|
Article 4
|
(Selection of cloud service providers)
- A cloud service user shall perform prior evaluations of service quality of a cloud service provider (including information and communication security protection) and other risks, and take appropriate risk management and control measures. In the event of a deficiency in meeting the needs, other compensatory measures should be considered.
- A cloud service user shall evaluate whether a cloud service provider has established the cloud service backup system, and it is advised to specify in the contract the requirements on the recovery time of cloud services.
- A cloud service user shall maintain the full ownership of the data processed by the cloud service provider. A cloud service provider shall make sure not to be authorized to access client information, except for performance of requested services, and not to use this information for any purpose beyond the scope of request.
- A cloud service user shall implement regular reviews on the cloud service provider with regard to the outsourced cloud services. If a cloud service provider has received a bronze award or a higher award from Cloud Service Alliance in the STAR program (CSA-STAR), an attestation report may be requested or an on-site inspection may be conducted where necessary.
|