Cloud Computing Guidelines and Checklist
Release: 2 - September 12th, 2016
This checklist is intended to assist those in Council of Europe (CoE) who are considering using cloud computer services for all or part of their official CoE work. Where difficulties are experienced completing this checklist advice should be sought from the appropriate IT Services[1] – clearly indicating where there is uncertainty with the answer.
As requirements can vary considerably this document should be regarded as a non-exhaustive checklist that highlights to sponsors the likely implications of using cloud computing.
Please note that this document cannot anticipate every issue that might arise in every project nor is it intended to take the place of a properly resourced project proposal or plan.
Please note that the cloud project, as with any other IT project has to be carried out with your responsible IT department.
· The answers to the questions should be in the first instance compiled by the CoE department(s) in MS Word (especially part A.3).
· Completed checklists and associated documents have to be submitted to the relevant IT Services.
· The checklist will be assessed and a member of appropriate IT Services may be in contact to progress the matter.
· Further clarification may be needed on certain points.
· Some projects may require input from another CoE MAE. It will be assumed that the disclosure of parts of the checklist to persons in these MAE can proceed unless the section is marked otherwise.
A.3 Business Guidelines and Checklist
This section deals with the service and the implications of its use for the MAEs and CoE.
In order to implement a cloud solution you should consider the following :
· Identification of the stakeholders : business, IT and vendor
· Business needs should be stated clearly and a cost/benefit/risk analysis performed
· Solution lifecycle from implementation to decommissioning should be considered
|
No. |
Questions |
Reply |
|
1. |
Which CoE MAE are stakeholders in the proposed solution? |
|
|
2. |
List the names of CoE sponsors for the system. These would normally be Heads of Department or senior staff. |
|
|
3. |
Name of MAE project manager |
|
|
4. |
Name of MAE contact person (usually person collating the information in this document). |
|
|
5. |
List the name of the vendor(s) and their contact details. Any sub-contractors should also be listed. |
|
|
6. |
List any other parties involved in the solution. |
|
|
7. |
Outside your entity, please list any parties internal to CoE involved or impacted by the solution. |
|
|
8. |
What business need(s) does this system fulfil? Have detailed user requirements been documented and agreed by the stakeholders? |
|
|
9. |
What groups of people will be using this system? E.g. Staff members, the general public, experts etc |
|
|
10. |
Can data generated by the vendor product be transferred to other CoE systems that might need it? |
|
|
11. |
How many years is it estimated that the service will be used? |
|
|
12. |
What is the budget and budgetary source for this project? |
|
|
13. |
Is the budget provided sufficient for the entire procurement and life cycle of the service? |
|
|
14. |
Does the vendor provide a Service Level Agreement that sets targets for the services it offers? |
|
|
15. |
How does the vendor charge for its services? E.g. annual charge, numbers of users, volume etc. |
|
|
16. |
Will the system need data from core CoE systems such as Personnel or Financial Support Systems? The permission of the relevant CoE data owner will be needed to use data of this type. |
This section outlines aspects to be considered in relation to the vendor offering the service.
CoE purchasing and tender board rules have to be followed and are not mentioned here.
|
No. |
Query |
Reply |
|
17. |
When was the vendor company established? |
|
|
18. |
What year did the vendor start to supply this service? |
|
|
19. |
Can they supply a banker’s reference? Please append. |
|
|
20. |
Is there an auditability clause in the contract? |
|
|
21. |
Please list independent reference sites and contacts using this service. · Site name and address: · Year started usage: · Site contract name and email: · Has this site been contacted by the MAE/COE: |
|
|
22. |
Which country or jurisdiction is the vendor based in. |
|
|
23. |
Which jurisdiction will the data reside? |
|
|
24. |
Is it possible to include specific CoE contractual clause to the vendor contract ? (e.g : CoE privilgeges and immunity) |
|
|
25. |
Has the CoE secured future price protection for this service? |
|
|
26. |
On termination of the contract does the vendor offer clear procedures and other methods to export data or other relevant content to allow take over of the solution by the CoE or another third party? |
Many cloud systems generate a need for collection of payments for services. This section need only be filled if financial transactions are to be processed through the cloud service.
|
# |
Issue |
Further details |
Refer to |
|
27. |
Does the application need to accept payments for CoE Services? Write ‘Nil’ if no financial transactions are involved. |
CoE sponsor |
|
|
28. |
What is the anticipated annual total amount of payments using this service? |
CoE Sponsor |
|
|
29. |
What is the anticipated annual number of transactions? |
CoE sponsor |
|
|
30. |
How does the vendor facilitate payments? |
Vendor |
|
|
31. |
What guarantees are there that the payment mechanism is secure? |
Vendor |
|
No. |
Issue |
Further details |
Refer to |
|
32. |
Type of Cloud |
Is this a public, private or hybrid cloud service? |
Vendor |
|
33. |
Security |
Where are the data stored? |
Vendor |
|
34. |
Security |
Are there some copies of the data existing? |
Vendor |
|
35. |
Security |
If yes where are those copies stored? |
Vendor |
|
36. |
Security |
Is the data transferred to other locations apart from those mentioned above? |
Vendor |
|
37. |
Security |
Can the vendor provide a current independent security audit of their site? |
Vendor |
|
38. |
Security |
How often are security audits conducted and by whom? |
Vendor |
|
39. |
Security |
Does the vendor accept that the client conduct security audits on the service offered |
Vendor |
|
40. |
Security |
What procedures does the vendor follow for its audit and security compliance. For example: ISO 27001:2013, C5 document … |
Vendor |
|
41. |
Service Level |
Is there a documented and enforceable means of complaints resolution? |
Vendor |
|
42. |
Service Level |
If the service level needs to be scaled up or down how is this to be accommodated in the cost of the service? |
CoE sponsor |
|
43. |
Continuity of service |
Does the vendor have adequate documented arrangements for dealing with computer disasters and ensuring a continuity of service to the CoE? |
Vendor |
|
44. |
Unavailability Impact |
What would be the impact to the CoE if the service was unavailable? What would be the impact to the CoE if the data was unavailable, lost or corrupted ? |
CoE sponsor |
|
45. |
Compatibility |
List any operating systems or versions that the vendor product cannot work on. |
Vendor |
|
46. |
Compatibility |
List any web browsers or versions that the vendor’s product cannot work on. |
Vendor |
This section deals with CoE data and the implications of its use. System sponsors will need to consider if the cloud solution justifies the risk of processing data offsite and the possible cost of any security audits.
In case of online document storage, disposal schedule of an entity should take into consideration the Cloud solutions.
|
No. |
Issue |
Further details |
Refer to |
|
47. |
Data ownership and safety |
Will the vendor allow other organizations or individuals access to the data stored on the cloud system? |
Vendor |
|
48. |
Will the contract allow the vendor disclose any of the data to others without the CoE’s permission ? |
Vendor |
|
|
49. |
Will the contractor collect data about the usage made of the offered service and process it for his own use? |
Vendor |
|
|
50. |
Are sub-contractors or other vendors involved in the provision of the service? |
Vendor |
|
|
51. |
Will the CoE retain full ownership of the data, including live data and copies? |
Vendor and system sponsor |
|
|
52. |
How long will data reside on the system? |
Vendor |
|
|
53. |
If the vendor ceases trading who would own the data? |
Vendor and system sponsor |
|
|
54. |
Who controls access to the data within the vendor’s organization? |
Vendor |
|
|
55. |
Data sensitivity |
Is the system dealing with information that must be kept confidential? Data Protection and other legislation apply to cloud computing services. Examples might include :- Names or contact details of CoE staff CoE financial information etc. |
System sponsor |
|
56. |
What steps does the vendor take to safeguard sensitive information? |
Vendor |
|
|
57. |
The vendor should supply current copies of their IT security policy and supporting documentation. |
Vendor. |
|
|
58. |
How are backups of data secured by the vendor? How long are they retained? Where are they stored? |
Vendor |
|
|
59. |
Data required |
What data will be required? Most vendors supply a list of the data fields they require. This should be given to the data owner. |
Vendor |
|
60. |
Is the vendor’s solution compatible with the CoE data formats? |
||
|
61. |
Is data encryption required? What data encryption mechanism does the vendor provide (e.g. who controls and has access to the ecryption keys)? |
Vendor |
|
|
62. |
How are users to be authenticated for the service? Which protocols does the cloud service support? |
Vendor |
|
|
63. |
Data Protection and other legislation |
How would the vendor address:- Users who wish to view their data under Data Protection or other legislation? Users who wish to amend or remove their data? |
Vendor |
|
64. |
Transparency to service users |
How will those using the new service be made aware that their data is been processed off-site and possibly their data is being stored off-site? |
|
No. |
Issue |
Further details |
Refer to |
|
65. |
Request Vendors to provide detailed breakdown of the 5 year support and maintenance cost. |
||
|
66. |
Is there a roadmap for the service/application in terms of product updates/support and testing? |
||
|
67. |
Can the CoE stop the contract in case of incompatible updates of the product/service? |
||
|
68. |
Will the CoE receive advanced notification in case of data format change or upgrades? |
||
|
69. |
Can you provide sample service agreement detailing maintenance and support services including scheduled maintenance plans, uptime, and response times? How is uptime calculated ? |
||
|
70. |
Please provide details of your service billing and charging methods? |
||
|
71. |
Please indicate if any other third party manages any part of the support? If the solution is a multi-vendor solution please provide details of how support calls are handled. |
||
|
72. |
Please describe your support organisation, account management, including locations and total number of support staff and intervention timeframes. |
This section clarifies what happens when the cloud service ends.
|
No. |
Issue |
Further details |
Refer to |
|
73. |
Notice |
What notice must the CoE give to terminate the service? |
Vendor contract |
|
74. |
What notice does the vendor have to give to terminate the service? |
Vendor contract |
|
|
75. |
What are the specific termination clauses eg. Force majeure? |
||
|
76. |
Data |
How and in what format will the CoE’s data be returned after termination? |
Vendor contract |
|
77. |
Will the returned data be in a format that can be migrated to another future system? |
Vendor |
|
|
78. |
Will the vendor be allowed keep copies of the data after the termination? |
Vendor contract |
|
|
79. |
How will the data be deleted by the vendor providing the service after the contract has terminated and what are the guaranties and proof of destruction. How can COE audit/verify actual destruction of data? |
These documents are likely to be needed. The variety of applications means a definitive list is difficult to compile.
|
Document name |
Question # |
|
Fully completed checklist (this document) |
n/a |
|
Agreed user requirements |
|
|
Vendor IT security policy |
|
|
List of required data fields |
|
|
Bankers reference |
|
|
Audited company accounts |
|
|
Vendor Business Continuity Plan |
|
|
Independent IT security audit |
|
|
Vendor Service Level Agreement |
|
|
Vendor contract |
[1] For CoE users the DIT, for the ECHR users the IT Department of the ECHR, and for EDQM users the IT Department of the EDQM