The organization must define (in addition to more detailed practices regarding supplier responsibilities, incidents and the procurement of cloud services) the general principles for managing information security risks related to the use of cloud services.
The principles must take into account, for example:
Whenever new data systems are acquired, a pre-defined procurement process and its rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.
The agreement between a cloud service provider and the organization must include requirements for protecting the organization's data and the availability of the services, for example in the following ways:
When utilizing or offering cloud services, both the service provider and the customer can have security responsibilities. For example, the service provider may be responsible for technical cyber security, while the customer is responsible for access management and for providing user guidelines for secure usage.
The responsibilities for shared information security roles, both towards offered cloud services and when utilizing cloud-based data systems, must be clearly defined and documented by both the cloud service customer and the provider.
The organization shall define the procedures for reporting security breaches in the supply chain. The process must take into account all roles in the supply chain, whether the organization is the customer of the end product or one supplier in the chain.
The policies shall take into account agreements with partners and customers and their commitments regarding the reporting obligations of both parties.
When the organization is using a cloud-based data system, it should understand and confirm the related information security roles and responsibilities as stated in the service agreement.
These can include responsibilities related, for example, to: