Stay Secure and Recover Quickly: 16 Compliance and Security Checks to Look for in a Cloud Service Provider

There are countless benefits for legal professionals to be able to work and collaborate remotely in the cloud, but it’s important to also be aware of the associated security challenges and vulnerabilities that come with cloud technology. A security breach or failure to meet specific compliance guidelines could potentially put you and your team at risk of significant legal and financial trouble, not to mention potential downtime and losing the trust of your clients.

The good news is that many reputable cloud service providers offer their users the ability to rely on or “inherit” the embedded security and compliance controls that already exist within theprovider’s application infrastructure. To better help you and your legal team make the right choice in cloud service providers, we’ve identified 16 standards, certifications, audit reports, regulations, and attestations, as well as US and international laws, to look for as indicators that your work with individual cloud service providers is safe, secure, and compliant. The more of these “check items” your vendor meets or complies with, the better positioned they are to have security and compliance controls in place to benefit and protect their cloud customers, including your legal team.

16 Compliance and Security Controls to Look for in a Cloud Service Provider

This list of compliance and security checks includes the globally recognized International Organization for Standardization (ISO) 27000 family of standards and controls as well as US-based international standards that are not only required within their original state or country but have since been recognized more broadly as important security benchmarks.

1. ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within the context of the organization.
2. ISO 27017 provides guidance on the information security aspects of cloud computing and cloud services as well as additional implementation guidance for relevant controls specified in ISO/IEC 27002.
3. ISO 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Privacy Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
4. ISO 27701 is a privacy extension to ISO/IEC 27001 designed to enhance the existing ISMS with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). In addition, the controls in ISO 27701 address many of the requirements in the EU’s General Data Protection Regulation (GDPR), so being certified in the ISO 27701 controls can also be used to independently validate compliance with GDPR.
5. Service Organization Controls (SOC) reports help companies to establish trust and confidence in their service delivery processes and controls. This is achieved through detailed information and assurance about a cloud service provider’s ability to adhere to some or all of the Trust Principles: security, availability, privacy, processing, integrity, and confidentiality.
6. The Federal Information Processing Standard (FIPS) (140-3) specifies the security requirements that need to be satisfied by cryptographic modules and is a critical standard when dealing with highly regulated industries. It’s important to note the differences between FIPS 140-2 which meets the tamper resistant standard and FIPS 140-3 which meets the higher tamper proof standard. In addition, FIPS 140-2 only addresses security requirements after completion, but FIPS 140-3 now evaluates security requirements at all stages of cryptographic module creation - design, implementation, and final operational deployment.
7. The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide certification program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services supplied to government agencies, vendors, and customers.
8. Export Administration Regulations (EAR) are export control regulations run by different departments of the US government, such as the US Department of Commerce, which administers EAR to regulate the export of “dual-use” items, including technical data and technical assistance, which are designed for commercial purposes but could have military applications such as computers, aircraft, and pathogens.
9. Defense Federal Acquisition Regulation Supplement (DFARS) requirements and regulations are meant to guarantee the integrity of Controlled Unclassified Information (CUI), or sensitive information belonging to the US government that third parties such as suppliers, partners, and trade associations may hold or use.
10. The Federal Information Security Management Act (FISMA) is US legislation that defines a framework for guidelines and security standards to protect government information and operations.
11. The Health Insurance Portability and Accountability Act (HIPAA) defines nationally standardized privacy protections for patients’ medical records and other health information provided to and managed primarily by health plans, doctors, hospitals, and other healthcare providers in the US. However, it can also apply to employers that offer group health plans and any business or individual that provides services to physicians, healthcare providers, and insurance companies.
12. SEC Rule 17a-4 applies to US broker-dealers and other relevant parties who trade securities or function as brokers for traders, including banks, securities firms, and stock brokerage firms, requiring them to store all business records for a period of no less than six years on non-rewriteable and non-erasable media, with the first two years being in an easily accessible place.
13. The EU Model Clauses are standardized contractual clauses used in agreements between service providers and their customers to ensure that any personal data leaving the European Economic Area will be transferred in compliance with EU data protection laws and meet GDPR requirements.
14. The Australian Cyber Security Centre’s (ACSC) cloud security guidance informs Commonwealth entities, cloud service providers (CSPs), and Infosec Registered Assessors Program (IRAP) assessors on how to perform a comprehensive security assessment of CSPs and their services.
15. The General Data Protection Regulation (GDPR) regulates how companies protect EU citizens’ personal data and has become the benchmark privacy law for many countries.
16. The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the US state of California.

Pick A Cloud Solution That Prioritizes Security and Compliance

Choosing to work with a cloud service provider that is validated as complying with many of these different standards and regulations positions you to rely on or “inherit” the resulting compliance and security controls required by those standards and laws. Your organization’s leadership, your legal team, and your clients can rest assured that your data is in safe and capable hands.

As a native cloud solution designed with legal professionals in mind, NetDocuments provides you and your team with the strict security and compliance controls best suited for legal work while still allowing you to work and collaborate easily and efficiently.

To learn more about how NetDocuments can help you fulfill compliance obligations and client mandates to protect sensitive information, contact us today at (866) 638-3627 or click here to request a demo.

Read David’s original article on this topic in the International Legal Technology Association’s summer 2022 edition of Peer to Peer magazine.