Dual Governance Streams
CIF is a membership-based not-for-profit organisation answerable to its members. It has two separate governance streams: one for business activity (the Management Board responsible for administration, development, finance and similar) and one for governance of the CIF Code of Practice scheme (the Code Governance Board). This sheet is primarily concerned with governance issues related to the Code of Practice.
Code Governance Board
CIF established the Code Governance Board to have responsibility for overseeing CIF’s Code of Practice (‘Code’). To that end the Code Governance Board oversees the conduct of the administration of the CIF Code by reviewing CIF’s management activity and processes. The Code Governance Board discharges some of its responsibilities directly and otherwise delegates to its committees. The Code Governance Board’s responsibility is limited to overseeing the CIF Code. The responsibility for the day-to-day management and operation of CIF’s business lies with its Management Board directors and members.
CIF members elect a party of 12 representatives and independent advisors to sit on the Code Governance Board of CIF. The Code Governance Board is chaired by a member representative on a bi-annual basis. Membership of the Code Governance Board is bi-annual and made up as follows:
- 4 Members from industry
- 3 Members from end-user organisations
- 3 Members from independent advisors (academics, IT standards champions, influencers, etc).
- 2 Members from IT legal practice
An additional 4 non-voting seats will be reserved for representatives of formally recognised partner organisations that are aligned to the Code by specialism (e.g. technology or security standards) or by international focus (extending the reach of the Code).
The Code Governance Board is responsible for the following:
- approving the CIF Code ‘s goals, objectives and strategies
- identifying the principal risks of the CIF Code ‘s operations and scope and overseeing the implementation of appropriate risk assessment systems to manage these risks
- reviewing and approving changes to the CIF Code
- reviewing and approving the CIF Code ‘s financial performance to ensure it operates viably
- monitoring participant appeals, third party complaints and operational standards and consistency associated to the operation of the CIF Code
- assessing its own effectiveness in fulfilling its responsibilities, including monitoring the effectiveness of individual Representatives
- ensuring the integrity of the CIF Code ’s internal control system and management information systems.
Development and Maintenance of the Code
The Code will be developed by CIF under the direction of the Management Board.
All changes to the Code shall be approved by the Code Governance Board, which shall also provide guidance as to the Code’s goals, objectives and strategies.
Collaboration with Standards Organisations and Related Bodies
By nature of the industry CIF will need to operate on an international stage as the Cloud has no geographic boundary (though our legal remit will focus initially on the UK). CIF will collaborate and endorse appropriate security and technical interoperability standards that are outside of, but complement, the Code.
CIF participates in the activities of ISO/IEC JTC1 SC38 which includes cloud computing via CIF’s participation in the corresponding committee of the British Standards Institution.
CIF also actively cooperates with other industry bodies with similar interests. It has a formal liaison relationship with the Computer Security Alliance (CSA) and includes coverage of the CSA’s Consensus Assessments Initiative Questionnaire in the Code.