Two members of our Technology, Outsourcing, and Commercial Transactions practice group, Morgan Lewis partner Barbara Melby and associate Katherine O’Keefe, recently published an article in The Legal Intelligencer that analyzes best practices for diligence, internal controls, and provider management in mitigating the security risks of cloud-based offerings. The article, titled “Mitigating Security Risks in Cloud Offerings Through Diligence, Oversight,” discusses how companies, even in the most risk-averse industries, have begun to routinely adopt cloud-based solutions and how these companies are mitigating the inherent risks associated with cloud services.
Barbara and Katherine’s article highlights a list of key diligence steps companies should undertake and questions companies should ask when considering cloud solutions. The authors note that “[t]hrough thorough diligence, proactive steps and good governance, cloud solutions potentially can provide security that is as good as, if not better than, what a company can provide itself.”
The authors comment that many cloud service providers consider security a “shared” responsibility and state that a company:
should have its security teams review the security policies, procedures and protocols of the provider to understand the division of responsibilities and confirm that the provider’s security standards and notification obligations are acceptable based on the company’s industry, the company’s requirements, applicable regulations and risk profile.
Some important responsibilities to consider include:
- Defined security processes and workflows
- Clear roles and responsibilities, including the notifications and communications required at each stage of an incident and the steps taken by internal incident response teams
- Change control and management
Our group continues to monitor the security and other key developments regarding the growing usage of cloud infrastructure and will highlight those developments in future posts at Tech and Sourcing @ Morgan Lewis.