
Implement AWS services required for risk management and compliance including:
Continuously monitor, inventory, and tag the business’s AWS high value assets into the right categories. Include third-party risks in the risk management approach.
Excel
Automate and orchestrate to provide means for the risk management processes to enforce controls consistently by using policy as code. Automating processes and workflows minimizes defects due to human error by embedding automated controls and tests into the DevSecOps pipelines.
Consider implementing AWS Control Tower, AWS CloudFormation, Terraform
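As an added illustration of policy as code embedded in a DevSecOps pipeline (example code, not from the AWS CAF or any AWS tool), the gate below checks a CloudFormation template before deployment: every resource must carry the tags that place it in the risk inventory, and a bucket tagged as a compliance (high value) asset must block public access. The tag names `RiskCategory` and `Owner`, the category values, and the sample template are assumptions constructed for the example.

```python
# Added example: a policy-as-code gate run by a pipeline against a CloudFormation
# template. Tag keys and category values are an assumed schema, not AWS-defined.
import json

REQUIRED_TAGS = {"RiskCategory", "Owner"}                  # assumed tag schema
RISK_CATEGORIES = {"operational", "business", "compliance"}  # inventory categories
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")

def check_template(template: dict) -> list[str]:
    """Return one finding per violated control; an empty list means compliant."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        tags = {t["Key"]: t["Value"] for t in props.get("Tags", []) if "Key" in t}
        missing = sorted(REQUIRED_TAGS - tags.keys())
        if missing:
            findings.append(f"{name}: missing required tag(s) {missing}")
        category = tags.get("RiskCategory")
        if category is not None and category not in RISK_CATEGORIES:
            findings.append(f"{name}: unknown RiskCategory '{category}'")
        # High value (compliance) buckets must have all four public-access blocks on.
        if res.get("Type") == "AWS::S3::Bucket" and category == "compliance":
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PUBLIC_ACCESS_KEYS):
                findings.append(f"{name}: compliance bucket does not block public access")
    return findings

def pipeline_gate(template_json: str) -> bool:
    """Pipeline step: report findings and fail the build when any exist."""
    findings = check_template(json.loads(template_json))
    for finding in findings:
        print("POLICY FAIL:", finding)
    return not findings

# Constructed sample template: one compliant bucket, one that fails two controls.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "RecordsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "Tags": [{"Key": "RiskCategory", "Value": "compliance"},
                 {"Key": "Owner", "Value": "risk-team"}],
        "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_KEYS}}},
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "Tags": [{"Key": "RiskCategory", "Value": "compliance"}]}}}})

if __name__ == "__main__":
    print("deploy allowed" if pipeline_gate(SAMPLE_TEMPLATE) else "deploy blocked")
```

The same check can be pointed at a Terraform plan or a Control Tower account baseline by swapping the template parser; the control logic stays the same.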