General principles regarding the use of cloud services

Critical
High
Normal
Low

Organization must define (in addition to more detailed practices regarding supplier responsibilities, incidents and the procurement of cloud services) the general principles for managing information security risks related to the use of cloud services.

Principles must take into account e.g.:

• how to utilize security features made possible by service providers
• how to demand evidence of security measures implemented by service providers
• what factors must be taken into account in own operations when utilizing a large number of service providers
• considering the use of cloud services in the organization's own information security risk management process
• procedures for ending the use of cloud services

Connected other frameworks and requirements:
5.23: Information security for use of cloud services
ISO 27001

General rules for the procurement of data systems


Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Connected other frameworks and requirements:
14.1.1: Information security requirements analysis and specification
ISO 27001
Chapter 4, Section 13: Information security of data assets and information systems
5.23: Information security for use of cloud services
ISO 27001
7.2 (MIL1): Manage Third-Party Risk
C2M2

Comprehensiveness of contractual terms for cloud service provisioning


The agreement between a cloud service provider and the organization must include requirements for protecting the organization's data and the availability of services, e.g. in the following ways:

• providing a solution based on generally accepted architecture and infrastructure standards in the industry
• managing access rights to meet organizational requirements
• implementing malware control and protection solutions
• processing and storage of the organization's sensitive data in approved locations (e.g. a certain country or legislative area)
• providing support in the event of a data security breach
• ensuring that the organization's data security requirements are met also in subcontracting chains
• providing support in the collection of digital evidence
• providing sufficient support when the organization wants to terminate the use of the service
• required backup and secure management of backups, where applicable
• information owned by the organization (e.g. source code, data filled in or created for the service) restored upon request or when the service ends
• notification requirement in relation to significant changes (such as infrastructure, important features, information location or use by subcontractors)

Connected other frameworks and requirements:
5.23: Information security for use of cloud services
ISO 27001

Documenting security-related responsibilities for offered cloud services and utilized data systems


When utilizing or offering cloud services, both the service provider and the customer can have security responsibilities. The service provider may be responsible for technical cyber security, while the customer may, for example, be responsible for access management and for providing user guidelines for secure usage.

Responsibilities for shared information security roles towards offered cloud services and utilized cloud-based data systems must be clearly defined and documented by both the cloud service customer and the provider.

Connected other frameworks and requirements:
6: Organization of information security
ISO 27017
CLD 6.3: Relationship between cloud service customer and cloud service provider
ISO 27017
CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment
ISO 27017
6.1: Internal organization
ISO 27017
6.1.3: Contact with authorities
ISO 27017

Process for detecting and reporting security breaches related to the supply chain


The organization shall define the procedures for reporting security breaches in the supply chain. The process must take into account all kinds of roles in the supply chain, whether the organization is the customer of the end product or one supplier in the chain.

Policies shall take into account agreements with partners and customers and their commitments regarding the reporting obligations of both parties.

Connected other frameworks and requirements:
DE.CM-6: External service provider activity monitoring
NIST CSF
A.10.1: Notification of a data breach involving PII
ISO 27018
5.23: Information security for use of cloud services
ISO 27001

Confirming information security roles and responsibilities related to utilized cloud services


When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.

These can include responsibilities related e.g. to:

• Malware protection
• Cryptographic controls
• Backup
• Vulnerability and incident management
• Compliance and security testing
• Authentication, identity and access management

Connected other frameworks and requirements:
15: Supplier relationships
ISO 27017
15.1: Information security in supplier relationships
ISO 27017
15.1.2: Addressing security within supplier agreements
ISO 27017
15.1.3: Information and communication technology supply chain
ISO 27017
5.23: Information security for use of cloud services
ISO 27001