WHAT TO HAVE IN MIND?
The move towards cloud computing is exciting for many businesses. Not only can they realise cost savings through reduced maintenance of their own IT systems, many cloud tools enable new levels of sharing, collaboration and ease of access, which can transform the way businesses work.
However, wider adoption of cloud computing brings increased scrutiny, both from users and regulators. The availability, integrity and confidentiality of data remain critical for any business regardless of whether it is stored on site or in the cloud. Thus, prior to entering any hosting or cloud arrangement, companies should have a robust process in place to evaluate the service.
As a starting point, organisations need to determine the type of cloud service they intend to use (for example software, platform or infrastructure as a service, since the split of security responsibilities between customer and provider differs for each). Each service to be deployed should be rated according to the business function it supports and how critical that function is. Also:
- Involve the IT or security team early, in partnership with the business. That way, security and compliance issues can be addressed upfront, allowing business decision makers to conduct a risk-reward assessment prior to selecting the right vendor.
- Check whether the provider holds a recognised security certification or assessment (eg: ISO/IEC 27001 or IRAP). Note that a certificate covers a defined scope: ask for the certificate and its scope statement, and confirm that the specific service you will consume is within it.
- Ask what happens to your data at the end of the contract: how is it removed from the provider's hardware, including backups and replicas, and how is that removal evidenced?
- Check what happens to any hardware used to store your data when it reaches end of life. How is it destroyed or recycled?
- How are information security breaches or incidents reported to you, within what timeframe, and by what process?
- What compliance requirements do you have? Must data be hosted locally (data residency), and does the provider commit to this in the contract?
- What rights do you have to audit the supplier, or at least to review their internal or independent audit reports?
- How sustainable is the organisation? Is it a relatively new supplier, or does it have a proven track record and a viable business model?
- How does the contract deal with access control (who at the provider can access your data, and how that access is logged) and change management procedures?
- What are the business continuity and disaster recovery arrangements in the event of a disaster, including recovery time and recovery point objectives?
- How does the contract deal with these types of information security requirements, and what are the remedies if they are not met?
- Ensure Service Level Agreements meet the expectations of the business.
As technology continues to evolve at a rapid pace, it is fundamental to stay abreast of regulatory changes that impact the use of cloud services to ensure continued compliance. Also, establish a way to gain ongoing assurance (for example periodic review of certifications, audit reports and incident records) that service providers continue to maintain high standards of data security, availability and integrity.
Protecht is the leading provider of Enterprise Risk Management software to Australian federal government agencies and industry. We have spent the last few months enhancing our own security framework, gaining the ISO27000 certification in 2016. If you are interested in how we are using Protecht.ERM to support compliance and our security processes, contact email@example.com