4.2.1 Content of Accounts

In addition to proactive reports, the Accountable Organisation should also report while its services are operational. In this case, the Accountable Organisation will either validate its operations or report an incident. As explained in [1], when describing such an event, be it expected (i.e. a legitimate event) or unexpected (an incident), "the account should generally include the answers to what are traditionally referred to as the reporter's questions [...] backed up with as much evidence as possible to validate the account". These questions are:

  • Who? The account should identify all cloud actors involved in the actual event. This information is especially helpful for the Auditor or the Data Protection Authorities when identifying the responsible or liable actor.
  • What? The report should describe all actions taken within this event or provide the details of the incident.
  • Where? The answer to this question is especially helpful when verifying compliance with data transfer policies.
  • When? The account should state the time (preferably a timestamp) and duration of the actual event.

While these four questions should definitely be answered for both expected and unexpected events, the account of a legitimate event may also include further details about the process in order to demonstrate compliance with the corresponding policy rule by answering the following two additional questions:

  • Why? The answer to this question is simply the obligation or policy rule the Accountable Organisation aims to enforce.
  • How? The report should include as much detail as possible on the means used to achieve the corresponding action. For example, to demonstrate that a cloud provider implements security and privacy measures, it should provide details of the underlying functions, such as the encryption algorithm, the size of the encryption key, etc.

On the other hand, although an account describing an incident cannot easily answer the previous two questions, it should nevertheless provide some information on remediation and hence answer the following question:

  • What Next? In [1] the authors note that an account also serves a prospective function; hence, together with the description of the incident, the account should ideally contain additional information on future remedial actions and on the measures adopted to prevent the recurrence of such an undesired event.
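The reporter's questions above amount to a record format with conditional mandatory fields: Who/What/Where/When for every account, Why/How for a legitimate event, What Next for an incident. The following is an added example (not code from the source or from the project it describes) of a structural check over such a record. The field names (`who`, `what`, `where`, `when`, `why`, `how`, `what_next`, `kind`), the rule that `where` carries a country for data-transfer checks, and the rule that an encryption measure states its algorithm and key size are assumptions chosen for illustration; the sample accounts are constructed, not real events.

```python
"""Structural check of an accountability 'account' record, shaped after the
reporter's questions: Who/What/Where/When for every event, Why/How for a
legitimate event, What Next for an incident. Field names and rules are an
assumption for illustration, not a format defined by the source document."""
from __future__ import annotations
from datetime import datetime

CORE_FIELDS = ("who", "what", "where", "when")
EXTRA_FIELDS = {
    "legitimate": ("why", "how"),   # justify the action against a policy rule
    "incident": ("what_next",),     # prospective function: remediation and prevention
}


def validate_account(account: dict) -> list[str]:
    """Return the problems found; an empty list means the account is complete."""
    problems: list[str] = []
    kind = account.get("kind")
    if kind not in EXTRA_FIELDS:
        problems.append(f"kind must be one of {sorted(EXTRA_FIELDS)}, got {kind!r}")

    for field in CORE_FIELDS + EXTRA_FIELDS.get(kind, ()):
        if not account.get(field):
            problems.append(f"missing {field}")

    # Who: every actor needs a name and a role, so an auditor or DPA can tell
    # the responsible or liable party apart from the other parties involved.
    for actor in account.get("who") or []:
        if not (isinstance(actor, dict) and actor.get("name") and actor.get("role")):
            problems.append(f"who: actor entry lacks name/role: {actor!r}")

    # Where: a country is what a data-transfer policy check is evaluated against
    # (assumed rule).
    where = account.get("where") or {}
    if where and not where.get("country"):
        problems.append("where.country is required to check data-transfer policies")

    # When: an ISO 8601 timestamp with an explicit timezone, plus a duration.
    when = account.get("when") or {}
    if when:
        ts = when.get("timestamp")
        if not ts:
            problems.append("when.timestamp is required")
        else:
            try:
                if datetime.fromisoformat(ts).tzinfo is None:
                    problems.append("when.timestamp has no timezone offset")
            except ValueError:
                problems.append(f"when.timestamp is not ISO 8601: {ts!r}")
        duration = when.get("duration_seconds")
        if isinstance(duration, bool) or not isinstance(duration, (int, float)) or duration < 0:
            problems.append("when.duration_seconds must be a non-negative number")

    # How: for an encryption measure the algorithm and key size must be stated
    # (the example given in the text; the field names are assumed).
    how = account.get("how") or {}
    if kind == "legitimate" and how.get("measure") == "encryption":
        for detail in ("algorithm", "key_bits"):
            if detail not in how:
                problems.append(f"how.{detail} is required for an encryption measure")
    return problems


# Constructed sample accounts (not real events or real organisations).
LEGITIMATE_ACCOUNT = {
    "kind": "legitimate",
    "who": [{"name": "CloudStore Ltd", "role": "cloud provider"},
            {"name": "Acme GmbH", "role": "cloud customer"}],
    "what": "Encrypted customer backup volume at rest",
    "where": {"country": "DE", "datacentre": "fra-1"},
    "when": {"timestamp": "2014-03-01T10:15:00+00:00", "duration_seconds": 420},
    "why": "Policy rule P-7: personal data at rest must be encrypted",
    "how": {"measure": "encryption", "algorithm": "AES-GCM", "key_bits": 256},
}

INCIDENT_ACCOUNT = {
    "kind": "incident",
    "who": [{"name": "CloudStore Ltd", "role": "cloud provider"}],
    "what": "Backup volume briefly reachable from an unauthenticated endpoint",
    "where": {"country": "DE", "datacentre": "fra-1"},
    "when": {"timestamp": "2014-03-02T03:40:00+00:00", "duration_seconds": 900},
    "what_next": "Endpoint disabled; access-control review scheduled; customers notified",
}

BROKEN_ACCOUNT = {
    "kind": "incident",
    "who": [{"name": "CloudStore Ltd"}],          # role missing
    "what": "Backup volume exposed",
    "where": {"datacentre": "fra-1"},             # no country
    "when": {"timestamp": "yesterday", "duration_seconds": -1},
    # no what_next: the prospective part of the account is absent
}

if __name__ == "__main__":
    for label, acct in (("legitimate", LEGITIMATE_ACCOUNT),
                        ("incident", INCIDENT_ACCOUNT),
                        ("broken", BROKEN_ACCOUNT)):
        print(label, validate_account(acct) or "complete")
```

The check is deliberately structural: it tells an auditor which of the reporter's questions an account fails to answer, not whether the answers are true. Validating the evidence that backs the account (logs, signed attestations, key-management records) is a separate step.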