Our Governance and Compliance Service

Our Governance and Compliance service

Ensuring governance and compliance in cloud environments is a primary concern for highly regulated and security-conscious organisations on their cloud adoption journey. However, governance is more than just the legal obligations and regulatory bodies. True organisational governance includes people, processes, and tooling which are then reinforced by cloud policies and controls to ensure that consistent compliance standards are used throughout the cloud environments.

Based on a decade of experience deploying Cloud at Scale™ securely within financial services institutions, Sourced applies the principle that there is no single methodology for the implementation of controls. Instead, Sourced consults with its clients to understand their risk posture and fashions strategies for specific risk vectors and their respective control in a layered arrangement consisting of:

Control Policy Objectives

Business, Risk, Security, Regulatory and Technology teams co-develop control policies and objectives into a framework which outlines organisational standard and benchmark measures for designing, operating and managing controls and maintaining their effectiveness.

Preventative Controls

Will introduce mechanisms to ensure that an elevated risk position cannot be achieved under any circumstances.

Detective Controls

Will ensure that an elevated risk position due to either a failure or dispensation against a preventative control is reported.

Corrective Controls

Will introduce mechanisms Will perform an automated response to return a risk position back to a normal level.

Control Policy Testing and Reporting

To ensure large scale compliance of controls across an enterprise with their objectives, there must be tools and processes to continuously evaluate controls for their effectiveness and compliance with policies to ensure that cloud posture is consistent with policy directives.

All three control approaches to cloud compliance require the same process of analysis, definition of policy and control objectives, engineering, and maintenance of the controls in an operational environment. Cloud providers’ commercial advantage centres around a very high rate of innovation and access to new services. Unique to cloud providers, these features are generally released as enhancements into existing running environments as opposed to a traditional opt-in update or licensing process.

The control systems must therefore be able to interpret these new features, assess their risks, understand changes to the risk posture, and distribute controls continuously, and with a high frequency. The rate of innovation now exceeds hundreds of features per provider every quarter, and therefore the control system must be capable of distributing changes at a high velocity.