
Addressing compliance requirements in cloud computing contracts

By Linda Tucci, Senior News Writer
11 Jun 2009 | SearchCIO.com


Companies looking to use cloud computing infrastructure for data backup and storage need to factor in the compliance requirements before contracts are signed.


In some cases, the cloud provider will be able to satisfy compliance requirements -- but often at a price, according to two market experts. Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud do not remove a company's responsibility for the legal, regulatory and audit obligations attached to that information.

CIOs should be ready with a list of compliance questions for cloud vendors. But don't expect their answers to suffice. Indeed, Gartner Inc. published a report last month stating that security, privacy and compliance will prevent adoption of cloud computing in regulated industries and global companies through 2012.

Here are some guidelines and advice from Debra Logan, an enterprise content management analyst for Stamford, Conn.-based Gartner, and Tom McHale, vice president of product management for CA's GRC manager suite.

Who has access to sensitive data in the cloud?

Cloud data centers often come with SAS 70 certification and some capability for auditing. The security at cloud data centers, especially perimeter security, is good most of the time. But there are many personnel questions to answer.


"Although you are buying the infrastructure, you are still responsible for who is getting access to those applications, who is administering those applications, and the separation of duties of those people who are dealing with the data," McHale said.

Companies typically do regular background checks to ensure that their employees are certified and trustworthy, and they need to see what types of personnel processes their cloud vendor follows. McHale cautioned, however, that unless you are a very big customer, you won't have much luck prescribing personnel policy: e.g., requiring drug testing every three months. "Your company may well have policies that are pretty restrictive for people handling sensitive data, in which case, this can be a challenge."

Data backup: How often, how long, how well?

CIOs should nail down how often their systems will be backed up and the vendor's windows for scheduled maintenance, when systems may not be available. "It may take them five or six hours to do the backup," McHale said.

Once the backup and maintenance schedule is determined, there are the privacy and security issues to consider: What exactly can administrators see when they start doing the backup? Do the administrators have to have access to the data? What tools are used to make sure the backup (or a copy of it) doesn't go on a CD or thumb drive but only through an approved system?

Gartner's Debra Logan recommends that you ask for a description of the infrastructure, the format in which the data is held, what happens to backup tapes, and whether or not you can have specific retention processes applied to your data.

How will you manage E-discovery requests and satisfy different retention laws?

Companies are subject to myriad laws and regulations that stipulate how, and for how long, data must be kept, SOX being one. A number of countries -- Germany and the U.K., for example -- have specific regulations relating to email. The Federal Rules of Civil Procedure (FRCP) that U.S. lawyers must follow in civil cases require the disclosure of electronically stored information at an early stage of a case, Logan points out. These are matters that must be addressed with vendors.

"The process, costs and duties for discovery and preservation requirements need to be negotiated up front, and the appropriate protocols for maintaining attorney-client privilege should also be established at the outset," Logan advised in a May 29 note.

Logan lists questions for negotiating cloud computing terms:
  • What happens if I need to preserve data?
  • How is the data collection to be done if I need to produce data?
  • Who will do it?
  • What is the SLA, given that "preservation" kicks in almost immediately after getting a subpoena, and only 90 to 120 days are allowed for producing the data?
  • Which jurisdictions are your data centers in, and how is privacy protected in those jurisdictions?
  • How do you respond to governmental requests for information about your data?
  • In what format is it possible to export the data from the hosted service?
  • How can you ensure that cross-border legal limitations on storage of data are met?

If your company is in a heavily regulated industry, Logan is skeptical you'll be doing a lot of IT business in the cloud for the next few years. If legal departments are paying attention when companies are adopting cloud services, they will put the brakes on fast, she said.

"Early adoption of cloud services will be significantly inhibited by cloud providers' failure to adequately address security, privacy and risk concerns," she said, "especially among highly regulated industries."
