Contracts and Provider Selection

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
In this video, we're going to highlight aspects of the customer/provider contract and how that's impacted by data privacy considerations. We'll also revisit the due diligence process when evaluating and assessing Cloud providers.

In the last module, we talked about negotiating Cloud provider contracts, in particular the difficulty in getting customizations in those Cloud provider contracts. But keep in mind the NIST service models of SaaS, PaaS and IaaS. You may not be able to negotiate the master contract with particularly large Cloud providers, but you can certainly try to negotiate some of the specific terms around the services of that Cloud provider that you're using. Specifically for those services that you're going to have less control over, like SaaS and PaaS, you really want to make sure that you, or more specifically the Cloud provider, provides you with the right capabilities so that you can adhere to the applicable data privacy requirements.

For example, say you're working with SAP, a very large company, and you want to use one of their SaaS offerings. Let's take, for example, Concur, which is used for company expense management. You can certainly negotiate terms regarding data managed in the Concur system that you may not be able to get in the master SAP contract. Maybe you're using Okta SaaS for managing identities of your customers as they authenticate across multiple different devices. Again, you can negotiate points with them regarding the timeliness of reporting any data breaches to you, as the Cloud user, so that you can subsequently report those data breaches to your customers and to the appropriate government agencies.

There are circumstances where the terms of a contract may need to exceed regulations. For example, if your company makes strong promises in their terms and conditions, the Ts and Cs and the privacy statements, so you're making promises to your customers, you need to make sure that you can recognize those promises. In many circumstances, the Cloud provider is going to play a key role in allowing you to realize those promises that you're making to your own clients and customers. Because keep in mind, you, the company that is using the Cloud, you are the data collector and you are responsible for how that data gets managed regardless of the underlying Cloud provider. That's why it's so important to have coverage in your contract and agreements with the Cloud provider that allow you to fulfill the promises that you're making to your clients.

Finally, it's important that both the Cloud customer, your business, and the Cloud provider stay abreast of changing regulations and make adjustments based on those regulations. Put this obligation in the contract and the representations and warranties. This puts the Cloud provider on the hook to also stay aware of things that change, or at least puts them on the hook to make changes when you send them notice that certain changes need to take place in order to recognize new regulations, or in order to recognize changes to your own terms and conditions, so that you can realize the way that you manage data and the privacy of that data.

Next up, let's talk about due diligence. This is the process of figuring out what you need to do. Internally, you want to get your own house in order as well. When it comes to data and data privacy, you want to take a look at existing contracts that you, the business, have with your own clients, and I'm going to say especially government clients. There may be clauses in those contracts that require the data be hosted on-premise. Personally, I've encountered this situation with a medical provider ahead of a very large contract with a large government provider. This contract had been around for some 20 years. It was a great and well-established contract. Twenty years ago, Cloud was a very emerging technology. It really wasn't a mainstream consideration. A lot of the contracts, as they addressed digital records and management of data, just assumed the model where people had all their computers in datacenters that were on their premises and that they had physical control over, from the physical level all the way up. These contracts were established and built with provisions specifically requiring that the sensitive data remain on-premise. As part of your internal diligence, you may also decide that the data itself is so sensitive that it's not even worth the risk of violating those contracts that you have in place with other customers and clients.

Furthermore, you're going to want to evaluate externally. This is where you are evaluating the Cloud provider themselves. You're going to use a risk-based approach because you want to invest your efforts wisely as you're doing this diligence. For example, say we're talking about a SaaS provider that gives you some really cool platform that allows you to build nice interactive marketing materials and get some really simplistic anonymized usage metrics around that. The value and the risk there are going to be much lower than, let's say, another SaaS provider that gives you a tool that examines your portfolio of clients, their spend history, their purchase history, and gives you great valuations. Obviously, that kind of information is going to be a lot more valuable to your own company because it's everything about your different customers and clients that you've had over time. Moreover, it would be a very bad situation if your client lists, purchase history and so forth leaked, got into the hands of competitors, got into the hands of other clients who may be paying different rates for the same services; just a lot of bad things can happen. You're going to want to put a lot more diligence into that paradigm.

We talked about this with the supplier assessment process: requesting information from the Cloud provider, reviewing that information from the Cloud provider. We've looked at tools like the STAR registry, which provides information and assessments. Sometimes it's self-declared by the Cloud providers, sometimes it has been attested to by third-party auditors. You want to take a look at reviews by other customers. What are their experiences with this Cloud provider? Also pay particular attention to click-through agreements that Cloud providers may have or may add over the course of time. In fact, your contract will probably want to address something to this extent, because these are legally binding. That whole "I agree to these terms and conditions" checkbox that you may encounter on a regular basis as you're using the Cloud provider, those can be continually altering and amending the contract that you have in place. You want to specify the latitude that these click-through agreements have in altering the overarching agreement between yourself and the Cloud provider, in particular with regards to removing and relieving the Cloud provider of certain responsibilities in terms of data management and ensuring data privacy is adhered to.

This video was pretty quick, but we looked at two key and important things. We highlighted aspects of the Cloud provider contract and how data privacy impacts that. Then we took a look at the due diligence process: the supplier assessment, the internal assessment, and all the additional considerations you want to take a good look at through the lens of ensuring data privacy.