G3

The organization must have a procedure to make sure the external service has effective segregation of environments (service provider's clients) to prevent unauthorized access to our environment.

The providers concept for segregation should be documented and adapted to changes. The following should be considered:

• Separation of data
• Functions
• Customer-specific software
• Operating systems
• Storage systems
• Networking

There should also be a risk assessment for operating external software within shared environment.

The organizations must communicate and update, throgh the digital platform, a list of its activites and services to competent national NIS authority. This includes all the elements necessary for their characterization and the relative assignment of a relevance category.

The organization must clearly document all the digital services it provides to its customers according to the cloud service model.

The documentation for digital services must include the partners involved in the service supply chain. The partner listing must include supporting services (such as IaaS, such as AWS or MS Azure), other partners included in the main service provider's supply chain (such as outsourced development), and other services that complement the actual service (including IDaaS, CDN).

In the future, supply chain documentation can be used to review a more detailed division of safety responsibilities.

The terms and conditions related to the digital services provided by the organization have been mapped and documented. The terms of the contract shall include at least the following:

• Nature and extent of the service provided
• Cyber security requirements(including the Shared Security Responsibility Model)
• Description of the change management procedure
• Stored logs and their monitoring
• Procedures for fault management and reporting
• Right to audit and third party evaluation
• Compatibility
• Privacy requirements and descriptions of the processing of personal data
• Termination of service

The organization must maintain a list of digital services provided and the owners designated for them. The owner is responsible for completing the information in the service and for any other security measures that are closely related to the service.

The documentation related to the digital service includes e.g. the following information:

• The type of digital service offered, the service category and the purpose of use
• Data controller and related processing agreements
• Key partners in the service supply chain and the distribution of security responsibilities (discussed in more detail in a separate task)

All servers in the organization should be protected by a properly configured software firewall that monitors traffic, accepts compliant traffic, and monitors users.

WAF (web application firewall) should be protecting offered digital services from attacks (e.g. SQL injection).

When utilizing or offering cloud services, both service provider and customer can have security responsibilities. Service provider may be responsible for technical cyber security but e.g. customer for access management and providing user guidelines for secure usage.

Responsibilities for shared information security roles towards offered cloud services and utilizing cloud-based data systems must be clearly defined and documented by both the cloud service customer and provider.

When offering cloud services, the cloud service customer’s virtual environment should be separated and protected from other customers and unauthorized persons.

To ensure this, the organisation should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network.

Segregation should also ensure the separation of the cloud service provider's internal administration from resources used by cloud service customers.

Critical admin operations mean operations where a failure can cause unrecoverable damage to assets in the cloud computing environment.

Critical admin operations may include e.g. changes related to virtualized devices (e.g. servers, networks, storage), termination procedures, backup and restoration.

For all offered cloud services the critical admin operations are documented. Also the procedures for carrying out critical admin operations are documented beforehand in needed detail.

Whenever a critical admin operation is carried out, a supervisor named in the documentation monitors the operation.

In relation to offered cloud services, the cloud service provider must provide documentation about critical admin operations and procedures if required by customers.

Cloud service customer often acts as the personal data controller and is responsible for fulfilling the data subject rights e.g. to access, correction or deletion of their personal data. Cloud service provider should provide the customer with the necessary means to enable this.

Organization has defined measures how data controllers on offered cloud services are assisted in fulfilling data subject rights. This may include e.g. cloud service features or manual support actions.

Relevant information and possible technical measures related to facilitation should be specified in the relevant contract.

Personal data related to the offered cloud services will need to be disposed properly and obeying storage limitation principles. Disposal can involve returning the data to the customer by request, transferring it to another company (e.g. as a result of a merger) or either securely destroying, anonymizing or archiving it.

Organisation should have a clear written description about the retention period and the return, transfer and disposal mechanisms of personal data. This description should be made available to the customer.

By using this description the customer should be able to understand how the organisation will ensure the personal data processed under a contract is erased (also by any of its sub-contractors) from all storage locations (including e.g. backup purposes) as soon as they are no longer necessary for the customer.

When an organization offers cloud services for its customers, the contract between the provider and customer should clearly specify the technical and organizational measures implemented to ensure information security.

The contract must also address that the data is not processed for any other purpose than according to instructions of the controller.

When offering cloud services, the provider should be transparent about its information security measures during the process of entering into a contract. However, it is ultimately the customer’s responsibility to ensure that implemented measures by the provider meet its obligations.

When offering cloud services, the organisation must clearly and actively inform the customer of the organisation’s geographic location and the countries where the customer's data is stored.

This information can help the customer e.g. in determining the relevant supervisory authorities and jurisdictions when utilizing the cloud service.

When offering cloud services for customers, the organisation should have identified and listed data related to cloud services the customer controls. These are referred to external data stores.

Organisation also needs to inventory derived data that is created through offering the cloud service. These can be controlled by the organisation and listed on system documentation instead of external data stores.

When offering cloud services, the organisation must have procedures in place for safe disposal or potential reuse of resources utilized in service providing, such as:

• Equipment
• Devices
• Data storage
• Files
• Memory

When utilizing cloud services, the customer organisation should ensure secure disposal by requesting confirmation of these procedures from the cloud service provider.

The cloud service provider should establish a process for responding to intellectual property rights complaints.

The organization must describe the administrative flows of communications. The description of administrative data flows complements the description of integrations between systems.

The organization's own role in the supply chain is defined and communicated to the necessary partners.

The organization's own place and role in the critical infrastructure is defined and communicated to the necessary parties.

It is important to recognize whether society is more broadly dependent on the services produced by the organization. Such criticality of the operation can increase the risks of, for example, hybrid and information influence and emphasizes the need to be prepared for them.

The organization should provide the customer with the necessary information so that the customer can demonstrate that it fulfills its obligations.

The organization should make it possible for the customer to fulfill its requirements regarding data subjects.

When data is delivered as part of a service or product or as part of a product or service-related reporting obligation, the definition of data must be available to data users.

The definition of data includes the following information:

• The amount of events in the data
• Type of information contained in each data element (e.g. field) (event to which the data field is related)
• Sources of information
• Data elements (e.g. fields) unit(s) of measurement
• Precision of measurement
• Uncertainty or confidence interval inherent in each data element
• Date or time period of the event associated with the data
• Variables (in addition to the date/period) that can be used to define the inclusion of items in data elements

The organization must set up control measures to ensure the completeness and accuracy of the information entering the systems. For this purpose, the following should be defined:

• The necessary characteristics of future data
• Evaluation of future data sources
• Future data logging and log maintenance

The organization must establish controls to accomplish information security objectives in offered services. Controls must take into account:

• Data processing requirements
• Necessary data processing
• Detecting and correcting production errors
• Data processing log
• li>
• Completeness, accuracy and timeliness of data entry

The organization must implement practices and procedures so that the information coming out of the services is complete and timely. The procedures must take into account:

• Protection of outgoing information, when stored or transferred, from theft, destruction, modification or other events affecting the integrity of the information
• Outcoming information is shared only with intended targets< /li>
• Logging of outgoing data

The organization shall define a security assessment and conduct it on a regular basis for the partners in the supply chain of the digital services provided.

This should ensure the compliance of the partners affecting the security of the services provided and thus the fulfillment of the terms of the contract.