- how your company can use the cloud service (i.e. acceptable usage policies, licensing rights or usage restrictions);
- how your data is stored and protected;
- whether the service provider has access to your data, and if so, how that access is restricted;
- how to report an incident;
- how to terminate the service and if data is retained after service termination;
- whether the service provider will give advance notice of any change of terms;
- the jurisdiction (Hong Kong SAR or other locations) that the Terms would apply.
- Negotiate the Terms of Service with the service provider if not all the terms are found acceptable. If you cannot find a service provider meeting your requirements, you should re-consider the use of cloud services.
- Understand whether there are “secondary uses” of your account information without your knowledge or consent. For example, information stored in the cloud may be used to tailor advertisements.
- Check whether the service provider reserves rights to use, disclose, or make public your information.
- Check whether the intellectual property rights of data you own remain intact.
- Check whether the service provider retains rights to your information even if you remove your data from the cloud.
- Understand whether you can move or transfer your data and the service to another provider when you want to, and whether export utilities are available and are easy to use.
- Check whether data can be permanently erased from the cloud, including any backup storage, when you delete this data or when you end the service.
Additional Selection Considerations
- Understand the acceptable range of risks associated with the use of cloud services.
- Select a service provider with a service level agreement commensurable with the importance of your business function.
- Select a service provider that can explain clearly what security features are available, preferably supported by an independent information security management certification (e.g. ISO/IEC 27001).
- Select a service provider with no major security incident reported, or one that can provide transparency to previous security incidents with cause and remediation explained.
- Select a service provider that ensures data confidentiality by -
- using encryption (e.g. Secure Sockets Layer (SSL)) to transmit data; and
- using encryption to protect stored static data. (If not, you have to use your own encryption before storing data in the cloud. In that case remember to keep your encryption key safe.)
- Select a service provider that provides a simple and clear reporting mechanism for service problems, security and privacy incidents.
- Select a service provider that provides regular service management reports and incident problem reports.
- Ask for samples of data that will be returned upon termination of service and ensure that they are readable and can be recovered when needed.
- Check for interoperability between the cloud service and external systems and select a service provider that can meet your requirements in terms of:
- The ability for other authorized sites or systems (e.g. your internal systems) to use the data or system functions that have been hosted under the cloud service, with standard-based and well-documented programming interfaces.
- The ability to access and work with data or functions provided at some other sites that are not managed by the cloud service provider.
- The ability to track for updates that are made on other sites, and automatically keep the corresponding data up to date under the cloud service.
- The ability to notify another system on the updates made under the cloud service, or provide a way for others to ask for the updates made.