By Goran Novkovic, MESA Member, CQA, CSQE, ITIL, APM, PMP, PEng
This blog is part of a series called Manufacturing in the Cloud. This series aims to assist manufacturing organizations to evaluate how they can overcome challenges and maximize cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve.
A Service Level Agreement (SLA) with a Cloud Service Provider (CSP) is a living document that must be well understood and negotiated between the Cloud Service Customer (CSC) and the CSP, so that the manufacturing organization, as the CSC, can successfully manage and satisfy all security and regulatory compliance requirements in the cloud. Both parties have an interest in coming to an agreement.
When the manufacturing organization signs the SLA as a legally binding agreement with the CSP, the work does not stop there. Managing the SLA is never finished.
Managing the SLA is a continuous process. The SLA should be constantly monitored, updated and improved to meet the business needs of the manufacturing organization. This is a critically important process, and it provides many opportunities for continuous improvement in satisfying the manufacturing organization's statutory, regulatory and contractual obligations.
- From the CSP's perspective, it has to satisfy the laws and regulations governing its own business, as well as the legal obligations defined by the SLA. For example, the CSP cannot make multiple copies of data outside its own national borders if this is not legally permitted, and it cannot sell the data to someone else for profit.
- On the other hand, the CSC must satisfy the regulatory requirements of the organizations and regulatory bodies it does business with.
Why? Because there are so many elements in ISO 27001 and in other standards, recommendations and best practices (e.g. the NIST SP 800 series) that manufacturing organizations can use to secure their data and software applications while satisfying regulatory compliance requirements.
Goran is a Director in the Cyber-Kinetic Security practice at PwC. He is a Professional Engineer with 17 years of experience in Operational Technology/Industrial Control Systems (OT/ICS) cybersecurity. Goran provides expertise in OT/ICS cybersecurity management and combines it with IT/OT convergence, industrial intelligence and innovative technology solutions (Big Data, AI, ML, IoT/IIoT, Industrial Analytics). Goran helps manufacturing organizations define their cybersecurity goals and objectives, and determine where they currently are and where they want to be in terms of organizational cybersecurity and digital transformation. He works with manufacturing organizations to successfully manage OT/ICS challenges by establishing strong OT cybersecurity governance, defining OT cybersecurity frameworks and developing OT cybersecurity programs from scratch. His approach to OT/ICS cybersecurity includes addressing the safety and security of information, technology, people and facilities. Goran helps manufacturing organizations improve their cybersecurity culture by developing and delivering cybersecurity training and awareness programs. Goran treats cybersecurity initiatives as opportunities for optimization, improvement and innovation for every manufacturing organization, regardless of size or industry sector.