Randall S. Beach
In deciding to place some or all of a company’s data and/or software on a cloud platform, executives are in essence deciding to give a third party custody of their company’s most precious asset (its data) and the tools of its productivity (its software systems). That can be a daunting decision, and one that often leaves executives wanting to quickly turn their focus to other more mundane (i.e. comfortable) matters. It is exactly at that moment though, that company leaders must remain focused in order to ensure that their decision to engage the cloud will be successful. In fact, the decision to engage the cloud is just the beginning. If a company is to successfully utilize the cloud, its decision makers must embrace a carefully planned due diligence process.
When a company looks to purchase a new parcel of land, enter into a new lease, buy an expensive piece of operating equipment, or undertake any other major transaction, a due diligence process is executed to ensure that the decision will be a profitable one. Engaging with the cloud should be no different. Once a company has decided to place data in the cloud or to use SaaS, it must develop and follow a due diligence process to ensure that its data will remain secure and accessible, and that its new cloud-based software will, at a minimum, retain the productivity levels of the company's in-house systems.
What does such a due diligence process look like? The answer to that question will, of course, depend on the size of the company, its internal structure, the amount and type of data to be placed in the cloud, and the extent of SaaS that the company intends to use. To be productive, the scope of due diligence must be commensurate with all of the foregoing.
In general, decision makers should first develop and agree upon the scope of the due diligence. Here it is critical to identify the "go/no go" elements. What are the most crucial concerns that the company has with respect to its data? What minimum levels of productivity must a SaaS platform deliver? Is the geographic location of data important to the company?
Once the scope of the due diligence is determined, a due diligence checklist should be developed. This checklist breaks the scoping work down into a series of brief questions to be answered by each potential vendor. Examples include:
» How is data protected and stored, and what encryption is used at rest and in transit? Who holds the encryption keys?
» What controls protect against a malicious insider at the vendor?
» How is data deletion accomplished, and does it extend to backups and replicas?
» What is the vendor’s disaster recovery plan?
» Is there a clear incident response and breach notification procedure, with defined timelines for notifying the customer?
» How does the vendor ensure adequate PII protection?
» Are there mandatory background checks for vendor employees?
» Where is data stored?
» Can the vendor isolate the geographic location of the data to approved/specified locations?
» Can the vendor adhere to and implement the customer's data retention policies?
» Will data be kept in an accessible, exportable format and be accessible at all times?
» Can the vendor accommodate the company’s compliance requirements, if the company is regulated (e.g., healthcare)?
» Are third-party auditors engaged, and are their reports available to the customer?
» Can the company develop its own metrics to be deployed and monitored?
» What are the transition and post-termination support levels?
Each potential cloud vendor should be vetted using the company’s due diligence checklist. Vendor responses should then be evaluated and compared. In this manner, the due diligence process ensures that the company’s critical data and software concerns are addressed by each potential vendor. At the conclusion of the due diligence process, the company should have enough information about potential cloud vendors to make an informed and profitable decision when it engages with the cloud.