Presentation is loading. Please wait.

Presentation is loading. Please wait.

Outsource Contracting Law, Policy, & Process

Published byDominick O’Neal’ Modified over 5 years ago

Similar presentations

Presentation on theme: "Outsource Contracting Law, Policy, & Process"— Presentation transcript:

1 Outsource Contracting Law, Policy, & Process
Tracy Mitrano Ann Geyer Cornell University UC Berkeley

2 The Challenge of Cloud Computing
The challenge of cloud computing revolves around the transition from a managed infrastructure and information to vendor products and services. Substantively, contracts bridge control of institutional information and business process. Procedurally, cloud computing requires rethinking the information technology organizational process from conception to implementation of a cloud service.

3 Contracting --Past, Present, and Future
Pre Box Box Post Box Click Thru Nobody knows or cares Consortium Contract I2/Net+ intermediated Customized terms for HE Adhoc negotiation process Relationship contract Lessons learned Memorialize reliance components Create framework for management

4 Cloud Computing Operational Process

5 Cornell Box Policy

6 Lessons Learned Janus face of cloud computing Contracts revisited
Outsourcing Contract Process Contracts revisited Obsolescent linear process New vendor relationship Cloud computing & institutional missions Strategic planning Effectiveness & efficiencies Institutional integrity

7 Cloud Contract Objectives
Recognize service and data control strategy is different University has diminished direct control Must rely on vendor policy, operations, and sub-vendors Recognize that the service environment is always changing Contract objectives Create a defined ongoing relationship Share risk and responsibilities Assign protection requirements Vendor—traditional asset protection University—focus on data and user protections Both—a comprehensive protection structure

8 Relationship Contract Concept
Open Communications & Shared Decision-making Example provisions Ownership of data (IP) Right to use data (access, mining, indexing, etc.) Privacy and security protections Regulatory compliance Mediate differences Contract expiration

9 Other Contract Issues Common terms to protect the university
Vendor may never unilaterally “share” data with 3rd party Frequent communication & notification by vendor Corrective action timeframes Indemnification for vendor errors Contract terms tied to data classification levels

10 Role for Data Classification
Protection Levels matched to Protection Profiles Both vendor and university communicate in same framework Changes to policy, operations, applications, infrastructure described in terms of compatibility with protection level requirements (+/-)

11 Current Recommendations (Berkeley)
Protection Level Data Category Permitted on Box? Permitted on Google? PL0 De-identified data Public consumption data Yes PL1 Student Education Records (FERPA) PL2 Patient Health Information (PHI) No Payment Card Industry (PCI) Information California State Law Notice‐Triggering Information Human Subject Research Data Export Controlled Data

12 Service Classification Example
Protection Level Suitable Services Protection Profiles (Requirements & Standards) Risks or Variances PL0 Any MSS-networked devices PL1 Box Google Baseline data profile FIPPS controls for PII Auditing immature Adm access w/o notice Data leakage 3rd party apps PL2 Calshare EMR MSS-NTD HIPAA profile DB not encrypted None

13 Berkeley Data Classification
Protection Level Impact Category Protection Profiles (Requirements & Standards) Examples PL0 Limited Availability Reliability Fair Use Published Open access PL1 Moderate Privacy impact assessment FIPPS controls for PII Baseline assessment Nondisclosure Student data Low value data PL2 High Full risk assessment Comprehensive security Need to know monitoring Actively regulated Home & family High value PL3 Mission Critical SSO DB

14 Conclusions Demystifying the Cloud Relationship Contracting
Not just outsourcing arrangement Contract is essential to mediate the Cloud relationship Contract should retain institutional integrity, provide an opportunity for strategic planning, and create efficient/effective outcomes for the university Relationship Contracting Building a meaningful vendor relationship Defining the relationship terms Memorializing shared risk and responsibilities

Download ppt "Outsource Contracting Law, Policy, & Process"

Similar presentations

Data Privacy and Security in the Cloud Presented by Robert J. Scott Managing Partner Scott & Scott, LLP www.ScottandScottllp.com.

Data Privacy and Security in the Cloud Presented by Robert J. Scott Managing Partner Scott & Scott, LLP
IT Security Policy Framework

IT Security Policy Framework
Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA.

Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.

1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.

Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.

Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
Assistant VP of IT *Cloud Computing* Some Guidelines Kelly McDonald Dec. 8, 2011.

Assistant VP of IT *Cloud Computing* Some Guidelines Kelly McDonald Dec. 8, 2011.
1 Secure Commonwealth Panel Health and Medical Subpanel Debbie Condrey - Chief Information Officer Virginia Department of Health December 16, 2013 Virginia.

1 Secure Commonwealth Panel Health and Medical Subpanel Debbie Condrey - Chief Information Officer Virginia Department of Health December 16, 2013 Virginia.
Roles and Responsibilities

Roles and Responsibilities
HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.

HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
April 14, 2003- A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

Similar presentations

Ads by Google