ISGcloud: a Security Governance Framework for Cloud Computing

Security risks to organizations' information assets are hindering the development of cloud computing services. A comprehensive security governance process is needed to foster the massive adoption of cloud services and to facilitate the deployment of a security culture within any company. In this paper, we present a framework focused on the security governance of the cloud computing environment (ISGcloud), which has been built upon standards. Its principal components are based on the ISO/IEC 38500 governance standard and on the ISO/IEC 27036 outsourcing security draft. We propose a systematic collection of activities and their related tasks which detail how security governance can be deployed during the entire cloud service lifecycle. Furthermore, the whole framework is formally modelled following the SPEM 2.0 specification that provides a standardized interface with which to automate and integrate our proposed process. The theoretical definition of our proposal is also accompanied by a practical example of its application, which provides specific details of ISGcloud framework's implementation.