The article focuses on the tier 3 security risks related to the operation and use of cloud-based information systems. To prevent and mitigate any threats, adverse actions, service disruptions, attacks, or compromises, organizations need to quantify their residual risk below the threshold of the acceptable level of risk. The risk-based approach of managing information systems is a holistic activity that needs to provide a disciplined and structured process that integrates cloud-based information system's security and risk management activities into the system development life cycle. Adopting a cloud-based solution for an information system requires cloud Consumers to diligently identify their security requirement, assess each prospective service provider's security and privacy controls, negotiate SLA and SA and build trust with the cloud Provider before authorizing the service. A thorough risk analysis coupled with secure cloud Ecosystem orchestration introduced in this article, along with adequate guidance on negotiating SLAs, are intended to assist the cloud Consumer in managing risk and making informed decisions in adopting cloud services.