What In-house Counsel and the Business Really Want and Need from the Cloud
LEXPERT CLOUD COMPUTING CONFERENCE 2012
CLOUD COMPUTING: A PRACTICAL APPROACH
PANEL:
CHARLES McCARRAGHER – TD BANK
PETER NGUYEN – GUESTLOGIX INC.
KEN LEDGER – SAVANNA ENERGY SERVICES CORP.
DECEMBER 3, 2012
ST. ANDREW’S CLUB AND CONFERENCE CENTRE
CHAIR: LISA R. LIFSHITZ – TORKIN MANES
VENDOR DUE DILIGENCE
Environment: Selecting a provider
Challenge:
- Who is the “real” cloud service provider?
- Where does the cloud “reside”?
Solutions:
- You get what you pay for: mom & pop providers vs. institutional providers
- Ask every new service provider: What element of the service offering is “cloud” based? What does “cloud” mean to the vendor?
IMPLEMENTATION
Environment: Implementing the solution
Challenge: Rarely turn-key
Solutions:
- Data migration
- Data validation
- Data feeds
- Configuration
- Acceptance testing
- Association of these steps with payment obligations
IDENTIFYING NEEDS AND WANTS
Environment:
- Savanna work sites are remote and operate 24/7/365, making cloud services attractive
- Different activities have different needs (SaaS, IaaS, mobility, cost)
- Security, disaster recovery, scheduled outage and QoS requirements change by activity
- Internal IT resources are fully utilized and cannot address the users' want lists
Challenge: Setting up services that are accessible from remote locations, cost-effectively and in a timely way
Solutions:
- Carefully consider needs vs. wants: can a cloud solution work?
- Identify the nature of the data, not the nature of the application, and the impact of losing that data
- Focus internal resources on supporting solutions that hold critical data; leverage the cloud for less critical solutions
MISUNDERSTANDING STANDARDS
Environment:
- Many providers quote standards, but few people know what these standards mean
- There is no consistent internal requirement for compliance with any specific standard(s)
Challenge:
- Establish a compliance matrix for cloud solutions
- Buying decisions follow a vendor selection process defined for in-house software/hardware
Solutions:
- Identify the specific standards required:
  - SSAE 16 Type II – attestation (a Type II report covers the operating effectiveness of controls over a period, not merely their design at a point in time; note that SSAE 16 addresses controls relevant to financial reporting, so it is not by itself evidence of a security program)
  - CICA 9110 – audit standards
  - ISO security standards (such as ISO/IEC 27001)
- Require independent attestation
- Define a vendor selection process for cloud services
ACCESS AND INPUT
Environment: Access to, and input on, the cloud arrangement
Challenge: Meeting the needs of all stakeholders within the enterprise
Solutions: Involve the stakeholders who need access or input:
- Tax
- Litigation
- Compliance
- Audit
- CIO
GOVERNANCE & DISCLOSURE
Issue: Cloud services can start small and creep in scope. How do you know when a service has gone from a small part of the business to a critical service, and who should know?
Challenges:
- Services can start out small, to address a niche problem
- If successful, the solution can grow in scope, taking a much more significant role in business systems
- If a service becomes a critical service, do we need to disclose the relationship?
Solution:
- Define a scale for the proposed services
- Implement change management processes, or include cloud services in your existing ones
- Review critical suppliers regularly and disclose them to the Audit Committee
RECOVERY AND PLAN B
Issue:
- Cloud services can be highly proprietary and evolve over time
- Transition back may be difficult or impossible even if the data is recovered
Challenges:
- Over time, web applications as well as data will evolve; the data may no longer work with the original applications
- Data may not be recoverable from the service provider
- Too critical to fail
Solution:
- Have access to backup data under your control
- If a solution is critical, identify a second source or backup solution
- Test the backup periodically, by restoring it into the fallback solution, to make sure it will actually work when needed
INTERNAL AUDIT
Issue:
- Need to maintain confidence that cloud services have not weakened internal controls
- Need to detect when services have evolved beyond our risk appetite
Challenges: How do we detect control weaknesses in a timely way, or know when a provider is not meeting its commitments?
Solution:
- Consider leveraging internal audit to test vendor compliance
- Perform walkthroughs of processes, identifying where cloud services fit
- Use audit to educate internal departments on the use of cloud services
AUDIT RIGHTS – CLIENT
Environment: Audit rights
Challenge: Scope and compliance
Solutions: the 4 Rs
- Retention of records
- Rights (audit scope)
- Remediation
- Reimbursement
EXTERNAL AUDIT – PROVIDER
Issue: Ensuring security and establishing credibility
Challenge: Responding to customer requests for evidence of controls
Solution: Savanna has opted to obtain an SSAE 16 audit opinion based on controls designed to a COBIT 4 standard. This:
- Creates credibility with customers and eliminates several challenges when responding to requests for evidence of controls
- Adds credibility in the event of a legal challenge, by meeting a high standard that has been independently evaluated
TERMINATION AND TRANSITION
Environment: When the cloud evaporates
Challenge: Planned termination vs. unplanned termination
Solutions:
- Non-cloud contingency plans
- Transition to a new vendor
THANK YOU
CHARLES McCARRAGHER – SENIOR LEGAL COUNSEL, TD BANK GROUP
KEN LEDGER – DIRECTOR, RISK MANAGEMENT, SAVANNA ENERGY SERVICES CORP.
LISA R. LIFSHITZ – PARTNER, TORKIN MANES
PETER NGUYEN – GENERAL COUNSEL & CORPORATE SECRETARY, GUESTLOGIX INC.