The organization must have a procedure to make sure the external service provider maintains effective segregation of environments (between the service provider's clients) to prevent unauthorized access to our environment.
The provider's concept for segregation should be documented and adapted as circumstances change. The following should be considered:
There should also be a risk assessment for operating external software within a shared environment.
The organization must implement practices and procedures so that the information coming out of the services is complete and timely. The procedures must take into account:
The organization must establish controls to accomplish information security objectives in offered services. Controls must take into account:
The organization must set up control measures to ensure the completeness and accuracy of the information entering the systems. For this purpose, the following should be defined:
When data is delivered as part of a service or product or as part of a product or service-related reporting obligation, the definition of data must be available to data users.
The definition of data includes the following information:
The organization should make it possible for the customer to fulfill its requirements regarding data subjects.
The organization should provide the customer with the necessary information so that the customer can demonstrate that it fulfills its obligations.
The organization's own place and role in the critical infrastructure is defined and communicated to the necessary parties.
It is important to recognize whether society is more broadly dependent on the services produced by the organization. Such criticality of the operation can increase the risks of, for example, hybrid and information influence and emphasizes the need to be prepared for them.
The organization's own role in the supply chain is defined and communicated to the necessary partners.
The organization must describe the administrative flows of communications. The description of administrative data flows complements the description of integrations between systems.
The cloud service provider should establish a process for responding to intellectual property rights complaints.
When offering cloud services, the organisation must have procedures in place for the safe disposal or potential reuse of resources used in providing the service, such as:
When utilizing cloud services, the customer organisation should ensure secure disposal by requesting confirmation of these procedures from the cloud service provider.
When offering cloud services to customers, the organisation should have identified and listed the data related to the cloud services that the customer controls. These are referred to as external data stores.
The organisation also needs to inventory derived data that is created through offering the cloud service. Such data can be controlled by the organisation and listed in the system documentation instead of among the external data stores.
When offering cloud services, the organisation must clearly and actively inform the customer of the organisation’s geographic location and the countries where the customer's data is stored.
This information can help the customer e.g. in determining the relevant supervisory authorities and jurisdictions when utilizing the cloud service.
When an organization offers cloud services for its customers, the contract between the provider and customer should clearly specify the technical and organizational measures implemented to ensure information security.
The contract must also address that the data is not processed for any other purpose than according to instructions of the controller.
When offering cloud services, the provider should be transparent about its information security measures during the process of entering into a contract. However, it is ultimately the customer’s responsibility to ensure that implemented measures by the provider meet its obligations.
Personal data related to the offered cloud services must be disposed of properly and in line with storage limitation principles. Disposal can involve returning the data to the customer on request, transferring it to another company (e.g. as a result of a merger), or securely destroying, anonymising or archiving it.
The organisation should have a clear written description of the retention period and the return, transfer and disposal mechanisms for personal data. This description should be made available to the customer.
By using this description the customer should be able to understand how the organisation will ensure the personal data processed under a contract is erased (also by any of its sub-contractors) from all storage locations (including e.g. backup purposes) as soon as they are no longer necessary for the customer.
The cloud service customer often acts as the personal data controller and is responsible for fulfilling data subject rights, e.g. the rights to access, correct or delete their personal data. The cloud service provider should provide the customer with the necessary means to enable this.
The organization has defined measures for how data controllers using the offered cloud services are assisted in fulfilling data subject rights. This may include e.g. cloud service features or manual support actions.
Relevant information and possible technical measures related to facilitation should be specified in the relevant contract.
Critical admin operations mean operations where a failure can cause unrecoverable damage to assets in the cloud computing environment.
Critical admin operations may include e.g. changes related to virtualized devices (e.g. servers, networks, storage), termination procedures, backup and restoration.
For all offered cloud services, the critical admin operations are documented, and the procedures for carrying them out are documented beforehand in the necessary detail.
Whenever a critical admin operation is carried out, a supervisor named in the documentation monitors the operation.
In relation to offered cloud services, the cloud service provider must provide documentation about critical admin operations and procedures if required by customers.
When offering cloud services, the cloud service customer’s virtual environment should be separated and protected from other customers and unauthorized persons.
To ensure this, the organisation should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network.
Segregation should also ensure the separation of the cloud service provider's internal administration from resources used by cloud service customers.
When utilizing or offering cloud services, both the service provider and the customer can have security responsibilities. The service provider may, for example, be responsible for technical cyber security, while the customer is responsible for access management and for providing user guidelines for secure usage.
Responsibilities for shared information security roles towards offered cloud services and utilizing cloud-based data systems must be clearly defined and documented by both the cloud service customer and provider.
All servers in the organization should be protected by a properly configured software firewall that monitors traffic, accepts only compliant traffic, and monitors users.
A WAF (web application firewall) should protect the offered digital services from attacks (e.g. SQL injection).
The organization must maintain a list of the digital services it provides and the owners designated for them. The owner is responsible for keeping the service's information complete and for any other security measures that are closely related to the service.
The documentation related to the digital service includes e.g. the following information:
The terms and conditions related to the digital services provided by the organization have been mapped and documented. The terms of the contract shall include at least the following:
The organization must clearly document all the digital services it provides to its customers according to the cloud service model.
The documentation for digital services must include the partners involved in the service supply chain. The partner listing must include supporting services (such as IaaS providers, e.g. AWS or MS Azure), other partners included in the main service provider's supply chain (such as outsourced development), and other services that complement the actual service (including IDaaS and CDN).
In the future, the supply chain documentation can be used to review a more detailed division of security responsibilities.
The organization shall define a security assessment and conduct it on a regular basis for the partners in the supply chain of the digital services it provides.
This should ensure the compliance of the partners that affect the security of the services provided, and thus the fulfillment of the terms of the contract.