The IT Certification Resource Center

Featured Deal

Get CompTIA, Cisco, or Microsoft training courses free for a week.
Learn More ❯

10 Questions to Ask Before Deploying Security as a Service

Rolling Meadows, IL, USA (4 December 2013) — Companies seeking to improve information security without incurring significant expense are increasingly turning to the cloud for security as a service (SecaaS), which promises low costs and high flexibility. But when cloud security is already a concern, outsourcing security services themselves to the cloud poses a significant set of risks to address. A new white paper from global IT association ISACA evaluates the impact of SecaaS on an enterprise and outlines 10 key questions to ask — and answer — before deploying it.

According to Security as a Service: Business Benefits With Security, Governance and Assurance Perspectives, among the key questions to ensure risks are managed are:

  1. Which cloud service model is best suited for our needs?
  2. Where will the information be located and what retention policies apply?
  3. How will the information be protected (what physical and logical controls will be in place)?
  4. How will we include the provider and outsourced services in the business continuity and disaster recovery plans?
  5. Can data be transferred to another provider if the contract is terminated?

“Enterprises can outsource information security services, but they cannot outsource accountability for security,” said Patrick Hanrion, CISM, CISSP, CNE, director of Security and Privacy, McGladrey LLP, and author of the white paper. “Answering these questions helps to ensure that controls are in place to protect the enterprise’s information assets.”

The ISACA guide emphasizes that companies utilizing SecaaS must still know the information and IT assets that are critical to them and manage the risk associated with using a vendor to protect these assets.

“Without this vital understanding, there is no way for the enterprise to determine which security services it needs and which threats it needs to protect against,” said Hanrion.

Security as a Service outlines strategies for addressing risk, as well as key governance and assurance considerations based on guidance in the COBIT framework. The paper is free at


With more than 110,000 constituents in 180 countries, ISACA ( helps business and IT leaders maximize value and manage risk related to information and technology. Founded in 1969, the nonprofit, independent ISACA is an advocate for professionals involved in information security, assurance, risk management and governance. These professionals rely on ISACA as the trusted source for information and technology knowledge, community, standards and certification. The association, which has 200 chapters worldwide, advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. ISACA also developed and continually updates COBIT, a business framework that helps enterprises in all industries and geographies govern and manage their information and technology.

Participate in the ISACA Knowledge Center:

Follow ISACA on Twitter:

Join ISACA on LinkedIn: ISACA (Official),

Like ISACA on Facebook: