Essential terms and conditions for a secure use of Cloud services Checklist




Publication of the CIO Interest Group Cloud, CIO Platform Nederland, March 2015, www.cio-platform.nl/publicaties

From the authors

All CIO Interest Groups (CIGs) of the CIO Platform Nederland aim to share knowledge on the issues in which the members have expressed an interest. This document contains a concise description of the essential terms and conditions that are necessary for a secure use of Cloud services. This makes it a checklist of sorts that may be useful for legal and regulatory work and that may form the basis for widely accepted and used norms. Aspects of a more specific nature, for instance because they are relevant only to certain organizations or in a specific context, are not included in this checklist. This document is meant to be the foundation for a written agreement between a provider and a customer, in which the basic issues are further specified and formally agreed. The entire CIG Cloud has reviewed this document.

The authors:
Evelijn Jeunink (SURFnet)
Jacq de Rijck (Coöperatie VGZ)
Andres Steijaert (SURFnet)
Edwin Strijland (SVB)
Annemarie Vervoordeldonk (SHV)

page 2 of 13

Contents

From the authors ... 2
Contents ... 3
Use of the Checklist ... 4
1.1 Individual use ... 4
1.2 Collective use ... 4
Introduction to the Checklist ... 5
A. (Intellectual) Property, ownership and control ... 6
B. Laws and regulations ... 7
C. Security and data integrity ... 8
D. Quality and continuity ... 9
E. Confidentiality ... 10
F. Supervision and notification ... 11
Organizations involved in the CIO Interest Group on Cloud ... 12

Use of the Checklist

1.1 Individual use
Members of the CIO Platform Nederland, as well as members of the European CIO Association and of its National Bodies, may use the checklist:
- As a starting point or reference in contact with providers;
- When procuring Cloud services, by using the checklist as a guide in setting satisfactory terms of use.

1.2 Collective use
When all members of the demand-side community formed by the CIO Platform Nederland, as well as members of the European CIO Association and of its National Bodies, use these fundamental terms and conditions, that will create:
- A broad base; and
- A common language;
towards an increased use of Cloud services against fair terms and conditions.

Introduction to the Checklist

The central focus of this description of essential terms and conditions for a secure use of Cloud services is business interests and risk assessment. These are used to address six issues:
A. (Intellectual) Property, ownership and control
B. Laws and regulations
C. Security and data integrity
D. Quality and continuity
E. Confidentiality
F. Supervision and notification

For all issues mentioned above it is necessary that they:
- Are written down in a document expressing the agreement between provider and customer;
- Are binding for the provider, as well as for sub-contractors (third parties) that the provider may involve in executing the agreement. The provider is responsible for the sub-contractors that he involves.

A. (Intellectual) Property, ownership and control

1) All (intellectual) property rights regarding (the file or files containing) data remain with the customer at all times.
2) The provider has no independent entitlement to control regarding the data that he processes. Control of the data remains with the customer.

B. Laws and regulations

1) Typically, the customer is responsible ("controller") and the provider has the role of "processor".
2) Before data export (exchange of personal data) or international exchange of data takes place, it is guaranteed that data is only exchanged with countries and companies that have an adequate level of protection. Provider and customer ascertain the level of protection in the home country of the customer, and will agree additional provisions on monitoring and compliance if necessary to ensure the required level of protection.
   a. In Member States of the European Union and in countries that are on the EU white list, privacy is guaranteed in laws and regulations; therefore no additional provisions between provider and customer are necessary.
   b. In the case of providers from the United States it is necessary for the provider to be on the Safe Harbour list (these providers adhere to the U.S.-EU Safe Harbour Framework and offer an adequate level of protection) and for the customer to come to an agreement with the provider that the customer will be able to monitor the provider's compliance with the Safe Harbour principles.
   c. If the country is not a member of the EU and is not on the EU's white list, or if the provider is a U.S. company that is not on the Safe Harbour list, then an adequate level of protection is not available. In that case it is necessary to come to an agreement based on a European Model Contract, Model Clauses, Licence (catch-all provision) or Binding Corporate Rules (1) that have been accepted by the relevant Data Protection Authorities and that describe how a company will process personal data.
3) Other legislation and regulations may be in force, for example pertaining to archiving, fiscal legislation, export restrictions and e-discovery.

(1) The scope of Binding Corporate Rules (BCR) is the internal operation of a group or legal entity, and they are therefore not transferable to external Cloud service providers. Since 2013 it has been possible to create BCR for the processor of personal data. As of this moment there have been few instances where this form of BCR has been applied.

C. Security and data integrity

1) Provider will take appropriate measures to ensure both the physical and logical security of the Cloud service against loss or corruption and against any form of unauthorized access, change or dissemination, or other forms of unauthorized processing of the data.
2) In case of sensitive data: ISO27001, ISO27015.

D. Quality and continuity

1) Provider is responsible for the quality aspects of the Cloud service and for the service level of the Cloud service, in accordance with the agreement:
   a. Provider has an escalation and communication plan
   b. Provider provides a support clause, containing a prioritization scheme in case of emergency
   c. Provider and customer reach an agreement on the availability of the Cloud service
2) Provider and customer come to an agreement on an exit strategy (in case of end of service or bankruptcy of the provider), containing at least the following aspects:
   a. Roles, tasks and responsibilities
   b. Conditions that trigger the exit strategy
   c. Data portability
      I. The possible ways of extracting data
      II. The possible ways of migrating data to another provider
   d. The ways in which data is / can be destroyed
3) Provider takes care of adequate means of disaster recovery to ensure the availability of the Cloud service and the data.
4) Provider offers insight into and influence on the change calendar (what is going to change) and the release calendar (when is it going to change) of the Cloud service.
5) Provider and customer record the exchange standards used in the Cloud service, including the period in which these exchange standards will be supported.

E. Confidentiality

1) Provider keeps confidential data secret. This means that at least:
   a. All data are kept confidential (meaning: are not to be made public), unless otherwise indicated
   b. Provider will contractually oblige all personnel working for it (including its own employees) that are involved in the processing of confidential data to keep the confidential data secret
   c. Provider and customer record the consequences of a violation of the confidentiality.

F. Supervision and notification

1) Provider will cooperate, upon first request from the customer, in the exercise of the right of supervision by or on behalf of the customer over the retention and the use of data by the provider.
2) Provider will provide all data that it holds as a consequence of the execution of the agreement, including copies of the data, to the customer upon first request.
3) Provider will inform the customer immediately upon gaining information on possible or certain:
   I. Degradation of quality (including availability)
   II. Violation of confidentiality
   III. Loss, theft or abuse of confidential and/or personal data; or
   IV. Violation of security measures,
   or the anticipation that one of these issues will arise. This is necessary for the customer to be able to adhere to legal obligations to notify authorities of breaches of data security.
4) Customer is able to periodically perform an audit (or to have an audit performed) in order to check whether the provider is operating according to the agreements and to applicable laws and regulations.
5) Customer is entitled to check the quality and the service level of the Cloud service from a user perspective and will not be restricted in this by the provider.
6) Provider will make every effort to look after the interests of the customer when confronted with requests and injunctions for access by authorities, by:
   a. Verifying whether there is a legal obligation to comply with the request or injunction
   b. Challenging the request/injunction when and where possible
   c. Not providing more data than necessary to comply (just the minimal dataset)
   d. Notifying the customer as soon as possible.

Organizations involved in the CIO Interest Group on Cloud

Ahold / Albert Heijn
AkzoNobel N.V.
CBS
Coöperatie VGZ UA
CZ
ECT
Enexis B.V.
Gemeente Rotterdam
GVB Amsterdam
Koninklijke Vopak
LUMC
Marel Food Systems
Nutreco
Rabobank Nederland
Randstad
SHV
Sociale Verzekeringsbank
Stichting SURF
TBI
Unirobe Meeùs Groep B.V
UWV

The association of those with final responsibility for ICT in large organizations on the demand side, www.cio-platform.nl