September 17, 2014
Ensuring Your Vendor’s Cloud Has a Silver Lining
Posted by Steve Shofner
A cloud vendor tends to deliver IT systems and services better than we can, generally speaking. Since the systems they provide are the core of their business, they invest more in their personnel, technology, and other resources to deliver security, availability, processing integrity, scalability, reliability, and other factors better than we typically would, since IT is not the core of our (and most people’s) business. They also tend to offer those services at a lower cost through economies of scale. However, notice the caveats in what I just said: they tend to be better, in general, and that tends to come at a lower cost. Not all of them are better. If the vendor doesn’t practice sound business operations, you may try to log onto your system one day and find that it, and your data, are gone, and completely unretrievable.
This nightmare can be avoided by establishing a solid Vendor Management Program, focused on evaluating vendors up front, ensuring there are adequate provisions regarding the service levels they provide, and ensuring your ability to independently monitor their performance over time. Even though you are outsourcing your systems to another firm, your organization is still responsible for what happens with those systems. Your customers may not be very understanding if you can’t provide your product or service to them because of the vendor you chose to outsource your IT systems to. If you keep your customers’ private and confidential data, you may also have compliance issues to address, along with the related fines, penalties, and other damages. A Vendor Management Program will help you ensure your vendors are good stewards and custodians of your systems and data, that they follow leading industry practices while managing your affairs, and that you have the information necessary to monitor their service delivery over time and confirm that their service is delivered as agreed upon.
Given the cost of implementing a new system, including a SaaS system, those same costs serve as a significant barrier to moving to a different vendor later. So, performing your due diligence up front is important to ensure you don’t end up locked into a disadvantageous situation that puts your organization at risk. This can be accomplished by ensuring you include the right stakeholders in the evaluation process and by ensuring the agreement includes provisions for adequate Service Level Agreements (SLAs), regular communication of the corresponding metrics, audits at least annually, and the availability of Service Organization Control (SOC) reports at least annually (SOC reports are independent audits performed by a CPA, producing reports that can be provided to the organization’s customers). These provisions allow you to evaluate a cloud vendor’s services, both from the information they provide and through independent audits. Even though a vendor makes convincing promises up front, they are not always incentivized to tell you if they aren’t meeting all their commitments. So, these provisions are important for you to ensure they do. Other topics to be evaluated include the ownership of intellectual property, non-disclosure of sensitive data, confidentiality regarding personal information, required and timely breach notification, retention and destruction of your data (and the backups of your data), and more.
For more information about establishing a Vendor Management Program, including strategies for working with your existing vendors to bring them into compliance, as well as details on how to evaluate SOC reports that assess your vendor’s key processes and controls, please take advantage of the Armanino Vendor Management Program webinar, Why You Need SOC Reports for Outsourced Operations. Learn more about ensuring SOC compliance when evaluating your business vendors.