Domain 2 - Three Lines of Defence?

[leenewcombe]

The Three Lines of Defence (Defense :)) model is a popular Governance model and it seems well-suited to the cloud approach in terms of it's descriptions of those who operate controls, an oversight function and independent audit. The Governance section at the moment seems quite heavily focussed on contractual issues rather than Governance per se and it would benefit from further consideration of governance models.

[rmogull]

link or reference you recommend? I', not familiar with it.

[leenewcombe]

Here you go, one from ISACA and one from the Institute of Internal Auditors:

http://www.isaca.org/Journal/archives/2011/Volume-5/Pages/The-Three-Lines-of-Defence-Related-to-Risk-Governance.aspx and
https://na.theiia.org/standard s-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf