Energy Credit Best Practices – Chapter: Information Technology http://ccro.org © Copyright 2022, CCRO. All rights reserved.

become business-process critical or are otherwise not on an organization’s go-forward Standard Operating Procedure. As time progresses and priorities dictate, these solutions are expected to be updated, resulting in these same mid-to-large-sized companies closing the gap towards a complete cloud-based Platform in the near future.

During the design phase of any cloud platform project, significant consideration should be given to how Cloud Providers may be leveraged beyond the given project's immediate need and scope. Deciding on a Cloud Provider based only on a current set of high-priority requirements may ultimately lead to longer-term challenges, including higher total costs and difficulties supporting these platforms. A good portion of each Cloud Provider’s functionality is based on other technologies, such as multiple application and website hosting services. These capabilities need to be considered today for future IT Standard Operating Procedure activities.

The cloud platform environment is constantly changing and evolving. Given the current pace of change, it is recommended to limit cloud platform decisions to a 3-year perspective. These platforms have a significant ability to impact IT’s capability to provide robust, efficient functionality to Credit's business and need to be carefully managed.

In a recent publication of CIO Magazine, a relevant quote is worth considering:

“A best practice is to ensure that for all requested Cloud Services, [the services] are subjected to proper architecture and Security reviews on any IaaS, PaaS, or SaaS vendor platforms, before being approved for use in the enterprise,” Smith says.
“Guidance and guardrails must be established before any public cloud vendor tools can be provided to the organization, including ongoing monitoring of all usage.” “IT, Cybersecurity, and legal must all work together to keep in front of all efforts of business users to procure and consume new Cloud Services,” Smith says.

3.4 System Security and Redundancy

3.4.1 Data Security

• Physical Security - As obvious as it may appear, physically securing an IT system tends to be a frequently overlooked requirement for ensuring overall IT security. As IT Systems become further distributed physically (on-premise, cloud-based, a hybrid of both, or even 3rd party hosted elements), it becomes crucial to adopt a thorough Physical Security approach. Physical Security should consider, at a minimum, the mechanisms for access to and egress from physical computing components such as servers, storage arrays, and network/routing devices, as well as platforms that may have unrestricted or quickly accessible access to these components. A large portion of Security breaches occur simply because someone can walk onto a premise and physically plug a cable into the network. Regular audits of who has physical access to Credit's physical IT resources should be performed; this proactive step minimizes the exposure and risk associated with IT security.