ABSTRACT

Once the cloud assessor vendor (CAV) has turned over the deliverables, walk through the report with practitioners' cloud engagement decision makers. Similar to the in-depth cloud assessment, present the prioritized findings of the cloud service provider (CSP) and weigh in on the stipulations to be incorporated in the CSP contract. For major cloud projects, the authors' recommendation is to select a reputable CAV to conduct the security assessment and provide practitioners with its findings and recommendations. The cloud security assessment is a defined process with clear deliverables. The authors highly recommend going for a fixed-price engagement with the CAV where possible. Typically, fixed-price models indicate that the CAV has a mature process for conducting its assessments and can leverage repeatable processes. Check the quality of the work, as the CAV is incented to finish the job quickly. Reserve the right to sit in on some of the interview processes to audit the work.