Cloud service provider due diligence
The cloud provider’s privacy and security safeguards may need to be reviewed, depending on the system’s criticality, the confidentiality of the information involved, and any legal, regulatory, contractual and/or funding agency requirements. Consult the cloud service considerations to determine whether the cloud service’s privacy and security controls must be verified.
Examples of due diligence reviews of privacy and security controls include:
- Obtain proof of SSAE 16 Type II or ISO 27001 certification.
- Obtain proof of other external third-party controls review or certification based on industry best practices.
- Obtain a Cloud Security Assessment Questionnaire completed by the cloud provider for systems handling Official Use Only (OUO) or Confidential information.
- Other security controls documentation pertinent to the scope of the cloud offering.
Security controls information can be obtained along with the RFP, if one is issued. Otherwise, it must be obtained directly from the cloud provider and reviewed by both the department and IT Information Security.