May 2010. Cloud Vendor Charter. Vendor Version Not for distribution to customers



Similar documents
XIT CLOUD SOLUTIONS LIMITED

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

DISCLOSURE STATEMENT PREPARED BY

Disclosure Requirements of CloudCode Software

Secure Remote Backup (IL3) G-Cloud Lot3 IaaS

A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE

G-CLOUD IIII FRAMEWORK SERVICE DEFINITION: SCHOOLS HOSTED SERVICE FOR SIMS

THE CASE FOR ACTIVE DATA ARCHIVING

Service Definition Document

GPG13 Protective Monitoring. Service Definition

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

PSN Protective Monitoring. Service Definition

With Eversync s cloud data tiering, the customer can tier data protection as follows:

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

The Requirements Compliance Matrix columns are defined as follows:

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

Hosted Exchange Service

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

InForm On Demand Single Trial Services Description

Things You Need to Know About Cloud Backup

SERVICE DEFINITION G-CLOUD 7 SECURE FILE TRANSFER DIODE. Classification: Open

DocAve Software Platform

Protecting Data with a Unified Platform

IBM G-Cloud Microsoft Windows Active Directory as a Service

SERVICE DEFINITION G-CLOUD 7 CLOUD BACKUP. Classification: Open

Miami University. Payment Card Data Security Policy

Modernizing the Infrastructure: Cloud Computing, Green IT Mickey Zandi, Ph.D. Managing Director

Leveraging Cloud Storage with SharePoint and StoragePoint

ATTERCOPIA MANAGED HOSTING & DOMAIN SERVICES TERMS & CONDITIONS

Data Processing Agreement for Oracle Cloud Services

Why back up the Cloud?

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Solution Overview. Our Solution employs two tiers of storage aligning costs of storage with the changing value of data over time.

Page 1 of 15. VISC Third Party Guideline

Payment Card Industry Data Security Standard

Groupware Project Definition: Scope of Project

Specialist Cloud Services. Acumin Cloud Security Resourcing

Healthcare Management Service Organization Accreditation Program (MSOAP)

White Paper: Librestream Security Overview

INCIDENT RESPONSE CHECKLIST

Is Cloud-Based WMS an Option for Complex Distribution Centers?

Cloud Computing. Introduction

Cloud computing. Advantages and disadvantages

ARCHIVING SERVICES SERVICE DEFINITION

How To Protect Your Data From Being Hacked

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Best Practices for Log File Management (Compliance, Security, Troubleshooting)

<COMPANY> P01 - Information Security Policy

Archiving Services

Information Disclosure Reference Guide for Cloud Service Providers

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

POPI Cloud Backups. Overview. The Challenges

G-Cloud 6 Service Definition DCG Enterprise Backup Reporting Service

Solutions for Encrypting Data on Tape: Considerations and Best Practices

Enterprise level security, the Huddle way.

HIPAA/HITECH Compliance Using VMware vcloud Air

G-Cloud iv brightsolid Hosting and Management Services. Service Definition Document

Injazat s Managed Services Portfolio

Energy Efficient Storage - Multi- Tier Strategies For Retaining Data

Cloud Computing Security Considerations

What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered

Academic Institution Licence for Perpetual Access to the Global Health Archive Database

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1

Big Data Analytics Service Definition G-Cloud 7

How To Use Egnyte

VMware vcloud Air HIPAA Matrix

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Agilisys G-Cloud Service V

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2008

Cloud Vendor Evaluation

Database as a Service (DaaS) Version 1.02

WHITE PAPER WHY ORGANIZATIONS NEED LTO-6 TECHNOLOGY TODAY

Hosted Desktop as a Service

Vodafone Private Cloud

Service Description Archiving

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Proposal. Deployment Guide. How to Use CloudBerry Drive with Oracle Storage Cloud Service

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Table 1 Question Answer Explanation Next Question 1. Sensitive data?

Supplier Security Assessment Questionnaire

Service Schedule for BT Business Lite Web Hosting and Business Lite powered by Microsoft Office 365

Information Circular

Talk With Someone Live Now: (760) One Stop Data & Networking Solutions PREVENT DATA LOSS WITH REMOTE ONLINE BACKUP SERVICE

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

(a) the kind of data and the harm that could result if any of those things should occur;

Overview. What are operational policies? Development, adoption, implementation

Lot 1 Service Specification MANAGED SECURITY SERVICES

Document title client name. G Cloud Service Description Cloud Software & Application Integration. September Code: QSS202-SD

Privacy and Cloud Computing for Australian Government Agencies

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

Sample Data Security Policies

Software as a Service (SaaS) Online HR

Legalesign Service Definition Electronic signature and contract management service

Transcription:

May 2010 Cloud Vendor Charter Vendor Version Not for distribution to customers

Disclaimer This specification is published without responsibility on the part of BASDA Ltd or the various contributors, sponsors or members of the BASDA Cloud Working Party for any loss occasioned to any person acting or refraining from action as a result of any view expressed therein. BASDA cannot accept any responsibility and shall not be liable in contract, tort or otherwise, for the accuracy, completeness or otherwise, of this document, the extent to which it has been implemented by packaged software vendors, or any consequences or losses arising from the failure of software to meet specific requirements. You are advised to take appropriate advice in order to determine the full implications of developing applications on the Cloud. Acknowledgements This White Paper was developed by BASDA and its members as an initiative of the Cloud Special Interest Group (SIG). Our special thanks go to: Gary Ramsay and Conor Halpin of Opsource, Sarah Gathercole of Liquid Accounts, Bryan Richter of Mamut and David Turner of Unit4 for editing and compiling the document. Published by BASDA, The Business Application Software Developers Association, 92 High Street, Great Missenden, Buckinghamshire, HP16 0AN, UK, tel: +44 (0)1494 868 030, www.basda.org, e: info@basda.org Copyright BASDA 2010. All rights reserved. No part of this publication may be reproduced, stored in any retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written consent of BASDA. Additional copies of this document may be obtained from BASDA on +44 (0)1494 868 030; nominal price may be charged to cover our cost. This document is part of series of documents produced by BASDA to aid our members and their customers in understanding cloud computing. Other documents already released: Developing on The Cloud (White Paper) Cloud Vendor Charter for Customers NOTE: This is a VENDOR ONLY version of the Charter it contains notes to some of the charter sub-sections to give some background explanation or pointers for vendors when assessing compliance to the Charter. This version should not be passed to non-vendor staff; a customer version of the Charter is also available contact BASDA (www.basda.org) for more details. 2 BASDA May 2010 Version 1.0V

Contents Cloud Vendor Charter 1 Introduction... 4 2 Overview... 4 3 Cloud Vendor Requirements... 4 3.1 Compliance requirements... 4 3.2 Hosting... 4 3.3 Back-ups... 5 3.4 Data export... 5 3.5 Complaints... 5 3.6 Policies... 5 3.7 Specific security requirements... 5 3.8 Service availability requirements... 5 3.9 Specific customer management requirements... 6 4 Notes... 7 5 About BASDA... 8 BASDA May 2010 Version 1.0V 3

1 Introduction BASDA is the Business Application Software Developers Association, a member-driven not-for-profit organisation where members benefit by sharing knowledge and expertise and working effectively as one voice to address strategic issues and evolving legal, political and technical influences that affect the business software industry. Consequently, this Cloud Charter is primarily intended for software developers and independent software vendors (ISVs) that deliver their products and services through a Cloud or Software as a Service architecture. However, other associated vendors and organisations may also choose to conform to the Charter. 2 Overview The Cloud Vendor Charter outlines the minimum best practices that BASDA recommends be followed by Cloud Vendors to protect their customers interests. The Charter seeks to encourage a responsible approach to Data Management, Application Availability, Security and Customer Management throughout the lifecycle of the customer engagement. The Charter aims to enhance the commercial success of both Customer and Vendor. Adhering to the Charter should not be overly burdensome for the Vendor but should assure the Customer that the Vendor deals with their business in a professional fashion and following industry best practices. It is not the intention of the Charter to replace any of the existing industry standards such as ISO 27001, SAS 70, PCI DSS or Data Protection requirements. Where a Cloud Vendor is required to adhere to such standards, such adherence is implicit in accepting the Charter. However, customers should seek additional confirmation regarding specific standards compliance if that is critical to their organisation. BASDA recognizes that no Charter can guarantee the commercial success of a Vendor organisation or provide a 100% guarantee against security breaches or systems failures. However adherence to the Charter will help reduce the chances of issues arising and mitigate the worst effects of such events. Specifically we have considered: Security Reliability and Availability Application Life-Cycle management Customer Life-Cycle Management. Across each of the four areas above consideration has been given to the following stages in the lifecycle of a customer engagement with the Vendor: Registration and On-boarding On-going operations Contract renewal Vendor migration The Charter defines general minimum conditions whose effects cross all of the areas listed above and then describes some specific requirements for the sub-sections. 3 Cloud Vendor Requirements 3.1 Compliance requirements All Vendors must adhere to the appropriate Data Protection Legislation as it applies to their customers. Where specific industry compliance requirements exist Vendors undertake to meet those requirements and to undergo mandated audits. 3.2 Hosting Cloud applications should be hosted at a location which meets the standards of a Tier 3 data centre 1. Tier 3 describes the physical security and layout of a data centre together with redundant power, bandwidth and cooling. NOTE FOR VENDORS: Few Cloud Vendors have the resources necessary to secure a data centre and provide the power, cooling and redundant bandwidth services necessary to guarantee a reasonable level of availability. Managed hosting that provides this level of service is readily available and at a reasonable cost. Furthermore most cloud infrastructure providers such as Amazon EC2, OpSource and RackSpace meet these requirements as a matter of course. This requirement will mean that Vendors will normally not be able to host at their own premise. This requirement immediately delivers a minimum standard of physical security and system availability. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. (Following the four-tier classification system for data centre infrastructure and design by the Uptime Institute and generally accepted as industry standard.) 4 BASDA May 2010 Version 1.0V

3.3 Back-up All data should be backed up daily to an off-site location with a minimum two-day retention. In other words: If a data storage device fails, or a data centre becomes unavailable the customer should not lose their data at least up to the previous day s operations; and A customer should be able to request the restoration of their data to a point at least two days prior in the event that some processing error occurs (e.g. an operator deletes data). NOTE FOR VENDORS: Back-ups do not imply a disaster recovery strategy; simply that data is not lost. If a data centre was compromised there could be a significant delay (weeks) before a customer had access to their data, but it would not be lost. Restoration of back-ups should be tested at least annually and also after any significant change in back-up strategy (e.g. new back-up software) or physical deployment (e.g. move to a new data centre). Evidence of back-up tests should be maintained. NOTE FOR VENDORS: Back-ups cannot be assumed to be successful. When first deployed a back-up strategy must be tested and then tested at least annually to ensure that the process has not been compromised. 3.4 Data export The Vendor should provide a mechanism, at no extra cost, for customers to take a copy of their core transaction data in a usable format (such as.csv). NOTE FOR VENDORS: The definition of core transaction data is intended to refer to the customer transaction information rather than all lookup/reference tables. An open question remains about archived data and how this can be exported by a Vendor. The intention is that the export should apply to on-line transaction information rather than off-line archived data. The implication of the description is that for the customer to take a copy does not require a manual process from the Vendor but can be achieved by the customer through the user interface of the Vendor application. While the full data set may be of limited value without the application code, the customer at the very least can download their data and potentially upload it into a new system. 3.5 Complaints The Vendor provides a mechanism for the Customer to register a complaint with the Vendor via electronic means (email, web-form) and for that complaint to be formally acknowledged, tracked and escalated within the Vendor organization. 3.6 Policies Vendors commit to having a clear and published: Privacy Policy Complaints Policy Acceptable Usage Policy Support Policy. 3.7 Specific security requirements Passwords: All Customer passwords should be encrypted (in the database and for transmission). Security breach notification: If a security breach occurs or is suspected to have occurred customers should be notified of that breach as soon as possible and in any event not more than 12 hours after such a breach has been discovered. Vendors should have a formal procedure in place to deal with such notifications. 3.8 Service availability requirements Issues often arise when the production environment is changed and so Vendors should have a documented release management policy. This policy should cover both application and environment (e.g. operating system, database, middleware) changes. Vendors will provide automated monitoring and alerting of critical service components. Vendors will have a documented support policy to respond to alerts. The escalation process and response times by Vendor will be commensurate with the service criticality and hours of use by customers. NOTE FOR VENDORS: The level of support and the escalation procedures will be different for different services depending on how critical they are. However in all cases there should be details of how Vendor responds to incidents, either from monitors or customer calls. BASDA May 2010 Version 1.0V 5

3.9 Specific customer management requirements Customers should be provided with a mechanism to keep a complete copy of their contract or subscription agreement at the time of the agreement (for example the ability to print as a PDF). The Vendor will maintain a record of the actual terms of the agreement that was accepted by each customer. It should be clear to customers who the legal contracting party is and who the billing entity is. Vendors should allow customers reasonable termination clauses as part of the subscription agreements. This can include the option for the customer to notify them of their wish not to renew their contract at any time during their subscription. Specific limited time windows for such notifications (e.g. 30 days prior to an annual renewal) should not form part of an agreement. Vendors should provide customers with reasonable notice of pricing changes. The notice period should be sufficient for the customer to plan and move off the service if they do not wish to continue using the service after the price adjustment. 6 BASDA May 2010 Version 1.0V

Notes: BASDA May 2010 Version 1.0V 7

About BASDA: www.basda.org BASDA is the Business Application Software Developers Association, a member-driven not-for-profit organisation where members benefit by sharing knowledge and expertise and working effectively as one voice to address strategic issues and evolving legal, political and technical influences that affect the business software industry. BASDA s members range from small, medium and large national & international software & service providers, primarily to businesses. The BASDA s Cloud SIG Aims and Objectives This Specialist Interest Group has been set up to raise the profile of business Cloud computing applications, exploring ideas around standards and best practice and producing deliverables that benefit both members, partners and end users. Ensure that members of BASDA understand both the potential and the implications for developing Cloud business applications. Inform and educate end users about Cloud business applications the potential benefits and the considerations for implementation. Communicate with the wider industry and bodies that influence the future of Cloud computing 8 BASDA May 2010 Version 1.0V

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information