Outsource Contracting Law, Policy, & Process

Tracy Mitrano, Cornell University
Ann Geyer, UC Berkeley

The Challenge of Cloud Computing

The challenge of cloud computing revolves around the transition from a managed infrastructure and managed information to vendor products and services. Substantively, contracts bridge control of institutional information and business process. Procedurally, cloud computing requires rethinking the information technology organizational process, from conception to implementation of a cloud service.

Contracting: Past, Present, and Future

| Pre-Box                 | Box                          | Post-Box                         |
|-------------------------|------------------------------|----------------------------------|
| Click-thru              | Consortium contract          | Relationship contract            |
| Nobody knows or cares   | I2/Net+ intermediated        | Lessons learned                  |
|                         | Customized terms for HE      | Memorialize reliance components  |
|                         | Ad hoc negotiation process   | Create framework for management  |

Cloud Computing Operational Process

(process diagram; not reproduced in the transcript)

Cornell Box Policy

http://www.it.cornell.edu/services/box/policy.cfm

Lessons Learned

- Janus face of cloud computing
- Contracts revisited
- Outsourcing contract process
  - Obsolescent linear process
  - New vendor relationship
- Cloud computing & institutional missions
  - Strategic planning
  - Effectiveness & efficiencies
  - Institutional integrity

Cloud Contract Objectives

- Recognize that the service and data control strategy is different
  - The university has diminished direct control
  - It must rely on vendor policy, vendor operations, and sub-vendors
- Recognize that the service environment is always changing
- Contract objectives
  - Create a defined, ongoing relationship
  - Share risk and responsibilities
  - Assign protection requirements
    - Vendor: traditional asset protection
    - University: focus on data and user protections
    - Both: a comprehensive protection structure

Relationship Contract Concept

Open communications & shared decision-making. Example provisions:

- Ownership of data (IP)
- Right to use data (access, mining, indexing, etc.)
- Privacy and security protections
- Regulatory compliance
- Mediation of differences
- Contract expiration

Other Contract Issues

Common terms to protect the university:

- Vendor may never unilaterally "share" data with a 3rd party
- Frequent communication & notification by the vendor
- Corrective action timeframes
- Indemnification for vendor errors
- Contract terms tied to data classification levels

Role for Data Classification

- Protection Levels matched to Protection Profiles
- Both vendor and university communicate in the same framework
- Changes to policy, operations, applications, or infrastructure are described in terms of compatibility with the protection level requirements (+/-)

Current Recommendations (Berkeley)

| Protection Level | Data Category                                      | Permitted on Box? | Permitted on Google? |
|------------------|----------------------------------------------------|-------------------|----------------------|
| PL0              | De-identified data; public consumption data        | Yes               | Yes                  |
| PL1              | Student Education Records (FERPA)                  | Yes               | Yes                  |
| PL2              | Patient Health Information (PHI)                   | No                | No                   |
|                  | Payment Card Industry (PCI) information            | No                | No                   |
|                  | California State Law notice-triggering information | No                | No                   |
|                  | Human subject research data                        | No                | No                   |
|                  | Export controlled data                             | No                | No                   |

Service Classification Example

| Protection Level | Suitable Services | Protection Profiles (Requirements & Standards) | Risks or Variances                                                          |
|------------------|-------------------|------------------------------------------------|-----------------------------------------------------------------------------|
| PL0              | Any               | MSS for networked devices                      |                                                                             |
| PL1              | Box, Google       | Baseline data profile; FIPPS controls for PII  | Auditing immature; admin access without notice; data leakage via 3rd-party apps |
| PL2              | Calshare          | MSS-NTD                                        | DB not encrypted                                                            |
|                  | EMR               | HIPAA profile                                  | None                                                                        |

Berkeley Data Classification

| Protection Level | Impact Category  | Protection Profiles (Requirements & Standards)                                                        | Examples                     |
|------------------|------------------|-------------------------------------------------------------------------------------------------------|------------------------------|
| PL0              | Limited          | Availability; reliability; fair use                                                                   | Published; open access       |
| PL1              | Moderate         | Privacy impact assessment; FIPPS controls for PII; baseline assessment; nondisclosure                 | Student data; low-value data |
| PL2              | High             | Full risk assessment; comprehensive security; need-to-know monitoring; actively regulated             | Home & family; high value    |
| PL3              | Mission Critical |                                                                                                       | SSO; DB                      |

Conclusions

Demystifying the cloud:

- Relationship contracting is not just an outsourcing arrangement
- The contract is essential to mediate the cloud relationship
- The contract should retain institutional integrity, provide an opportunity for strategic planning, and create efficient and effective outcomes for the university

Relationship contracting:

- Building a meaningful vendor relationship
- Defining the relationship terms
- Memorializing shared risk and responsibilities