
What In-house Counsel and the Business Really Want and Need from the Cloud

What In-house Counsel and the Business Really Want and Need from the Cloud. LEXPERT CLOUD COMPUTING CONFERENCE 2012 CLOUD COMPUTING: A PRACTICAL APPROACH. CHAIR: LISA R. LIFSHITZ – TORKIN MANES.

papina

Presentation Transcript


  1. What In-house Counsel and the Business Really Want and Need from the Cloud
     LEXPERT CLOUD COMPUTING CONFERENCE 2012
     CLOUD COMPUTING: A PRACTICAL APPROACH
     CHAIR: LISA R. LIFSHITZ – TORKIN MANES
     PANEL:
     • CHARLES McCARRAGHER – TD BANK
     • PETER NGUYEN – GUESTLOGIX INC.
     • KEN LEDGER – SAVANNA ENERGY SERVICES CORP.
     DECEMBER 3, 2012
     ST. ANDREW’S CLUB AND CONFERENCE CENTRE

  2. VENDOR DUE DILIGENCE
     Environment:
     • Selecting a provider
     Challenge:
     • Who is the “real” cloud service provider?
     • Where does the cloud “reside”?
     Solutions:
     • You get what you pay for – mom & pop providers vs. institutional providers
     • Ask the question of all new service providers:
       • What element of the service offering is “cloud” based?
       • What does cloud mean to the vendor?

  3. IMPLEMENTATION
     Environment:
     • Implementing the solution
     Challenge:
     • Rarely turn-key
     Solutions:
     • Data migration
     • Data validation
     • Data feeds
     • Configuration
     • Acceptance testing
     • Association with payment obligations

  4. IDENTIFYING NEEDS AND WANTS
     Environment:
     • Savanna work sites are remote and operate 24/7/365, making Cloud services attractive
     • Different activities have different needs (SaaS, IaaS, mobility, cost)
     • Security, disaster recovery, scheduled outages, QoS requirements change by activity
     • Internal IT resources are fully utilized and cannot address the needs of users' want lists
     Challenge:
     • Setting up services that are accessible from remote locations in a cost-effective and timely way
     Solutions:
     • Carefully consider needs vs. wants: can a Cloud solution work?
     • Identify nature of data, not nature of application: impact from loss of data
     • Focus internal resources on support of solutions with critical data; leverage Cloud for less critical solutions

  5. MISUNDERSTANDING STANDARDS
     Environment:
     • Many providers quote standards, but few people know what these standards mean
     • There is no consistent internal requirement for compliance to any specific standard(s)
     Challenge:
     • Establish a compliance matrix for Cloud solutions
     • Buying decisions follow a vendor selection process defined for in-house software/hardware
     Solutions:
     • Identify the specific standards required:
       • SSAE 16 Type II - attestation
       • CICA 9110 - audit standards
       • ISO 27001 - security
     • Require independent attestation
     • Define a vendor selection process for Cloud services

  6. ACCESS AND INPUT
     Environment:
     • Access and Input
     Challenge:
     • Meeting the needs of all stakeholders within the enterprise
     Solutions:
     • Tax
     • Litigation
     • Compliance
     • Audit
     • CIO

  7. GOVERNANCE & DISCLOSURE
     Issue:
     • Cloud services can start small and creep in scope: how do you know when a service has gone from a small part of the business to a critical service, and who should know?
     Challenges:
     • Services can start out small to address a niche problem
     • If successful, the solution can grow in scope, taking a much more significant role in business systems
     • If a service becomes a critical service, do we need to disclose the relationship?
     Solution:
     • Define a scale for the proposed services
     • Implement or include Cloud services in your change management processes
     • Review critical suppliers regularly and disclose to the Audit Committee

  8. RECOVERY AND PLAN B
     Issue:
     • Cloud services can be highly proprietary and evolve over time
     • Transition back may be difficult or impossible even if the data is recovered
     Challenges:
     • Over time, web applications as well as data will evolve; data may not work with original apps
     • Data may not be recoverable from service provider
     • Too critical to fail
     Solution:
     • Have access to backup data under your control
     • If a solution is critical, identify a second source or backup solution
     • Test backup periodically to make sure it will work

  9. INTERNAL AUDIT
     Issue:
     • Need to maintain confidence that Cloud services have not weakened internal controls
     • Need to detect when services have evolved beyond our risk appetite
     Challenges:
     • How do we detect control weaknesses in a timely way, or know if a provider is not meeting commitments?
     Solution:
     • Consider leveraging internal audit to test vendor compliance
     • Perform walkthroughs of processes, identifying where Cloud services fit
     • Use Audit to educate internal departments on the use of Cloud services

  10. AUDIT RIGHTS - CLIENT
      Environment:
      • Audit Rights
      Challenge:
      • Scope and Compliance
      Solutions:
      • The 4 Rs:
        • Retention of Records
        • Rights (Audit Scope)
        • Remediation
        • Reimbursement

  11. EXTERNAL AUDIT - PROVIDER
      Issue:
      • Ensuring security and establishing credibility
      Challenge:
      • Responding to customer requests for evidence of controls
      Solution:
      • Savanna has opted to get a SSAE16 audit opinion based on controls designed to a COBIT 4 standard. Creates credibility with customers and eliminates several challenges when responding to requests for evidence of controls. Adds credibility in the event of legal challenge by meeting a high standard which has been independently evaluated.

  12. TERMINATION AND TRANSITION
      Environment:
      • When the Cloud Evaporates
      Challenge:
      • Planned Termination vs. Unplanned Termination
      Solutions:
      • Non-cloud contingency plans
      • Transition to a new vendor

  13. THANK YOU
      • CHARLES McCARRAGHER, SENIOR LEGAL COUNSEL, TD BANK GROUP, 416-307-7887, CHARLES.MCCARRAGHER@TD.COM
      • PETER NGUYEN, GENERAL COUNSEL & CORPORATE SECRETARY, 416-204-0178, PNGUYEN@GUESTLOGIX.COM
      • LISA R. LIFSHITZ, PARTNER, 416-775-8821, LLIFSHITZ@TORKINMANES.COM
      • KEN LEDGER, DIRECTOR RISK MANAGEMENT, 403-781-9996, KLEDGER@SAVANNAENERGY.COM
