A performance audit into the maturity of cloud computing governance at seven Agencies has found the State’s current approach could be strengthened through increased collaboration between Agencies.
In his Report 16 of 2021 Cloud computing in SA Government, Auditor-General, Andrew Richardson examined the extent of services and data the Agencies moved to a cloud environment as well as the type of cloud service models they used and the associated costs.
Mr Richardson said the State’s current cloud approach to computing could be strengthened through increased collaboration between Agencies with centralised reporting to either the Department of the Premier and Cabinet (DPC), or some form of inter-Agency forum.
He said the aim would be to help Agencies while they moved their services to the cloud by providing guidance, risk mitigation, a more consistent approach to managing cloud computing and the integration of security governance.
The Auditor-General said the use of cloud computing could also help Agencies increase their business and innovation opportunities, lower their operational costs, introduce infrastructure efficiencies and increase operational scalability.
He said that like any outsourced arrangement in the public sector however, risk remained with the Agency.
Mr Richardson said the level of governance over cloud computing exercised by most of the Agencies could be improved in such areas as risk assessment; annual independent assessments; cloud computing service level agreements; and cloud computing policies and procedures.
The Auditor-General made six key recommendations for the Agencies to develop policies and procedures to support their cloud computing activities; involve ICT security teams during the evaluation of new cloud services; perform a risk assessment before implementing a cloud computing service; annually review provider’s security certificates and independent ICT security reports; ensure contract arrangements for cloud service providers included service levels for responsiveness, throughput, availability, reliability and redundancy; and that regular reviews be conducted to ensure access is appropriately applied.
The Auditor-General’s 28-page Report can be accessed at this PS News link and the Audit team was Andrew Corrigan, Brenton Borgman, Tyson Hancock, Abhinav Tomar and Spoorthy Chitti.
