Auditing Your Cloud Transaction
Session 36
Friday, September 21, 2012
9:45 am
David Snead
Attorney + Counselor




Roadmap

· Who is your cloud provider?
· Why certain legal issues are critical
· Non-traditional legal issues
· Negotiating your contracts
· Creating an auditable partnership


Who is your cloud provider?

· Controller
· Processor
· Transferor / Transferrer

MIS Training Institute                                                    Session 36
© W. David Snead, P.C.


What are the goals of your audit?

· Safeguarding assets
· Maintaining data integrity
· Achieving organizational goals
· Using resources wisely
· Ensuring legal compliance




MIS Training Institute
© 2012 W. David Snead, P.C. Reproduction Prohibited

Why certain legal issues are critical

· Data Governance
· Facility Security
· Information Security
· Legal
· Operations
· Risk Management
· Release Management
· Resiliency
· Security Architecture


Non-traditional legal issues

· Information Security
    · Documentation:
          Get a copy of your provider's incident response plan
          Determine if the response plan adequately delegates responsibility
    · Litigation holds:
          Provider should have the ability to preserve data
    · Breach:
          Understand the notification procedure
          Ensure that the procedure meets state law obligations


Non-traditional legal issues

· Operations Management
    · Documentation:
          Do internal policies support your needs?
          Have you given your technical needs to the provider?


Non-traditional legal issues

· Data Governance
    · Data Retention:
          Can you enforce data retention obligations?
          How will you or your provider respond to legal process?
    · Contract issues:
          Are you required to monitor compliance regularly?


Non-traditional legal issues

· Security Architecture
    · Access:
          Are contractual / regulatory requirements covered?
          What does your contract say?


Negotiating your contracts

· In what country is the provider located?
· Where is the provider's infrastructure?
· Will other providers be used?


Non-traditional legal issues

· Information Security
    · Policies:
          Flow down of security policies to the cloud ecosystem
    · Segregation:
          Is your data, and subsets of it, segregated from other customers' data?
    · Monitoring:
          Can you monitor security needs against your security baseline?


Why certain legal issues are critical

· Risk Management
    · Insurance:
          Trust but verify
          Align policies
    · SLA:
          What do you actually need?
    · Risk assessments:
          How frequently does your provider audit?
          How are these audits conveyed to you?


Negotiating your contracts

· Where will the data be physically located?
· Should jurisdiction be split?
· How will data be collected, processed, transferred?
· What will happen to the data on termination?




Negotiating your contracts

· Reliability
      Demonstrated by metrics
      Objective criteria used
      Third party vendors considered
· Contract
      Standard SLA may need additional clauses for response time, fallback options, standards of service
      Static v. flexible SLA


Negotiating your contracts

· Access
      Understand and define law enforcement access
      Understand who will prevail
      Don't let stereotypes interfere with a legal analysis
      Try to create a definition

      Don't assume your country's laws govern who has access to data and under what circumstances.


W. David Snead
Attorney + Counselor
david.snead@dsnead.com
wdsneadpc / Twitter
thewhir.com / Blog


Negotiating your contracts

· Security
      Define breach
      Determine when a breach happens
      Assume there will be data breach laws
      Review any laws that may currently exist
      Understand who will be responsible for security
      Create enforceable contract terms
      Remember post-termination issues
      Understand that you may not be made whole

      Require your vendor to have skin in the game.


Negotiating your contracts

· Termination
      Create and implement deletion policies
      Flow down contract terms to vendors
      Do not assume security ends upon termination

      When the agreement terminates, your rights terminate.


Negotiating your contracts

· Access
      Document data to which you have access
      Limit the number of employees who have access to data
      Create and implement access policies
      Require written notice
      Don't assume validity
      Include legal advisor


Toolkit

· Determine how services will be used
· Evaluate cloud structure
· Understand data collection, processing and transfer
· Security breach notification
· High risk regulatory areas
· Disposition of data on termination



