How Kelly Services manages risk in the cloud

March 23, 2011 — CSO — Kelly Services Inc., a Troy, Mich., provider of workforce services, has launched a number of cloud computing initiatives -- for applications such as customer relationship management and messaging and collaboration. CSO contributor Bob Violino recently interviewed Rosie Rivel, senior manager of IT global risk and compliance at Kelly, regarding risk and the cloud.

To continue reading, register here to become an Insider

March 23, 2011 — CSO — Kelly Services Inc., a Troy, Mich., provider of workforce services, has launched a number of cloud computing initiatives -- for applications such as customer relationship management and messaging and collaboration. CSO contributor Bob Violino recently interviewed Rosie Rivel, senior manager of IT global risk and compliance at Kelly, regarding risk and the cloud.

Also see: The cloud security survival guide

CSO: What do you consider the most important risk management issues related to the cloud?
Rivel: From a broad perspective it is important for organizations to recognize that the ownership of the risk still resides within, and it is essential to quickly identify and assess the different engagement [models] for cloud services so that the organization can create a risk management framework that addresses these security and risk issues.

The areas of security and risk management concern would be in the following [areas]: Understanding the legal implications and ensuring Kelly is compliant to the jurisdictions of the data owners as well as the jurisdictions of the physical location of cloud providers' primary and back-up data centers; [and] understanding the complexity of existing in a multi-tenant environment and its impact to our operations, such as security, encryption and access controls at every level. Another example would be operational impact if legal holds on other tenant's data could also suspend access to Kelly Services' data. An emerging issue, as cloud services is a relatively new and growing trend, is the need to harmonize global security and data privacy legislation to accommodate the dynamics of this model.

Get your morning news fix with the daily Salted Hash e-newsletter! Sign up today.

CSO: What types of things is Kelly Services doing to mitigate the risks associated with clouds, and particularly public cloud services?
Rivel: There are several processes Kelly has in place to address the risks related to cloud-based services. Kelly engages the same internal groups as we would to evaluate our internal security and risk management initiatives. The IT organization works in conjunction with the company's legal and purchasing groups to perform a robust vendor assessment from security and risk management capabilities, financial viability, operational processes, regulatory compliance adherence, contractual expectations, just to name a few. The company's Internal Audit and Internal Control groups request audit reports and perform periodic audits to ensure the appropriate security and operational controls are in place to meet our customers' and legislative obligations. Kelly Services' Risk Management team performs a risk assessment based on the new operational model and provides recommendations for remediation efforts as well as implications to Kelly Services' current insurance portfolio.