The Truth About Protection of Your Data in The Cloud

Does your organization have a defined, written data protection strategy and negotiation process for finalizing agreement terms with cloud vendors?

Is it part of your cloud vendor management and/or contracting process to routinely request and use attestations (evidence of independent security audits your vendors routinely have performed on their business) to perform due diligence in auditing and understanding the level of protection of your data in the cloud?

If so, are you able to use the attestations to identify any deficiencies (vulnerabilities in their ability to protect your data) and assess their potential impact on your data, and does your agreement provide you remedies if your vendor fails to remedy those deficiencies in a timely manner

Do all of your vendor agreements grant you the right to conduct penetration tests on the vendor’s solution, or otherwise obligate your vendor to provide you the results of regular penetration tests by the vendor or their subcontractors?

Do your agreements limit your cloud vendor’s liability specifically for data protection and privacy?