Cloud Services Directives
- Introduction
- Cloud Deployment Model
- Cloud Service Model
- Facilities
- Organization-Human resources
- Cloud Infrastructure
- Asset management and monitoring
- Cloud Security
- Physical Security
- Network and Infrastructure Security
- Applications and Database Security
- Security and Compliance
- Information Security
- Security Operations and Management
- Business continuity and Disaster Recovery
- Control Mapping
Introduction
Cloud computing is the provision of on-demand computing services, such as software, operating systems, processing power, storage and other hardware resources, over the internet or a network.
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, four deployment models and three service models.
Instead of owning their own computing infrastructure or data centers, companies can rent access to anything from applications to storage from a cloud service provider, avoiding the upfront cost and the burden of maintaining their own IT infrastructure.
A properly designed data center is mandatory in order to provide cloud services to customers. The directives below assist in implementing the data center in line with the standards, and they apply to the security and implementation of cloud computing.
The cloud service provider should implement strong security controls to ensure the security of customer information stored in and transmitted through the cloud infrastructure.
The cloud service provider should be certified against recognized standards, such as ISO/IEC 27001 and the Cloud Security Alliance's Cloud Controls Matrix (CSA STAR), in order to earn customer confidence and protect the information stored in the cloud infrastructure. Certification is a starting point, not a guarantee: the customer should still review the provider's controls against its own requirements.
Cloud Deployment Model
There are four main cloud deployment models, which differ markedly and from which most companies select: public, private, hybrid and community.
Public cloud
A public cloud is a type of computing in which a service provider makes resources available to the public via the internet. Resources vary by provider but may include storage, applications or virtual machines. Services are always available to customers, and resources are controlled by the cloud service provider. A public cloud can be accessed from outside the organization's own network boundary.
Private cloud
A private cloud is a type of cloud computing restricted to a specific organization or institution and accessed via its private, secured network. It is a cloud deployment model where cloud services are used exclusively by a single customer and resources are controlled by that customer. A private cloud may be owned, managed and operated by the organization itself or by a third party, and it may exist on or off premises. Private clouds aim to set a tightly controlled boundary around the cloud by limiting the customers to a single organization.
Community cloud
A community cloud is a deployment model where cloud services exclusively support, and are shared by, a specific collection of customers who have shared requirements and a relationship with one another, and where resources are controlled by at least one member of this collection. A community cloud may be owned, managed and operated by one or more of the organizations in the community, by a third party or by some combination of them, and it may exist on or off premises. Community clouds limit participation to a group of customers with a shared set of objectives, in contrast to the openness of public clouds, while allowing broader participation than private clouds.
Hybrid cloud
A hybrid cloud is a combination of two or more clouds (private, community or public) that remain distinct entities but are connected by technology that enables data and application portability. Hybrid clouds are often used for redundancy or load balancing; for example, applications within a private cloud could be configured to use computing resources from a public cloud as needed during peak capacity periods.
Cloud Service Model
There are many different types of cloud services, each involving different types of technology and assets. An overview is given below; this model is used later to indicate the different contributions of the customer and the cloud service provider.
Infrastructure as a Service
Infrastructure as a Service (IaaS) refers to the essential building blocks of computing that can be rented: physical or virtual servers, storage and networking.
In IaaS the provider offers storage (virtual file systems or object storage) or computing resources (virtual CPUs), accessible online. Examples include Amazon Elastic Compute Cloud, Google Compute Engine, Amazon Simple Storage Service, Google Cloud Storage, Microsoft Azure Storage and Rackspace. (Dropbox, often listed alongside these, is a SaaS application built on such storage rather than infrastructure.)
Platform as a Service (PaaS)
Platform as a Service refers to cloud computing services that supply an on-demand environment for developing, testing, delivering and managing software applications.
PaaS is designed to make it easier for developers to quickly create web or mobile apps without worrying about setting up or managing the underlying infrastructure of servers, storage, network and databases needed for development.
PaaS provides the tools and software that developers need to build applications on top of it, which can include middleware, database management, operating systems and development tools. In PaaS, the provider delivers a platform on which customers run web and other applications.
Software as a Service
Software as a Service (SaaS) is the delivery of applications as a service: a method for delivering software applications over the internet, on demand and typically on a subscription basis. With SaaS, the cloud provider hosts and manages the software application and the underlying infrastructure, and handles all maintenance, such as software upgrades and security patching.
In SaaS, the provider delivers complete applications via the internet, such as email servers, email clients, document editors and customer relationship management systems. Users connect to the application over the internet, usually with a web browser on their phone, tablet or PC.
Facilities
Facilities are the basic IT resources that underlie all types of cloud services (IaaS, PaaS and SaaS): network, housing, cooling and power.
Organization-Human resources
Organization comprises the human resources, processes, policies and procedures that maintain the facilities and support the delivery of services.
Management of the provider's human resources is largely outside the customer's control. The customer's due-diligence process should therefore include an understanding of the provider's human resources practices and its ongoing information security awareness training.
The cloud service provider needs to assess its employment screening process and security awareness training program on a regular basis, in line with ISO 27001 controls and Cloud Security Alliance standards.
Cloud Infrastructure
The data center should be rated Tier III or above (Uptime Institute tier classification) to host the cloud infrastructure, and it is mandatory to follow the applicable standards and procedures.
The main differences between cloud service categories relate to how control is shared between customer and provider, which usually determines the level of responsibility of each party. Note that in public cloud services the customer has hardly any control over the hardware; what differentiates the service categories is which virtual components, applications and software are managed by which party.
SaaS gives customers the least control, while IaaS provides the most.
Figure 1.1 shows how control is usually shared between the cloud service provider and the customer. The customer needs to agree with the cloud service provider on a suitable allocation of information security roles and responsibilities.
The information security roles and responsibilities of both parties should be stated in an agreement. The cloud service customer should identify and manage its relationship with the customer support function of the cloud service provider.
The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its own cloud service providers and its suppliers.
Asset management and monitoring
Asset management and monitoring are processes that need to be governed in line with ISO 27001 and Cloud Security Alliance standards.
In cloud computing, many resources and assets are managed and monitored by the provider, but the customer may still need to manage some assets and resources, usually the more abstract, higher-level ones.
When a customer runs applications on PaaS, the provider manages the hardware, operating system and application services, but the customer must manage the applications running on the platform.
Similarly, in SaaS the provider manages all assets from the hardware up to the application service, but the customer must manage user account provisioning and customization.
Asset management is a crucial administrative task in cloud computing and is also mandatory from a security perspective. Standards are essential to allow customers to integrate with the provider's asset management interfaces.
Cloud Security
The following security measures need to be considered in the cloud environment.
- Physical Security
- Network and Infrastructure Security (Systems, Hosts and Network)
- Application and DB Security
- Security and Compliance
- Information Security
- Software Security
- Security Operation and Management
- Business continuity and Disaster Recovery
Physical Security
The cloud service provider must enforce physical security in accordance with ISO 27001 controls; it must be implemented and followed in a professional manner, and the detailed control mapping is given in Annex A.
In a cloud environment, individual tenant environments should be physically and administratively separate from each other.
Customers using a public or otherwise shared cloud must ensure that their environments are adequately isolated from those of other cloud tenants.
In addition to enforcing separation between customer environments, segmentation is also recommended within a customer's own environment to isolate its sensitive servers, as per ISO 27001 and Cloud Security Alliance standards.
Segmentation on a cloud computing infrastructure must provide a level of isolation equivalent to that achievable through physical network separation.
Proper mechanisms and processes should be in place to ensure appropriate isolation, which may be required at the network, operating system and application layers; most importantly, isolation of stored data must be guaranteed.
Cloud tenant environments must be isolated from each other such that they can be considered separately managed entities with no connectivity between them.
Providers should test segmentation between all entities within their control at least twice a year (every six months) and demonstrate the results.
Any systems or components shared by customers in multi-tenant environments, including the hypervisor and underlying systems, must not provide an access path between environments.
The cloud service provider must take ownership of the segmentation between customers and verify that it is effective and provides adequate isolation between individual customer environments.
The cloud service provider must ensure segmentation between customer environments and the provider's own environment, and between customer environments and any other untrusted environments.
The customer is responsible for the proper configuration of any segmentation controls implemented within its own environment and for ensuring that effective isolation is maintained between its components.
Cloud services involve physical resources located within the provider's environment (including DR infrastructure) that are accessed remotely from the customer's environment.
Physical security controls need to be implemented to protect the provider's infrastructure as well as the customer's infrastructure.
Where a provider's shared cloud serves multiple customers whose data and virtual components co-exist in the same physical location and are managed by the same physical systems, the cloud service provider must ensure segmentation between those customers.
Network and Infrastructure Security
The cloud service provider must enforce network security in accordance with ISO 27001 controls; it must be implemented and followed in a professional manner, and the detailed control mapping is given in Annex A.
The cloud service provider must ensure network security by implementing network segmentation at the infrastructure level with virtual or physical firewalls, and firewalls at the hypervisor and VM level.
The cloud service provider must ensure network segmentation by implementing virtual or physical switches with VLAN tagging or zoning, in addition to firewalls.
The cloud service provider must ensure the implementation of intrusion prevention systems at the hypervisor level, the VM level or both, to detect and block unwanted traffic.
A segmented cloud environment exists when the provider enforces isolation between customers in a multi-tenant environment. Examples of environments that can be considered segmented, provided the controls are verified, include:
- Virtualized servers that are individually dedicated to a particular customer, including any virtualized storage such as Storage Area Networks (SANs), Network Attached Storage (NAS) or virtual database servers.
- Environments where customers run their applications in separate logical partitions using separate database management system images and do not share disk storage or other resources.
Examples of environments that, as per ISO 27001 and Cloud Security Alliance standards, are not considered segmented include:
- Environments where organizations use the same application image on the same server and are separated only by the access control system of the operating system or the application.
- Environments where organizations use different images of an application on the same server and are separated only by the access control system of the operating system or the application.
Strong two-factor authentication should be implemented for access to the cloud environment, as per ISO 27001 and Cloud Security Alliance standards.
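The segmentation testing required above (at least every six months, covering every path between tenant environments and between tenants and the provider's own environment) and the firewall rules described in this section can be checked against each other offline. The following is an added example, not code from the original directive: it reads a simplified first-match firewall rule set (the `allow|deny src dst port` line format, the tenant names and CIDRs, and the sample rules are all constructed for illustration) and reports a concrete witness for every rule that creates an access path from one tenant range into another, including into the provider's management network.

```python
"""Cross-tenant access-path check over a firewall rule set.

Added example, not part of the original directive. It assumes a simplified
first-match rule format with an implicit default deny:
    <allow|deny> <src CIDR> <dst CIDR> <port | lo-hi | any>
Tenant names, CIDRs and the sample rule set are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple                 # inclusive (lo, hi) destination port range

    def matches(self, src_ip, dst_ip, port) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.ports[0] <= port <= self.ports[1])


def parse_rules(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        action, src, dst, ports = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        if ports == "any":
            prange = ANY_PORT
        elif "-" in ports:
            lo, hi = ports.split("-", 1)
            prange = (int(lo), int(hi))
        else:
            prange = (int(ports), int(ports))
        rules.append(Rule(action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), prange))
    return rules


def decide(rules, src: str, dst: str, port: int):
    """First-match evaluation: (action, index of matching rule) or ("deny", None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.matches(s, d, port):
            return r.action, i
    return "deny", None


def _overlap(a, b):
    """Intersection of two CIDR blocks: they either nest or are disjoint."""
    if a.version != b.version:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def find_cross_tenant_paths(rules, tenants: dict) -> list:
    """Witnesses for every allow rule that, under first-match evaluation, admits
    traffic from one tenant range into a different tenant range. Each witness is
    (src_tenant, dst_tenant, src_ip, dst_ip, port, rule_index). One sample
    address per overlap region is probed; an earlier deny that covers only part
    of the region could hide a remaining path, which a full enumeration would
    have to split further."""
    found = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        for sname, snet in tenants.items():
            s_ov = _overlap(r.src, snet)
            if s_ov is None:
                continue
            for dname, dnet in tenants.items():
                if dname == sname:
                    continue
                d_ov = _overlap(r.dst, dnet)
                if d_ov is None:
                    continue
                src_ip, dst_ip, port = str(s_ov[0]), str(d_ov[0]), r.ports[0]
                action, hit = decide(rules, src_ip, dst_ip, port)
                if action == "allow" and hit == i:      # not shadowed by an earlier deny
                    found.append((sname, dname, src_ip, dst_ip, port, i))
    return found


# Constructed sample data: two customer tenants plus the provider's management network.
TENANTS = {
    "tenant-a": ipaddress.ip_network("10.10.0.0/16"),
    "tenant-b": ipaddress.ip_network("10.20.0.0/16"),
    "provider-mgmt": ipaddress.ip_network("10.250.0.0/16"),
}

SAMPLE_RULES = """
allow 10.10.0.0/16 10.10.0.0/16   any    # 0: intra-tenant traffic inside tenant-a
deny  10.20.1.0/24 10.10.0.0/16   any    # 1: partial deny from one tenant-b subnet
allow 10.20.0.0/16 10.10.0.0/16   3306   # 2: misconfiguration: tenant-b reaches tenant-a DB port
deny  10.20.0.0/16 10.250.0.0/16  any    # 3: tenant-b blocked from management network
allow 10.20.0.0/16 10.250.0.0/16  443    # 4: fully shadowed by rule 3, so no path
allow 10.10.0.0/16 10.250.0.0/16  22     # 5: misconfiguration: tenant-a can SSH to management
deny  0.0.0.0/0    0.0.0.0/0      any    # 6: explicit default deny
"""

if __name__ == "__main__":
    for w in find_cross_tenant_paths(parse_rules(SAMPLE_RULES), TENANTS):
        print("cross-tenant path: %s -> %s via %s -> %s port %d (rule %d)" % w)
```

Run against a real rule export, the witnesses are the cases a segmentation test must exercise (attempt the connection from the witness source to the witness destination and confirm it fails at the network layer), and an empty result is the evidence the provider can attach to its biannual report.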
Applications and Database Security
Environments where different organizations' data is stored in the same instance of a database management system's data store are not considered segmented: the only separation is the access control of the DBMS or the application itself, so a single misconfiguration or application flaw can expose another tenant's data. Where this model is used, the provider must enforce tenant separation within the application and database layers and demonstrate its effectiveness as part of segmentation testing.
Security and Compliance
Proactive testing, identification and mitigation of vulnerabilities are an important part of achieving and maintaining compliance with ISO 27001 and Cloud Security Alliance standards for organizations that use cloud services and systems.
The cloud service provider must ensure that proper controls are in place to protect against data breaches, unavailability, account hijacking and malicious code.
There are six distinct areas of vulnerability management: web application vulnerability testing, internal network vulnerability scanning, external network vulnerability scanning, external penetration testing, internal penetration testing and segmentation testing. Scoping is a critical element of vulnerability management.
Customers need to ensure that they have properly identified all in-scope systems and services, including those provided by the provider, those for which the customer and provider have shared responsibility, and those that fall uniquely to the customer (e.g., on-premises, private cloud or hybrid systems, or applications or systems that the customer maintains). Penetration testing is used to confirm the segmentation controls intended to constrain scope, and to proactively identify vulnerabilities that could be exploited to breach these boundaries.
Testing vulnerabilities in the cloud also requires an in-depth understanding of the cloud deployment model to determine who is responsible for performing each testing exercise.
It is critical to understand which aspects of the environment will be tested by the provider and which must be tested by the customer. It is not enough to assign responsibility by physical system, as each party may have distinct or shared responsibility for aspects of the same physical system (e.g., physical hardware, hypervisor, guest OS, application, configuration).
These responsibilities will vary depending on the cloud service delivery model (i.e., IaaS, PaaS or SaaS) or other division of control.
All public-facing web applications must be protected, either by deploying an automated technical solution that detects and prevents web-based attacks or by performing application vulnerability security testing in accordance with ISO 27001 control requirements.
If the provider supplies a web application, the application should be either protected by a web application firewall (or similar solution) or tested by the provider. Providers that expose APIs to their customers should also test those APIs and report the results.
If the customer hosts the web application, the customer should perform web application vulnerability testing as part of its ISO 27001 and Cloud Security Alliance compliance program.
Providers should recognize this requirement and support the required testing activities (e.g., by allowing controls that would impede controlled testing to be disabled, by supporting the tools that perform these operations, or by offering a service that performs the testing).
Information Security
IT governance by the cloud service provider is a significant concern for a cloud service customer; customers are therefore advised to establish whether a provider complies with one or more of the governance and management standards discussed below.
Cloud service customers must be aware that compliance with standards does not ensure effective security. In addition to confirming compliance, cloud customers must continually review service provider security controls to ensure they are properly defined and enforced.
There are also some standards that deal specifically with governance and management of information security, including the identification of risks and the implementation of security controls to address these risks.
The ISO/IEC 27000 series [19] of standards is probably the most widely recognized and used set of standards relating to the security of ICT (Information and Communication Technology) systems. The core standards are 27001 and 27002: 27001 contains the requirements for an information security management system, and 27002 describes a series of controls that address specific aspects of that management system.
ISO/IEC 27001 is a requirements standard against which an organization can be certified; it is meant to be interpreted and applied to all types and sizes of organization according to the information security risks they face.
In practice, this flexibility gives users a lot of latitude to adopt the detailed information security controls that make sense to them but can make compliance testing more complex than some other formal certification schemes.
ISO/IEC 27002 is a collection of security controls (often referred to as best practices) that are often used as a security standard.
Cloud service customers often have a requirement to audit the IT systems and related processes that they use.
Audit requirements can stem from the regulatory environment that applies to the customer, or they may arise from business policies or IT security policies adopted by the customer organization.
The requirement to audit is likely to apply to the use of cloud services as well as to the in-house systems of the customer. As a result, there is a need to audit the systems and processes of the cloud service provider.
Security Operations and Management
Incident response
Customers need to be notified when an issue, incident or breach has occurred, together with its impact on their environment or data. Issues, incidents and data breaches should be communicated by the provider to all affected customers in a timely manner.
Customers should also consider whether their provider requires all customers to immediately notify the provider of potential breaches in their environments, allowing the provider to respond more quickly to contain the breach and minimize its impact on other customers.
Depending on the cloud service category used for storing, processing or transmitting customer data, each phase of the incident response life cycle is affected to a different degree.
Notification processes and timelines should be included in SLAs, and incident response plans should include notification requirements.
Customers should contractually require data breach notification from their providers in clear and unambiguous language, taking into consideration the need to comply with local and global regulatory and breach laws, data privacy, security incident management and breach notification requirements.
Forensics Investigation
Incident investigation may involve consideration of legal and jurisdiction requirements, and these requirements should be included in SLAs or operational agreements.
The potential for Customer data to be captured by third parties during a breach investigation should also be clearly understood.
Forensic functionality should be specified in service level objectives (SLOs) incorporated into the SLA between the Customer and the Provider. SLOs may include requirements for notification, identification, preservation and access to potential evidence sources.
Customers and law enforcement agencies require, and rely on providers for, forensics support, and these obligations vary depending on the cloud service category as noted below.
In software as a service, the capability for forensics is dependent upon the Provider’s support, as Customers have no control over the Provider’s environment. Forensics examiners may need to rely on high-level application logs available from the SaaS application. SLOs may include evidence sources such as logs from applications.
In platform as a service, the capability for forensics is shared between customers and providers. Customers control the developed and hosted software application, and hence control forensics capability within the application; automatic logging to an external log server can be configured to capture the applicable audit trail. However, since the actual operation of the application is within the provider's controlled infrastructure, customers must clearly identify providers' responsibilities with respect to forensics investigation. SLOs may include evidence sources such as logs from the application, web and database servers, guest OS/host, portal, network capture, and billing and management portal.
In infrastructure as a service, the capability for forensics is likewise shared between customers and providers. Customers have greater control over the range of potential evidence sources; however, some essential data exists only with providers and under their control. Customers must clearly identify providers' responsibilities with respect to forensics investigation. SLOs may include evidence sources such as logs from the cloud network perimeter, DNS servers, virtual machine monitor, APIs, host OS, network capture, and billing and management portal.
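The paragraphs above make the customer responsible for capturing its own audit trail (for example by forwarding logs to an external log server) and make preservation of evidence a service level objective. Whatever the collection path, an investigator must later be able to show that the retained records were not altered, dropped or reordered after the fact. The following is an added example, not code from the original directive, of one technique for that: a hash-chained audit log, where each record commits to the SHA-256 of the record before it. The event records, source names and timestamps are constructed sample data.

```python
"""Tamper-evident audit trail for forensic evidence preservation.

Added example, not part of the original directive. It assumes the customer
forwards audit events to a log store it controls and later needs to prove
that no record was altered, dropped or reordered. Each record carries the
SHA-256 of the previous record (a hash chain), so any change breaks
verification from that point on. Event data below is constructed.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64   # "previous hash" of the first record


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    # regardless of how the record is later stored or pretty-printed.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def append_event(chain: list, source: str, event: dict, ts: str) -> dict:
    """Append one audit record linked to the previous one and return it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "ts": ts, "source": source, "event": event, "prev": prev}
    record["hash"] = _digest(record)        # hash covers every field except "hash" itself
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """(True, None) if the chain is intact, else (False, seq of the first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev") != expected_prev:
            return False, i                  # gap, reorder or deletion
        body = {k: v for k, v in rec.items() if k != "hash"}
        if _digest(body) != rec.get("hash"):
            return False, i                  # content modified in place
        expected_prev = rec["hash"]
    return True, None


def head(chain: list) -> str:
    """Latest hash; publish it to a system outside the provider's control
    (e.g. the customer's own ticketing or timestamping service) so that a
    party who controls the whole log store cannot silently rebuild the chain."""
    return chain[-1]["hash"] if chain else GENESIS


def build_sample_chain() -> list:
    """Constructed events from the evidence sources the SLOs name."""
    chain = []
    append_event(chain, "app", {"user": "alice", "action": "login", "result": "ok"},
                 "2024-01-01T10:00:00Z")
    append_event(chain, "guest-os", {"pid": 4242, "exec": "/usr/bin/curl"},
                 "2024-01-01T10:00:05Z")
    append_event(chain, "mgmt-portal", {"actor": "ops@provider", "action": "snapshot-vm",
                                        "vm": "web-01"}, "2024-01-01T10:01:00Z")
    return chain


def tampered_copy(chain: list, seq: int) -> list:
    """Deep copy with one record's event edited, simulating post-hoc alteration."""
    copy = json.loads(json.dumps(chain))
    copy[seq]["event"]["altered"] = True
    return copy


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain), "head:", head(chain))
    print("edited record 1:", verify_chain(tampered_copy(chain, 1)))
    print("record 1 deleted:", verify_chain(chain[:1] + chain[2:]))
```

The chain proves integrity relative to its head, not authenticity of the source: pair it with an authenticated transport to the log server and with periodic off-platform publication of `head(chain)`, otherwise whoever administers the store can rewrite the whole log and recompute every hash.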
Business continuity and Disaster Recovery
The cloud service provider must establish organizational requirements for business continuity plans (BCP), fault tolerance, high availability and disaster recovery (DR); these controls apply to the customer's outsourced environments just as they do to customer-managed facilities.
Customers should consider whether the provider's continuity and recovery procedures are sufficient to meet the customer's organizational requirements, and the scope of the cloud service should include any failover sites and systems that might be used to store customer data in a BCP or DR situation.
The ability to perform tests of the BCP and DR capabilities, and to observe the results of the provider's own testing, should also be considered.
Control Mapping
The table below represents the responsibilities of the Cloud Service Provider (CSP) and End User (EU) for cloud security as per the ISO 27001:2013 standard and the Cloud Security Standard.
*CSP – Cloud Service Provider
*EU – End User
| ISO 27001:2013 | IAAS | PAAS | SAAS |
|---|---|---|---|
| A.5 Information Security Policies: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. | CSP | CSP | CSP |
| A.6 Organization of information security: To establish a management framework to initiate and control the implementation and operation of information security within the organization. To ensure the security of teleworking and use of mobile devices. | CSP | CSP | CSP |
| A.7 Human Resource Security: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. To ensure that employees and contractors are aware of and fulfil their information security responsibilities. To protect the organization's interests as part of the process of changing or terminating employment. | CSP | CSP | CSP |
| A.8 Asset Management: To identify organizational assets and define appropriate protection responsibilities. To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. | CSP, EU | CSP, EU | CSP |
| A.9 Access Control: To limit access to information and information processing facilities. To ensure authorized user access and to prevent unauthorized access to systems and services. To make users accountable for safeguarding their authentication information. To prevent unauthorized access to systems and applications. | CSP, EU | CSP, EU | CSP, EU |
| A.10 Cryptography: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | CSP, EU | CSP, EU | CSP |
| A.11 Physical & Environmental Security: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations. | CSP | CSP | CSP |
| A.12 Operations Security: To ensure correct and secure operations of information processing facilities. To ensure that information and information processing facilities are protected against malware. To protect against loss of data. To record events and generate evidence. To ensure the integrity of operational systems. To prevent exploitation of technical vulnerabilities. To minimize the impact of audit activities on operational systems. | CSP, EU | CSP, EU | CSP |
| A.13 Communications Security: To ensure the protection of information in networks and its supporting information processing facilities. To maintain the security of information transferred within an organization and with any external entity. | CSP, EU | CSP, EU | CSP |
| A.14 System acquisition, development and maintenance: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. To ensure that information security is designed and implemented within the development lifecycle of information systems. To ensure the protection of data used for testing. | CSP, EU | CSP, EU | CSP |
| A.15 Supplier Relationships: To ensure protection of the organization's assets that are accessible by suppliers. To maintain an agreed level of information security and service delivery in line with supplier agreements. | CSP, EU | CSP, EU | CSP |
| A.16 Information security incident management: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. | CSP | CSP | CSP |
| A.17 Information security aspects of business continuity management: Information security continuity shall be embedded in the organization's business continuity management systems. To ensure availability of information processing facilities. | CSP, EU | CSP, EU | CSP |
| A.18 Compliance: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. | CSP, EU | CSP, EU | CSP, EU |

| Cloud Security Standard (CSA Cloud Controls Matrix) | IAAS | PAAS | SAAS |
|---|---|---|---|
| AIS-01 Application & Interface Security: Application Security | CSP, EU | CSP, EU | CSP |
| AIS-02 Application & Interface Security: Customer Access Requirements | CSP, EU | CSP, EU | CSP |
| AIS-03 Application & Interface Security: Data Integrity | CSP, EU | CSP, EU | CSP, EU |
| AIS-04 Application & Interface Security: Data Security / Integrity | CSP, EU | CSP, EU | CSP, EU |
| AAC-01 Audit Assurance & Compliance: Audit Planning | CSP, EU | CSP, EU | CSP, EU |
| AAC-02 Audit Assurance & Compliance: Independent Audits | CSP, EU | CSP, EU | CSP, EU |
| AAC-03 Audit Assurance & Compliance: Information System Regulatory Mapping | CSP | CSP | CSP |
| BCR-01 Business Continuity Management & Operational Resilience: Business Continuity Planning | CSP | CSP | CSP |
| BCR-02 Business Continuity Management & Operational Resilience: Business Continuity Testing | CSP | CSP | CSP |
| BCR-03 Business Continuity Management & Operational Resilience: Datacenter Utilities / Environmental Conditions | CSP | CSP | CSP |
| BCR-04 Business Continuity Management & Operational Resilience: Documentation | CSP | CSP | CSP |
| BCR-05 Business Continuity Management & Operational Resilience: Environmental Risks | CSP | CSP | CSP |
| BCR-06 Business Continuity Management & Operational Resilience: Equipment Location | CSP | CSP | CSP |
| BCR-07 Business Continuity Management & Operational Resilience: Equipment Maintenance | CSP | CSP | CSP |
| BCR-08 Business Continuity Management & Operational Resilience: Equipment Power Failures | CSP | CSP | CSP |
| BCR-09 Business Continuity Management & Operational Resilience: Impact Analysis | CSP | CSP | CSP |
| BCR-10 Business Continuity Management & Operational Resilience: Policy | CSP | CSP | CSP |
| BCR-11 Business Continuity Management & Operational Resilience: Retention Policy | CSP | CSP | CSP |
| CCC-01 Change Control & Configuration Management: New Development / Acquisition | CSP, EU | CSP, EU | CSP |
| CCC-02 Change Control & Configuration Management: Outsourced Development | CSP, EU | CSP, EU | CSP |
| CCC-03 Change Control & Configuration Management: Quality Testing | CSP, EU | CSP, EU | CSP, EU |
| CCC-04 Change Control & Configuration Management: Unauthorized Software Installations | CSP, EU | CSP, EU | CSP, EU |
| CCC-05 Change Control & Configuration Management: Production Changes | CSP, EU | CSP, EU | CSP, EU |
| DSI-01 Data Security & Information Lifecycle Management: Classification | CSP, EU | CSP, EU | CSP |
| DSI-02 Data Security & Information Lifecycle Management: Data Inventory / Flows | CSP, EU | CSP, EU | CSP, EU |
| DSI-03 Data Security & Information Lifecycle Management: Ecommerce Transactions | CSP, EU | CSP, EU | CSP |
| DSI-04 Data Security & Information Lifecycle Management: Handling / Labeling / Security Policy | CSP | CSP | CSP |
| DSI-05 Data Security & Information Lifecycle Management: Non-Production Data | CSP, EU | CSP, EU | CSP |
| DSI-06 Data Security & Information Lifecycle Management: Ownership / Stewardship | CSP, EU | CSP, EU | CSP |
| DSI-07 Data Security & Information Lifecycle Management: Secure Disposal | CSP | CSP | CSP |
| DCS-01 Datacenter Security: Asset Management | CSP | CSP | CSP |
| DCS-02 Datacenter Security: Controlled Access Points | CSP | CSP | CSP |
| DCS-03 Datacenter Security: Equipment Identification | CSP | CSP | CSP |
| DCS-04 Datacenter Security: Off-Site Authorization | CSP, EU | CSP, EU | CSP, EU |
| DCS-05 Datacenter Security: Off-Site Equipment | CSP, EU | CSP, EU | CSP |
| DCS-06 Datacenter Security: Policy | CSP | CSP | CSP |
| DCS-07 Datacenter Security: Secure Area Authorization | CSP | CSP | CSP |
| DCS-08 Datacenter Security: Unauthorized Persons Entry | CSP | CSP | CSP |
| DCS-09 Datacenter Security: User Access | CSP, EU | CSP, EU | CSP, EU |
| EKM-01 Encryption & Key Management: Entitlement | CSP, EU | CSP, EU | CSP |
| EKM-02 Encryption & Key Management: Key Generation | CSP, EU | CSP, EU | CSP, EU |
| EKM-03 Encryption & Key Management: Sensitive Data Protection | CSP, EU | CSP, EU | CSP, EU |
| EKM-04 Encryption & Key Management: Storage and Access | CSP, EU | CSP, EU | CSP, EU |
| GRM-01 Governance and Risk Management: Baseline Requirements | CSP, EU | CSP, EU | CSP |
| GRM-02 Governance and Risk Management: Data Focus Risk Assessments | CSP | CSP | CSP |
| GRM-03 Governance and Risk Management: Oversight | CSP | CSP | CSP |
| GRM-04 Governance and Risk Management: Program | CSP | CSP | CSP |
| GRM-05 Governance and Risk Management: Support/Involvement | CSP | CSP | CSP |
| GRM-06 Governance and Risk Management: Policy | CSP | CSP | CSP |
| GRM-07 Governance and Risk Management: Policy Enforcement | CSP, EU | CSP, EU | CSP, EU |
| GRM-08 Governance and Risk Management: Policy Impact on Risk Assessments | CSP, EU | CSP, EU | CSP |
| GRM-09 Governance and Risk Management: Policy Reviews | CSP | CSP | CSP |
| GRM-10 Governance and Risk Management: Risk Assessments | CSP | CSP | |
CSP |
|
GRM-11 Governance and Risk Management Risk Management Framework |
CSP |
CSP |
CSP |
|
HRS-01 Human Resources Asset Returns |
CSP |
CSP |
CSP |
|
HRS-02 Human Resources Background Screening |
CSP |
CSP |
CSP |
|
Cloud Security Standard |
IAAS |
PAAS |
SAAS |
|
HRS-03 Human Resources Employment Agreements |
CSP |
CSP |
CSP |
|
HRS-04 Human Resources Employment Termination |
CSP |
CSP |
CSP |
|
HRS-05 Human Resources Mobile Device Management |
CSP,EU |
CSP,EU |
CSP,EU |
|
HRS-06 Human Resources Non-Disclosure Agreements |
CSP,EU |
CSP,EU |
CSP,EU |
|
HRS-07 Human Resources Roles / Responsibilities |
CSP,EU |
CSP,EU |
CSP,EU |
|
HRS-08 Human Resources Technology Acceptable Use |
CSP,EU |
CSP,EU |
CSP,EU |
|
HRS-09 Human Resources Training / Awareness |
CSP |
CSP |
CSP |
|
HRS-10 Human Resources User Responsibility |
CSP,EU |
CSP,EU |
CSP,EU |
|
HRS-11 Human Resources Workspace |
CSP |
CSP |
CSP |
|
IAM-01 Identity & Access Management Audit Tools Access |
CSP |
CSP |
CSP |
|
IAM-02 Identity & Access Management Credential Lifecycle / Provision Management |
CSP,EU |
CSP,EU |
CSP,EU |
|
IAM-03 Identity & Access Management Diagnostic / Configuration Ports Access |
CSP |
CSP |
CSP |
|
IAM-04 Identity & Access Management Policies and Procedures |
CSP |
CSP |
CSP |
|
IAM-05 Identity & Access Management Segregation of Duties |
CSP |
CSP |
CSP |
|
IAM-06 Identity & Access Management Source Code Access Restriction |
CSP |
CSP |
CSP,EU |
|
IAM-07 Identity & Access Management Third Party Access |
CSP,EU |
CSP,EU |
CSP,EU |
|
IAM-08 Identity & Access Management Trusted Sources |
CSP,EU |
CSP,EU |
CSP,EU |
|
IAM-09 Identity & Access Management User Access Authorization |
CSP,EU |
CSP,EU |
CSP |
|
IAM-10 Identity & Access Management User Access Reviews |
CSP,EU |
CSP,EU |
CSP |
|
IAM-11 Identity & Access Management User Access Revocation |
CSP,EU |
CSP,EU |
CSP,EU |
|
IAM-12 Identity & Access Management User ID Credentials |
EU |
CSP,EU |
CSP,EU |
|
IAM-13 Identity & Access Management Utility Programs Access |
EU |
CSP,EU |
CSP |
|
IVS-01 Infrastructure & Virtualization Security Audit Logging / Intrusion Detection |
CSP |
CSP |
CSP |
|
IVS-02 Infrastructure & Virtualization Security Change Detection |
CSP,EU |
CSP,EU |
CSP,EU |
|
IVS-03 Infrastructure & Virtualization Security Clock Synchronization |
CSP,EU |
CSP,EU |
CSP,EU |
|
IVS-04 Infrastructure & Virtualization Security Information System Documentation |
CSP |
CSP |
CSP |
|
IVS-05 Infrastructure & Virtualization Security Vulnerability Management |
CSP |
CSP |
CSP |
|
IVS-06 Infrastructure & Virtualization Security Network Security |
CSP |
CSP |
CSP |
|
IVS-07 Infrastructure & Virtualization Security OS Hardening and Base Controls |
CSP |
CSP |
CSP |
|
IVS-08 Infrastructure & Virtualization Security Production / Non- Production Environments |
CSP |
CSP |
CSP |
|
IVS-09 Infrastructure & Virtualization Security Segmentation |
CSP |
CSP |
CSP |
|
IVS-10 Infrastructure & Virtualization Security VM Security - Data Protection |
CSP |
CSP |
CSP |
|
IVS-11 Infrastructure & Virtualization Security Hypervisor Hardening |
CSP |
CSP |
CSP |
|
IVS-12 Infrastructure & Virtualization Security Wireless Security |
CSP |
CSP |
CSP |
|
IVS-13 Infrastructure & Virtualization Security Network Architecture |
CSP |
CSP |
CSP |
|
IPY-01 Interoperability & Portability APIs |
CSP,EU |
CSP,EU |
CSP,EU |
|
IPY-02 Interoperability & Portability Data Request |
CSP |
CSP |
CSP |
|
IPY-03 Interoperability & Portability Policy & Legal |
CSP |
CSP |
CSP |
|
Cloud Security Standard |
IAAS |
PAAS |
SAAS |
|
IPY-04 Interoperability & Portability Standardized Network Protocols |
CSP |
CSP |
CSP |
|
IPY-05 Interoperability & Portability Virtualization |
CSP |
CSP |
CSP |
|
MOS-01 Mobile Security Anti-Malware |
EU |
CSP,EU |
CSP,EU |
|
MOS-02 Mobile Security Application Stores |
EU |
CSP,EU |
CSP,EU |
|
MOS-03 Mobile Security Approved Applications |
EU |
CSP,EU |
CSP,EU |
|
MOS-04 Mobile Security Approved Software for BYOD |
CSP |
CSP |
CSP |
|
MOS-05 Mobile Security Awareness and Training |
CSP |
CSP |
CSP |
|
MOS-06 Mobile Security Cloud Based Services |
CSP,EU |
CSP,EU |
CSP,EU |
|
MOS-07 Mobile Security Compatibility |
CSP |
CSP |
CSP |
|
MOS-08 Mobile Security Device Eligibility |
EU |
EU |
CSP |
|
MOS-09 Mobile Security Device Inventory |
CSP |
CSP |
CSP |
|
MOS-10 Mobile Security Device Management |
CSP |
CSP |
CSP |
|
MOS-11 Mobile Security Encryption |
CSP |
CSP |
CSP |
|
MOS-12 Mobile Security Jailbreaking and Rooting |
EU |
EU |
EU |
|
MOS-13 Mobile Security Legal |
CSP |
CSP |
CSP |
|
MOS-14 Mobile Security Lockout Screen |
CSP |
CSP |
CSP |
|
MOS-15 Mobile Security Operating Systems |
CSP,EU |
CSP,EU |
CSP,EU |
|
MOS-16 Mobile Security Passwords |
EU |
EU |
EU |
|
MOS-17 Mobile Security Policy |
CSP |
CSP |
CSP |
|
MOS-18 Mobile Security Remote Wipe |
CSP,EU |
CSP,EU |
CSP,EU |
|
MOS-19 Mobile Security Patches |
EU |
EU |
EU |
|
MOS-20 Mobile Security Users |
CSP,EU |
CSP,EU |
CSP,EU |
|
SEF-01 Security Incident Management, E-Discovery, & Cloud Forensics Contact / Authority Maintenance |
CSP |
CSP |
CSP |
|
SEF-02 Security Incident Management, E-Discovery, & Cloud Forensics Incident Management |
CSP |
CSP |
CSP |
|
SEF-03 Security Incident Management, E-Discovery, & Cloud Forensics Incident Reporting |
CSP |
CSP |
CSP |
|
SEF-04 Security Incident Management, E-Discovery, & Cloud Forensics Incident Response Legal Preparation |
CSP |
CSP |
CSP |
|
SEF-05 Security Incident Management, E-Discovery, & Cloud Forensics Incident Response Metrics |
CSP |
CSP |
CSP |
|
STA-01 Supply Chain Management, Transparency, and Accountability Data Quality and Integrity |
CSP |
CSP |
CSP |
|
STA-02 Supply Chain Management, Transparency, and Accountability Incident Reporting |
CSP |
CSP |
CSP |
|
STA-03 Supply Chain Management, Transparency, and Accountability Network / Infrastructure Services |
CSP,EU |
CSP,EU |
CSP,EU |
|
STA-04 Supply Chain Management, Transparency, and Accountability Provider Internal Assessments |
CSP |
CSP |
CSP |
|
STA-05 Supply Chain Management, Transparency, and Accountability Supply Chain Agreements |
CSP,EU |
CSP,EU |
CSP,EU |
|
STA-06 Supply Chain Management, Transparency, and Accountability Supply Chain Governance Reviews |
CSP,EU |
CSP,EU |
CSP,EU |
|
STA-07 Supply Chain Management, Transparency, and Accountability |
CSP,EU |
CSP,EU |
CSP,EU |
|
Cloud Security Standard |
IAAS |
PAAS |
SAAS |
|
Supply Chain Metrics |
|
|
|
|
STA-08 Supply Chain Management, Transparency, and Accountability Third Party Assessment |
CSP,EU |
CSP,EU |
CSP,EU |
|
STA-09 Supply Chain Management, Transparency, and Accountability Third Party Audits |
CSP,EU |
CSP,EU |
CSP,EU |
|
TVM-01 Threat and Vulnerability Management Anti-Virus / Malicious Software |
EU |
EU |
CSP |
|
TVM-02 Threat and Vulnerability Management Vulnerability / Patch Management |
EU |
EU |
CSP |
|
TVM-03 Threat and Vulnerability Management Mobile Code |
CSP,EU |
CSP,EU |
CSP,EU |