If you are a CIO, CTO or compliance officer tasked with evaluating a cloud vendor, give Linda Tucci’s excellent new SearchCIO.com article a read: “Addressing compliance requirements in cloud computing contracts.”
In the piece, Tucci reports on interviews with Debra Logan, an enterprise content management analyst at Stamford, Conn.-based Gartner Inc, and Tom McHale, vice president of product management for CA’s GRC Manager suite, to gain answers to the following questions:
- Who has access to sensitive data in the cloud?
- Data backup: How often, how long, how well?
- How will you manage e-discovery requests and satisfy different retention laws?
“Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud does not remove a company’s responsibility for the legal, regulatory and audit obligations attached to that information,” Tucci writes. “CIOs should be ready with a list of compliance questions for cloud vendors. But don’t expect their answers to suffice.”
Gartner recommends, in fact, getting a security assessment from a neutral third party before committing to a specific vendor of cloud computing, In a report released in June, entitled “Assessing the Security Risks of Cloud Computing,” Gartner analysts and write that cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing.”
As noted in Tucci’s article, however, Logan is skeptical about adoption, especially for companies in heavily regulated industries. In Logan’s view, “If legal departments are paying attention when companies are adopting cloud services, they will put the brakes on fast. Early adoption of cloud services will be significantly inhibited by cloud providers’ failure to adequately address security, privacy and risk concerns, especially among highly regulated industries.”