As you are creating a list of questions for information security, what questions should you ask? Here is a list adapted from the Net Security article "Creating a cloud security policy".
One useful distinction is the size of the organisation, for example small business versus corporate. The considerations below mainly apply to corporate organisations.
* Define who, when and under what circumstances changes can be made. Defining the "who" is often the hardest part of establishing a cloud security policy.
* Do we have a good data classification policy and procedure, and what types of data will we allow in the cloud: sensitive corporate data, protected data such as PII, SSNs or HIPAA-covered records, or only day-to-day operational data?
* Do you allow application developers to make changes to security settings in the cloud to improve performance?
* For applications in the cloud, who in the organization is allowed to modify settings on the cloud that affect performance?
* How should we manage administrative privileges at the cloud provider?
* How well do the cloud provider's security policies and procedures align with the organization's? The organization may already have a level of security appropriate for cloud transactions, or a new policy may need to be developed.
* What do we want to put in the cloud (data, applications or both)?
* What existing policy does the company have that applies to what we want to do in the cloud?
* What have others in industry done and what can we borrow?
* What is the exit strategy and policy for removing data or applications from this cloud provider?
* Where can my data or application be physically located? Where your data lives, and where it could be moved to, has legal and privacy implications.
* Who can set up an application in or move data to the cloud and with whom should it be approved beforehand?
* Who has authority to negotiate SLAs?
* Who in the organization is allowed to enter into agreements with cloud providers?