Travel Alberta — Managing the Risks of Cloud Computing
Cloud computing is becoming a preferred option for delivering information technology (IT) services for government agencies and businesses of all sizes and jurisdictions. Organizations must manage the risks of this innovative way of using, sharing and storing data to ensure that sensitive information is protected and the benefits of cloud computing are maximized.
Travel Alberta is an early adopter of cloud computing technology. It moved most of its operations to the cloud in 2011, six years before any cloud computing guidance or policies were developed by the Government of Alberta. Nearly all of Travel Alberta’s corporate data resides in the cloud, including its corporate financial records, internal business documents and personal or proprietary information of its employees and business partners. We performed this audit because it is important government entities are managing the risks of using emerging technologies on the personal and corporate data they hold.
- Travel Alberta does not have an effective information technology risk management process to manage the risks related to its use of cloud computing.
- Board oversight of cloud computing risks is lacking.
- Travel Alberta does not classify its data to identify the level of sensitivity and implement appropriate controls to protect confidential information it has.
- Travel Alberta does not identify laws that apply to its information hosted outside of Canada and ensure it’s in compliance with those laws, as well as with provincial privacy requirements.
- Travel Alberta needs to do a better job of monitoring contracts with its cloud service providers to ensure contract terms address identified risks and the provider’s performance is aligned with expected level of service quality.
More government organizations will be turning to cloud computing to use, store and share information, applications and workloads. There are valuable lessons to be learned and shared from Travel Alberta’s experience that can better position other government organizations to maximize the benefits of cloud computing at the appropriate level of risk.