The purpose of this thesis is to analyse how management should act if cloud computing is used to store and handle data. Furthermore, the challenges connected to obeying current cloud legislation are discussed. Throughout the thesis, special attention is given to the Danish Data Protection Act and how this legislation affects the above-mentioned analysis and discussion.

To analyse how management should act in relation to the use of cloud computing, an account of management's main tasks and responsibilities is given first. This includes the requirements that the Danish Companies Act places on the board and general management, emphasizing two main areas of interest for management: risk assessment and IT governance. Secondly, to identify the areas in which the Data Protection Act influences management's use of cloud computing, an elaborate account of the legislation is given.

The analysis focuses mainly on two issues: the advantages and the risks of cloud computing. The first part of the analysis therefore looks at why, how and when cloud computing should be used. It is argued that management should consider using cloud computing: to gain access to the advantages; by composing an elaborate and well-researched contract; and when it is worthwhile for the company. The second part is concerned with the risks associated with using cloud computing. The chapter therefore analyses the information security attributes and the threats against security connected with cloud computing. It is argued that management must ensure that multiple precautionary security measures are implemented by the cloud provider and are functioning effectively, to secure the aforementioned attributes and to mitigate the security threats.

In the discussion of the thesis, emphasis is on the challenges that management faces in upholding the law when using cloud computing. It is, among other things, argued that the Data Protection Act sets up unnecessary barriers for businesses wishing to use cloud computing by focusing too much on the means by which management must gain the necessary assurance about the level of data protection. Furthermore, it is discussed whether the legislation is in keeping with the times, in which information technology undergoes vast developments, and it is argued that perhaps an update is appropriate.
|Educations||MSc in Auditing, (Graduate Programme) Final Thesis|
|Number of pages||86|