RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Sender: Records Management Program <[log in to unmask]>
From: Patrick Cunningham <[log in to unmask]>
Date: Wed, 13 Apr 2016 12:01:16 -0500
Reply-To: Records Management Program <[log in to unmask]>

For PII, the "Cloud" may be an issue relative to citizens of data privacy
sensitive geographies (such as the EU). Depending upon the nature of the
information, the citizenship of the data subjects, and internal data
privacy policies and agreements (such as Binding Corporate Rules), you may
or may not be able to move data to the "Cloud". Another aspect is what you
mean by "Cloud". Is it a third party provider that does "data processing"
(as defined by Data Privacy regulations) or simply something like AWS
(Amazon Web Services) which is hosting your own internal applications?
Another factor is where the services are being provided. Since most of the
major cloud services providers are in the US, the data in question will
generally be maintained in the US and that may be an issue for certain
geographies. Unfortunately, this is very much an "it depends" sort of
situation -- but there is no blanket prohibition against cloud services for
PII.

With regard to PCI, you need to understand which elements of the PCI-DSS
are applicable to your organization. After that, it is a matter of being
able to comply with the relevant requirements of the PCI DSS in that realm.
Again, no blanket prohibition, but you need to be able to meet the
requirements that are specified for your organization.

Another consideration is the risk appetite of the organization. Some
companies are going to be highly risk averse when it comes to the "Cloud"
and will want to limit the potential for exposure of sensitive information.
Only your organization can make that determination.

Patrick Cunningham, FAI
