BCA CT&IS A
Make a list of 10 questions which you will ask cloud providers.
1. What are your and my company’s duties in the protection of our data?
When partnering up with a security provider, one of the first things to clear up is
the share of responsibility each partner has to take on. It’s important to
determine what kind of involvement is required from each side. If you are
required to follow certain procedures, it’s good to educate your staff and see how
much your security provider gets involved in the matter. Does the provider guide you
through the process “hands-on”, or do you just get some guidelines? In terms of
risk management, a company plays a key role in protecting its own data, but the
security provider must provide adequate assurance as well.
2. How will I get set up?
Once you choose and sign a contract with an online security vendor, the next
logical step is to log in to your user dashboard and start configuring your account,
adding employees as users, and setting up permissions and key parameters. There’s a
lot of fine-tuning to do, which can sometimes seem overwhelming as it requires
adequate knowledge. Since a lack of time, staff, expertise and/or
resources is the reason you approached a security solution provider
in the first place, make sure the setup process doesn’t backfire. Some providers
will walk you step by step through the whole installation and setup process of
their services, while others will simply provide online guides. You should go with a
provider that best suits your knowledge and skills, or at least offers structured
assistance when setting up your security solutions.
3. What level of access to logs will my company get?
Although it may sound simple at first, the level of access to logs should be one of
the top concerns when choosing security providers. As the servers will no longer
be entirely handled by your staff, it’s important to carefully consider what
information will and what will not be obtainable from the provider. Although
some information may simply not be as important to your company, it can
happen that pieces of crucial data are not available. In that case, you should try to
negotiate the level of log access you will be provided with as early as possible.
4. Who will be able to access my company’s data?
Although your data will likely reside somewhere other than your premises,
you definitely have to own and control it. You should look for a provider who uses
customer data only to provide customers with the services to which they have
subscribed and for purposes complementary to providing those services. Make
sure your security service provider doesn’t scan customer services, applications or
data stores for advertising or other unapproved purposes.
5. Where will all the servers, processes and my company data physically reside?
When choosing your security provider, it’s crucial to know where your data will
reside. Some providers host all data in their own data centers, some may leverage
cloud services and offer a hybrid on-site and cloud solution, while others may
handle data on the customer’s premises. Considering the increased migration to and
adoption of cloud services, it is likely that your security provider will leverage cloud
solutions as well. Although the cloud is considered borderless, the data still has
to reside somewhere in real countries, which have varying privacy and
security laws in place. You need to be aware of the regulations of both your country
and the country where your data lives.
6. What is your service level agreement (SLA) for uptime?
Downtime is when services are inaccessible to internet users for a period of time,
as opposed to uptime, which is the amount of availability your users can expect;
you want uptime to be as high as possible. Many providers offer 99.9% uptime,
which can amount to almost 45 minutes of unwanted downtime per month and
end up costing you revenue if your business processes are executed online.
7. How strong is your expertise?
The more expertise and knowledge your security provider possesses, the better
its performance will be. You want to make sure your data is handled by
certified security experts who know exactly how to approach even the most
specific issues. Look for a provider whose experts are constantly training and
improving. You need them to be up to date with the latest technologies you find
most important for your business.
8. What is the level of customer support I can expect if I side with you?
Today’s global, online economy doesn’t operate within “normal business hours”.
The same is true of cyber threats, which are definitely not a “nine-to-five”
occurrence. That’s why you should look for a provider that offers quick
responses and a proactive approach around the clock.
9. Do you keep a signed trail of which users performed what actions and when?
Setting up a safe IT perimeter is important to keep safe from hackers and external
threats, but don’t underestimate the risks that arise from inside your company.
That’s why it is important to protect against both malicious and mistaken actions.
Find out if your security vendor can provide user action logs in order to track
possible internal security mishaps and flaws.
10. What is your exit process?
We all know that not all relationships last forever. That’s why it is important for
companies to know exactly how the termination process is executed when ending
a cooperation or switching to another provider. Make sure to define the following
in your contract:
How will the security provider assist with the transition – including providing the
company’s data back or to a third party
What are the provider’s destruction or electronic shredding policies – you need to
have evidence that your data is no longer resident on the provider’s systems
Which independent third parties will review and certify the exit process – you
have to make sure the exit process is diligently executed and reviewed