1 Purpose
To establish the processes that IT must follow when considering the engagement of Cloud Computing services and service providers.
2 Scope
This procedure applies to all of the XXX’s Information or Information Systems that are stored with or hosted by any party other than the XXX, i.e. outside the XXX’s own Data Centres.
3 Classification
This procedure provides the process to be followed when considering and before making a decision to contract Cloud Computing services such as:
Applications as a Service (AaaS)/Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS).
Classification Description:
- Level One Data – “Confidential”
- Level Two Data – “Restricted”
- Level Three Data – “Internal Use”
- Level Four Data – “General”
4 Procedures
Consistent with the principles provided in the Enterprise Architecture Policy, it is the XXX’s preferred position to adopt and use Cloud Computing services first, with all new services deployed in the cloud where possible.
4.1 Risk assessment
The CISO must conduct a risk assessment when considering the use of Cloud Computing services. The extent of the risk assessment must be commensurate with the Information Security Classification of the Information involved (Ref: Risk Assessment Procedure).
As a first step, the CISO must consider whether the selection of a Cloud Computing service is appropriate given the Information Security Classification (Ref: Risk Assessment Procedure) associated with the Information System under consideration. With reference to the Cloud Service Use Inherent Risk Schedule, determine whether the XXX should be considering a Cloud Computing service at all, and the level of rigour that should be applied in this and subsequent processes before selecting a Cloud Computing provider.
The CISO should also consider the cost of managing the associated risks and its impact on the value proposition. The following risk categories should be used when identifying risks:
- quality – does the cloud solution meet stakeholder needs?
- financial – does the cloud solution provide value for money?
- organisational – does the cloud solution work within the XXX’s culture?
- integration – can the cloud solution meet its objectives without business or technical integration difficulties?
- compliance – does the cloud solution comply with the XXX’s legal, regulatory and policy obligations?
- business continuity – can the cloud solution recover from outages or disaster situations?
- external – is the Cloud Service Provider’s performance adequate?
The Cloud Computing service provider and all subcontractors in the service provision supply chain must be subject to the risk assessment and conditions on the service agreement/contract. Each of the factors below should be addressed when preparing a risk assessment for proposed Cloud Computing deployments.
4.1.1 Evaluation process
The CISO should use the Information Security Policy for Supplier Relationships as the basis for evaluating the implementation of a potential Cloud Computing solution. When deciding to use a Cloud Computing service or to store Information or data in a facility not owned by the XXX, it is the responsibility of the CISO to consult with the relevant Information System Custodians, process owners, stakeholders and subject matter experts during the evaluation process.
4.1.2 Intellectual property and copyright
CISO should refer to the Intellectual Property Policy and Procedure to ensure that Information or data is not stored in any facility where the XXX’s intellectual property, copyright, trademarks or patents may be compromised. Information or data must not be stored in such a way that allows unauthorised parties to claim ownership of the Information or data.
4.1.3 Location of provider and relevant infrastructure
Due to the nature of web-based services, providers or their equipment will often be based interstate or overseas. If any data is to be hosted or stored outside the organisation, the CISO must establish where this will be, who will have access, who will be managing it and how. Depending on the response, additional terms and conditions may need to be included in the legal contracts to mitigate any potential risks, and providers must notify the XXX if any of these conditions change during the agreement. Data must not be stored outside the country, as it may become subject to different laws that could affect the XXX’s compliance requirements, such as privacy. Encryption of data in transit (upload and download) and at rest (storage) should be considered to improve data security; note that encryption at rest managed by the provider does not protect the data from the provider itself if the provider also holds the keys, so key custody should be settled in the contract.
4.1.4 Privacy and Data Security
The XXX is subject to the Indian Information Technology Act 2000, which specifies conditions regarding the use and handling of Personal Information as defined in that Act. If any Personal Information is to be collected by, or disclosed or transferred to, the service provider, the CISO must make sure the arrangement meets these requirements. The Information System Custodian can assess these requirements by undertaking a Privacy Threshold Assessment (PTA) and, if required, a Privacy Impact Assessment (PIA). A PTA quickly establishes whether Personal Information is involved; if it is, a PIA should be completed, with effort commensurate with the risk.
To fulfil its privacy obligations the XXX must take reasonable steps to protect Personal Information from misuse, loss, unauthorised access, modification or disclosure. The XXX retains ownership of its Information irrespective of where it is stored. Information and Communication Technology (ICT) Services should be consulted where any security issues are unclear. Relevant data security issues for the CISO to consider include:
- data control
- data encryption
- blending of data with other customer data
- business process if a security breach does occur or if data is damaged or destroyed
- data backup frequency/conventions/standards/accessibility
- availability of an audit trail to demonstrate that data is reliable.
Relevant data access issues for the CISO to consider include:
- quick and easy access
- format useability
- process to follow if data cannot be accessed or access is delayed
- ease with which the data can be amended or deleted if required.
Information or data marked as Restricted or Confidential must be stored in a way that minimises the likelihood of access by unauthorised parties.
4.1.5 Records retention and availability
All XXX records must be stored, retained and accessed in accordance with relevant legislation and XXX’s Information classification and Handling policy.
4.1.6 Data classification
1. Storing or transmitting Level 1 data on any cloud service is prohibited unless:
- The contract with the vendor contains the appropriate Information Security Supplemental Language
- Use of the service is approved by the appropriate data owner
- Approval is granted by the CISO and endorsed by the CEO
- The cloud service is configured to use the multi-factor authentication service Duo or another approved multi-factor solution.
2. Storing or transmitting Level 2 or Level 3 data on any cloud service is prohibited unless:
- The contract with the vendor contains the appropriate Information Security Supplemental Language
- Use of the service is approved by the appropriate data owner
- Approval is granted by the CISO and endorsed by the CEO
- The cloud service is configured to use the multi-factor authentication service Duo or another approved multi-factor solution.
3. Cloud application administrators are responsible for maintaining accurate and timely user account status:
- Accounts of terminated users must be disabled on the cloud service no later than the day of termination
- Accounts must be provisioned according to the Principle of Least Privilege.
4. Cloud application administrators are responsible for reviewing all accounts and their associated level of application access on a quarterly basis:
- Active accounts must be compared against employee records
- Any terminated users still holding accounts must have those accounts removed or disabled.
5. Cloud application administrators are required to provide an annual report of compliance with this policy:
- Once a year, every administrator of a cloud-based SaaS application must provide the CISO with a listing of all accounts and the rights or privilege level associated with each
- Application Owners of applications that handle Level 1 data must obtain the vendor’s current SOC 2 audit report and cyber liability insurance certificate of insurance (COI) annually and lodge those documents with the CISO.
Failure to maintain these reporting requirements will lead to the violating application being blocked from running on the network.
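The quarterly review in item 4 and the annual privilege listing in item 5 can be automated against the application’s account export rather than done by eye. The Python script below is an added example written for this page, not part of the XXX procedure or of any vendor’s tooling; the CSV column names, the account export, the HR roster and the review date are constructed sample data, and the set of role names treated as privileged is an assumption. It goes one step beyond the procedure by also flagging any account with a login dated after its owner’s termination date, since that is the finding that actually indicates misuse rather than a missed disable.

```python
"""
Quarterly cloud-account review: reconcile a SaaS application's account export
against the HR roster and flag what section 4.1.6 asks administrators to act on.
Added example, not part of the XXX procedure. The column names and all rows
below are constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed export from a hypothetical SaaS admin console.
ACCOUNT_EXPORT = """\
username,status,role,mfa_enrolled,last_login
asharma,active,admin,yes,2024-03-28
bkhan,active,user,yes,2024-03-27
cmehta,active,user,no,2024-02-01
dsingh,active,admin,yes,2024-03-29
svc-backup,active,admin,no,2024-03-29
epatel,disabled,user,yes,2023-11-02
"""

# Constructed HR roster; an empty termination_date means still employed.
HR_ROSTER = """\
username,employee_id,termination_date
asharma,E1001,
bkhan,E1002,
cmehta,E1003,2024-02-15
dsingh,E1004,
epatel,E1005,2023-10-31
"""

PRIVILEGED_ROLES = {"admin", "owner"}   # assumed role names in the export
REVIEW_DATE = date(2024, 3, 31)         # constructed date of this quarterly review


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(account_csv, hr_csv, today):
    """Run the quarterly review and return findings keyed by category.

    terminated_still_active : active account whose owner left on or before today
    used_after_termination  : any account with a login dated after termination
    not_in_hr               : no matching HR record (orphan or service account)
    mfa_missing             : active account without MFA, contrary to 4.1.6
    privileged              : active account holding a privileged role
    """
    accounts = load_csv(account_csv)
    roster = {row["username"]: row for row in load_csv(hr_csv)}
    findings = {k: [] for k in (
        "terminated_still_active", "used_after_termination",
        "not_in_hr", "mfa_missing", "privileged")}

    for acct in accounts:
        user = acct["username"]
        active = acct["status"].lower() == "active"
        last_login = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        hr = roster.get(user)

        if hr is None:
            findings["not_in_hr"].append(user)
        elif hr["termination_date"]:
            term = date.fromisoformat(hr["termination_date"])
            if active and term <= today:
                findings["terminated_still_active"].append(user)
            if last_login and last_login > term:
                findings["used_after_termination"].append(user)

        if active and acct["mfa_enrolled"].lower() != "yes":
            findings["mfa_missing"].append(user)
        if active and acct["role"].lower() in PRIVILEGED_ROLES:
            findings["privileged"].append(user)
    return findings


def privilege_listing(account_csv):
    """Annual listing of every account with its privilege level (item 5)."""
    return sorted((a["username"], a["role"], a["status"]) for a in load_csv(account_csv))


def render_report(findings):
    return "\n".join(
        f"{category}: {', '.join(users) if users else 'none'}"
        for category, users in findings.items())


if __name__ == "__main__":
    print(render_report(review_accounts(ACCOUNT_EXPORT, HR_ROSTER, REVIEW_DATE)))
    for row in privilege_listing(ACCOUNT_EXPORT):
        print("%-12s %-8s %s" % row)
```

Accounts that appear in the export but not in HR (here the service account `svc-backup`) are reported separately rather than treated as terminated, because the right action for them is an owner and a justification, not a reflex disable; the same account also shows up under `mfa_missing` and `privileged`, which is the usual shape of the finding that needs a compensating control written into the review.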
4.1.7 Business continuity
The CISO must ensure continuity of service for every system hosted with a Cloud Computing provider. This requires the CISO to:
- determine if the Cloud Computing provider’s business continuity and disaster recovery plan is acceptable
- determine the impact of outages
- ensure the availability of data in the event of any and all types of outage (e.g. through off site backup data that is accessible to the organisation)
- prepare a business continuity plan for both short and long term
- include scheduled outages in service level agreements
- arrange a guarantee of availability
- consider the use of multiple Cloud Computing providers depending on the business criticality of the system deployed to the cloud
- determine whether Information can be retrieved or disposed of in compliance with the Indian IT Act 2000 during, and at the conclusion of, the contract with the Cloud Computing provider.
4.1.8 Legal issues
Prior to approaching the market, the CISO should determine the contractual terms required, even when it is anticipated that a standardised ‘click wrap’ agreement will be the only option. A prior understanding of the XXX’s terms provides a basis for ensuring that the final contract meets business requirements and security requirements and adequately addresses the risks associated with the cloud solution.
At a minimum, the SLA must include:
- clear definition of services
- agreed upon service levels including service availability time, service outages, routine maintenance timeframes, upgrades and changes to the cloud computing services
- clearly defined physical and logical security conditions
- performance measurement
- problem management
- customer duties
- disaster recovery
- termination of agreement
- protection of sensitive Information and intellectual property
- agreement of the disposal of Information when required
- definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery.
An exit strategy for disengaging from the vendor and/or service should be planned before committing Information or data to a Cloud Computing or outsourced service. The exit strategy should outline how the relevant records will be preserved and maintained, and how the service can be discontinued or transitioned to another provider. Contracts and/or agreements are to cover the Cloud Computing provider and all subcontractors involved in providing the Cloud Computing service. The XXX should consider including a right to conduct vulnerability assessment/penetration testing in any contracts/agreements with Cloud Computing service providers. This is mandatory when Restricted Information is involved.