Cyber Security Solutions, Compliance, and Consulting Services - IT Security

We offer It security management, data, network, & Information security services for protecting information & mitigating security risks to your organization.

Cloud Service Providers Risk Management: 50+ Contracts Key Components

Dependent on the services, the following will form key components for cloud contracts. Given that contracts may vary significantly between various cloud service providers, not all of these may be captured or covered. This constitutes a typical illustrative list, as opposed to an exhaustive list:

  1. Performance measurement – how will this be performed and who is responsible for the reporting?
  2. Service Level Agreements (SLAs)
  3. Availability and associated downtime
  4. Expected performance and minimum levels of performance
  5. Incident response
  6. Resolution timeframes
  7. Maximum and minimum period for tolerable disruption
  8. Issue resolution
  9. Communication of incidents
  10. Investigations
  11. Capturing of evidence
  12. Forensic/eDiscovery processes
  13. Civil/State investigations
  14. Tort Law/Copyright
  15. Control and compliance frameworks
  16. ISO 27001/2
  17. COBIT
  18. PCI DSS
  19. HIPAA
  20. GLBA
  21. PII
  22. Data protection
  23. Safe Harbor
  24. S. Patriot Act
  25. Business Continuity and Disaster Recovery
  26. Priority of restoration
  27. Minimum levels of security and availability
  28. Communications during outages
  29. Personnel checks
  30. Background checks
  31. Employee/Third-party policies
  32. Data retention and disposal
  33. Retention periods
  34. Data destruction
  35. Secure deletion
  36. Regulatory requirements
  37. Data access requests
  38. Data protection/Freedom of information
  39. Key metrics and performance related to Quality of Service (QoS)
  40. Independent assessments/certification of compliance
  41. Right to audit (including period or frequencies permitted)
  42. Ability to delegate/authorize third parties to carry out audits on your behalf
  43. Penalties for nonperformance
  44. Delayed or degraded performance penalties
  45. Payment of penalties (supplemented by service or financial payment)
  46. Backup of media, and relevant assurances related to the format and structure of the data
  47. Restrictions and prohibiting the use of your data by the CSP without prior consent, or for stated purposes
  48. Authentication controls and levels of security
  49. Two-factor authentication
  50. Password and account management
  51. Joiner, Mover, Leaver (JML) processes
  52. Ability to meet and satisfy existing internal access control policies
  53. Restrictions and associated Non-Disclosure Agreements (NDAs) from the cloud service provider related to data and services utilized
  54. Any other component and requirements deemed necessary and essential

Failing to address any of the above listed components can result in hidden costs being accrued by the cloud customer in the event of additions or amendments to the contract. Isolated and ad hoc contract amendment requests typically take longer and more resources to achieve than if addressed at the outset.