Storm Clouds
Kenneth R. Ledger
Director, Risk Management
Ken’s Top 5 Storm Clouds
1. Not knowing what you want
2. Misunderstanding standards
3. Not having a plan B
4. Trusting but not verifying
5. Governance and disclosure
1. Not Knowing What You Want
• Different needs have different challenges (SaaS, IaaS, mobility, cost)
• Understand the nature of the data you are putting in the cloud
• Long term intent
• Security, disaster recovery, scheduled outages, QOS
• Are you okay if the provider accesses data? If so, why/how/when
2. Misunderstanding standards
• Many providers will quote standards; know what they mean.
• Standards provide assurances of external audit
• SSAE 16 Type II - attestation
• CICA 9110 - audit standards
• ISO 27001 - security
3. Not having a plan B
• Can you recover your data if a supplier fails
• Can you recover the apps to use the data
• Services can start small and grow to become a key control
• Is there an alternate supplier
4. Trusting but not verifying
• Have a plan to audit
• SSAE16 provides independent assurance, but to specified control objectives
• Ensure control objectives align with internal control needs
• Consider potential for fraud
5. Governance & Disclosure
• Cloud solutions may become a material part of your business
• Material changes must be disclosed (NI 51-102)
• Potential to cause a material weakness in controls
• Know what to disclose and when
Defining leadership in global energy services through people, innovation,
and technology —The path for others to follow.