Cloud Governance Model - Areas of Risk & Counter Measures Required

Cloud computing is transforming businesses across the globe; entire enterprise infrastructures are moving to the cloud. With accelerating adoption of the cloud, organizations are increasing their attack surface, and infrastructure security in cloud computing is a real concern given the hyper-connected nature of the cloud.

The checklist below was created by Nitish Goyal, Information Technology Risk Office at Ocwen (many of the points were discussed at CISO Platform 100 & Decision Summit @ Kochi).

Cloud Governance Model (Areas of Risk & Counter Measures Required):

The organization must have mechanisms in place to identify all providers and brokers of cloud services with which it currently does business and all cloud deployments that exist across the enterprise.

  • Are the information technology and information security functions and key business units actively involved in the establishment of SLAs and contractual obligations?

  • Has the technology function performed a gap analysis of the service provider's information security capabilities against the organization’s information security policies and the threats, vulnerabilities and IT risks emanating from the transition to cloud computing?

  • Does the organization maintain an inventory of all services provided via the cloud?

  • Do you ensure the involvement of the information security team before onboarding any cloud service?

  • Are the responsibilities for governance documented and approved by the organization and accepted by the service provider?

  • Does the organization capture the risk associated with migrating data to the cloud, and align that risk with enterprise-level risk?

  • Do you ensure that the services provided by the service provider and the processing model selected do not limit the execution of information security activities, such as:
    • Restrictions on vulnerability assessments and penetration testing
    • Availability of audit logs
    • Access to activity monitoring reports
    • Segregation of duties
  • Is the operations team managing the cloud infrastructure capable of the following:
    • Identification and valuation of assets and services
    • Identification and analysis of threats and vulnerabilities with their potential impact on assets
    • Analysis of the likelihood of events using a scenario approach
    • Documented management approval of risk acceptance levels and criteria
    • Risk action plans (control, avoid, transfer, accept)
  • Does the enterprise technology team assess the feasibility of the application on the deployed cloud service model?

  • Do the identified assets include both service-provider- and customer-owned assets?

  • Has the cloud management team identified the analytical information (reports) required from the cloud service provider to support contractual obligations relating to performance, security and attainment of SLAs for the SaaS (Software as a Service) service model?

  • Is the cloud management team responsible for identifying the available information and the control practices necessary to manage the application and development processes effectively for the PaaS service model? Do they address availability, confidentiality, data ownership, e-discovery concerns, privacy and legal issues?

  • Does the cloud management team determine the required controls and security processes necessary to provide a secure operating environment?

  • Does the cloud service provider make available metrics and controls to assist customers in implementing their information risk management requirements?

  • Does the cloud service provider have independent third-party assessments performed and issued?

  • Does the scope of the third-party assessment include descriptions of the following service provider processes?
    • Incident management
    • Business continuity and disaster recovery
    • Backup and co-location facilities
  • Does the cloud service provider routinely perform internal assessments of conformance to its own policies and procedures and of the availability of control metrics?

  • Are the cloud service provider’s information security governance, risk management and compliance processes routinely assessed, and do they include:
    • Risk assessments and reviews of facilities and services for control weaknesses
    • Definition of critical service and information security success factors and Key Performance Indicators (KPI)
    • Explicitly defined frequency of assessments
    • Mitigation procedures to ensure timely completion of identified issues
    • Review of legal, regulatory, industry and contractual requirements for comprehensiveness
    • Terms of use due diligence to identify roles, responsibilities and accountability of the service provider
    • Legal review of local contract provisions, enforceability and laws pertaining to jurisdictional issues that are the responsibility of the service provider
    • Inclusion of the business users and their business impact analysis in the continuity plan

A contract team representing the customer’s legal, financial, information security and business units has identified and included required contractual issues in the contract from the customer’s perspective, and the service provider’s legal team has provided contractual assurance to the satisfaction of the customer.

  • Do you review the contractual agreement that defines both parties’ responsibilities for discovery searches, litigation holds, preservation of evidence and expert testimony?

  • Does the cloud service provider contract require assurance to the organization that its data are preserved as recorded, including the primary data and secondary information (metadata and logs)?

  • Does the cloud service provider understand its contractual obligation to provide guardianship of the customer's data?

  • Does the customer’s duty of care include the full scope of contract monitoring, including:
    • Precontract due diligence
    • Contract term negotiation
    • Transfer of data custodianship
    • Contract termination or renegotiation
    • Transition from processing
  • Does the contract stipulate, and do both parties understand, their obligations for both expected and unexpected termination of the relationship during and after negotiations, and does the contract and/or precontract agreement provide for the orderly and timely return or secure disposal of assets?

  • Do the contractual obligations specifically identify both parties' responsibilities in a suspected data breach and the cooperative processes to be implemented during the investigation and any follow-up actions?

  • Does the agreement give the organization access to the service provider’s performance and vulnerability test results on a regular basis?

  • Does the contract establish rights and obligations for both parties during transition at the conclusion of the relationship and after the contract terminates?

  • Does the contract establish the following data protection processes:
    • Full disclosure of the service provider’s internal security practices and procedures
    • Data retention policies in conformance with local jurisdiction requirements
    • Reporting on geographical location of organization's data
    • Circumstances in which data can be seized and notification of any such events
    • Notification of subpoena (court summons) or discovery concerning any customer data or processes
    • Penalties for data breaches
    • Protection against data contamination between customers (compartmentalization)

  • Are the encryption requirements for data in transit, at rest and in backups clearly identified in the cloud contractual agreement?

  • Has the organization developed appropriate issue monitoring processes to oversee the cloud service provider’s performance of contract requirements?

  • Legal issues relating to functional, jurisdictional and contractual requirements are addressed to protect both parties, and these issues are documented, approved and monitored.
    • Are cross-border information sharing laws (such as the Stored Communications Act, Safe Harbor Act, Electronic Communications Privacy Act (ECPA) and Fair Information Practice (FTC)) and local laws defined and considered in the contract?
    • Do the cloud service provider and the organization have an agreed-upon unified process for responding to subpoenas, service of process and other legal requests?
  • The deployment service models (SaaS, PaaS, IaaS) define the data protection responsibilities between the customer and service provider, and these responsibilities should be clearly established contractually.
    • Does the organization's cloud management team classify data protection requirements on the basis of the risk of each deployment scenario / cloud service model?
    • Have the organization and the cloud service provider each established appropriate data protection measures within the scope of their responsibilities?
  • Service provider security assurance is provided through ISO 27001 certification.
    • Is the cloud service provider ISO 27001 certified?
  • Planning for the migration of data, such as formats and access, is essential to reducing operational and financial risks at the end of the contract. The transition of services should be considered at the beginning of contract negotiations.
    • Have the hardware and software requirements and the feasibility of moving from the existing service provider (legacy provider) to another provider (new provider) been documented for each cloud computing initiative?
    • Has an alternate service provider been identified for each legacy service provider, and has the feasibility of transferring processes been evaluated?
    • Does the feasibility analysis include procedures and time estimates to move large volumes of data?
    • Do you test the data portability process?
    • Does the portability analysis include:
      • Translation functions to a new service provider
      • Interim processing until a new service provider is operational
      • Testing of new processes before promotion to a production environment at the new service provider
    • Does the portability analysis include:
      • A plan to back up the data in a format that is usable by other applications
      • Routine backup of data
      • Identification of custom tools required to process the data and plans to redevelop
      • Testing of the new service provider’s application and due diligence before conversion
