Managing the Risks of Using Cloud Service Providers

The Province of Manitoba does not have consistent practices for managing its cloud service providers, increasing security and availability risks for government services.

Cloud service providers are third-party companies that host government data and systems.

This audit found that the Province did not have an approved cloud vendor management framework during the period examined. As a result, departments used cloud services without consistent guidance or oversight.

As well, supporting documentation for vendor selection decisions was often incomplete or missing, limiting the Province’s ability to demonstrate that vendors met key security and operational requirements.

The audit also identified gaps in the Province’s ongoing management of cloud service providers:

Contracts were missing or did not include key security requirements.
Cloud service providers were not subject to regular monitoring.
Exit strategy for the termination of cloud service providers was not clearly defined.

The report includes six recommendations to strengthen governance, procurement documentation, contracting, ongoing monitoring, and exit strategies for cloud services.

Read the audit report

Download a website version of our audit report. The website version is for information purposes only. Be considerate of the environment; think before you print it.

View audit report