
Article NO. Content

Title: Directions on Information and Communication Security Management and Control of New Technologies for Associations of Securities and Futures Market

Amended Date: 2024.12.27 
Categories: Information Operations
Article 5     (Selection and due diligence of cloud service providers)
  1. An organization shall perform due diligence and regular reviews of cloud service providers, based on the cloud service mode in use, to evaluate whether a cloud service provider can meet its needs with respect to service quality, backup mechanism, data destruction mechanism, logical resource partitioning mechanism, log retention mechanism, information and communication security protection capability, management of information and communication security reporting responsibility, business continuity operation and disaster recovery capability, professional knowledge and resources for the contracted business, financial health, internal control, and legal compliance. Where a need is not met, other compensatory measures should be considered.
  2. An organization shall maintain full ownership of the data processed by the contracted cloud service provider. A cloud service provider shall ensure that it is not authorized to access client information, except for the performance of requested services, and that it does not use this information for any purpose beyond the scope of the request.
  3. To ensure the system can be relocated or the data can be migrated out of cloud services at the end of the services, an organization shall evaluate and determine if the cloud service provider can satisfy the following needs for cloud interoperability and portability:
    1. A cloud service provider may provide documents describing interoperability and portability of application programs and information processing for the organization’s reference.
    2. A cloud service provider is advised to use the virtualized platform, virtual machine file format, and data and file format commonly seen in the industry to ensure interoperability.
    3. If the cloud services provided by a cloud service provider involve accessing via application interfaces, it is advisable to use an open or public application programming interface (API) to ensure better portability of application components.