Scotland's Digital Future: Scottish public sector cloud computing guidance

Guidance and principles on cloud computing in the Scottish public sector.


Annex 2 - Suggested risk assessment considerations and questions

Confidentiality

Can your cloud provider provide an appropriate third party security assessment? Does this comply with an appropriate industry code of practice or other quality standard?

How quickly will the cloud provider react if a security vulnerability is identified in their product?

Is all communication in transit encrypted? Is it appropriate to encrypt your data at rest? What key management is in place?

Will the cloud provider delete all of your data securely if you decide to withdraw from their cloud in the future? What are the data deletion and retention timescales? Does this include end-of-life destruction?

Find out if your data, or data about your cloud users, will be shared with third parties or shared across other services the cloud provider may offer.

Integrity

What audit trails are in place so you can monitor who is accessing data?

Make sure that the cloud provider allows you to get a copy of your data, at your request, in a usable format.

How quickly could the cloud provider restore your data (without alteration) from a back-up if it suffered a major data loss?

Availability

Does the cloud provider have sufficient capacity to cope with a high demand from a small number of other cloud customers?

How could the actions of other cloud customers or their cloud users impact on your quality of service?

Can you guarantee that you will be able to access the data or services when you need them?

If there was a major outage at the cloud provider how would this impact on your business?

Contractual

Make sure you have a written contract in place with your cloud provider.

How will the cloud provider communicate changes to the cloud service which may impact on your agreement?

Require the cloud provider contractually to operate within defined jurisdictions. Which countries will your cloud provider process your data in and what information is available relating to the safeguards in place at these locations? Can you ensure the rights and freedoms of the data subjects are protected?

You should ask your cloud provider about the circumstances in which your data may be transferred to other locations including countries.

Can your cloud provider limit the transfer of your data to countries that you consider appropriate?

Ensure that you have locked in maximum pricing on renewal of cloud agreements.

Ensure that you are clear about what is included, and watch out for typically unrecognised costs such as storage and premium maintenance.

Know and update your switching/exit cost, ensuring that you can exit contracts and get your data out effectively and efficiently.

Seek contractual uptime and performance guarantees that meet your business needs, and beware of exclusions to those guarantees.

Require the cloud provider to inform you when law enforcement authorities request personal information held in the cloud.

When an organisation understands what the answers in these areas mean for it, it can decide on its next steps for moving to the cloud. These steps may differ for different types of cloud service, such as:

  • cloud computing infrastructure services to host enterprise applications
  • cloud computing infrastructure services to build new applications
  • creation of composite mashups (running internally or externally) to combine and leverage multiple cloud services
  • cloud computing application and information services

Contact

Email: Philip Whitley
