
Thought Leadership in ERM   |  Enterprise Risk Management for Cloud Computing   |    19

Exhibit 7.1 Levels of Control by Cloud Service Delivery Model (figure not reproduced in this extraction)

• Ultimate legal responsibility and liability – By using public or hybrid cloud solutions, management has in effect assigned the performance of tasks to a third party but has not transferred its responsibility and liability for the risks and controls that affect the data and transaction processing. Specifically, with a public or hybrid cloud deployment model, the organization is outsourcing components of its infrastructure, software solutions, and related operations support. In most cases, the amount of liability and accountability a contract can transfer to a third party is limited.

Legal Ambiguity about Data Jurisdiction

An organization may be subject to multiple legal jurisdictions, depending on where the organization resides, the location of the cloud infrastructure, and where data is stored. At the time of this publication, significant ambiguity exists with respect to how the cloud computing paradigm fits in the international legal and regulatory environment. In addition, regulations such as HIPAA, national and regional data privacy laws, and the jurisdiction of law enforcement and other authorities further complicate the use of commercial public and hybrid cloud solutions.

As part of cloud computing governance and the organization's ERM program, management should consult with legal counsel to determine the related risks and challenges of complying with applicable laws if cloud computing solutions were to support some or all of the organization's processes. Some of the legal aspects of cloud computing that should be considered include:

> In what country is the data stored when the CSP's solution is in use?

> To what legal jurisdiction are the data and systems subject? Are there multiple jurisdictions?

> If the CSP stores data in a country different from the country of the organization and the organization's customers, what are the legal implications, and what are the organization's legal rights if a foreign court subpoenas the organization's or its customers' data?

> If a legal authority subpoenas the data of the organization's CSP or the data of a fellow cloud tenant, can the organization's data be separated or isolated from the data that is being confiscated?

> What tax jurisdictions govern any transaction processing that is taking place?

> If a law enforcement agency seizes the CSP's server in its legal jurisdiction and it contains data about the organization's customers in a different legal jurisdiction, would the organization be violating the legal rights of its customers (and related data protection laws) by storing customer records in a public or hybrid cloud solution in the first place?



www.coso.org