Page 34 - Cyber Warnings
Securing Obligations: Contracting for Cloud
by Charlotte A. Tschider, Affiliated/Adjunct Professor, Mitchell Hamline School of Law; Owner/Principal, Cybersimple Security, LLC
Global organizations have a complicated relationship with cloud computing. With shrinking budgets and big data investment opportunities, organizations will likely invest in cloud solutions. At the same time, the sectors with the largest potential cost savings and the greatest need for highly available or globally located services often hold the most sensitive data, which demands greater prudence in implementing cloud services. A 2016 McAfee study highlighted this dualistic problem: global organizations expect to spend 80% of their budgets on cloud computing services within the next 16 months, while a mere 13% of respondents completely trust public cloud providers with sensitive data.
Further exacerbating cloud trust issues, threat vectors involving vendor service providers continue to be prevalent. Third-party cloud technologies, in particular, introduce a number of risks, including: high data volume (for use in big data/operations) and the correspondingly large impact of a data breach; increased use of cloud computing for sensitive data (health data and financial data) without commensurate security controls; and lack of direct control over the activities of subcontractors (a greater threat of malicious insiders).
A third-party management capability offers an opportunity for organizations to manage cloud computing risks through a repeatable process and through integration with organizational governance processes for risk decisioning. Standard contractual language is a critical control for third-party management, yet organizations exhibit significantly different levels of maturity in implementing standard contract language with cloud providers and other third parties. Just as sales, human resources, or technology departments review the contract language in their own areas, information security professionals are uniquely qualified to identify security requirements and to negotiate security terms in collaboration with legal teams as appropriate.
Memorializing cybersecurity and privacy requirements in a service agreement benefits business because:
• Active negotiation can reveal non-compliance with specific requirements and facilitate effective risk decisioning.
• Clear contractual terms establish explicit expectations for performance, minimizing confusion as to expectations during contract performance.
• A signed agreement between the parties for the service provided offers financial recovery if a cloud provider fails to honor its obligations.
Prioritization
Effective third-party prioritization or “tiering” is critical for organizations to manage the workload associated with contract negotiation. Organizations may consider a two-tier approach to cybersecurity and privacy requirements – a full set of requirements for higher-risk third party
34 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide