December 4, 2013 - Companies seeking to improve information security without incurring significant expense are increasingly turning to the cloud for security as a service (SecaaS), which promises low costs and high flexibility. But when cloud security is already a concern, outsourcing security services themselves to the cloud poses a significant set of risks to address. A new free, downloadable white paper from global IT association ISACA evaluates the impact of SecaaS on an enterprise and outlines 10 key questions to ask—and answer—before deploying it.

According to Security as a Service: Business Benefits With Security, Governance and Assurance Perspectives, among the key questions to ensure risks are managed are:

1. Which cloud service model is best suited for our needs?
2. Where will the information be located and what retention policies apply?
3. How will the information be protected (what physical and logical controls will be in place)?
4. How will we include the provider and outsourced services in the business continuity and disaster recovery plans?
5. Can data be transferred to another provider if the contract is terminated?

“Enterprises can outsource information security services, but they cannot outsource accountability for security,” said Patrick Hanrion, CISM, CISSP, CNE, director of Security and Privacy, McGladrey LLP, and author of the white paper. “Answering these questions helps to ensure that controls are in place to protect the enterprise’s information assets.”

The ISACA guide emphasizes that companies utilizing SecaaS must still know the information and IT assets that are critical to them and manage the risk associated with using a vendor to protect these assets.

“Without this vital understanding, there is no way for the enterprise to determine which security services it needs and which threats it needs to protect against,” said Hanrion.

Security as a Service outlines strategies for addressing risk, as well as key governance and assurance considerations based on guidance in the COBIT framework.