Part 2 will continue discussing more aspects regarding cloud compliance and security.

Contractual Agreements

Defining a formal agreement between several parties, a company is obligated to comply with certain terms once it has agreed to a contract. Noncompliance may result in severe legal and financial penalties.

A company processing or storing credit card information likely has contracts with several credit card companies requiring the implementation of 12 security requirements set forth by the PCI-DSS (Payment Card Industry-Data Security Standard). Its level of regulatory compliance will be determined by how many transactions it processes annually.

The business and legal affairs team of a company should review its contracts with customers regarding its compliance with laws and regulations regarding personal data.

Compliance Standards

Many companies utilize standards, such as ISO/IEC 27001, as their basis for the implementation of information security controls. An organization using the ISO/IEC 27001 standard must train employees to ensure proper controls are established.

Controls specific to the cloud are contained in the ISO/IEC 27017 standard. This is an

information security standard providing more guidance for the implementation of ISO 27002 information security controls inside a cloud computing environment.

ISO 27018 is an international standard providing guidance on the protection of personally identifiable information within a public cloud computing environment.

The standard helps ensure the confidentiality of customer data by guiding businesses on the selection and implementation of security controls. It also helps companies make risk assessments of public cloud computing providers.

Compliance Audit

A proper assessment of a company’s compliance with contracts, laws, and regulations involving its use of the cloud and personal data will require an audit. An audit can either be internal or external.

An internal audit is performed by a company’s own auditors to determine its level of compliance. As the auditors may be biased, the results of an internal audit may be perceived as viewed in favor of a company.

For greater objectivity, an independent third-party audit firm may be retained by a company to perform an external audit.

Audit Reports

A compliance audit findings will be contained in a report written by the auditor. The format of an audit report is typically standardized by the AICPA (American Institute of Certified Public Accountants).

Alpha Business Support

Choosing an expert computer technology-support provider is an important decision for your business. Alpha has been a trusted partner of many companies in the Washington, D.C., Baltimore, and Annapolis areas since 1990. For affordable client-focused network consulting services and solutions, please call Alpha today at (410) 295-9500.