Questions on the Service Provider’s Practices
- Is the provider's cloud infrastructure built with an N+1 configuration to withstand equipment failure?
- What are the cloud provider's backup and retention procedures? How long is data retained?
- What is the provider's disaster recovery strategy, and how frequently is it tested?
- What type of security and monitoring practices are in place at the data center?
- Who at the provider can access customer data, and at what level (for example support staff, system administrators, or subcontractors)?
- Can the provider share an audit trail that logs who has accessed what, and when?
- Is data encrypted at rest as well as in transit? Who manages the encryption keys, and can the customer hold or control them?
- What Service Level Agreements (SLAs) are in place for the infrastructure and applications? What is the agreed-upon uptime?
- How are support requests handled, and what is the expected response time?
- Has the provider ever experienced a security breach? If so, how was it resolved, and what safeguards were implemented to prevent a recurrence?
- Is the data center SAS 70 Type II or SSAE 16 Type II certified? (SSAE 16 replaced SAS 70 in 2011 and has itself since been superseded by SSAE 18. These are SOC 1 reports, which cover controls relevant to financial reporting; for security, availability and confidentiality controls, ask for a SOC 2 Type II report.)
- How financially stable is the cloud provider? Can they provide audited financials? Can they sustain the business in the long run?
Questions on Internal Practices
- When an employee leaves, what is the process for revoking access to applications to prevent data downloads? Is de-provisioning driven automatically from a central identity provider or single sign-on, or handled manually per application?
- How do we prevent employees from sharing login credentials with unauthorized employees (for example per-user accounts rather than shared accounts, and multi-factor authentication)?
- How do we define and enforce user roles to control access levels?
- Who has the authority to add new users?
- How often will employees be required to reset passwords, and what complexity requirements apply? (Current NIST SP 800-63B guidance recommends against periodic forced rotation and composition rules, favouring a minimum length, screening against known-breached passwords, and multi-factor authentication.)
Questions on Application Hosting
- Which application vendors have systems operating in the cloud?
- Does the application vendor confirm their product works in a hosted environment?
- Are there any issues associated with virtualizing the applications?
- How is the application deployed? Does the software run natively over the Internet (for example as a browser-based web application), or does it require a delivery mechanism such as Citrix?
- Are there any limitations with this type of deployment? Are there certain pieces of functionality that will not work if remotely deployed? Are there display limitations?
- How many clients of the specific application have a hosted implementation?
- What certification levels does the cloud provider have with these application vendors?
- Will the application vendor help with a “proof of concept”?
- Will there be any changes to the level of service if the application is deployed in a hosted environment?