Keep Cloud Compliant


Moving operations to the cloud is an increasingly popular way to save money and other resources. It also requires dramatic changes to traditional information governance and risk practices.

EDITOR'S NOTE

EXTENDING INFORMATION GOVERNANCE CONTROLS TO THE CLOUD

DUE DILIGENCE, PROVIDER RESEARCH KEY TO COMPLIANCE IN THE CLOUD

THREE STEPS TO MAINTAIN GRC DURING CLOUD DEPLOYMENT

EDITOR'S NOTE

Security Risks, Compliance a Major Cloud Concern


Organizations today generate and are responsible for more data than ever before, forcing companies to turn to cloud-based options to reduce data management costs. Cloud computing has proven valuable from a data storage standpoint, but it also raises numerous questions about information governance. Most importantly, organizations must ensure the data they are entrusting to the cloud is still handled according to their compliance and security guidelines. That delicate balancing act isn't always easy. Organizations must determine where their data management and security responsibilities end, and where those of the cloud provider begin.

In this SearchCompliance handbook, we examine how organizations can adapt information governance processes to the cloud to alleviate data risk and remain compliant with myriad regulations. In our first article, ARMA International CEO Marilyn Bier discusses information governance controls in the cloud, including how to hold your cloud provider accountable. In our second article, Christine Parizo examines how moving operations to the cloud influences data security processes, what security-related questions you need to ask cloud providers and the cloud contract wording that helps ensure security. In our third article, Ed Moyle outlines how compliance officers can ensure their companies adhere to regulations and reduce risk after moving operations to the cloud.

As the cloud increasingly becomes a valid data management option, we hope you find this useful in helping your organization stay compliant and reduce data-related risk. Please write to me at bjcole@techtarget.com.

Ben Cole, Editor, SearchCompliance.com


Extending Information Governance Controls to the Cloud


All organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance and monitor strategic initiatives. This critical information resides in the organization's business records. Good information governance controls are difficult enough to apply inside an organization, even when it is using its own best-practices tool set. While it is possible to manage aspects of the lifecycle and disposition of the information that resides in the cloud, these rules become more difficult to enforce.

"Proper information governance requires a centralized control point, as well as effective enforcement, for an organization's records management tool set to be effective," said Brent Gatewood, owner of consultIG, in a recent issue of Information Management magazine. Today, the controls in place with most SaaS [Software as a Service] providers are too non-specific. The controls in place are collection-focused and largely managed according to the provider's rules, not those of the organization whose information is being stored.

To satisfy the information governance needs of most organizations, control and management of data in the cloud should reside inside the organization itself and extend to cloud-based repositories. A centralized tool managing lifecycle rules for the organization needs to have the proper hooks into the data residing in the cloud. These tools need to have a complete view of the information owned by the organization to be responsive to internal and external requests.

According to Gatewood, the reality is this: The tools may not exist, but organizations are moving, or have already moved, data into the cloud. Data relationships and management controls inside of organizations are more important than ever. Unless the management controls are already in place, it is unlikely that individuals are going to seek advice about extending controls to cloud-based repositories.

Cloud computing is not going away. It can be a valuable tool, but a tool that needs to be understood and managed. Applying information governance controls, with the proper relationships in legal and information technology and services, can help to reasonably manage information in the cloud.

CLOUD PROVIDER ACCOUNTABILITY

Gatewood recommends that organizations considering a cloud-based initiative, or reviewing a solution already in place, find answers to the following questions about contracts, audit controls and integration points:

Contracts:
- What service are we contracting for and what are the vendor's records management and compliance obligations?
- What kind of data controls does the vendor have in place?
- How is information destroyed?
- Can we set minimum and maximum retentions, and at what level?
- Are there secure destruction options?
- What are the vendor's policies for backups, replication or failover?
- How do we confirm disposition takes place on a timely basis and according to our rules?

Audit controls:
- What is the provider's internal audit process?
- How often is the provider audited by external agencies?
- What standards is the provider held to?
- Is the vendor open to being audited for compliance? (If not, this may be a sign of bigger issues.)

Integration points:
- Is the vendor open to integration with our systems and applications?
- Has the vendor integrated with any systems that provide a structure for compliance?

Organizations must also consider if the vendor's policies and procedures related to the handling and management of information are acceptable. If they are not, Gatewood believes the organization should either move the data elsewhere or require an auditable change that meets its needs. Gatewood also recommends that organizations require a data map that details where the information resides. Data maps can be complicated because they detail what is often a complex infrastructure that might involve third-party relationships specific to your data, but the effort to review them is definitely worthwhile.

Marilyn Bier


Due Diligence, Provider Research Key to Compliance in the Cloud


Organizations generate more data than ever before through applications, email and other computing tasks. Faced with flat IT budgets, companies are turning to the cloud for storage, software and infrastructure. This is much to the chagrin of the compliance department, which wakes up in cold sweats thinking about data security. Experts agree, however, that by conducting due diligence, companies can minimize their cloud-related risk. "Your security teams have to satisfy themselves that what the cloud provider is doing on a routine basis meets or exceeds what they'd do on premise," said John Howie, chief operating officer of the Cloud Security Alliance. But enterprises are limited in how they can conduct this due diligence. For example, a cloud provider audit may not be possible because the provider doesn't want hordes of customers tromping through its data centers. Penetration testing could also shut down an enterprise's service because the cloud provider could view it as a legitimate attack, Howie said.

CHECK PROVIDER CERTIFICATIONS

Because physical audits sometimes aren't possible, reputable cloud service providers should have certifications. In the United States, the two major certifications are ISO/IEC 27001:2005 and SOC 2. ISO/IEC 27001:2005 provides a definition for how to run an information security management system. "It does not say whether you're particularly good at it, and it doesn't say that you have the controls in place [that] are actually working," Howie cautioned. "It just certifies that you have an information security system that understands these problems and is trying to improve." SOC 2, which is the replacement for SAS 72 and is based on the audit standard AP 101, contains the five SysTrust principles developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants: confidentiality, integrity, availability, security and privacy, according to Howie. "Privacy is a little bit of a misnomer, because it's not privacy of the customer's data," he said. Rather, it means the privacy of the cloud provider's customer, not the customers of the company that signs up for service. SOC 2 requires an audit by a large firm to ensure the controls are adequate and working. An SOC 2 report is then presented that contains detailed information about vulnerabilities and the environment as a whole. These details often make cloud providers hesitant to let customers see the results of SOC 2 reports, Howie said.

ASK PROVIDERS THE RIGHT QUESTIONS

Before choosing a cloud provider, companies need to ask prospective vendors some hard questions to ensure they'll stay on the right side of regulators. "It's about asking questions around what arrangements are going to be in place to protect your information from the creation stage to the processing, the storage, the transmission and, of course, destruction," said Steve Durbin, global vice president of the Information Security Forum. Eventually, the contract with the provider will end and organizations need to know what will happen to their data when that occurs, he added. Other questions should include how secure the connection is, including whether a VPN is required to connect, and what the availability is, Durbin said. Companies also need to ask encryption-related questions, including whether the data needs to be encrypted, what facilities the cloud provider has to encrypt data and if data should be encrypted before being transmitted to the cloud service, he added. Physical security is also important, according to Mac McMillan, current chairman of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based IT security consulting firm CynergisTek. Questions should include how the cloud provider controls physical access and how systems are protected from other customers' data in colocation situations.

Finally, companies should check on the status of the cloud provider's insurance, McMillan said. For example, if there's a security breach, it's important to know if the provider will indemnify the customer and pay for the notifications, he said.

CONTRACT NEGOTIATIONS: READ THE FINE PRINT

Due diligence doesn't stop at the negotiating table. There is no one provision to include in the contract to maintain compliance, but careful language can help limit liability, according to Robert Scott, managing partner at Southlake, Texas-based technology law firm Scott & Scott LLP. "If you outsource to a third-party cloud service provider to handle or store personally identifiable, financial or healthcare information that's regulated in any way, the law has a non-delegable duty that you can't just outsource these legal responsibilities," Scott said. Even changes to payment card industry compliance standards, which now apply to third-party services, do not absolve enterprises of maintaining regulatory compliance, he said. Enterprises need to ensure that their cloud services providers agree to be bound by the same regulations that they are, Scott said. For financial institutions, that means adhering to regulations such as the Gramm-Leach-Bliley Act, for example. One thing to be wary of in contracts is provisions where the cloud services provider asks the enterprise to agree to limit data breach liability, Scott cautioned. Such a provision could work to significantly limit the availability of insurance and/or the ability to recover for privacy-related claims that result from a data breach, he said. Contracts are always negotiable, and any reasonable cloud provider will be willing to negotiate with a customer regarding legitimate regulatory compliance, data security and privacy concerns, Scott said. "They're not going to be a successful cloud service provider without being sensitive to customer concerns in those areas," he said.

Christine Parizo


Three Steps to Maintain GRC During Cloud Deployment


For compliance professionals, there's no overstating what a huge challenge a cloud transition can be from a governance, risk and compliance (GRC) perspective. A cloud deployment is challenging to start with, from both a technical and operational level. Add to that the complexity of ensuring post-cloud-deployment adherence to regulatory requirements, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act and the Federal Information Security Management Act, and it becomes even more difficult.

The biggest challenge from a regulatory and data risk standpoint comes about when an organization's compliance team encounters a cloud deployment after the fact. That happens more often than you might think: Most cloud deployments don't happen in a graceful, workmanlike manner where compliance teams are kept in the loop from inception through the final stages of implementation. Instead, what happens more often than not is that cloud adoption is far along before compliance teams even realize it's in place. Reasons for this are varied. Most commonly, it occurs when business teams bring in a cloud service without realizing they should engage the compliance department. Another common, under-the-radar transition occurs when existing cloud technology expands its scope from handling non-sensitive information systems, such as development and quality assurance, to include regulated environments or to process, store and transmit regulated data.

When this backdoor cloud deployment happens, compliance professionals find themselves behind the proverbial eight ball. By that point, mitigation options are sparse because contracts are already signed, environments are already developed, controls are already in place and due diligence assessments have already been completed, or, in some cases, not. What can compliance professionals do at that point? Below are a few immediate steps they can take.

STEP ONE: DON'T PANIC. ASSESS AND DOCUMENT RISK

Let's say a hospital's compliance professional discovers that a clinical system (an electronic medical record, for example) has been relocated to an Infrastructure as a Service provider. The questions that arise as a result of this transition are legion: Have business associate agreements been signed? Is personal health information being protected appropriately? Is there a contractual arrangement to ensure notification in the event of a data breach? Instead of immediately pushing back, a prudent first step might be to undertake a systematic analysis of the situation. After all, if the vendor services healthcare providers regularly, this won't be the first time it has heard about HIPAA, and it may have already spent quite a bit of time thinking through how to address the administrative, technical and physical controls associated with its security rule.

Compliance officers should first engage with internal teams to find out what level of due diligence they've done regarding information security during the cloud deployment, as well as what controls the vendor already has in place. It's vital to understand two things: new compliance gaps this cloud deployment introduces to your organization, and any newly introduced risk. The first item is relatively straightforward: Walk through each of your compliance requirements and evaluate the cloud deployment documentation to ensure the vendor agreement meets these rules. To evaluate risk, you can use one of the many readily available risk assessment templates to assist in this regard. Some examples include the Cloud Security Alliance's GRC stack (notably the Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix), the European Network and Information Security Agency's cloud computing risk assessment and NIST SP 800-30.


STEP TWO: KNOW WHAT YOU CAN CHANGE, AND WHAT YOU CAN'T

It's important to remember that the vendor's controls are what they are, and changing them rapidly to meet your company's control gaps is unlikely to be the most efficient path to maintaining security. Compliance officers can probably lean on vendors enough to make changes, but they will not come quickly. Instead of railing against a vendor's deficiencies, companies should look inward to see if there are things they can change on their end to maintain data security during a cloud deployment. Of course, you should call out areas where vendors' controls are woefully inadequate and note these concerns in risk assessments, in reports to management and in long-term remediation plans. But also remember that it's easier to change your environment versus theirs. During long-term remediation talks, ask what controls you can implement in the short term to offset cloud-related security gaps. For example, can you encrypt data in transit or at rest to add a layer of protection? Or will implementing additional monitoring controls help notify you of inappropriate access?

STEP THREE: BUILD THE STRATEGIC REMEDIATION ROADMAP

If you followed the steps outlined above, by this point you'll have two crucial pieces of data: a gap analysis showing where you don't meet your particular compliance requirements, and a risk assessment identifying any potential problem areas after the cloud deployment. You will have also put in place short-term stopgaps to address as many of those areas as you can. At this point, you'll want to take a comprehensive look at changes that both you and the vendor can make to maintain compliance. Keep in mind that many cloud service providers have resources on staff specifically to understand customer compliance requirements and address them when developing and offering services. It behooves you to engage with those vendor resources; you might be surprised at the responsiveness and expertise. Also remember that most responsible vendors have a commercial incentive not to stonewall you. Any changes they make to meet your compliance requirements or alleviate risk ultimately help them become more competitive in your industry.

Long term, maintaining a compliant cloud environment is an exercise in cooperation between the company and its vendor(s). By objectively analyzing and documenting compliance gaps and risks, changing what the company can do internally to close short-term gaps and putting together a long-term plan, dealing with an unexpected cloud deployment doesn't have to be as painful as it seems.

Ed Moyle


ABOUT THE AUTHORS

MARILYN BIER is CEO of ARMA International, a not-for-profit records management and information governance professional association. ARMA provides education, publications and resources for the creation, organization, security, maintenance and disposal of information in a manner that aligns with and contributes to an organization's goals.

CHRISTINE PARIZO is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Christine has a background in litigation technology and compliance and was an assistant news editor for SearchCRM.com prior to launching her freelance career.

ED MOYLE is director of emerging business and technology at ISACA. Moyle previously worked as a senior security strategist for Savvis and a senior manager at CTG. Prior to that, Moyle served as a vice president and information security officer at Merrill Lynch Investment Managers.

Keep Cloud Compliant is a SearchCompliance.com e-publication.

Rachel Lebeaux | Managing Editor
Ben Cole | Site Editor
Marilyn Bier, Ed Moyle, Christine Parizo | Contributing Writers
Christina Torode | Editorial Director
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Amalie Keerl | Director of Product Management, akeerl@techtarget.com

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
