Evaluate governance requirements

Evaluating governance requirements is essential for ensuring that your workloads align with the organization’s policies, rules, and frameworks designed to achieve business goals. Governance requirements can influence technology choices, workload design, and operational practices, so they need to be thoroughly understood and incorporated to support compliance and risk management. By integrating governance requirements into your workloads, you achieve conformance and gain the ability to demonstrate adherence to your organization’s standards.

Understand Governance Requirements

  • Engage Governance Stakeholders: Involve stakeholders such as risk management, compliance officers, and security teams to understand the governance requirements. Regular workshops, meetings, and discussions help capture the full scope of policies, rules, and frameworks that influence operational practices and technology choices.
  • Identify Relevant Policies and Frameworks: Gather information on applicable governance frameworks (e.g., ISO 27001, ITIL, SOC 2) and internal policies that affect how workloads should be designed and operated. These frameworks may include requirements around data retention, incident management, or access control.

Integrate Governance Requirements into Workloads

  • Define Control Objectives: Translate governance requirements into actionable control objectives for your workload. This may include setting requirements for data encryption, access management, compliance audits, and operational best practices.
  • Incorporate Controls into Workload Design: Design and configure workloads to meet governance control objectives. For instance, enforce access controls using AWS IAM to ensure compliance with internal governance rules, and enable encryption for data at rest and in transit.

Conformance and Demonstration of Compliance

  • Continuous Monitoring for Compliance: Use monitoring tools such as AWS Config and AWS CloudWatch to continuously track workload configurations and detect deviations from governance requirements. Establish compliance rules in AWS Config to ensure that resources meet governance policies.
  • Compliance Auditing and Reporting: Implement auditing mechanisms to periodically evaluate conformance with governance requirements. Use AWS Audit Manager or AWS CloudTrail to collect and review evidence that demonstrates compliance, such as logs of policy enforcement, configuration history, and audit trails.
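As an added, standalone example (not code from this page or from AWS), the Python below mirrors the shape of an AWS Config custom-rule evaluation: each control objective named above (encryption at rest and in transit, restricted access, an audit trail) becomes a check function, every check runs against constructed S3 bucket configuration items, and results use Config's COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE vocabulary. The control identifiers (GOV-ENC-01 and so on), the field names inside the configuration items and the bucket names are assumptions invented for the example; the code does not call the AWS SDK.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Check = Callable[["ConfigItem"], Tuple[bool, str]]


@dataclass
class ConfigItem:
    """A resource snapshot, shaped loosely after an AWS Config configuration item."""
    resource_type: str
    resource_id: str
    configuration: Dict[str, object]


@dataclass
class Evaluation:
    """One control evaluated against one resource, in AWS Config's compliance vocabulary."""
    resource_id: str
    control_id: str
    compliance: str  # "COMPLIANT", "NON_COMPLIANT" or "NOT_APPLICABLE"
    annotation: str


def check_encryption_at_rest(item: ConfigItem) -> Tuple[bool, str]:
    # Control objective: data at rest is encrypted. Field name is an assumption.
    algorithm = item.configuration.get("sse_algorithm")
    if algorithm in ("aws:kms", "AES256"):
        return True, f"default encryption enabled ({algorithm})"
    return False, "no default server-side encryption configured"


def check_encryption_in_transit(item: ConfigItem) -> Tuple[bool, str]:
    # Control objective: data in transit is encrypted. The constructed field records
    # whether the bucket policy denies requests made without TLS.
    if item.configuration.get("denies_insecure_transport") is True:
        return True, "bucket policy denies non-TLS requests"
    return False, "bucket policy does not deny non-TLS requests"


def check_no_public_access(item: ConfigItem) -> Tuple[bool, str]:
    # Control objective: access is restricted; all four Block Public Access settings must be on.
    block = item.configuration.get("public_access_block") or {}
    required = ("block_public_acls", "ignore_public_acls",
                "block_public_policy", "restrict_public_buckets")
    missing = [name for name in required if not block.get(name)]
    if not missing:
        return True, "all Block Public Access settings enabled"
    return False, "Block Public Access settings missing: " + ", ".join(missing)


def check_access_logging(item: ConfigItem) -> Tuple[bool, str]:
    # Control objective: an audit trail exists for access to the data.
    target = item.configuration.get("logging_target_bucket")
    if target:
        return True, f"server access logging delivered to {target}"
    return False, "server access logging disabled"


# Hypothetical control identifiers mapping governance requirements to checks,
# each with the resource types it applies to.
CONTROLS: Dict[str, Tuple[Tuple[str, ...], Check]] = {
    "GOV-ENC-01": (("AWS::S3::Bucket",), check_encryption_at_rest),
    "GOV-ENC-02": (("AWS::S3::Bucket",), check_encryption_in_transit),
    "GOV-IAM-01": (("AWS::S3::Bucket",), check_no_public_access),
    "GOV-LOG-01": (("AWS::S3::Bucket",), check_access_logging),
}


def evaluate(items: List[ConfigItem]) -> List[Evaluation]:
    """Run every control against every item; out-of-scope types get NOT_APPLICABLE."""
    results: List[Evaluation] = []
    for item in items:
        for control_id, (types, check) in CONTROLS.items():
            if item.resource_type not in types:
                results.append(Evaluation(item.resource_id, control_id,
                                          "NOT_APPLICABLE", "resource type not in scope"))
                continue
            ok, note = check(item)
            results.append(Evaluation(item.resource_id, control_id,
                                      "COMPLIANT" if ok else "NON_COMPLIANT", note))
    return results


def non_compliant_by_resource(evaluations: List[Evaluation]) -> Dict[str, List[str]]:
    """Group failing control ids per resource: the evidence an auditor asks for first."""
    failures: Dict[str, List[str]] = {}
    for ev in evaluations:
        if ev.compliance == "NON_COMPLIANT":
            failures.setdefault(ev.resource_id, []).append(ev.control_id)
    return failures


# Constructed sample configuration items (not real resources).
SAMPLE_ITEMS = [
    ConfigItem("AWS::S3::Bucket", "example-finance-records", {
        "sse_algorithm": "aws:kms",
        "denies_insecure_transport": True,
        "public_access_block": {"block_public_acls": True, "ignore_public_acls": True,
                                "block_public_policy": True, "restrict_public_buckets": True},
        "logging_target_bucket": "example-access-logs",
    }),
    ConfigItem("AWS::S3::Bucket", "example-dev-scratch", {
        "sse_algorithm": None,
        "denies_insecure_transport": False,
        "public_access_block": {"block_public_acls": True, "ignore_public_acls": True},
        "logging_target_bucket": None,
    }),
    ConfigItem("AWS::EC2::Volume", "vol-example", {"encrypted": True}),
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_ITEMS):
        if ev.compliance != "NOT_APPLICABLE":
            print(f"{ev.resource_id:24} {ev.control_id:10} {ev.compliance:14} {ev.annotation}")
    print("non-compliant:", non_compliant_by_resource(evaluate(SAMPLE_ITEMS)))
```

The value of writing controls this way is the one-to-one trace from a governance requirement to a control id to a check with a human-readable annotation: the annotation is what ends up in the compliance report, and the per-resource failure list is the deviation that monitoring should alert on. In an actual deployment the same check logic would live in the Lambda function backing an AWS Config custom rule and report each result through the PutEvaluations API, so that AWS Config, not a local script, holds the configuration history and compliance timeline.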

Prioritize Based on Business Impact

  • Assess Business Impact of Governance Compliance: Evaluate how meeting or failing to meet governance requirements affects business goals and risk management. Prioritize adherence to governance controls that are critical to maintaining business continuity, security, and regulatory compliance.
  • Risk and Cost Considerations: Assess the potential risks and costs associated with non-compliance, such as fines, reputational damage, or operational disruptions. Use this analysis to determine which governance requirements are high-priority for implementation and monitoring.

Regularly Review and Update Governance Requirements

  • Ongoing Review of Governance Policies: Governance requirements may evolve based on changes in regulations, business direction, or internal risk appetite. Regularly engage governance stakeholders to stay updated on new policies or changes to existing requirements and adapt your workload accordingly.
  • Adapting Workloads to Governance Changes: Be proactive in updating workload configurations, monitoring, and reporting mechanisms to align with updated governance requirements. Establish change management processes to ensure that all changes are documented and approved.

Support Governance Through Cross-Functional Collaboration

  • Collaborate Across Teams: Foster collaboration between governance, compliance, security, and operations teams to ensure a shared understanding of governance requirements and how they should be implemented in practice. Regular communication ensures that teams remain aligned and compliant.
  • Empower Teams with Governance Tools: Provide teams with the tools and resources needed to understand and implement governance requirements effectively. Train development and operations teams on how governance impacts their roles and how they can support compliance in their day-to-day activities.

Supporting Questions

  • What governance frameworks (e.g., ITIL, COBIT) are you required to follow, and how do they influence your architecture decisions?
  • How do you ensure that all teams and processes comply with your organization’s governance policies?
  • What mechanisms are in place to review and update governance requirements as your business evolves?
  • How do governance requirements shape decisions around access control, data management, and system reliability?
  • How do you adapt workloads to changes in governance policies or frameworks?

AWS Services that may apply

  • AWS Organizations: Helps manage multiple AWS accounts centrally, allowing you to apply governance policies and enforce service control policies (SCPs) across the organization.
  • AWS Control Tower: Provides pre-configured landing zones for setting up governance and best practices across multiple AWS accounts.
  • AWS Config: Continuously monitors and evaluates AWS resource configurations to ensure they comply with governance requirements.
  • AWS Service Catalog: Enables governance by allowing administrators to create and manage a catalog of approved products for deployment.
  • AWS Audit Manager: Helps automate the collection of evidence for audits to demonstrate compliance with internal policies and external regulations.
  • AWS Security Hub: Aggregates security findings to validate that workloads meet the governance requirements defined by organizational security policies.

Roles and Responsibilities

  • Chief Information Officer (CIO) or IT Governance Officer:
    • Responsibilities:
      • Establish and maintain governance frameworks (e.g., ITIL, COBIT) across the organization.
      • Ensure compliance with internal governance policies.
      • Review and approve architectural decisions and resource allocations to ensure they comply with governance policies.
      • Oversee access control policies and ensure they align with governance requirements.
  • Compliance Officer:
    • Responsibilities:
      • Define governance requirements based on applicable regulations, policies, and industry frameworks.
      • Collaborate with workload teams to ensure governance requirements are incorporated into workload design and operations.
  • Security Architect:
    • Responsibilities:
      • Design security controls to align with governance requirements, such as data encryption, identity, and access management.
      • Ensure workload security configurations comply with governance policies and conduct periodic reviews.
  • Security Engineer (or Compliance Officer):
    • Responsibilities:
      • Ensure that architectural decisions comply with security policies and governance requirements.
      • Implement security controls and enforce governance rules (e.g., encryption, IAM policies).
      • Regularly audit and monitor governance controls related to cloud usage and infrastructure.
  • Operations Manager:
    • Responsibilities:
      • Monitor operational compliance with governance requirements using tools like AWS Config.
      • Implement processes for auditing, logging, and reporting conformance to governance standards.

Artefacts

  • Governance Requirement Documentation: Detailed records of organizational policies, regulatory requirements, and governance frameworks that influence workload design and operations.
  • Governance Policies: High-level documentation outlining your organization’s governance framework (e.g., ITIL, COBIT) and how it applies to cloud infrastructure and architecture.
  • Control Objective Documentation: Records detailing the specific control objectives based on governance requirements, including data retention, access control, and security measures.
  • Compliance Audit Reports: Reports generated periodically to demonstrate conformance with governance policies, including audit trails and records of policy enforcement.
  • Service Control Policies (SCPs): In AWS Organizations, SCPs define governance rules and restrictions at an account level. These should be well-documented to clarify how accounts are governed.
  • Access Control Matrix: A detailed table that defines which users, roles, or groups have access to specific AWS resources and the permissions they hold.
  • Audit Logs and Access Reviews: Documentation of regular audits and access reviews to ensure governance policies are being followed and access is controlled appropriately.