3.5 Accountability Control Framework Alternative for SME
Typically, small businesses do not have a structured and formalised approach to dealing with governance and organisational processes. Likewise, medium enterprises that do not have a specific focus on delivering e-services, or that do not make extensive use of IT, usually lack the staff and expertise to define IT governance or formalise IT processes. Nevertheless, accountability is relevant for all businesses. We are therefore proposing an alternative to the governance-led approach defined in sections 3.3 and 3.4 above: this section proposes a set of guidelines that can be employed by SMEs. Note that, as with the control framework defined in section 3.3, adopting this set of guidelines does not mean that the business will automatically be in compliance with laws and regulations.
Our approach is to identify and make explicit key principles that underpin a simplified accountability control framework. This is not a simple mapping exercise: it is analogous to trying to identify the closed set of universal and unequivocal principles which are behind the rules of our society – an impossible task. The list we propose is only the result of a “best effort” pragmatic exercise, and is neither complete nor accurate. A sincere and proactive adoption of these principles, as opposed to just a tick-the-box checklist approach, should lead the organisation to operate in an accountable manner.
- Embrace responsibilities: Obligations are not limited to what is defined in the law or in contracts; social norms, especially ethical behaviour and eco-responsibility, also result in obligations. Promises made publicly and the “values” at the root of the business equally translate into obligations. Providers are also encouraged to undertake obligations that assist customers in achieving compliance. While creating and maintaining a document that lists this full set of obligations is not generally achievable, a short document listing the categories of obligations and identifying the main ones is very useful for ensuring alignment across the whole organisation and providing consistency over time. Sector associations and specialised publications are a good source for identifying the obligations specified in the law and in social norms.
- Promote transparency: An accountable organisation must be willing to explain, and ready to demonstrate, its practices to its customers and statutory stakeholders in a transparent manner[15]. This includes, but is not limited to, information on its financial and legal status, descriptions and terms of services, the supply chain, the technology used, operational processes, and the safeguards deployed[16]. A service provider acting in a chain of accountability must also be willing to provide access to information and systems as required by its customers to comply with their obligations and demonstrate accountability.
- Support participation: The organisation must have mechanisms in place to allow customer participation and consent, in particular over the use of protected information in the context of accountability for data protection. Hidden practices, such as the use of data beyond what is explicitly agreed with the customer, are not acceptable for an accountable organisation. Policies, as well as terms and conditions, must be clearly stated, in a manner that can be understood by non-experts. An organisation should not collect data beyond what it is required to collect to fulfil its obligations.
- Foster individual accountability: The organisation must adopt an accountability mindset. In particular, this means that every staff member commits to ethical behaviour and is both open (transparent) and ready to explain what has been done. To the extent possible, mechanisms should be in place to trace actions to their authors. The organisation should deploy separation-of-duty authorisation profiles to the extent that they do not create a significant single point of failure due to limited staffing[17].
- Plan for contingencies: Handling contingencies is an integral part of the provided services. This implies that a 360-degree risk analysis and risk treatment plan has been performed, identifying the potential failure points and ensuring adequate remedies will be provided in case of failures[18]. These failures can be of an organisational nature (e.g. loss of staff), technological nature (e.g. software vulnerability, system crash), environmental nature (e.g. earthquake, flooding, storms, accidents), financial nature (e.g. inability to secure funding, loss of business), legal nature (e.g. litigation, change in laws and regulations), to cite just a few. When relevant, the risk analysis must be coupled with an impact assessment focused on impacts to the service customer and its clients. The mechanisms to receive, handle and respond to customer complaints must be in place. Communication with customers and other stakeholders in case of issues must be proactive.
- Commit responsibly: The organisation must ensure it has the means to fulfil its commitments and obligations before agreeing to provide a service. This means that adequate means are deployed in areas such as staffing, training, production resources, technology maturity, service management and monitoring tools, etc. This does not exclude the use of emerging and non-mature techniques or technologies, but it does mean that the customer is aware of the situation and has accepted the associated risks. The organisation must be ready and willing to respond and provide remedy in case of an incident, breach, or other failure to render the promised service, whether it originates internally or from a third party. This might require securing liability insurance cover when processing highly sensitive, valuable, or high-risk data, although remedies are not always in the form of financial compensation. It may also require obtaining retainers to mobilise external help in case specific high-impact events occur.
- Adopt best practices: Best practices for providing services are available from many sources and in many forms, from cookbook-style methodologies to complete frameworks associated with certifications or attestations. The organisation should be aware of these various schemes and adopt those most applicable to its profile (line of business, size, market segment, etc.). These best practices provide a baseline service level at minimum cost compared to building a custom solution, as the latter requires an often expensive analysis specific to the organisation or the offering. Similarly, the adoption of model contracts, with well-defined properties and operational consequences leading to balanced responsibilities, is advisable.
- Manage the supply chain: Cloud-based solutions often involve a provisioning chain through which the services of many suppliers are composed to provide the solution. Being accountable for the solution means that the organisation is accountable not only for what it operates, but also for what is operated by third parties. As a consequence, the organisation must understand the commitments of its third parties, their level of accountability, and how these will compose to meet its obligations. The approach to risks and the handling of incidents is a key factor to consider. A best practice consists in using a limited set of suppliers with blanket service agreements, used across the whole solution portfolio, thereby handling the design and implementation of the solution separately from the selection of the supplier. Contracts must be managed and regularly reviewed, and the third parties must regularly provide evidence that they are operating in an accountable way (for example by means of audits or certifications). See [11] for additional recommendations.
- Collect and protect evidence: Providing an account to stakeholders relies on evidence gathered during the operational phase of the service. The collection, archival, and protection of evidence are therefore key to behaving in an accountable manner. This is not limited to application logs, but should also include the logs of the various management systems and the records of non-IT processes, such as sign-up sheets or recorded authorisations. While a simple verbal “yes” may be operationally sufficient, an accountable approach requires that it be documented. Likewise, interactions with customers, stakeholders and other third parties must be documented and traceable. A service provider must also be willing to provide evidence as required by its customers to comply with their obligations and demonstrate accountability.
- Demonstrate accountability: The SME must be able to demonstrate its compliance with obligations. This involves the creation of an account (see section 4.1) either at regular intervals (e.g. a yearly reporting cycle) or as required by contract or regulation (e.g. in case of the investigation of a breach by the DPA). Contracts and certification/attestation requirements will often mandate the use of external auditing services to perform an analysis of compliance.
The above list addresses the topic of accountability, but not what the organisation is accountable for. An additional set of principles and actions needs to be identified for that, and this set depends on the topic for which accountability is provided, e.g.:
- Accountability for availability – this caters to uptime service agreements, backup, resilience to natural disasters, etc.
- Accountability for security – this caters to the integrity and confidentiality of data and processes.
- Accountability for data protection – this addresses the use and protection of confidential data, as defined by regulation, and includes the privacy and security requirements applicable to that data.
Note that these additional sets of principles and actions are not in the scope of this architecture document, which solely focuses on accountability.
In addition, national or regional laws and regulations may define specific accountability responsibilities or mandate certain accountability controls when an organisation processes certain types of data or operates in certain sectors. The good faith application of the above list of principles cannot, in most cases, be a substitute for what is legally required. Refer to [21] for a further discussion of this topic in the data protection domain.
[15] As an example, for the data protection domain, a cloud provider should, voluntarily and where possible in advance, make available to cloud customers all the information which the provider might reasonably expect a customer to be entitled to in order to be satisfied that personal data will be processed appropriately and that the customer can account to a cloud subject for that processing (cf. [21]).
[16] Trade-offs have to be considered because disclosing some information, such as the supply chain or safeguards, may lead to an increased operational risk (cf. [21]).
[17] It is important to ensure that risks arising from missing, ill or departing personnel are considered when defining separation-of-duty authorisation profiles for small organisations.
[18] It must be noted that, depending on the regulations specific to the domain, some risks cannot simply be accepted and must instead be treated.