UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public. 2:51 Outsourced Offshore and Cloud Based Computing Arrangements

Transcription

1 Defence Security Manual DSM Part 2:51 Outsourced Offshore and Cloud Based Computing Arrangements Version 1 ation date July 2105 Amendment list 23 Optimised for Screen; Print; Screen Reader Releasable to Compliance Requirements Defence personnel are, and external service providers subject to the terms and conditions of their contract may be, bound by security policy contained in the DSM and Information Security Manual (ISM). Failure to comply with the mandatory requirements of the DSM and ISM may result in action under the relevant contract provision or legislation including, but not limited to; the Defence Force Discipline Act 1982, the Service Act 1999, and the Crimes Act Mandatory requirements in the DSM and ISM are identified through the use of the terms must / must not and should / should not. Compliance with these requirements is mandatory unless the appropriate authority, if applicable, has considered the justification for non-compliance and accepted the associated risk through the granting of a dispensation. The terms recommend and may are used to denote a sensible security practice and noncompliance need not be approved or documented. Note: Non-compliance with a sensible security practice ought to be informed by sound risk management principles. The DSM compliance regime, including the authority to approve non-compliance with mandatory requirements, the use of dispensation indicators, and how to apply for a dispensation is detailed in DSM Part 2:1 Dispensations. Copyright Commonwealth of Australia 2010 This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Department of Defence. Requests and inquiries concerning reproduction and rights should be addressed to Defence Publishing Services, Department of Defence.

2 Introduction 1. The storage and processing of Defence information in outsourced or offshore ICT facilities represents an increased risk to Defence information. The purpose of Defence Security Manual (DSM) Part 2:51 is to outline Defence policy for the protection of information in these circumstances. Policy 2. Defence will adopt a risk managed approach to the use of outsourcing and cloud based computing. Defence risk tolerance is compliant with mandatory whole of government approval processes specified in the Australian Government Protective Security Policy Framework (PSPF). Process 3. Unclassified information, including information that is subject to the Privacy Act 1988 requires a minimum level of protection unless it has been publically released. Outsourcing arrangements that involve this information introduces risks that need to be identified and managed. 4. The government, through the PSPF, has directed all agencies to take a consistent approach to the risk management and the level of approvals required when considering outsourcing functions that use this information. The levels of approvals required in this document are consistent with the government s requirements as described in the PSPF. 5. This part applies to cloud based storage and processing of unclassified Dissemination Limited Marking (DLM).marked information. It applies to both Defence outsourcing activities and Defence industry s own ICT infrastructure that is used to process Defence Unclassified information that is not publically available. Example: A consultancy company will be working on a range of Defence tasks that will require it to process For Official Use Only (FOUO) and Sensitive: Personal information. The company can not use Internet cloud based computing to host this work without approval. For instance they could not use a word processor hosted on the web or web based as these are examples of Software as a Service. Example: A multinational consultancy company can not use the company s international private cloud for processing of Defence information without approval. For instance they could not store information on virtual servers physically hosted in another country on their private cloud or use overseas system administrators to administer software resident on an Australian server. Note: Nothing prevents an international company from undertaking network monitoring or other system administration tasks that cannot access the stored data from offshore. 6. Both Defence and Defence industry are bound by the approvals processes in this DSM part for the infrastructure on which they process Defence unclassified information that is not publicly available, and Defence information subject to the Privacy Act Note: Defence employee name, Position with Defence, DRN address and Defence phone number are not subject to the Privacy Act 1988 as this information is placed onto the public record via the Commonwealth Gazette, s sent via the internet and the Defence Telephone Directory. Note: Defence members who hold Defence Protected Identities have their identity and role protected as official information. The systems that process these identities are protected in accordance with DSM Part 2: For Defence industry all risk assessments must be undertaken in consultations with the contract manager. Defence industry is unable to accept security risk on behalf of Defence and therefore needs to work closely with relevant contract managers. Defence industry is reminded that this DSM part applies to all information that is not for public release. In practice this is all information that a company DSM Part 2:51 Page 2 of 14

3 has about Defence that is not publically available, regardless of whether it carries a DLM or not. Material that carries a DLM will require additional protections. 8. These approval processes apply to information that is not encrypted with an Australian Signals Directorate (ASD) endorsed product to reduce the classification of information. Example: The same consultancy company could use any Internet based backup service and storage if the content being backed up is encrypted to an ASD endorsed encryption standard prior to being backed up. 9. This part is to be read in conjunction with DSM Part 2:4 Facilities and ICT accreditation. Where information is classified information, DSM Part 2:4 takes precedence and the system is always accredited. a. Unclassified systems that process DLM managed material meet the ISM requirements for Government systems and are accredited against the ISM G controls. However due to the large number of these systems Defence takes a risk managed approach to determine which systems will undergo accreditation. 10. A risk assessment is needed to determine the risk of using cloud based computing services and whether accreditation will be conducted in order to assess the effectiveness of implemented risk mitigation measures. The following table shows the approvals required for the risk assessment: Table 2:51-1: Defence Policy for the Storage and Processing of Australian Government information in Outsourced or Offshore Arrangements ICT Arrangement Offshore and Outsourced - Domestically hosted (onshore) public cloud Outsourced Domestically hosted (onshore) private, internal or community cloud Unclassified information that is publicly available Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by a SES Band 1/O7. Accreditation is not required. Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by a SES Band 1/O7. Accreditation is not required. Other unclassified information that is not publicly available Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by Secretary Defence. The risk assessment must [Auth:None] be conducted in accordance with this DSM Part. The risk assessment must [Auth:None] identify whether the system will be accredited. All Unclassified - Information subject to the Privacy Act 1988 Defence or Defence industry must not [Auth:None] enter into these arrangements without agreement from Minister for Defence and the Attorney General. The risk assessment must [Auth:None] be conducted in accordance with this DSM part. The risk assessment must [Auth:None] identify whether the system will be accredited. If the risk assessment identifies that accreditation is required, it must be conducted in accordance with DSM part 2:4; any accreditation awarded under an international standard may be taken into consideration, but is not considered equivalent to a Defence accreditation. Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by a SES Band 1/O7. The risk assessment must [Auth:None] identify whether the system will be accredited. Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by a SES Band 1/O7. The risk assessment must [Auth:None] identify whether the system will be accredited. DSM Part 2:51 Page 3 of 14

4 Determine the Approval Context 11. Prior to commencing a business case or outsourcing activity that requires the Secretary or Minister s approval, an in principle agreement to conduct the activity must be gained from the Cyber Security Governance Board (GCSB). a. Other activities that do not require Secretary or Ministerial approval must seek the advice of the Defence Chief Information Security Officer (CISO) in order to determine if the matter will be managed through the CSGB. 12. The purpose of seeking in principle agreement from the CSGB is to determine the appropriateness of the activity in the context of the Defence environment and establish the scope and managerial context that the risk assessment will be conducted in as well as any consequent project decision and coordination activities. 13. CSGB submissions must identify: a. the scope of the activity; b. the key risk holders; c. the decision maker(s) and resources that will be responsible for the conduct of the risk assessment; d. any alignment to enterprise ICT risk activities; e. the decision maker or committee (including the CSGB) that will act as the risk owner; f. the approvals process for staffing to the Secretary and Minister as appropriate; and g. project or other approval mechanisms. Conduct the Risk Assessment 14. The risk assessment is undertaken in accordance with AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines and HB 167:2006 Security Risk Management. These are standard approaches to risk management. 15. The risk assessment needs to be as broad and as comprehensive as is possible and identified risks will form the basis of decisions made. The assessment needs to be independent, objective and capable of withstanding public scrutiny and independent inquiry. The Strategic Context of Outsourcing and Offshoring 16. The strategic context is the external environment in which the agency seeks to achieve its objectives. The external context can include, but is not limited to: a. the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; b. key drivers and trends having impact on the objectives of the organisation; and c. relationships with, perceptions and values of external stakeholders. 17. When conducting the risk assessment it is necessary to consider what aspects of strategic context are relevant to the situation, and factor these into the risk assessment process. These can include: DSM Part 2:51 Page 4 of 14

5 a. relevant Australian legislation, regulation and policy, including responsibility for safeguarding Australian Government information, including but not limited to: (1) requirements of the Archive Act 1983 and Freedom of Information Act 1988; b. foreign laws and potential jurisdictional access to information; (1) equivalent FOI acts; and (2) operation of Foreign Intelligence Services, local intelligence collection laws; and c. the potential benefits of outsourcing or off shoring arrangements. 1 How to Determine the Organisational Context 18. The organisational context is the internal environment in which the project seeks to achieve its objectives. This can include, but is not limited to: a. governance, organisational structure, roles and accountabilities within Defence; b. policies, objectives, and the broader Chief Information Officer Group managed strategies that are in place to achieve them; c. capabilities, understood in terms of resources and knowledge (eg, capital, time, people, processes, systems and technologies); d. extent of contribution to overall Defence capability and key dependencies and interrelationships; e. the relationships with and perceptions and values of internal stakeholders; f. the organisation's culture, including the security culture; g. information systems affected, information flows between them and decision making processes (both formal such as extant project boards and informal such as working relationships between multiple vendors); h. standards, guidelines and models such as the Defence Information Environment security architecture; and i. the nature and extent of contractual relationships, including subcontracting. Identifying Risk 19. ASD publishes specific guidance on cloud computing issues in addition to general outsourcing risks covered in the ISM. Readers should refer to ASD product when conducting risk assessments. 20. The following questions can assist in identifying risks. Enquiries should not be limited to these topics. It may be necessary to form a project security working group and workshop the following risks in order to gain a view across all stakeholders: a. Is the information provided to Defence by a foreign government? This information may be subject to control and foreign release restrictions; 1 Extensive advice exists on this subject. As a starting point, see the Australian Government Information Management Office s Cloud Computing Strategic Directions paper. DSM Part 2:51 Page 5 of 14

6 b. How could the integrity of government information be affected? What would be the impact of loss of confidence in the integrity of the information? c. How could an unintended disclosure of government information occur in an outsourced or offshore arrangement? What are the sources of risk? What threats are there? d. What would the impact of an unintended disclosure be for the various classes of information? e. Why could an unintended disclosure occur? What is the cause (actions, incidents or factors) behind the source of risk? Are there any measures in place that limit or encourage sources of risk? f. What would an unintended disclosure look like? What would an event or incident look like? g. Where would this happen? Based on arrangements, would this happen in Australia? If offshore, what countries could the information be stored or processed through? h. When could an unintended disclosure happen? What is the length of the proposed arrangement? What is the time period that risks need to be considered over? i. Who would be involved in an unintended disclosure? Who is the threat source? Who will be involved in a response? Who would be impacted? Does this include the Australian public, individual Defence members, protected identity holders, or is it limited togovernment? j. Is the cloud host country a known intelligence collector against Australia? 21. Defence ability to effectively manage and control its information in an outsourced or offshore arrangement can potentially be put at risk from any of the following: a. compromise of the integrity of the information which impacts on business functioning; b. unavailability of the information which impacts on business functioning; c. unauthorised access by a third party; d. unauthorised access by the service provider s other customers; e. unauthorised access by rogue service provider employees and f. inadequate resilience and security measures applied to the associated physical infrastructure, supply chain and ICT networks. 22. In addition to the risks associated with outsourcing arrangements, entering into an agreement with an offshore component can cause additional complications due to: a. the nature of the legal powers to access or restrict data; b. the lack of transparency (and reduced ability to directly monitor operations); c. the prevailing culture of some countries; and d. complications arising from data being simultaneously subject to multiple legal jurisdictions. DSM Part 2:51 Page 6 of 14

7 The Nature of Legal Powers to Access or Restrict Data 23. Like Australia, most foreign jurisdictions have legislated powers that allow access to communications and stored information for the purposes of law enforcement and national security. In some cases these laws allow law enforcement and national security agencies to access information held overseas or in Australia. Lack of Transparency 24. Should Defence enter into arrangements where information is held offshore, there is the potential for that information to be stored or processed in jurisdictions where foreign government information access mechanisms operate without transparency or outside of established legal frameworks. Alternatively, the lack of effective rule of law may fail to deter attempts by non-state actors to misappropriate information. 25. These matters of particular concern in high FIS threat countries with known intelligence collection requirements against Australia. The Defence Security and Vetting Service (DS&VS) can assist with advice in this area. Prevailing Culture of Some Countries 26. The prevailing culture of some countries may give rise to additional risks. For example, the tolerance (legal and/or law enforcement effectiveness) and acceptance of corruption and white collar crime differs across countries and may impact on an agency s ability to ensure the confidentiality, availability and integrity of government information. Similarly, extrajudicial behaviour of government agencies, and the ability of citizens to refuse those demands may be limited, potentially giving rise to further risks that need to be considered. Complications Arising from Data being simultaneously subject to Multiple Legal Jurisdictions 27. Complications may arise from information being subject to the laws of multiple jurisdictions. This may occur in circumstances where: a. foreign laws apply to a vendor because it is located offshore; b. foreign laws have an extra territorial application to vendors located in Australia; or c. the services provided by the vendor pass through a foreign jurisdiction. How to Assess Risk 28. Having identified a range of relevant risks, they are to be assessed in terms of their likelihood and consequence and acceptable levels of tolerance. The sources of risk events, and the effectiveness of existing controls to prevent the occurrence or reduce the consequences of risk events should be considered. This includes the level of oversight and control Defence and contractors have on the management of their information. 29. For additional information on assessing risks, see HB 167:2006 Security Risk Management. Guidance on Determining Potential Consequences 30. The risk assessment process must [Auth:None] assess the consequence with respect to Confidentiality, Integrity and Availability impacts on both individual items of information (or sub systems) and aggregated information and sub systems. The risk assessment may also assess against other risks such as reputation and financial risk as required. 31. A Confidentiality, Integrity and Availability Business Impact Level (BIL) must [Auth:None] be assigned to the individual items and the aggregation dependent on the worst consequence identified. DSM Part 2:51 Page 7 of 14

8 Example: The assessment may identify that whilst there is a low to medium confidentiality impact (unclassified DLM marked information maps to a Confidentiality BIL of 1-2) there could be High or Catastrophic integrity or availability impacts (BIL 5 and 6). In this case, information with a Confidentiality BIL of 2, an Integrity BIL of 3 and an Availability BIL of 4 would be assigned an overall BIL of 4. The aggregation of such information may require a higher BIL. 32. Further information is contained in DSM Part 2:7 Business Impact Levels. 33. The consequence of unintended disclosure of government information will depend on the profile of that information. The majority of government information is neither publicly available nor security classified. This includes information that is unclassified, but potentially sensitive, such as health and financial records; details of business dealings with government; correspondence between citizens and Ministers; and public service employee records. 34. Loss of Confidentiality, Integrity or Availability could for example: a. affect Defence operational capability; b. affect Defence capacity to make administrative decisions or operate; c. affect privacy and integrity of personal information about Defence employees and Australian citizens; d. affect the safety of persons; e. affect the public s confidence in government; f. affect Defence morale; g. interfere with commercial interests and the competitive process; h. result in non-compliance with legislation; i. incur additional cost restoring integrity; j. interrupt the operation of the Department whilst integrity is restored; and k. affect employee entitlements. Guidance on Determining Likelihood 35. The likelihood is the chance or probability that an event or incident will occur resulting in the unintended disclosure, interruption, modification of fabrication of government information. When considering the likelihood, agencies should consider the timeframe in which the risk could potentially occur. Likelihood may be expressed using a qualitative, pre-determined scale such as low, medium and high or a quantitative, numerical representation such as a 70 per cent chance of occurrence. Evaluating the Risks 36. Evaluating the risks of unintended disclosure of government information in outsourced or offshore arrangements involves considering the risks within the context of the agency risk tolerance and potential treatment options. 37. In some circumstances, the risks to Australian Government information can be quantified almost entirely in financial terms based on a loss of revenue or the cost to restore it to a trusted state. In these circumstances, determining the risk is a matter of financial calculation. However, in most circumstances, DSM Part 2:51 Page 8 of 14

9 Defence will need to consider a wider range of factors, including the potential reputational cost of a disclosure due to aggregated national security impacts. In these circumstances, calculating the risk is a more complex process and the acceptance of that risk is a responsibility of the Minister. 38. There may be circumstances where the factors for consideration and judgments required are so complex that the risk of outsourcing or storing data offshore is incalculable. If the risk is determined to be incalculable, it will not be possible to manage it. Under these circumstances the PSPF directs that Secretary Defence as the agency head is required not to enter into these arrangements. 39. For further information on evaluating risks, see HB 167:2006 Security Risk Management. Incapacity to manage risk Figure 2:51-1 Risk Tolerance Tolerable risk Increasing risk Intolerable risk Scope for agency determination of risk tolerance 40. Determining risk tolerance will be highly dependent on the organisational context of Defence and the Secretary. However, in most cases the concept can be understood as a gradient, where the risk may become increasingly less tolerable as the risk level is elevated (see Figure 2:51-1 above). 41. The CSGB may also refer the matter to the Defence Security Counter Intelligence Board or Secretary Chief of Defence Force Advisory Committee as a source of information on the overall enterprise risk tolerance, especially in the context of multiple capability owners. How to Consider Potential Risk Treatment Options 42. There is no such thing as absolute security. This means that efforts to treat risks will not remove them completely, but should aim to make the risk levels more tolerable. HB 167:2006 Security Risk Management outlines strategies for risk treatment. This includes a six step process where Defence: a. prioritises intolerable risks; b. establishes treatment options; c. identifies and develop treatment options; d. evaluates treatment options; e. details the design and conducts a review of chosen options, including the management of residual risks; and f. undertakes communication and implementation. DSM Part 2:51 Page 9 of 14

10 Suggested Treatment Options 43. Contractual arrangements present a potential tool that agencies can use to mitigate risks associated with the outsourcing or offshoring of government information through: a. specifying the necessary protective security requirements in the terms and conditions of any contractual documentation (including sub-contractual arrangements), and b. verifying that the contracted service provider complies with the terms and conditions of any contractual documentation. 44. In some cases however it may be impractical or impossible for Defence to verify if the service provider is adhering to the contract. This can be addressed through the use of third party audits, including certifications and accreditations, but at an additional cost. Finalise the Risk Assessment 45. Documenting the risk assessment and risk treatment 46. The risk assessment must be documented and agreed by the appropriate decision maker. The risk assessment must include a statement that the decision maker has considered, calculated and accepted the associated security risks in outsourced or offshore arrangements. 47. The risk assessment will determine whether accreditation is required. In some instances Defence accreditation may be replaced by an assessment by an external certification body. Example: A health service provider may be providing services for other government Agencies and undergone a certification to participate in that program. In this example it may be appropriate to recognise the certification. Secretary Approval 48. The CSGB will notify the appropriate format and mechanism to request Secretary approval. In some instances this will be via a senior committee. 49. The approval must include a letter for signature advising the Secretaries ICT Governance Board that they have entered into outsourced or offshore arrangements for the storage and processing of Australian Government information. The purpose of this measure is to support information sharing and inform potential whole-of-government ICT procurement arrangements. Ministerial Approval 50. Where there are risks to personal information, the potential impacts are broader than just financial considerations and include loss of public confidence and trust in government. Where these risks are calculable and manageable, under the PSPF the Minister is required to accept those risks before Secretary Defence can enter into such an arrangement. The Minster for Defence is required to consult with the Attorney General before granting approval. 51. The CSGB will coordinate the mechanisms for gaining Ministerial and Attorney General Approval. Roles and Responsibilities 52. Attorney-General. The Attorney-General is the Minister responsible for privacy and protective security within the Australian Government. They set overall protective security policy via the Protective Security Policy Framework, including minimum approval thresholds. They consider government wide impacts of DSM Part 2:51 Page 10 of 14

11 Privacy issues and act as a joint approval authority in conjunction with Secretary Defence for some offshore processing and outsourcing activities identified within this DSM part. 53. Secretary of Defence. The Secretary is the Agency Head under the PSPF, and in consultation with the Chief of the Defence Force, is the approval authority for some onshore processing and activities identified in this DSM part. 54. Chief Information Officer. The CIO sets policy direction for the outsourcing of Defence ICT arrangements and chairs the CSGB which approves business cases for outsourcing and cloud based computing initiatives and manages approvals for those business cases that require acceptance by the Secretary or the Minister for Defence. 55. Chief Information Security Officer. The CISO provides advice to projects considering outsourcing or cloud based computing and determines whether projects that do not meet mandatory criteria for approval by the Secretary or Minister will be managed by the CSGB. 56. Australian Signals Directorate. ASD publishes the ISM and other advice on security considerations for cloud services. Readers are encouraged to refer to ASD public website for further information on these topics. 57. System Owners, Project Managers and Contractors. Are responsible for seeking approvals for outsourced and cloud projects in accordance with this paper. Key Definitions 58. Unclassified - not publicly available information. This comprises information that is unclassified, but requires additional protections as it is not publically releasable. It includes Information marked with any DLM. 59. Unclassified - information subject to the Privacy Act This comprises information that is subject to the Privacy Act 1988 and includes both Personal and Sensitive information as described in the Act. It includes: a. Personal information. This is information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. b. Sensitive information (1) information or an opinion about an individual that is also personal information: i. racial or ethnic origin; ii. iii. political opinions; membership of a political association; iv. religious beliefs or affiliations; v. philosophical beliefs; vi. vii. membership of a professional or trade association; membership of a trade union; DSM Part 2:51 Page 11 of 14

12 viii. ix. sexual preferences or practices; criminal record; (2) health information about an individual; (3) genetic information about an individual that is not otherwise health information. 60. Within Defence this information will be marked with the DLM Sensitive: Personal. However for the purposes of this part it is necessary to differentiate between the types of information and the definitions above are used. 61. Unclassified - publicly available information. This comprises information that the Australian Government makes publicly available. Example: The Defence internet presence and press releases. 62. Security classified information. Information which is security classified at PROTECTED, CONFIDENTIAL, SECRET or TOP SECRET. 63. Offshore arrangements. Information is stored or processed in equipment that is located outside of Australia. The mere transit of information is not considered storage or processing for the purposes of this policy. 64. Onshore arrangements. Information is stored or processed in equipment that is located within Australia. 65. Cloud computing. Is a delivery model for IT services. It is defined by the US National Institute of Standards and Technology (NIST) as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 66. There are three cloud service models indentified by NIST: a. Infrastructure as a Service (IaaS). This involves the vendor providing physical computer hardware including CPU processing, memory, data storage and network connectivity. The vendor may share their hardware among multiple customers referred to as multiple tenants using virtualisation software. IaaS enables customers to run operating systems and software applications of their choice. Typically the vendor controls and maintains the physical computer hardware and the customer controls and maintains the operating systems and software applications. b. Platform as a Service (PaaS). This involves the vendor providing Infrastructure as a Service plus operating systems and server applications such as web servers. PaaS enables customers to use the vendor s cloud infrastructure to deploy web applications and other software developed by the customer using programming languages supported by the vendor. Typically the vendor controls and maintains the physical computer hardware, operating systems and server applications and the customer only controls and maintains the software applications that they develop. c. Software as a Service (SaaS). This involves the vendor using their cloud infrastructure and cloud platforms to provide customers with software applications. Example applications include and collaborative working environments for users to develop and share files such as documents and spreadsheets. These end-user applications are typically accessed by users via a web browser, eliminating the need for the user to install or maintain additional software. Typically the vendor controls and maintains the physical computer hardware, operating systems DSM Part 2:51 Page 12 of 14

13 and software applications. The customer only controls and maintains limited application configuration settings specific to users such as creating address distribution lists. 67. There are three cloud deployment models indentified in the PSPF. These models are PSPF policy specific, NIST uses different deployment models: a. Domestically hosted public cloud. Information is stored or processed by equipment which is located in Australia, offers services to the public, and is not under the direct control of the Australian Government. It involves an organisation using a vendor s cloud infrastructure which is shared via the Internet with many other organisations and members of the public. For example, a multi-tenant data centre located in Australia. Note: An internationally hosted public cloud has the same requirements as Offshore Processing and is therefore not differentiated in this policy. b. Domestically hosted private cloud. Information that is stored or processed by equipment which is located in Australia, is serviced by Australian residents and is restricted to a single or small class of tenants. The facility can be under the direct control of the Australian Government. It involves Defence exclusive use of cloud infrastructure and services located at the Defence premises or offsite, and managed by the Defence or a vendor. Example: A data centre in operated and managed in Australia operated by the private sector for use by the government. c. Community cloud. A type of private cloud that is shared by several organisations with similar security requirements and a need to store or process data of similar sensitivity. Example: A data centre shared between multiple departments. Further Definitions 68. Further definitions for common DSM terms can be found in the Glossary DSM Part 2:51 Page 13 of 14

14 Annexes and Attachments N/A This part currently has no annexes or attachments. DSM Part 2:51 Page 14 of 14