P2P

Summer22

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1472128


David Hansen leads NetDocuments' Security Compliance department, which includes managing annual ISO 27000 series information security standards and Type 2 SOC 2 audits, developing policies, implementing procedures, auditing operational and security compliance, and helping customers and prospects understand NetDocuments' security architecture. David has over 25 years of experience in finance, HR, marketing, IT operations, and federal legislation. His experience is supported by degrees in communications, accounting (David is a Certified Public Accountant), and journalism. David lives with his wife and one son who is still at home outside of Park City, UT.

very specific requirements related to verification, serialization, indexing, and duplication of data. This regulation also requires entities that store their data electronically to have a separate entity (third-party downloader) that can independently access the entity's data if the entity is unable or unwilling to access its own data.

In addition to US laws and standards, other countries, and even individual US states, have enacted laws or regulations that are not only required within their original jurisdictions but are also being recognized more broadly in other countries and industries. Four specific laws are highlighted for your consideration as you evaluate your own and your cloud provider's security status:

13. The EU Model Clauses are standardized contractual clauses used in agreements between service providers such as NetDocuments and their customers to ensure that any personal data leaving the European Economic Area will be transferred in compliance with EU data-protection law and meet GDPR requirements.

14. The Australian Cyber Security Centre's (ACSC) cloud security guidance informs Commonwealth entities, cloud service providers (CSPs), and Infosec Registered Assessors Program assessors on how to perform a comprehensive security assessment of a CSP and its cloud services.

15. The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, replaces the Data Protection Directive 95/46/EC and became effective in May 2018 as the primary law regulating how companies protect EU citizens' personal data.

16. The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the US state of California.

Using some combination of these standards will help you strengthen the security of your organization and effectively evaluate the compliance status of your key cloud service providers. While no legal IT professional, or even an IT department, is solely responsible for their firm's cloud compliance strategy, the name of the game is teamwork, especially when it comes to working with native cloud service providers, who will have a major leg up on meeting security and governance standards and obligations. Being able to lean on your cloud partners to help answer the tough security and compliance questions, while taking advantage of the ability to "inherit" cloud security, can help simplify your road to security compliance.
