Any challenges or unclear areas must be raised and clarified before engagement and before any contracts are signed between the customer and the provider. Why is this important? For three distinct reasons:
- Understanding the contractual requirements will form the organization’s baseline and checklist for the right to audit
- Understanding the gaps will allow the organization to challenge and request changes to the contract before signing acceptance
- The Cloud Security Professional will have an idea of what he/she is working with and the kind of leverage he/she will have during the audit
Documenting the requirements and responsibilities makes it possible to use technological components to track and report adherence to, and variations from, the contractual requirements. This provides both an audit output (report) and evidence of variations from or violations of the contract with which to approach the cloud service provider.
Before signing acceptance of the relevant contract(s) with the cloud service provider, involvement from a number of departments across the organization will most likely be required. This will typically include Compliance, Regulatory, Finance, Operations, Governance, Audit, IT, Information Security, and Legal. Final acceptance typically resides with Legal; however, it may from time to time be signed off at an executive level.