Cloud Gal 42

Corporate & Cloud Governance

June 5, 2021 / June 9, 2021 by admin

Policies are the foundation of corporate governance. To be effective, they require penalties as well as senior management sponsorship. Policies are created in response to a requirement such as a standard or requirement benchmark. This standard is the result of either a regulation, which is a legislative requirement, or a contractual requirement, such as a contract agreement or an industry requirement such as the Payment Card Industry Data Security Standard.

Procedures are methods and instructions on how to maintain or accomplish the directives of the policy. A baseline is the benchmark to evaluate if the goals of the policy have been achieved. A guideline is an arbitrary method of accomplishing a task. It is not a requirement but more of a suggestion.

All of these ultimately need to be audited, either internally or externally (both in some cases).

Conflicting International Legislation

One of the biggest challenges faced while creating a corporate governance framework is conflicting international legislation. Cloud computing exacerbates this further, since the technology capabilities of cloud offerings make it possible to provision and consume cloud services with greater ease and fewer geographic restraints than in previous technology ages.

Since each nation has a deep history of societal values, norms, religious influences, and domestic judicial precedent, there are considerable differences between nations' legal systems. The term conflict of laws describes the global outcome where each nation's legal system represents its sovereign expectation of self-rule. This in turn means that what one nation considers lawful might be considered unlawful by another nation.

Evaluation of Legal Risks Specific to Cloud Computing

The ease of availability of cloud services is complicated by the innumerable laws and regulations and various legal risks that exist throughout the globe. Adherence to one legal requirement within a specific geographic region in the world, perhaps where an organization originates, may not cover the stringent or conflicting legal requirements within another geographic region in the world. It is also possible that legal requirements directly conflict as they exist to cover different needs in various world regions. An assortment of legal risks to evaluate before consuming cloud services includes but is not limited to:

  • Laws and regulations to protect personally identifiable information (PII)
  • Unauthorized access, modification, loss, amendment, or alteration of legally protected or regulated data
  • Fines and legal challenges related to the failure to protect data from destruction, alteration, or disclosure
  • The adherence to data sovereignty requirements that are mandated by geographic borders (geofencing), nations, unions, and cooperatives
  • Legal cases related to tort or criminal matters
  • Legal cases related to contractual responsibility and mandated liability

It is also important to remember that compliance has two primary drivers: internal drivers and external drivers. Internal drivers can include the commitments that the organization requires to meet the spirit of its mission, the strategy to fulfill that mission, the goals in response to the strategy, and the measurable objectives that are designed to meet those goals. Organizations must operate under the laws and regulations of the regime where they do business. Therefore, the external drivers of compliance include the law incumbent upon all citizens and visitors of the regime under which an organization does business and any related regulations tied to the industry or process connected to the organization's business.
