SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks

Transcription

1 SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks

2 Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks Charles Harris Partner Mayer Brown Bruce Jackson Associate General Counsel Microsoft Corporation Daphne Forbes Senior Attorney Microsoft Corporation Casiya Thaniel Attorney Microsoft Corporation

3 Agenda What is the Cloud? Key benefits to the Cloud Key risks to the Cloud Smart risk-taking considerations Cloud policy & governance Identify Cloud usage and perform risk assessment Pre-contract: Identify & engage key stakeholders Pre-contract: Conduct due diligence Contract stage: Top 10 Cloud contract terms Post-contract: Monitor & manage Leading practices Open forum

4 A thought Security and privacy are enabled by transparency of controls. However, transparency is challenging in Cloud computing environments.

5 Another thought People will use technology only if they can trust it.

6 What is the Cloud? The Cloud is not new Different definitions of the Cloud NIST definition Simple definition: a fancy way of saying stuff s not on your computer On-premise versus off-premise The big 3 of Cloud computing: Software as a Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS)

7 Key benefits to the Cloud Significant cost savings Increases agility & flexibility Allows you to focus on your core business Enhanced security & privacy with a trusted Cloud provider

8 Key risks to the Cloud Financial, tax and vendor Underestimated start-up costs Exit costs Contract complexity Run-away variable costs Tax compliance and planning Vendor lock-in Service provider reliance Vendor governance Identity and access management Unauthorized access Excessive access Regulatory and compliance Complexity to ensure compliance Lack of industry standards and certifications for cloud providers Records management/records retention Regulatory change control, reliant on vendor timeliness Financial and Vendor Identity and Access Business Risks Regulatory and Compliance Data Operational Technology Data Data segregation, isolation, and encryption Information security Intellectual property protection Operational Business resiliency/ disaster recovery Service reliability and uptime SLA compliance Technology Cross-vendor compatibility Proprietary lock-in Customization limitations Limited change control capabilities Technical security risks

9 Cloud policy & governance Cloud computing has became an extension of information technology and a lot of organizations continue to use existing policies for Cloud computing Policies should be added/updated to reflect the nature of opportunities and risks. Some areas to consider: Risk management policy Information security policy Vendor management policy Governance structure should be established or enhanced with resources to help support the cloud computing policies

10 Identify Cloud usage and perform risk assessment One of the ways to do smart risk taking in the Cloud is to understand your organization s risk appetite and exposure by performing a risk assessment. Successful completion of risk assessment is dependent on a good understanding of current and future Cloud footprint. Due to inherent limitations with manual data gathering, such mechanisms may not paint a complete picture. As such, organizations struggle with understanding their Cloud computing footprint. There are automated software tools available that can scan network traffic and help enforce policies, perform logging, and monitoring of Cloud usage.

11 Pre-contract: Identify & engage key stakeholders CSO Identify the right team The core four Involve early & often Risk Mgmt or Compliance CIO/IT & Procurement Legal CPO

12 Pre-contract: Conduct due diligence Transparency Privacy & Security Continuous Compliancy Data Sovereignty Use the 5 Ys framework to Identify a trusted Cloud provider!

13 Transparency Proactive external communications: Web sites/trust centers, blogs, etc Provides meaningful customer references Conducts data center & cybercrime lab tours Clarity on data location Transparency Allows for Cloud solution pilots Ease of access to audit reports Cloud contract clarity/publication/ simplicity

14 Privacy & Security EU Model clause approach Privacy regulator validation Understand Cloud provider s history with regulators Encryption, encryption, encryption Privacy & Security State-of-the-art back-up & disaster recovery practices Focus on cybersecurity Does the Cloud provider have a cybercrime team/lab? Does the Cloud provider partner with law enforcement? Does the Cloud provider improve its solutions based on data it collects?

15 Continuous Compliancy ISO 27001/27018 SSAE16 SOC1 Type II HIPAA/Business Associate Agreement Continuous Compliancy FISMA/FedRamp FERPA CJIS

16 Data Control Data Sovereignty Third party data requests practices Proactive legal action Law enforcement reports Leadership on government surveillance reform Electronic Frontier Foundation (EFF) Who Has Your Back Report

17 Contract stage: Top 10 contract terms Cloud contracting custom services Review Cloud terms carefully! Top 10 terms: Clarity on customer data ownership, usage, and access Detailed Data Protection/Processing Agreement Meaningful Service Level Agreement (SLA) commitments Third party access to customer data Limitation of liability terms that balance risk/reward Security incident notification and process Independent verification Subcontractor commitments Terms of use/service changes Contract suspension/exit considerations

18 Post contract: Monitor & manage Cloud & regulatory landscape is evolving Watch SLA commitments Monitor the financial stability/entity change of your Cloud vendor Changes to contract terms

19 Leading practice examples Alignment of enterprise Cloud strategy and roadmap with business and IT strategy Updated sourcing/vendor management program to reflect risks with procuring cloud services Development of governance model for cloud with business and IT involvement Involvement of legal department, risk management department, and internal audit Development of welldefined Cloud computing policies and procedures Training of stakeholders Cloud is changing so fast! Enforcement of cloud computing policies

20 DAPHNE TO ADD ETHICS SLIDES

21 Open forum