Presentation is loading. Please wait.

Presentation is loading. Please wait.

What In-house Counsel and the Business Really Want and Need from the Cloud LEXPERT CLOUD COMPUTING CONFERENCE 2012 CLOUD COMPUTING: A PRACTICAL APPROACH.

Published byMiracle Sprigg Modified over 9 years ago

Similar presentations

Presentation on theme: "What In-house Counsel and the Business Really Want and Need from the Cloud LEXPERT CLOUD COMPUTING CONFERENCE 2012 CLOUD COMPUTING: A PRACTICAL APPROACH."— Presentation transcript:

1 What In-house Counsel and the Business Really Want and Need from the Cloud LEXPERT CLOUD COMPUTING CONFERENCE 2012 CLOUD COMPUTING: A PRACTICAL APPROACH PANEL: CHARLES McCARRAGHER – TD BANK PETER NGUYEN – GUESTLOGIX INC. KEN LEDGER – SAVANNA ENERGY SERVICES CORP. DECEMBER 3, 2012 ST. ANDREW’S CLUB AND CONFERENCE CENTRE CHAIR: LISA R. LIFSHITZ – TORKIN MANES

2 VENDOR DUE DILIGENCE Environment: Selecting a provider Challenge: Who is the “real cloud service provider? Where does the cloud “reside”? Solutions: You get what you pay for – mom & pop providers vs. institutional providers Ask the question of all new service providers: What element of the service offering is “cloud” based? What does cloud mean to the vendor?

3 IMPLEMENTATION Environment: Implementing the solution Challenge: Rarely turn-key Solutions: Data migration Data validation Data feeds Configuration Acceptance testing Association with payment obligations

4 IDENTIFYING NEEDS AND WANTS Environment: Savanna work sites are remote and operate 24/7/365 making Cloud services attractive Different activities have different needs (SaaS, IaaS, mobility, cost) Security, disaster recovery, scheduled outages, QOS requirements change by activity Internal IT resources are fully utilized and cannot address needs of users want lists Challenge: Setting up services that are accessible from remote locations cost effectively and timely Solutions: Carefully consider needs vs. wants can a Cloud solution work Identify nature of data not nature of application impact from loss of data Focus internal resources on support of solutions with critical data, leverage Cloud for less critical solutions

5 MISUNDERSTANDING STANDARDS Environment: Many providers quote standards, but few people know what these standards mean There is no consistent internal requirement for compliance to any specific standard(s) Challenge: Establish a compliance matrix for Cloud solutions Buying decisions follow a vendor selection process defined for in-house software/hardware Solutions: Identify the specific standards required: SSAE 16 Type II - attestation CICA 9110 – audit standards ISO 27001 - security Require independent attestation Define a vendor selection process for Cloud services

6 ACCESS AND INPUT Environment: Access and Input Challenge: Meeting the needs of all stakeholders within the enterprise Solutions: Tax Litigation Compliance Audit CIO

7 GOVERNANCE & DISCLOSURE Issue: Cloud services can start small and creep in scope how do you know when a service has gone from a small part of the business to a critical service and who should know Challenges: Services can start out small to address a niche problem If successful the solution can grow in scope taking a much more significant role in business systems If a service becomes a critical service do we need to disclose the relationship Solution: Define a scale for the proposed services Implement or include Cloud services in your change management processes Review critical suppliers regularly and disclose to the Audit Committee

8 RECOVERY AND PLAN B Issue: Cloud services can be highly proprietary and evolve over time Transition back may be difficult or impossible even if the data is recovered Challenges: Over time web applications as well as data will evolve, data may not work with original apps Data may not be recoverable from service provider To critical to fail Solution: Have access to backup data under your control If a solution is critical identify a second source or backup solution Test backup periodically to make sure it will work

9 INTERNAL AUDIT Issue: Need to maintain confidence that Cloud services have not weakened internal controls Need to detect when services have evolved beyond our risk appetite Challenges: How do we detect control weaknesses timely or know if a provider is not meeting commitments Solution: Consider leveraging internal audit to test vendor compliance Perform walkthroughs of processes identifying where Cloud services fit Use Audit to educate internal departments on the use of Cloud services

10 AUDIT RIGHTS - CLIENT Environment: Audit Rights Challenge: Scope and Compliance Solutions: the 4 Rs Retention of Records Rights (Audit Scope) Remediation Reimbursement

11 EXTERNAL AUDIT - PROVIDER Issue: Ensuring security and establishing credibility Challenge: Responding to customer requests for evidence of controls Solution: Savanna has opted to get a SSAE16 audit opinion based on controls designed to a COBIT 4 standard. Creates credibility with customers and eliminates several challenges when responding to requests for evidence of controls. Adds credibility in the event of legal challenge by meeting a high standard which has been independently evaluated.

12 TERMINATION AND TRANSITION Environment: When the Cloud Evaporates Challenge: Planned Termination vs. Unplanned Termination Solutions: Non-cloud contingency plans Transition to a new vendor

13 THANK YOU CHARLES McCARRAGHER SENIOR LEGAL COUNSEL,TD BANK GROUP 416-307-7887 CHARLES.MCCARRAGHER@TD.COM KEN LEDGER DIRECTOR RISK MANAGEMENT 403-781-9996 KLEDGER@SAVANNAENERGY.COM LISA R. LIFSHITZ PARTNER 416-775-8821 LLIFSHITZ@TORKINMANES.COM PETER NGUYEN GENERAL COUNSEL & CORPORATE SECRETARY 416-204-0178 PNGUYEN@GUESTLOGIX.COM

Download ppt "What In-house Counsel and the Business Really Want and Need from the Cloud LEXPERT CLOUD COMPUTING CONFERENCE 2012 CLOUD COMPUTING: A PRACTICAL APPROACH."

Similar presentations

. . . a step-by-step guide to world-class internal auditing

. . . a step-by-step guide to world-class internal auditing
IBM Corporate Environmental Affairs and Product Safety

IBM Corporate Environmental Affairs and Product Safety
The Lucernex Cloud: A software-as-a-service solution delivered via the Cloud What is the Cloud? Cloud Computing is the future of all software applications,

The Lucernex Cloud: A software-as-a-service solution delivered via the Cloud What is the Cloud? Cloud Computing is the future of all software applications,
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
A Consultative Approach to Auditing

A Consultative Approach to Auditing
Control and Accounting Information Systems

Control and Accounting Information Systems
Delivering Value-Add Services to Secure Business in a Tough Economic Climate ‘Sam’ Samuel – Independent Industry Consultant

Delivering Value-Add Services to Secure Business in a Tough Economic Climate ‘Sam’ Samuel – Independent Industry Consultant
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Managing the Information Technology Resource Jerry N. Luftman

Managing the Information Technology Resource Jerry N. Luftman
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Health Informatics Series

Health Informatics Series
Advisor: Jim French, Dept of Ecology Team Members: Scott Andersen, WSDOT Gary Duffield, DIS Doug Selix, OFM Thelma Smith, WSDOT Brian Sylvester, DOP.

Advisor: Jim French, Dept of Ecology Team Members: Scott Andersen, WSDOT Gary Duffield, DIS Doug Selix, OFM Thelma Smith, WSDOT Brian Sylvester, DOP.
Implementing and Auditing Ethics Programs

Implementing and Auditing Ethics Programs
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!
Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.

Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
AIIM Presentation Selecting and Implementing A Records Management System June 5, 2008.

AIIM Presentation Selecting and Implementing A Records Management System June 5, 2008.
Welcome ISO9001:2000 Foundation Workshop.

Welcome ISO9001:2000 Foundation Workshop.

Similar presentations

Ads by Google