What In-house Counsel and the Business Really Want and Need from the Cloud

LEXPERT CLOUD COMPUTING CONFERENCE 2012
CLOUD COMPUTING: A PRACTICAL APPROACH

PANEL:
CHARLES McCARRAGHER – TD BANK
PETER NGUYEN – GUESTLOGIX INC.
KEN LEDGER – SAVANNA ENERGY SERVICES CORP.

DECEMBER 3, 2012
ST. ANDREW’S CLUB AND CONFERENCE CENTRE

CHAIR: LISA R. LIFSHITZ – TORKIN MANES



VENDOR DUE DILIGENCE

Environment:
• Selecting a provider

Challenge:
• Who is the “real” cloud service provider?
• Where does the cloud “reside”?

Solutions:
• You get what you pay for – mom & pop providers vs. institutional providers
• Ask the question of all new service providers:
  • What element of the service offering is “cloud” based?
  • What does cloud mean to the vendor?


IMPLEMENTATION

Environment:
• Implementing the solution

Challenge:
• Rarely turn-key

Solutions:
• Data migration
• Data validation
• Data feeds
• Configuration
• Acceptance testing
• Association with payment obligations


IDENTIFYING NEEDS AND WANTS

Environment:
• Savanna work sites are remote and operate 24/7/365, making Cloud services attractive
• Different activities have different needs (SaaS, IaaS, mobility, cost)
• Security, disaster recovery, scheduled outages, QOS requirements change by activity
• Internal IT resources are fully utilized and cannot address the needs of users' want lists

Challenge:
• Setting up services that are accessible from remote locations cost-effectively and in a timely manner

Solutions:
• Carefully consider needs vs. wants – can a Cloud solution work?
• Identify nature of data, not nature of application – impact from loss of data
• Focus internal resources on support of solutions with critical data, leverage Cloud for less critical solutions


MISUNDERSTANDING STANDARDS

Environment:
• Many providers quote standards, but few people know what these standards mean
• There is no consistent internal requirement for compliance to any specific standard(s)

Challenge:
• Establish a compliance matrix for Cloud solutions
• Buying decisions follow a vendor selection process defined for in-house software/hardware

Solutions:
• Identify the specific standards required:
  • SSAE 16 Type II – attestation
  • CICA 9110 – audit standards
  • ISO 27001 – security
• Require independent attestation
• Define a vendor selection process for Cloud services


ACCESS AND INPUT

Environment:
• Access and Input

Challenge:
• Meeting the needs of all stakeholders within the enterprise

Solutions:
• Tax
• Litigation
• Compliance
• Audit
• CIO


GOVERNANCE & DISCLOSURE

Issue:
• Cloud services can start small and creep in scope – how do you know when a service has gone from a small part of the business to a critical service, and who should know?

Challenges:
• Services can start out small to address a niche problem
• If successful, the solution can grow in scope, taking a much more significant role in business systems
• If a service becomes a critical service, do we need to disclose the relationship?

Solution:
• Define a scale for the proposed services
• Implement or include Cloud services in your change management processes
• Review critical suppliers regularly and disclose to the Audit Committee


RECOVERY AND PLAN B

Issue:
• Cloud services can be highly proprietary and evolve over time
• Transition back may be difficult or impossible even if the data is recovered

Challenges:
• Over time, web applications as well as data will evolve; data may not work with original apps
• Data may not be recoverable from service provider
• Too critical to fail

Solution:
• Have access to backup data under your control
• If a solution is critical, identify a second source or backup solution
• Test backup periodically to make sure it will work


INTERNAL AUDIT

Issue:
• Need to maintain confidence that Cloud services have not weakened internal controls
• Need to detect when services have evolved beyond our risk appetite

Challenges:
• How do we detect control weaknesses in a timely manner or know if a provider is not meeting commitments?

Solution:
• Consider leveraging internal audit to test vendor compliance
• Perform walkthroughs of processes, identifying where Cloud services fit
• Use Audit to educate internal departments on the use of Cloud services


AUDIT RIGHTS - CLIENT

Environment:
• Audit Rights

Challenge:
• Scope and Compliance

Solutions:
• The 4 Rs
  • Retention of Records
  • Rights (Audit Scope)
  • Remediation
  • Reimbursement


EXTERNAL AUDIT - PROVIDER

Issue:
• Ensuring security and establishing credibility

Challenge:
• Responding to customer requests for evidence of controls

Solution:
• Savanna has opted to get an SSAE16 audit opinion based on controls designed to a COBIT 4 standard. Creates credibility with customers and eliminates several challenges when responding to requests for evidence of controls. Adds credibility in the event of legal challenge by meeting a high standard which has been independently evaluated.


TERMINATION AND TRANSITION

Environment:
• When the Cloud Evaporates

Challenge:
• Planned Termination vs. Unplanned Termination

Solutions:
• Non-cloud contingency plans
• Transition to a new vendor


THANK YOU

CHARLES McCARRAGHER
SENIOR LEGAL COUNSEL, TD BANK

KEN LEDGER
DIRECTOR RISK

LISA R. LIFSHITZ

PETER NGUYEN
GENERAL COUNSEL & CORPORATE