Cloud-based services are applications or infrastructure that users access via the Internet. While cloud solutions can be easy to set up and are affordable compared to traditional IT infrastructure and software, there are risks that need to be considered when reviewing cloud-based services for use at Kindred. The Contract Policy for Third Parties Hosting Kindred Data is a new Enterprise policy that governs the review and acquisition of all types of cloud-based services. The following highlights the policy and some questions to ask when considering a cloud-based solution:
- Use of cloud-based services must comply with current laws, data privacy and security requirements and Kindred policies and procedures.
The cloud vendor may have control of Kindred data, but we are still responsible for protecting it.
- All cloud-based services must be reviewed and approved by IS-Finance and Information Security Risk & Compliance prior to signing a contract and product implementation.
Due diligence must be performed to ensure cloud services are properly catalogued, required contractual language is met, and that the service meets minimum security, privacy and management requirements for the types of service and data involved.
Ask yourself the following questions when considering a cloud service:
- What kind of data will be hosted in the cloud? Is the data protected by appropriate security and privacy controls?
- How critical is the hosted data? Would a lack of availability impact business?
- How is data access managed? Is data at risk of being accessed by unauthorized users?
- How will data be recovered if Kindred's relationship with the vendor ends?
See the policy for additional guidance on reviewing cloud services.
Be cloud smart!
Ensure that you follow requirements for acquisition of cloud-based services and are aware of risks to data confidentiality, integrity, and availability. Click to review the Contract Policy for Third Parties Hosting Kindred Data.
Contact Information Security Risk & Compliance by e-mailing InfoSec - Risk and Compliance.