audit world slides
TRANSCRIPT
MIS Training Institute© 2012 W. David Snead, P.C. Reproduction Prohibited
Auditing Your Cloud Transaction
Session 36
Friday, September 21, 2012
9:45 am
David Snead
Attorney + Counselor
Roadmap
• Who is your cloud provider?
• Why certain legal issues are critical
• Non-traditional legal issues
• Negotiating your contracts
• Creating an auditable partnership
Who is your cloud provider?
• Controller
• Processor
• Transferor / Transferrer
What are the goals of your audit?
Safeguarding assets
Maintaining data integrity
Achieving organizational goals
Using resources wisely
Ensuring legal compliance
Why certain legal issues are critical
• Data Governance
• Facility Security
• Information Security
• Legal
• Operations
• Risk Management
• Release Management
• Resiliency
• Security Architecture
Non-traditional legal issues
• Data Governance
• Data Retention:
Can you enforce data retention obligations?
How will you or your provider respond to legal process?
Are you required to monitor compliance regularly?
• Contract issues:
Non-traditional legal issues
• Information Security
• Policies:
Flow down of security policies to cloud ecosystem
Can you monitor security needs against your security baseline?
• Monitoring:
• Segregation:
Is your data, and subsets, segregated from others?
Non-traditional legal issues
• Information Security
• Documentation:
Get a copy of your provider’s incident response plan
Provider should have the ability to preserve data
• Litigation holds:
Determine if response plan adequately delegates
Understand notification procedure
• Breach:
Ensure that procedure meets state law obligations
Non-traditional legal issues
• Security Architecture
• Access:
Are contractual / regulatory requirements covered?
What does your contract say?
Why certain legal issues are critical
• Risk Management
• Insurance:
Trust but verify
What do you actually need?
• SLA:
Align policies
How frequently does your provider audit?
• Risk assessments:
How are these audits conveyed to you?
Non-traditional legal issues
• Operations Management
• Documentation:
Do internal policies support your needs?
Have you given your technical needs to provider?
Negotiating your contracts
In what country is the provider located?
Where is the provider’s infrastructure?
Will other providers be used?
Negotiating your contracts
What will happen to the data on termination?
Where will the data be physically located?
Should jurisdiction be split?
How will data be collected, processed, transferred?
Negotiating your contracts
Reliability
• Demonstrated by metrics
• Objective criteria used
• Third party vendors considered
Contract
• Standard SLA may need additional clauses for response time, fallback options, standards of service
• Static v. flexible SLA
Negotiating your contracts
Security
• Define “breach”
• Determine when a breach happens
• Assume there will be data breach laws
• Review any laws that may currently exist
• Understand who will be responsible for security
• Create enforceable contract terms
• Remember post termination issues
• Understand that you may not be made whole
Require your vendor to have skin in the game.
Negotiating your contracts
Access
• Document data to which you have access
• Limit the number of employees who have access to data
• Create and implement access policies
• Require written notice
• Don’t assume validity
• Include legal advisor
Negotiating your contracts
Access
• Understand and define law enforcement access
• Don’t assume your country’s laws will prevail
• Don’t let stereotypes interfere with a legal analysis
• Try to create definition
Understand who has access to data and under what circumstances.
Negotiating your contracts
Termination
• Create and implement deletion policies
• Flow down contract terms to vendors
• Do not assume security ends upon termination
When agreement terminates, your rights terminate.
Toolkit
Determine how services will be used
Evaluate cloud structure
Understand data collection, processing and transfer
Security breach notification
High risk regulatory areas
Disposition of data on termination
W. David Snead
Attorney + Counselor
[email protected] / Twitter
thewhir.com / Blog