Page 77 - Cloud Migration Version 2012 english

e.g. based on ITIL or COBIT, as a structured basis for performing the many 
different security management tasks such as patch, configuration, change, 
system and application management. The best scenario would be for the 
Cloud provider to offer certification summaries, e.g. ISO 27001, SSAE 16 
(formerly SAS 70), EuroCloud Star Audit (Chapter 4.2: Certification) etc.  
Business continuity management should be established and implemented 
on the basis of BSI Standard 100‐4 or BS 25999 to protect the Cloud from 
serious disruptions and crises. Tests and drills should be performed on a 
regular basis in order to check the effectiveness of these business continuity 
procedures. Cloud users and the Cloud provider should categorise in 
advance the priority of Cloud services for recovery. 
In addition to the geographical storage location of the data, Cloud users 
should also take the Cloud provider's headquarters into consideration. 
As most of today's established Cloud providers have their headquarters in 
the USA, they are governed by US law, e.g. the Patriot Act, which gives the 
US government access to users' data without having to inform the data 
owners (Chapter 3: What to discuss with a Lawyer). 
3.2.3 Using risk management to prevent security incidents
The blind transfer or utilisation of information and IT services to or from the 
Cloud without sufficient precautions is like piloting an aircraft through thick 
clouds by sight alone, when there is a strong risk the pilot becomes 
disoriented and is unable to stay on his course.[32]
Yet this does not mean that flying in cloudy weather is inadmissible or 
particularly dangerous. On the contrary! Instrument flight rules apply to 
more than 90% of all flights even in bad weather conditions. 
The metaphor of the pilot in thick Cloud cover can and should be used to 
illustrate the usage of Cloud services.  
The risks faced by users of Cloud services are, on the one hand, strategic and 
contract-related risks inherent to the relationship between the Cloud user and 
the Cloud provider; these are clarified in the chapter of this book on legal and 
tax aspects. On the other hand, there are operational IT risks which arise from 
the relative unreliability of these services. 
[32] An expanded version of this chapter can be found under