Procurement Of Software And Information Technology Services
1. Procuring Software and Information Technology: The Legal and Business Issues. Presented at The Computer Forensics Show, Hotel Pennsylvania, New York, NY, April 19, 2011.
2. An Initial Risk Assessment. Security Risk Management Guidance: the Risk Matrix is a classification tool used to rate security risks based on impact and probability.
3. Cloud Legal Risks. Source: ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices.
4. Key legal questions the customer should ask the cloud provider. Source: ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices.
In what country is the cloud provider located?
Is the cloud provider’s infrastructure located in the same country or in different countries?
Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider?
Where will the data be physically located?
Will jurisdiction over the contract terms and over the data be divided?
Will any of the cloud provider’s services be subcontracted out?
Will any of the cloud provider’s services be outsourced?
How will the data provided by the customer and the customer’s customers be collected, processed and transferred?
What happens to the data sent to the cloud provider upon termination of the contract?
5. Key Legal Recommendations for Cloud Computing. Source: ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices.
Customers and cloud providers must have a mutual understanding of each other’s roles and responsibilities related to electronic discovery, including such activities as litigation hold, discovery searches, who provides expert testimony, etc.
Cloud providers are advised to assure their information security systems are responsive to customer requirements to preserve data as authentic and reliable, including both primary and secondary information such as metadata and log files.
Data in the custody of cloud service providers must receive equivalent guardianship as in the hands of their original owner or custodian.
Plan for both expected and unexpected termination of the relationship in the contract negotiations, and for an orderly return or secure disposal of assets.
Pre-contract due diligence, contract term negotiation, post-contract monitoring, contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client.
Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.
As the custodian of the personal data of its employees or clients, and of the company’s other intellectual property assets, a company that uses Cloud Computing services should ensure that it retains ownership of its data in its original and authenticable format.
Numerous security issues, such as suspected data breaches, must be addressed in specific provisions of the service agreement that clarify the respective commitments of the cloud service provider and the client.
The cloud service provider and the client should have a unified process for responding to subpoenas, service of process, and other legal requests.
The cloud services agreement must allow the cloud services client or a designated third party to monitor the service provider’s performance and test for vulnerabilities in the system.
The parties to a cloud services agreement should ensure that the agreement anticipates problems relating to recovery of the client’s data after their contractual relationship terminates.
6. The Selection Process. [Diagram: IT Governance Focus Areas / Domains: Value Delivery, Strategic Alignment, Risk Management, Performance Measurement, Resource Management; Stakeholders.] Using Risk Assessment; Establishing a Governance Process at the Outset.
7. Selection Process: Requests for Proposal. Establishing technical requirements. Establishing security requirements: gap analysis between vendor policies and customer requirements. Requesting comments on contract terms during the RFP process. Upgrading the vendor’s security policies.
8. Products and Services. Pricing: MFN provisions, pass-throughs of cost savings. Change Control: how are disagreements about change requirements managed? Acceptance/Rejection. Service Levels.
9. Intellectual Property Rights. Will any new intellectual property be created? If so, who will own it? What rights will the non-owner retain? Will licenses survive termination?
10. Representations and Warranties. Sophisticated customers will require a number of representations and warranties and also require indemnification if they are breached: ownership of all IP rights; compliance with all applicable law; employees with appropriate skills and background; systems are secure and properly maintained; industry standard disaster recovery and back-up measures are in place; data is not stored or maintained in a manner other than described to the customer.
11. Liability and Remedies. Scope of possible injuries for which the vendor may be liable. Monetary limits. Indemnification. Service level credits. Repair/replacement.
12. Governance and Dispute Resolution. Relationship governance: designated project managers and key employees; escalation clauses. Arbitration vs. court; fast-track arbitration mechanisms; continuing payments and work during disputes.
13. Term and Termination.
Typical duration of a contract: vendors will rarely want contracts that extend more than 3-4 years.
Termination for cause.
Right of the customer to terminate for convenience: this often means termination fees.
Exit assistance: demand the creation of a plan at the outset that provides for transfer of data, equipment, and knowledge. This may be the most important item for the customer’s leverage; it is important that the vendor know the customer can end the agreement without too much pain.
Escrow provisions/step-in: this is the customer’s best protection in the event of a bankruptcy or major failure, but it requires a commitment to make sure escrow is maintained and can be used by the customer. It is also important to avoid the potential to get “gummed up” by arbitration over whether it is properly triggered.
14. Appendices. Appendix A: Identifying Constituencies and What Matters to Them. Appendix B: Governmental, Regulatory, and Privacy Touch Points. Appendix C: What Do We Examine When Assessing “Security”?
20. Appendix C: What We Examine When Assessing “Security”. NIST SP 800-53 defines the security controls required by FISMA (as summarized by SecureIT at www.secureit.com/resources/WP_FISMA_and_SAS_70.pdf):
Assets: Company reputation; Customer trust; PII, EPHI, PCI; Hardware; Persons who support and use the IT system. Key: know the value of your data (Data Classification).
Threat: Abuse and Nefarious Use of Cloud Computing; Insecure Application Programming Interfaces; Malicious Insiders; Shared Technology Vulnerabilities; Data Loss/Leakage; Account, Service & Traffic Hijacking; Unknown Risk Profile.
Vulnerability: Lack of resource isolation; Storage of data in multiple jurisdictions and lack of transparency about this; Lack of information on jurisdictions; Lack of completeness and transparency in terms of use.
Subpoena and E-Discovery: In the event of the confiscation of physical hardware as a result of subpoena by law-enforcement agencies or civil suits, the centralization of storage as well as shared tenancy of physical hardware means many more clients are at risk of the disclosure of their data to unwanted parties.
Risk From Changes of Jurisdiction: Customer data may be held in multiple jurisdictions, some of which may be high risk. If data centers are located in high-risk countries, e.g., those lacking the rule of law and having an unpredictable legal framework and enforcement, autocratic police states, states that do not respect international agreements, etc., sites could be raided by local authorities and data or systems subject to enforced disclosure or seizure.
Data Protection Risks: It can be difficult for the cloud customer to effectively check the data processing that the cloud provider carries out, and thus be sure that the data is handled in a lawful way. It has to be clear that the cloud customer will be the main person responsible for the processing of personal data, even when such processing is carried out by the cloud provider in its role of external processor. Failure to comply with data protection law may lead to administrative, civil and also criminal sanctions. Cloud Computing data processing and data security activities and the data controls they have in place, e.g., SAS70 certification providers. There may be data security breaches which are not notified to the controller by the cloud provider. The cloud customer may lose control of the data processed by the cloud provider. This issue is increased in the case of multiple transfers of data (e.g., between federated cloud providers). The cloud provider may receive data that have not been lawfully collected by its customer (the controller).
Licensing Risks: Licensing conditions, such as per-seat agreements, and online licensing checks may become unworkable in a cloud environment. In the case of PaaS and IaaS, there is the possibility of creating original work in the cloud (new applications, software, etc.). As with all intellectual property, if not protected by the appropriate contractual clauses