Developers of New Zealand's code of practice for cloud computing have suggested a "multi-tiered" approach, whereby it will be compulsory to make disclosures on some factors of cloud-computing operations, such as security and privacy controls, while information on other factors can be voluntarily supplied to gain a higher grade of compliance.
The code is currently seen as voluntary, with compliance to be obtained by simple disclosure rather than active auditing of the truth of the statements made. However, the current consultation draft does not rule out future evolution of the code, possibly to a stricter form.
A consultation document was issued on December 23 following country-wide workshops and a survey of attendees. In the survey, 23 percent of respondents thought third-party assessment would be needed. Another 29 percent were in favour of self-assessment with random independent audits of a small proportion of providers.
The public have until Friday January 27 to respond to the consultation document, although late submissions will be accepted at the discretion of the New Zealand Computer Society, which is coordinating the development of the code.
The 10 factors thought to be essential elements for disclosure are:
the identity of the company
who owns the data stored -- the provider or the client
geographical data location
diversity of location
access to data, both during the service's operation and after any failure of the company
backup and maintenance
service level and support undertakings
a warranty of the provider's competence to supply the services advertised
Seven additional suggested factors that can be specified for higher grades of compliance are:
data transportability and migration
dependencies on upstream service providers and steps to be taken should these providers fail
business continuity provisions
human resources policies
data formats used
"disclosure of jurisdictions that are relevant to the service being supplied"