CSPs, like other enterprises, need to establish processes, policies, and
procedures for managing their IT systems that are appropriate for the
nature of the service offering, can be operationalized in the culture of
the organization, and satisfy relevant external requirements.In designing their service offerings and supporting processes, CSPs
need to:
Address the requirements of their current and planned customer
base
Establish a strong control foundation that will substantially
meet customer requirements, thereby minimizing the need for
infrastructure customization that could reduce efficiencies and
diminish the value proposition of the CSP’s services
Set a standard that is high enough to address those
requirements
Define standardized processes to drive efficiencies
Figure 1 shows a life cycle
approach for determining, implementing, operating, and
monitoring controls over a CSP.
Here is an explanation of each stage of the life cycle:
Define strategy
As a CSP undertakes to build out or take a fresh look at its
service offerings, the CSP should clearly define its business
strategy and related risk management philosophy. What market
segments or industries does the CSP intend to serve?
This strategic decision will drive the decision of how high
the CSP needs to “set the bar” for its controls. This is an
important decision, as setting it too low will make it difficult to
meet the needs of new customers and setting it too high will make it
difficult for customers to implement and difficult for the CSP to
maintain in a cost-effective manner. A clear strategy will enable
the CSP to meet the baseline requirements of its customers in the
short term and provide the flexibility to incorporate necessary
changes while resisting unnecessary or potentially unprofitable
customization.
Define requirements
Having defined its strategy and target client base, the CSP
must define the requirements for providing services to that client
base. What specific regulatory or industry requirements are
applicable? Are there different levels of requirements for different
sets of clients?
The CSP will need to determine the minimum set of requirements
to serve its client base and the incremental industry-specific
requirements. For example, the CSP will need to determine whether it
supports all of those requirements as part of a base product
offering or whether it offers incremental product offerings with
additional capabilities at a premium, now or in a future
release.
Define architecture
Driven by its strategy and requirements, the CSP must now
determine how to architect and structure its services to address
customer requirements and support planned growth. As part of the
design, for example, the CSP will need to determine which controls
are implemented as part of the service by default and which controls
(e.g., configuration settings, selected platforms, or workflows) are
defined and managed by the customer.
Define policies
The CSP needs to translate its requirements into policies. In defining
such policies, the CSP should draw upon applicable industry
standards as discussed in the sections that follow. The CSP will
also need to take a critical look at its staffing model and ensure
alignment with policy requirements.
Define processes and procedures
The CSP then needs to translate its policy requirements into
defined, repeatable processes and procedures—again using applicable
industry standards and leading practices guidance. Controls should
be automated to the greatest extent possible for scalability and to
facilitate monitoring.
Ongoing operations
Having defined its processes and procedures, the CSP needs to
implement and execute its defined processes, again ensuring that its
staffing model supports the business requirements.
Ongoing monitoring
The CSP should monitor the effectiveness of its key control activities on an
ongoing basis with instances of non-compliance reported and acted
upon. Compliance with the relevant internal and external
requirements should be realized as a result of a robust monitoring
program.
Continuous improvement
As issues and improvement opportunities are identified, the CSP
should ensure that there is a feedback loop to guarantee that
processes and controls are continuously improved as the organization
matures and customer requirements evolve.