CIOReview
JANUARY 2025

IN MY OPINION

MANAGING DATA SECURITY AND PRIVACY RISKS IN CLOUD SERVICES ARRANGEMENTS

By Darrell Bateman, Chief Information Security Officer, City Bank

When we utilize cloud-based services that involve sharing our own confidential data or our customers' sensitive or private data, we entrust the security and privacy of this data to those cloud providers. For instance, if a cloud provider suffers a cyberattack that results in the loss or exposure of this sensitive data, both parties in the cloud services arrangement should understand their obligations in responding to and mitigating the incident.

By comparison, if your organization and its infrastructure were attacked and sensitive data was exposed, you would be obligated by state, federal, and, in some cases, international law to identify and notify the affected individuals and provide adequate relief, such as free credit monitoring. Will your cloud providers take on this responsibility for the data you entrusted to them?

If the answer to this question is unclear, then you may need to ensure both parties in cloud services arrangements clearly understand their responsibilities and obligations. You may also need to consider what steps can be taken to minimize the risk and impact of a data breach in your third-party relationships. Here are some tips and best practices to consider before entering into cloud service arrangements involving transferring, processing, or storing sensitive data.

Classify all data in your organization and maintain a comprehensive inventory of systems and third-party providers that store or process this data.

Data classification efforts must include data flow descriptions that identify the various systems, applications, and third parties that process or store your data. For each third party in your inventory, you should know the data types, volume, retention policies, and regulatory requirements associated with the data the third party has access to.