With so many cloud options, district CIOs should push vendors for details about their security and privacy services. “With the cloud, you have to ask big questions,” says Taiye Lambo, founder of CloudeAssurance. He suggests that CIOs assess three major security areas: confidentiality, integrity, and availability.
“Many providers will pay lip service to security, but push them to get into specifics.” Will your data be stored on multiple servers, so that if one goes down, your data are secure? Will it be backed up? What sorts of security tests are performed? Do the servers have scheduled downtime, or will you always have unfettered access?
Also make sure to carefully study user agreements: “Some of them are very vague when it comes to security,” warns Ramiro Zuniga, CIO at Port Arthur ISD. He recommends that CIOs ask specifically about security services, encryption and ISO 27001 certification, as well as compliance with FISMA, HIPAA, and FERPA.
Zuniga also suggests making contact with other clients. “Ask the vendor to put you in contact with a client of a similar size in a different part of the country,” he says. “Call them and have a candid conversation. Ask them if they are satisfied with the vendor’s security offerings and if the vendor has been responsive to security concerns.”
Ultimately, CIOs should consider vendors that are constantly making improvements to their security systems, says Lambo. He recommends CIOs ask about vendors’ history of security improvements and modifications to get a sense of their responsiveness to changing dynamics. IT security needs to evolve in response to new threats, better security technology, and changing government requirements. “For the cloud, compliance isn’t enough,” he says, “you have to think about continuous improvement.”