Ensuring Compliance through SLA Negotiations

By CIOReview | Monday, April 10, 2017

Every business understands the significance of a Service-level Agreement (SLA): it states the services and the standards of service that the provider is obliged to furnish. In the case of cloud, enterprises are even more cautious, reading all of the available guidance on security and compliance to ensure those goals are properly addressed in their SLAs. Regulatory compliance reporting is an essential part of the contractual negotiation process. The major open questions, however, are what type of compliance information an organization actually needs, what options exist to make that reporting easier to consume, and what specifically to look for and ask for when conducting such negotiations.

The Foundation for Regulatory Compliance Reporting

While some organizations have detailed visualization and reporting built into their security and compliance structure, others struggle to maintain a complete view of their data and their compliance posture. This can be a major barrier, because consuming services through providers can introduce an area of regulatory risk if those providers fail to follow the mandates of the regulations in scope. The first step an organization should take to resolve this is self-examination: businesses need to identify their regulatory requirements and the way those requirements are being addressed internally. Where there are multiple business units, understanding the compliance posture of each unit can make this considerably more complicated.

Next, organizations have to find out which cloud services they utilize and what function each one performs. Any service, whether used by one employee or by all of them, can be the cause of a potential compliance problem. Organizations want an inventory of every location in the cloud where potentially regulated data resides, but building one manually is seldom feasible. Here, automated cloud discovery tools can help.

Creating Compliance Reporting Needs

The next step is to determine the organization's compliance reporting needs and then establish a process that ensures the reporting is complete and accurate. Reporting needs vary from one organization to the next depending on the specific regulatory requirements in play. An important consideration is the set of services it obtains from various providers wherever the scope of compliance overlaps with a provider's environment. Organizations should go through these on a service-provider-by-service-provider basis to confirm that the required reporting exists and can be accessed. Some providers only offer compliance reports upon request; others may deliver the report through a channel the organization does not expect, such as an attachment to a maintenance bulletin sent to an operations contact. There are also third-party services whose tools can help round out the reporting.

Validating Accurate Reporting

Once the reporting requirements are defined, organizations need to establish a validation process to ensure the reporting is accurate. Report validation begins just like any other audit or assessment activity, and enterprises that lack the internal bandwidth can consider outsourcing it. With the growth of service provider relationships and the popularity of the cloud, other options have started to emerge that help limit the audit and assessment burden on individual organizations. The Cloud Security Alliance (CSA), for example, has licensed the CloudTrust Protocol, a procedure that helps improve transparency for customers about a potential provider's compliance, security, privacy and more.

None of the procedures involved in ensuring cloud regulatory compliance (the auditing, the logging and the reporting) is trivial, and each service provider has its own way of handling the compliance-driven reporting requirements specific to the services it provides. Ensuring that the services provided stay in sync with organizational needs is not an easy task. By doing this initial groundwork, organizations can make sure their compliance posture in the cloud is as robust as it is in the environments they build and maintain themselves.