This document discusses key considerations for procuring cloud computing services and drafting cloud services agreements. It identifies legal and business risks, such as data security, privacy, jurisdiction, and termination issues. It provides recommendations for addressing these risks, including conducting due diligence of the vendor, negotiating terms to retain data ownership and ensure access in case of disputes, and establishing governance processes to manage the relationship. The appendices describe relevant stakeholders, regulatory issues, and aspects of assessing security based on NIST standards.

1. Procuring Software and Information TechnologyThe Legal and Business Issues PresentedThe Computer Forensics ShowHotel Pennsylvania, New York, NYApril 19, 2011

2. An Initial Risk AssessmentSecurity Risk Management GuidanceThe Risk Matrix is a classification tool used to rate security risks based on impact and probability

3. Cloud Legal RisksENISA (European Network and Information Security Agency) ) and Cloud Security Alliance Leading Practices

4. Key legal questions the customer should ask the cloud providerENISA (European Network and Information Security Agency) ) and Cloud Security Alliance Leading PracticesIn what country is the cloud provider located? Is the cloud provider’s infrastructure located in the same country or in different countries? Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider? Where will the data be physically located? Will jurisdiction over the contract terms and over the data be divided? Will any of the cloud provider’s services be subcontracted out? Will any of the cloud provider’s services be outsourced? How will the data provided by the customer and the customer’s customers, be collected, processed and transferred? What happens to the data sent to the cloud provider upon termination of the contract?

5. Key legal Recommendations for Cloud Computing ENISA (European Network and Information Security Agency) ) and Cloud Security Alliance Leading PracticesCustomers and cloud providers must have a mutual understanding of each other’s roles and responsibilities related to electronic discovery, including such activities as litigation hold, discovery searches, who provides expert testimony, etc.Cloud providers are advised to assure their information security systems are responsive to customer requirements to preserve data as authentic and reliable, including both primary and secondary information such as metadata and log files. Data in the custody of cloud service providers must receive equivalent guardianship as in the hands of their original owner or custodian.Plan for both expected and unexpected termination of the relationship in the contract negotiations, and for an orderly return or secure disposal of assets.Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client.Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.As the custodian of the personal data of its employees or clients, and of the company’s other intellectual property assets, a company that uses Cloud Computing services should ensure that it retains ownership of its data in its original and authenticable format. Numerous security issues, such as suspected data breaches, must be addressed in specific provisions of the service agreement that clarify the respective commitments of the cloud service provider and the client.The cloud service provider and the client should have a unified process for responding to subpoenas, service of process, and other legal requests.The cloud services agreement must allow the cloud services client or designated third party to monitor the service provider’s performance and test for vulnerabilities in the system.The parties to a cloud services agreement should ensure that the agreement anticipates problems relating to recovery of the client’s data after their contractual relationship terminates.

6. The Selection ProcessValue Value Strategic Strategic DeliveryDeliveryAlignmentAlignmentIT IT IT GovernanceGovernanceGovernanceFocus AreasDomainsDomainsRisk Risk ManagementManagementPerformance MeasurementPerformance MeasurementResource Resource ManagementManagementStakeholdersUsing Risk AssessmentEstablishing a Governance Process At the Outset

7. Selection ProcessRequests for ProposalEstablishing technical requirementsEstablishing security requirements: Gap analysis between vendor policies and customer requirementsRequesting comments on contract terms during RFP processUpgrading Vendor’s Security Policies

8. Products and ServicesPricingMFN provisions, pass-throughs of cost savingsChange ControlHow are disagreements about change requirements managed?Acceptance/RejectionService Levels

9. Intellectual Property RightsWill any new intellectual property be created? If so, who will own it? What rights will the non-owner retain?Will licenses survive termination?

10. Representations and WarrantiesSophisticated customers will require a number of representations and warranties and also require indemnification if they are breached:Ownership of all IP rights;Compliance with all applicable law;Employees with appropriate skills and background;Systems are secure and properly maintained;Industry standard disaster recovery and back-up measures are in place;Data is not stored or maintained in a manner other than described to customer.

11. Liability and RemediesScope of possible injuries for which vendor may be liableMonetary LimitsIndemnificationService Level CreditsRepair/Replacement

12. Governance and Dispute ResolutionRelationship GovernanceDesignated project managers and key employeesEscalation clausesArbitration vs. CourtFast track arbitration mechanismsContinuing payments and work during disputes

13. Term and Termination Typical duration of a contractVendors will rarely want contracts that extend more than 3-4 years.Termination for causeRight of customer to terminate for convenienceOften means termination fees.Exit AssistanceDemand the creation of a plan at the outset that provides for transfer of data, equipment, and knowledgeMay be the most important item for customer’s leverage, it is important that vendor know customer can end the agreement without too much painEscrow Provisions/Step-InThis is customer’s best protection in the event of a bankruptcy or major failure, but it requires a commitment to make sure escrow is maintained and can be used by customer.It is also important to avoid the potential to get “gummed up” by arbitration over whether it is properly triggered.

14. AppendicesAppendix A: Identifying Constituencies and What Matters to ThemAppendix B: Governmental, Regulatory, and Privacy Touch PointsAppendix C: What Do We Examine When Assessing ‘Security?’

15. Appendix A: Identifying Constituencies and What Matters to Them

16. Appendix A: Identifying Constituencies and What Matters to Them (continued)

17. Appendix B: Governmental and Regulatory Touch Points

18. Appendix B: Governmental and Regulatory Touch Points (continued)

19. Appendix B (continued): Privacy Law Touch Points

20. Appendix C: What We Examine When Assessing “Security” NIST SP 800-53 defines the security controls required by FISMA (as summarized by SecureIT at: www.secureit.com/resources/WP_FISMA_and_SAS_70.pdf):

21. Presenters