rmogull
commented
7 years ago link or reference you recommend? I', not familiar with it.
Open leenewcombe opened 7 years ago
rmogull
commented
7 years ago link or reference you recommend? I', not familiar with it.
leenewcombe
commented
7 years ago Here you go, one from ISACA and one from the Institute of Internal Auditors:
http://www.isaca.org/Journal/archives/2011/Volume-5/Pages/The-Three-Lines-of-Defence-Related-to-Risk-Governance.aspx and https://na.theiia.org/standard s-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf
The Three Lines of Defence (Defense :)) model is a popular Governance model and it seems well-suited to the cloud approach in terms of it's descriptions of those who operate controls, an oversight function and independent audit. The Governance section at the moment seems quite heavily focussed on contractual issues rather than Governance per se and it would benefit from further consideration of governance models.