Cloud Assurance poster - Print this poster on A3 format and use it as a checklist


DESCRIPTION

KPMG's cloud assurance poster - print it on A3 format or bigger and use it as a handy checklist


Business challenges in the cloud

• Security & Privacy
• Governance
• Operations
• Finance & Tax
• Vendors
• Assurance

Parties shown in the poster's cloud ecosystem diagram

• Third party vendor(s)
• Cloud service provider
• Network
• Customer organisation
• Data centre

Cloud services ecosystem

• Are any third party vendors involved which could potentially impact compliance?
• What is the third party vendor's role?
• What is the relationship between the primary cloud service provider and the third party?
• What level of assurance does the third party offer the primary cloud service provider?
• Is this level of assurance sufficient to achieve and maintain compliance?
• How is the entire cloud system monitored in terms of compliance?

Data location

• Where is the customer's data stored, processed and archived?
• How is the customer's data isolated and separated from other customers' data?
• Within which jurisdiction do the provider and its data centre fall?
• What are the data deletion/destruction policies after termination of the contract?

Public cloud

• To what level/degree are the IT services shared with other customers (facilities, network, hardware, software, support staff)?
• To what level/degree are the IT services standardised; what is the IT services customisation potential?
• How does the provider support forensic analysis by independent researchers?

Certifications

• What assurance and quality statements can the provider offer?
• Which frameworks are used?
• Which audit tools and methods are used?
• Are all risk areas covered by the controls?
• What is the validity/acceptance of the frameworks used?
• What are the intervals for (re)certification?
• Are the current certifications up-to-date?
• What are the provider's current deficiencies and issues, and what is the status of the follow-ups?

Regulatory compliance

• Data privacy directive
• Basel
• Solvency
• SOx
• PCI DSS

Trends and changes

• What current initiatives are under way and what changes can be expected?
• What are the political fields of influence?
• How do other organisations cope with rules and regulations?

Licence to operate

• Which (local, international) laws, rules and directives apply to the customer organisation?
• Which IT services are in scope of regulatory compliance?
• What is the current level of compliance?

Data protection and business continuity

• What is the criticality of the business data?
• What are the organisation's principles, requirements and expected levels regarding IT services?
• What are the minimum measures and controls which must be in place?

External private cloud

• To what level/degree are the IT services dedicated to the customer (facilities, network, hardware, software, support staff)?
• To what extent can the IT environment be audited by the customer ('right to audit')?

Network resilience

• What degree of assurance does the network offer in terms of availability and performance?
• What security mechanisms are applied to the network(s)?
• What is the relationship between the cloud service provider(s) and the network provider(s)?

Security and performance

• Security standards
• Business continuity
• Service availability
• SLAs

Key contacts

Jaap van Beek | Partner | T: +31 6 53 25 66 97 | E: vanbeek.jaap@kpmg.nl
John Hermans | Partner | T: +31 6 51 36 63 89 | E: hermans.john@kpmg.nl

Areas of importance and key questions

Orchestrating the Cloud: Assurance