T6.3.2 - SERVICE DELIVERY AGREEMENTS WITH CLOUD PROVIDERS Implementation Guidance
The entity shall document relevant security requirements in service delivery agreements with cloud service providers.
When establishing a service delivery agreement for cloud-based services, it is the entity’s responsibility to define security requirements for the cloud vendor. This should also take into consideration that the entity may have different levels of ability to negotiate these terms with a vendor based on the type of cloud services being purchased (e.g. private vs. public).
Part of the entity’s responsibility includes understanding, where possible, where information will be stored, processed, or transmitted, to ensure that often-sensitive information privacy laws and other legal restrictions (e.g. prohibiting transmission of certain types of information outside national borders) are respected.
In addition, the entity should ensure that the terms and conditions of service delivery agreements provide ample clarification on how information will be migrated from the selected cloud service provider to another provider (or back to the entity) at the termination of the service delivery agreement. This is critical to ensuring that the entity is not “held hostage” by the service provider.