Due Diligence for Cloud Computing Service Arrangements

August 3rd, 2010

Regardless of how you start down the path toward cloud computing or outsourcing, a written RFP that has been vetted by the stakeholders within the organization (IT, legal, compliance, information security, and all of the relevant business groups) is usually a helpful starting point.

Listed below is a starter set of questions that would normally be posed to elicit more information and begin to frame a future service arrangement. It is implied that for each question asked below, the requestor would follow up by obtaining a copy of the relevant document (policy, audit report, contract) to substantiate the answer, rather than accepting a verbal assurance.

  1. Does the cloud service provider have a written information security policy that maps against the requirements of applicable federal (Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, etc.) and state (Massachusetts, Nevada, etc.) data security laws, and any applicable industry and government standards (International Organization for Standardization, National Institute of Standards and Technology, Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act)?
  2. Has the cloud service provider had an independent third-party audit of its security, and will it share the report and the scope of what was actually audited?
  3. What does the cloud provider’s contract provide in terms of privacy and data protection?
  4. What kind of data will be stored, processed, and/or maintained in the cloud?
  5. Where do the data subjects reside? (see article on “heat map” discussion: http://wp.me/p3840-17 )
  6. Where will the data be stored?
  7. Where are the servers?
  8. Will the data be transferred to other locations, and if so, when, where, and under what circumstances?
  9. Can certain types of data be restricted to particular geographic areas?
  10. What is the compliance plan for cross-border data transfers?
  11. Has the cloud service provider experienced any data security breaches involving the services in question that required notification to cloud service clients? What were the circumstances of those breaches? How many records were compromised? Did the cloud service provider cover the clients’ out-of-pocket expenses associated with the breach and indemnify the clients for any claims arising from it?

There are numerous privacy and data security provisions that can apply to a cloud service contract; several of the key topics are listed below. The primary purpose of these initial provisions is to establish clear and concise definitions of terms, and this abbreviated list is meant as a starting point for contract discussions, not as a complete set.

  1. Define scope of information to be protected
  2. Define “reasonable security.” Reasonable is unfortunately a catch-all phrase; if it is not defined and agreed to by both parties, it should never be used in a contract.
  3. Define restriction on use and disclosure of sensitive information
  4. Define audit rights and frequency
  5. Define what constitutes a security breach or incident, and how and within what time frame that breach is recorded and reported to the client.
  6. Define indemnification and limitation of liability (the contract areas that generally give everyone the biggest headaches).
  7. Define compliance with applicable data protection laws based on where the infrastructure, the data, and the data subjects reside.

Let Daniel L. Ruggles and the team at PM Kinetics, LLC help you navigate the complexities of Cloud Computing, Sourcing & Capital Planning, Vendor Management, IT Security, and Infrastructure planning & execution.