Shared Responsibility is not Shared Risk! Managing Risk in a Shared Responsibility Environment.

Presenter: David Pearson

In this presentation we will examine how Security Assessment & Authorization (SA&A) activities can deal with control implementations spread across multiple places (the organization, the cloud service provider, and other third parties) and still arrive at a consolidated view of risk, and how GRC tools can support that work. For example, when adopting cloud services it is tempting to try to transfer risk to the cloud provider, but the cloud provider is not in the business of managing risk on your behalf: the consuming organization remains accountable for the risk decision even when the controls are implemented by someone else. Instead, it is necessary to understand which controls the cloud provider has put in place, what evidence supports them, and how they contribute to mitigating your risks. This is a complex undertaking that often involves contracts, vendor security assessments, audits, and similar mechanisms. The advent of the ITSG-33 control library and its associated Cloud profile goes a long way toward helping, especially as cloud service providers align with FedRAMP in the US.