Contracts and Provider Selection

Video Transcription
In this video, we're going to highlight aspects of the customer-provider contract and how that's impacted by data privacy considerations. We'll also revisit the due diligence process when evaluating and assessing cloud providers.

In the last module, we talked about negotiating cloud provider contracts, in particular the difficulty in getting customizations in those cloud provider contracts. But keep in mind the NIST service models of SaaS, PaaS and IaaS.
While you may not be able to negotiate the master contract with particularly large cloud providers, you can certainly try to negotiate some of the specific terms around the services of that cloud provider that you're using, specifically those services that you're going to have less control over, like SaaS and PaaS. You really want to make sure that you, or more specifically the cloud provider, provide you with the right capabilities so that you can adhere to the applicable data privacy requirements.
For example, if you're working with SAP, a very large company, and you want to use one of their SaaS offerings, let's take, for example, Concur, which is used for company expense management. You can certainly negotiate terms regarding data managed in the Concur system, terms that you may not be able to get in the master SAP contract.
Maybe you're using Okta for managing identities of your customers as they authenticate across multiple different devices. Again, you can negotiate points with them regarding timeliness of reporting any data breaches to you, the cloud user, so that you can subsequently report those data breaches to your customers and to the appropriate government agencies.
There are circumstances where the terms of a contract may need to exceed regulations. For example, if your company makes strong promises in its terms and conditions, the Ts and Cs, and the privacy statements, so you're making promises to your customers, you need to make sure that you can recognize those promises. And in many circumstances, the cloud provider is going to play a key role in allowing you to realize those promises that you're making to your own clients and customers, because keep in mind you, the company that is using the cloud, are the data collector, and you are responsible for how that data gets managed, regardless of the underlying cloud provider. And that's why it's so important to have coverage in your contract and agreements with the cloud provider that allow you to fulfill the promises that you're making to your clients.
And finally, it's important that both the cloud customer, your business, and the cloud provider stay abreast of changing regulations and make adjustments based on those regulations. Put this obligation in the contract and the representations and warranties. This puts the cloud provider on the hook to also stay aware of things that change, or at least puts them on the hook to make changes when you send them notice that certain changes need to take place in order to recognize new regulations, or in order to recognize changes to your own terms and conditions, so that you can realize the way that you manage data and the privacy of that data.
Next up, let's talk about due diligence. This is the process of figuring out what you need to do, so internally you want to get your own house in order as well. So when it comes to the data and data privacy, you want to take a look at existing contracts that you, the business, have with your own clients, and I'm going to say especially government clients, as there may be clauses in those contracts that require the data be hosted on premise.
Personally, I've encountered this situation with a medical provider that had a very large contract with a large government provider, and this contract had been around for some 20 years. So it was a great and well-established contract, and 20 years ago, cloud was a very emerging technology. It really wasn't a mainstream consideration. So a lot of the contracts, as they addressed digital records and management of data, just assumed the model where people had all their computers in data centers that were on their premises and that they had physical control over from the physical level all the way up. So these contracts were established and built with provisions specifically requiring that the sensitive data remain on premise. And so that's part of your internal diligence. You may also decide that the data itself is so sensitive it's not even worth the risk of violating those contracts that you have in place with other customers and clients.
Furthermore, you're going to want to evaluate externally. This is where you are evaluating the cloud provider themselves, and you're going to use a risk-based approach because you want to invest your effort wisely as you're doing this diligence. For example, if we're talking about a SaaS provider that gives you some really cool platform that allows you to build nice interactive marketing materials and get some really simplistic anonymized usage metrics around that, the value and the risk there is going to be much lower than, let's say, another SaaS provider that gives you a tool that examines your portfolio of clients, their spend history, their purchase history, and gives you great valuations. Obviously, that kind of information is going to be a lot more valuable to your own company, because it's everything about your different customers and clients that you've had over time. Moreover, it would be a very bad situation if your client list, purchase history and so forth leaked, got into the hands of competitors, or got into the hands of other clients who may be paying different rates for the same services. Just a lot of bad things could happen, so you're going to want to put a lot more diligence into that paradigm.
And we talked about this with the supplier assessment process: requesting information from the cloud provider, reviewing that information from the cloud provider. We've looked at tools like the STAR Registry, which provides information and assessments, sometimes self-declared by the cloud providers, sometimes attested to by third-party auditors. You want to take a look at reviews by other customers: what are their experiences with this cloud provider? And also pay particular attention to click-through agreements that cloud providers may have or may add over the course of time. In fact, your contract will probably want to address something to this extent, because these are legally binding, so that whole "I agree to these terms and conditions" checkbox that you may encounter on a regular basis as you're using the cloud provider could be continually altering and amending the contract that you have in place. You want to specify the latitude that these click-through agreements have in altering the overarching agreement between yourself and the cloud provider, in particular with regard to removing and relieving the cloud provider of certain responsibilities in terms of data management and ensuring data privacy is adhered to.
So this video was pretty quick, but we looked at two key and important things. We highlighted aspects of the cloud provider contract and how data privacy impacts that. And then we took a look at the due diligence process, the supplier assessment, the internal assessment and all the additional considerations you want to take a good look at through the lens of ensuring data privacy.