Cyber Security Partners – Implementing Legal within Tech

A guide to performing a digital transformation of your business.

The title may seem the wrong way round, but in truth it is the way you need to view it. Performing a digital transformation of your company’s operations is a major change in the way you do business, but you must be clear on its limitations and who is responsible for each element in protecting your data.

If you have to modify the way you operate to be able to carry out a digital transformation, do those changes improve your workflow and increase your potential return? In this short paper, we will go through some of the additional things that you may not immediately consider when moving to the cloud.

Responsibility

Something we hear quite often from clients is that a cloud service “didn’t provide the service level we expected”. Who is responsible for what depends heavily on the type of cloud service that you use. If, for example, you use a Software as a Service (SaaS) model, the service provider is responsible for keeping the systems running and secure, but they are not responsible for the data that it holds. That is your job as the user of the system. If, on the other hand, you are using a Platform as a Service (PaaS), you are partially responsible for the authentication and the granting of access to the system. So, it is important to be clear on what you are responsible for when your services and data are transferred to the cloud.

Location

When your client and company data is not on a system you own, do you know where it is located? One of the key advantages of moving to a cloud-based solution is that there is a higher level of availability, but this is achieved by the cloud provider having multiple data centres with multiple systems. This is so they do not have a single point of failure and can provide the guarantees of uptime. To achieve this, data is often transferred to data centres which are not located in the same country, unless you specify that you require a specific geolocation for all your data. Even if the data is only transferred to a backup server located in a different country, you may be breaching the UK GDPR requirements.

Define the pain points

What are the reasons you are implementing a digital transformation? What are the pain points you want to address? Do you really need an app for that? Any technology move has to provide benefits and address weaknesses or delays in your current processes. Don’t lose sight of the fact that you are implementing the technology to make things better, more secure, give an easier workflow, etc. Define the issues that the solution is going to address before you begin planning how to do it.

How secure is it?

If you run your services from an in-house on-premises system, it’s obvious that you are responsible for securing the data, but the cloud is someone else’s computer, in a different location. Do not assume that it will be as secure as your own systems. You need to define the security requirements of the implementation and ensure that they are understood and implemented by the service provider. Does the service provider hold security certification for the services you are using? Check the scope of the certification to be sure what it does and doesn’t cover. Can the service provider give you access to vulnerability reports and penetration testing results? You will need them to show that you are carrying out due diligence if a problem occurs. What is their incident handling procedure? Who within your organisation are they going to tell if there is an incident, and how does that integrate into your own incident handling process? Is the data encrypted at rest and in transit? If so, how, and most importantly, who owns and manages the encryption keys? You don’t lock a filing cabinet and then hand the landlords a set of the keys!

Checklist

Follow these steps to ease the digital transformation of your organisation.

  • Define the objectives –
    • The benefits
    • The pain points to be addressed
    • The security level you require
  • Review the security –
    • Check certificate scopes
    • Right to audit within the agreement
    • Vulnerability reporting
    • Incident reporting
    • Check encryption key management
  • Establish where the data is held –
    • For both the live and the backup locations
    • Check if it matches your data privacy policy and procedures
  • Establish responsibility levels –
    • Understand who is responsible for what – some cloud services expect you to back up the data
    • Define communication channels
  • Implement a review cycle –
    • For performance
    • For service
    • For security

Technology is a tool to help us work better, more efficiently and in a more cost-effective way. Don’t lose sight of the fact that it is there to help not hinder.

Contact us today to get your company secured, allowing you to concentrate on building your business.

Anastasiia Nahirna, Sales Manager
T: 0113 5323763
M: 07842018865
Anastasiia.Nahirna@csp.partners

Kevin Else, Consulting Director
T: 0113 5323763
M: 07962289255
Kevin.Else@csp.partners