It’s all in the cloud. Well, if you listen to corporate marketing, everything is in the cloud (or moving there shortly). Wouldn’t it be best to offload all your data (and your concerns) to someone up in the cloud, like Microsoft, Amazon, Google or any of the myriad independent cloud providers? You could even go and build your own private cloud, but neither a private cloud nor any other cloud solution gets you around the compliance tasks you’re responsible for now.
You’re still responsible for the control, protection and disposition of your data, regardless of where it resides. PCI DSS 3.0 is a perfect example, and, luckily, it spells the obligations out for us: Requirement 12.8 makes you responsible for keeping a list of the service providers that handle cardholder data on your behalf, for written agreements in which they acknowledge their responsibility for that data, and for monitoring their compliance status at least annually. So you are responsible both for establishing requirements and for reviewing them with any third party vendor who has access to data that is covered by regulatory compliance. In effect, from the auditor’s point of view, third party vendors are an extension of your own organization, just like any other employee, and you must ensure that chain of custody is maintained (and compliant) at all times. Sounds like a tall order, doesn’t it? Well, it is, but there are things you can do to make your life easier and help ensure you’re always in compliance.
First, communicate the broad and specific requirements to any third party vendor who has access to (or even controls who has access to) your data. Require that their assets be under the same set of controls you apply on premises. Make sure they know you can be audited at any time and that, therefore, they could be asked for audit reporting on any or all of the requirements, also at any time. Next, establish a cadence for spot checking your third party vendors for compliance, at times they cannot predict, by asking for auditor-ready reports (a current Attestation of Compliance, for example, together with a responsibility matrix showing which requirements the vendor covers and which remain yours). Be sure to have primary and secondary contacts at each vendor in case someone changes roles or is unavailable. You should also have a service level agreement in place that covers both the response to the request and the delivery of the assets (reports, in this case), so that what you need, and when you need it, are clear.
Finally, put a process in place that allows anyone in your company to initiate a request for audit reports from your vendors. This should be a step-by-step guide with complete information on whom to contact, what to ask for, and what the deliverables should look like.