I'm seeking guidance on establishing general regulatory compliance with our cloud vendors. What should I be aware of and include? Are there any best practices or templates available to assist me in this process?

928 views, 2 comments
IT Director in Healthcare and Biotech, 3 months ago
A good starting point would be to check your vendor's compliance management details. AWS provides the "Artifact" service https://aws.amazon.com/artifact/ for this; Azure has a comprehensive list of compliance documents https://learn.microsoft.com/en-us/azure/compliance/; and GCP has their compliance resource center https://cloud.google.com/compliance?hl=en.

You should also be mindful of the SLAs, data security and access policies in their shared responsibility models to ensure that you are covering any possible gap that they are not covering. There are generic SLAs but you might have agreed something more specific in your contract.

For templates, a good starting point would be the Cloud Security Alliance Cloud Controls Matrix (https://cloudsecurityalliance.org/research/cloud-controls-matrix) and the NIST compliance templates.

As compliance requirements vary a lot depending on the country where your company provides services and per industry, consider also looking into more specific guidance like the ISO/IEC 27001 Toolkit, the GDPR Compliance Checklist or the PCI DSS Self-Assessment Questionnaire.
Strategy & Digital Transformation VP, Information Technology in Manufacturing, 3 months ago
Building upon what others have said, each of the major cloud providers offers policy "overlays" for cloud environments. Say you need to be PCI compliant: both AWS and Azure have reviewed areas of risk and control specific to that framework. When you apply that governance framework to your instance, it will highlight your compliant and non-compliant configurations.

At the higher vendor management level, we ask any vendor we work with to complete a security questionnaire which explores topics of security, patching, data management, change management, etc. Smaller providers will tend to answer directly. Larger providers will tend to have a set of governance documents, such as a SOC2 report. We will review those and potentially accept them in lieu of our questionnaire.

I hope this helps.
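The "overlay" mechanism described in the comment above, shown as an added example that is not part of the original thread and not any vendor's tooling: a single control library, framework overlays that select which controls apply, and a constructed inventory of resource configurations evaluated against them. The control ids (STOR-01, NET-01, ...), the overlay-to-control mappings and the inventory are all made up for this illustration; the provider features the comment refers to (for example AWS Config conformance packs and Azure Policy initiatives) ship their own rule definitions and control text.

```python
"""Toy policy-overlay evaluator (illustrative only; not AWS Config, Azure Policy
or any vendor's real rule set). One control library, per-framework overlays that
select which controls apply, and constructed resource configurations."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Control:
    control_id: str                 # hypothetical internal control id (constructed)
    description: str
    resource_type: str              # which resource kind the check applies to
    check: Callable[[dict], bool]   # returns True when the resource is compliant
    remediation: str


# Control library. Ids and wording are constructed for the example.
CONTROLS: List[Control] = [
    Control("STOR-01", "Object storage must be encrypted at rest", "bucket",
            lambda r: r.get("encryption_at_rest") is True,
            "Enable default server-side encryption on the bucket"),
    Control("STOR-02", "Object storage must block public access", "bucket",
            lambda r: r.get("public_access") is False,
            "Turn on block-public-access settings"),
    Control("NET-01", "No security group may allow 0.0.0.0/0 on admin ports", "security_group",
            lambda r: not any(rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389)
                              for rule in r.get("ingress", [])),
            "Restrict SSH/RDP ingress to trusted CIDR ranges"),
    Control("DB-01", "Databases must not be publicly reachable", "database",
            lambda r: r.get("publicly_accessible") is False,
            "Disable public accessibility and keep the instance in a private subnet"),
    Control("DB-02", "Database storage must be encrypted", "database",
            lambda r: r.get("storage_encrypted") is True,
            "Recreate the instance with storage encryption enabled"),
    Control("LOG-01", "Object storage access logging must be enabled", "bucket",
            lambda r: r.get("access_logging") is True,
            "Enable server access logging to a dedicated log bucket"),
]

# Framework overlays: which library controls each framework pulls in.
# Constructed mapping, not the real PCI DSS or ISO/IEC 27001 requirements.
OVERLAYS: Dict[str, List[str]] = {
    "PCI": ["STOR-01", "STOR-02", "NET-01", "DB-01", "DB-02", "LOG-01"],
    "ISO27001": ["STOR-01", "STOR-02", "NET-01", "DB-02"],
}

# Constructed inventory, standing in for what a provider inventory API would return.
INVENTORY: List[dict] = [
    {"id": "bucket-cardholder", "type": "bucket", "encryption_at_rest": True,
     "public_access": False, "access_logging": False},
    {"id": "bucket-marketing", "type": "bucket", "encryption_at_rest": False,
     "public_access": True, "access_logging": True},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-app", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "db-payments", "type": "database", "publicly_accessible": False,
     "storage_encrypted": True},
    {"id": "db-analytics", "type": "database", "publicly_accessible": True,
     "storage_encrypted": False},
]


def evaluate(overlay: str, inventory: List[dict] = INVENTORY,
             controls: List[Control] = CONTROLS) -> List[dict]:
    """Apply one framework overlay to the inventory: one finding per
    (control, resource) pair where the control's resource type matches."""
    if overlay not in OVERLAYS:
        raise ValueError(f"unknown overlay {overlay!r}")
    selected = [c for c in controls if c.control_id in OVERLAYS[overlay]]
    findings: List[dict] = []
    for control in selected:
        for resource in inventory:
            if resource["type"] != control.resource_type:
                continue
            compliant = control.check(resource)
            findings.append({
                "control": control.control_id,
                "resource": resource["id"],
                "status": "COMPLIANT" if compliant else "NON_COMPLIANT",
                "remediation": None if compliant else control.remediation,
            })
    return findings


def summarize(findings: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-control compliant / non-compliant counts for prioritising the gap list."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        counts = summary.setdefault(f["control"], {"COMPLIANT": 0, "NON_COMPLIANT": 0})
        counts[f["status"]] += 1
    return summary


def noncompliant_resources(findings: List[dict]) -> List[str]:
    """Sorted, de-duplicated ids of resources that failed at least one control."""
    return sorted({f["resource"] for f in findings if f["status"] == "NON_COMPLIANT"})


if __name__ == "__main__":
    for name in OVERLAYS:
        results = evaluate(name)
        print(f"== {name} overlay: {len(results)} evaluations ==")
        for f in results:
            if f["status"] == "NON_COMPLIANT":
                print(f"  {f['control']:8} {f['resource']:18} -> {f['remediation']}")
        print("  summary:", summarize(results))
```

The point the comment makes shows up in the output: the same inventory produces different gap lists under the two overlays (the cardholder bucket fails only under the PCI overlay because of the logging control), so the framework you select determines what "non-compliant" means for your estate, and the control library itself is what you would map back to the provider's shared responsibility model.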
