An audit of Travel Alberta found Alberta’s tourism agency is not managing the risks of its use of cloud computing, potentially exposing itself to data loss, privacy breaches and business interruptions.
In a December 2019 report on Managing the Risks of Cloud Computing at Travel Alberta, Auditor General Doug Wylie found board oversight over cloud-related risks was lacking, and it had no processes to assess, respond, monitor, report and document the risks associated with its use of cloud computing.
“Cloud computing can offer service improvements and a more cost efficient level than traditional IT systems, but as data travels over the Internet and is housed in the cloud, it could potentially expose sensitive data to unauthorized users,” Wylie said. “Effective processes to manage the risks of cloud computing are essential to protect both Travel Alberta’s corporate information, as well as the data it retains on behalf of its tourism partners and clients.”
Wylie said Travel Alberta needs to do a better job in:
- managing its contracts with its cloud service providers to ensure the contract terms address identified risks and the provider’s performance meets the expected level of service quality
- classifying its data to identify the level of sensitivity, and implement appropriate contractual terms to protect confidential information
- identifying laws that apply to its information being hosted outside of Canada and ensure compliance with those laws, as well as with provincial privacy requirements
Wylie conducted the audit on Travel Alberta as an early adopter of cloud computing technology, having moved to the cloud in 2011 – six years before any cloud computing guidance or policies were developed by the Government of Alberta. The Government of Alberta plans to transition many of its computing systems and applications to the cloud in the near future.
“While our audit examined how Travel Alberta is managing the risks related to its use of the cloud, the findings in this audit can provide valuable lessons to be learned and shared with other government organizations to maximize the benefits of cloud computing, and at the appropriate level of risk,” Wylie said.