S.R. Chaput and K. Ringwood

14.2.4.2  Business Impact Assessments

Again, without going into too much detail about what a Business Impact Assessment (BIA) is, an organization must identify the business requirements of any one of its systems before considering outsourcing it to the cloud. This means understanding a few key figures for each system in question. For instance, a company should know the Recovery Time Objective (RTO): the maximum acceptable time to restore the function of the system before the outage gravely affects the financial stability of the organization. It should also know the Recovery Point Objective (RPO): the maximum acceptable data loss, expressed as the age of the most recent copy from which the system can be recovered (a four-hour RPO means the backup or replica may be at most four hours stale at the moment of failure). Each of these values drives the cost of the outsourcing arrangement, since shorter RTOs and RPOs demand more redundancy, so great care and diligence need to be exercised in establishing them. Once the assessment is completed, the BIA values need to be communicated to the cloud provider and reflected in the service levels it commits to.

14.2.4.3  Privacy Impact Assessments

Where PII is involved, an organization should conduct a Privacy Impact Assessment (PIA) before engaging the cloud in order to understand the privacy implications and risks of the engagement. The Canadian Federal Government¹⁷ and the Provincial Government of British Columbia (BC)¹⁸ have done an excellent job of providing freely available frameworks and reference materials, all easily found with a search engine.

14.2.5  Due Diligence and Provider Contract Requirements

Once the preliminary requirements have been addressed, and the systems and data with which the cloud is to be seeded have been chosen, it is time to engage the provider and start the rest of the due diligence work. Part of this is capturing the various requirements in contracts and ensuring the organization understands the service it is obtaining and everything that entails. The exercise of diligence can uncover or validate many things. With respect to compliance and security, an organization can verify whether the practices in place on the cloud provider's side are satisfactory and align with the client's requirements.

17 http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paipg-pefrld-eng.asp

18 http://www.cio.gov.bc.ca/services/privacy/Public_Sector/pia/default.asp

14  Cloud Compliance: A Framework for Using Cloud Computing in a Regulated World


14.2.5.1  ISO Certification

Obtaining ISO/IEC 27001:2005¹⁹ certification as a way to demonstrate understanding of and adherence to security best practices may be a valid response; however, the certification is only as useful as the scope the certified company defined for it. Before taking the certificate as evidence of a solid security foundation, investigate its scope (the boundaries of the certified management system and its Statement of Applicability) and how it pertains to the outsourcing arrangement. The worst case would be a certification whose scope covers none of the systems and processes the client will actually use. On the other hand, even where the certification does not address the organization's specific security requirements, it does demonstrate a commitment to having quality programs in place in general.

14.2.5.2  SAS 70 Type II

A common type of externally conducted assessment among North American outsourcing providers is a report under Statement on Auditing Standards No. 70 (SAS 70), Service Organizations.²⁰ A Type I report covers only the design of the controls at a point in time; a Type II report adds the auditor's opinion on the operating effectiveness of the tested controls over a review period. Most outsourcers have these assessments conducted periodically (mostly annually) in order to provide or maintain assurances to their customers, and the associated cost is built into the cost of the outsourcing arrangement. As with ISO certification, the scope of the assessment is of particular concern for clients, all the more so because the control objectives tested are defined by the provider rather than by a fixed standard; so if a provider offers such assurances, remember that ensuring the scope is comprehensive and relevant matters more than how often the assessments are done. (SAS 70 has since been superseded by SSAE 16 and the SOC 1 report for controls over financial reporting; SOC 2 reports cover the security, availability, processing integrity, confidentiality, and privacy criteria that are usually what a security reviewer wants.)

14.2.5.3  PCI PA-DSS or Service Provider

Relevant for the retail space, or any organization processing payment cards, PCI-validated service providers and Payment Application DSS (PA-DSS) validated applications may be in scope for the organization. These are fairly easy to research, at least initially: the PCI Security Standards Council publishes the list of validated payment applications,²¹ and the card brands (Visa, for example) publish lists of compliant service providers on a regular basis. Since an organization cannot outsource to a service provider that has not been validated, nor use an application that is not on the PA-DSS validated list (at least not without bringing those components into the scope of its own assessment, a whole new collection of hoops), it follows that part of its compliance, or lack thereof, remains out of its hands. Conversely, in order to get onto, or remain on, the compliant provider lists, the cloud provider is encouraged to use PA-DSS validated applications to handle the card data of its clients' customers and to revalidate its own PCI DSS compliance as a service provider annually.

19 http://www.iso.ch/

20 http://www.aicpa.org/Professional+Resources/Accounting+and+Auditing/Audit+and+Attest+Standards/Authoritative+Standards+and+Related+Guidance+for+Non-Issuers/auditing_standards.htm

21 https://www.pcisecuritystandards.org/security_standards/vpa/

The challenge with requirements like this is that they depend on the strategic direction of the cloud provider. If, for instance, the provider is not committed to maintaining its PCI status, problems will ensue for the client. Specific language must be inserted into contracts requiring the provider to maintain compliance and to notify the client promptly if it lapses. Further, as a colleague once suggested: plan for the divorce before the wedding. This leads to the concepts of portability and interoperability.

14.2.5.4  Portability and Interoperability

Planning for contingency is paramount for outsourcing arrangements, and cloud arrangements are no different. It is important to identify who owns the data and to ensure that both parties agree. Further, in the event that the arrangement no longer meets the requirements of either party, preparations should be in place to allow a smooth transition away. This can include simple steps such as ensuring proper termination clauses are inserted into legal agreements, but it will likely include more complicated technical considerations. The data surrendered at contract termination may not be in a universal format, and if returned in a vendor-specific proprietary format it might be rendered unreadable. This is not a desired outcome, and an organization must plan for a different result by doing its share of due diligence while negotiating the terms of service (for instance, by specifying the export format, the time allowed for retrieval, and the provider's obligation to destroy its remaining copies once the data has been returned), rather than afterwards when it may be too late.

14.2.5.5  Right to Audit

If the agreement begins to proverbially "go sideways", or the client organization begins to question the results of an assessment, it may be in the client's best interest to conduct its own assessment of the cloud provider's environment and operating procedures. This action, of course, must be predicated on the existence of a "right to audit" clause in the contract. Not to be taken lightly, the right-to-audit clause also implies that the client must be willing to bear the relatively large cost of an impartial third party acting as auditor of the environment. The clause provides the ability to exercise that option and hopefully never needs to be used, acting more as a deterrent against the cloud provider neglecting its responsibilities to the client throughout the full term of the services.
