Businesses can also mitigate the risk of system outages and data loss by carefully reviewing a cloud service provider’s infrastructure, with a focus on their business continuity procedures (BCP). A cloud service provider should attach a written BCP to any agreement to render services. To further minimize risk, a customer should require a contractual right to review and approve changes to the BCP. Another key issue to address is whether the vendor is sub- contracting any of its services and/or placing any restrictions on its own liability for system failures (for example, a vendor may state in its agreement that they “own or license” the services they provide). Many cloud customers may be surprised that cloud service vendors frequently use sub-contractors to expand their own clouds. You should make sure that any sub-contractors involved have the same quality of service as the vendor, and that the vendor does not remove itself from liability for acts or omissions of its sub- contractors. You may also want to address the transferability of these services from one provider to another, should you wish to transition to a different vendor. Make sure that your data is not held hostage by a vendor and can be easily transitioned to another vendor. Provisions for maintaining the data in certain formats and time lines in the case of a requested transfer should be established. How to track and audit data stored in the “ cloud ” also presents a legal and regulatory issue. A services agreement should stipulate that the vendor is able to keep track of the information it holds in a manner sufficient for your needs (e.g. if litigation is anticipated, it may be necessary to perform “record holds” or establish an audit trail).
22
Made with FlippingBook - Online Brochure Maker