IT Compliance Advisor

Jun 11 2009   6:02PM GMT

Gartner and CA on addressing compliance requirements in cloud computing

Guy Pardon

If you are a CIO, CTO or compliance officer tasked with evaluating a cloud vendor, give Linda Tucci’s excellent new article a read: “Addressing compliance requirements in cloud computing contracts.”

In the piece, Tucci reports on interviews with Debra Logan, an enterprise content management analyst at Stamford, Conn.-based Gartner Inc., and Tom McHale, vice president of product management for CA’s GRC Manager suite, to gain answers to the following questions:

  • Who has access to sensitive data in the cloud?
  • Data backup: How often, how long, how well?
  • How will you manage e-discovery requests and satisfy different retention laws?

“Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud does not remove a company’s responsibility for the legal, regulatory and audit obligations attached to that information,” Tucci writes. “CIOs should be ready with a list of compliance questions for cloud vendors. But don’t expect their answers to suffice.”

Gartner recommends, in fact, getting a security assessment from a neutral third party before committing to a specific cloud computing vendor. In a report released in June, entitled “Assessing the Security Risks of Cloud Computing,” Gartner analysts Jay Heiser and Mark Nicolett write that cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing.”

As noted in Tucci’s article, however, Logan is skeptical about adoption, especially for companies in heavily regulated industries. In Logan’s view, “If legal departments are paying attention when companies are adopting cloud services, they will put the brakes on fast. Early adoption of cloud services will be significantly inhibited by cloud providers’ failure to adequately address security, privacy and risk concerns, especially among highly regulated industries.”
