1 Aspects to consider within information security during procurement and use of cloud services Version: 2.00 Release date: 4-Mar-2014 This paper is licensed under Create Common Share Alike 3.0
2 Preface This document is partly based on the authors previous work [i-iii] made under the Creative Common Share Alike 3.0. Further, the legal part is partly based on [iv-vi]. If using this document, please reference it properly. The objective with this document is to provide guidance on information security aspects to organizations looking into procurement of cloud services, as well as to organizations already using cloud services. Further, legal aspects of cloud security and compliance frameworks are addressed too. Finally, if you have any ideas for improvement please do not hesitate to the contact person for the last version of the document listed below. Version history Version Contributors Released 1.00, first version John Lindström and Dan Harnesk (LTU) et al. 19-Apr , second version. Legal aspects added Project leaders/editors: John Lindström and Dan Harnesk (LTU) Contributors: Eva Ekelund, Karl-Mårten Karlsson (Actea Consulting AB), Lars G Magnusson, Lars Perhard (W&P Advokatbyrå KB), Ulf Berglund (U&I Security AB) 4-Mar-2014 Primary contact: Contents 1. Introduction Some legal aspects on cloud security Aspects to consider within information security during procurement and use of cloud services Creating a compliance framework for cloud computing what to address in such a framework? Sources Word list and abbreviations used IaaS PaaS SaaS SECaaS XaaS CIO CISO Security Information security Infrastructure as a Service Platform as a Service Software as a Service Security as a Service X as a service used as a collective term to denote anything or everything as a service Chief Information Officer corresponds to a senior management role responsible for IT- and information issues within an organization Chief Information Security Officer corresponds to a senior management role responsible for information security issues within an organization When the term security or information security is used, it encompasses security for IT, information systems and information Before you read this document please read: This document has been written for use mainly within Sweden, and although most of the aspects discussed are of a general nature, readers should have this fact in mind while reading. These guidelines should not be construed as technical or legal advice on any specific facts or circumstances. The content is not exhaustive and is intended for limited general informational purposes only. The authors make no representations as to accuracy, completeness, actuality, suitability, or validity of any information and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis with no warranties, and confers no rights. Readers should consult appropriate technical, accounting or legal consultants concerning any specific question or the relevance of the subjects discussed herein to particular factual circumstances.
3 1. Introduction This document concerns aspects of information security, including related legal and compliance matters, regarding cloud services. These cloud services are often referred to as SaaS, IaaS and PaaS and can of course be combined, or only partly be used, together with an organization s private IT environment. Additional recently introduced abbreviations are for instance SECaaS and XaaS. As the interest for cloud services start to gain momentum among stakeholders in an organization, and a procurement process is about to start (or if cloud service already has been procured), there are two questions to consider: What is the problem and challenge with security in the cloud compared to methods or practices used previously? The problem and challenge involve a number of issues, e.g. it is partly new, and that competences and personnel not existing in all organizations are required. The sourcing of personnel and specific competences may need to be examined. Many organizations will also probably need to make changes in their own security and risk management processes, update the legal/regulatory and compliance frameworks used, because there will not be the same transparency and possibilities to investigate, impact or follow up on issues. Many organizations are not familiar with procuring cloud services and the various legal issues which need to be considered. What security aspects need an organization consider? There is no exact template, as all organizations differ in their business processes. One example is if personal data is stored, processed or communicated within a cloud service, it may require additional actions regarding, e.g., clarification of responsibilities, agreements for export of personal data, and appointing a Personal Data Officer. However, this document comprises a number of aspects which we consider are of importance. Any organization should firstly consider what and where there can be problems before this document is used, not become too influenced by it and overlook important factors when the contents in this document are used and ticked off. Most organizations have a number of requirements regarding security (originating from regulations, laws or business requirements), and these usually differ depending on whether the organization is a small business, a public corporation, a public authority/government agency, or municipality. In most cases, the top management of an organization has a responsibility to investigate risks related to IT, as well as to take action to mitigate possible risks in a responsible manner. A hinder related to cloud services is that an organization, in most cases, does not have the same possibilities to control, impact or influence, and that an increased transparency is required from providers (see [1, 3, 7]). There is a need to build trust in between the parties. From a legal standpoint, work tasks with related responsibility to maintain the levels of security can be, to a certain degree, delegated to providers by a contractual agreement. For example, regarding a public corporation, its board and president (top management) are always ultimately responsible to the shareholders. In general, there is a legal obligation to continuously investigate risks and maintain an adequate level of security. Among the factors affecting the security requirements for a cloud service, importance of the information processed is as well how it needs to be protected (confidentiality, integrity, secure backup etc.), and what availability that is required. To facilitate the assessment of the availability level required, organizations need to analyze their business processes on a high level and also map out which IT resources and information systems etc. that are used in the processes. Following, an assessment of which business processes that are critical, i.e. that always need to be operational or operate at a very high level of availability, should be conducted. It is easier to cloud source the support for parts or whole business processes that are not critical. A security audit of a cloud service requires significant time and resources. Thus, an organization ought to be more thorough while auditing cloud services used in critical business processes compared to for non-critical business processes. A security audit should not only be made initially, but be made continuously as long as the cloud service is used. The security audit should always use your own policies related to the
4 area. Input to the audit requirements are, for example, changes in business and business environment requirements. Consequently, it is a good idea to start with a business process which is non-critical nor processes any confidential information, to learn and get experience before addressing critical business processes where demands are higher. Required are an analysis and a plan. In addition to listing and highlighting issues and problems, we link what business value can be created upon appropriate planning, management and actions pertaining to those issues or problems. Concerning business value for an organization, business value can be interpreted very differently, depending on type of organization, its mission and stakeholders. Preferably, the business value should be measured in straight figures like total-cost-of-ownership (TCO), where the cost for having a solution run by the organization is compared to using a cloud service, return-on-investment (ROI) or the like. However, finding these costs and cash flows can be difficult, as many of the business values are qualitative rather than quantitative. We suggest, as part of any cloud services business case, that the business value generated from information security and related topics are described and highlighted in order to show that not only costs are generated but also business value. Examples of business value categories, found in business literature and research, applicable for a cloud service context are: improved organizational performance/profitability (PERFORMANCE), improved competitive advantage (COMPETITIVENESS), creative synergy (SYNERGY), respectively improved management ability (MANAGEMENT). Below, there are one or more examples of different business values for each category: PERFORMANCE productivity increase, more efficient processes, lower costs, increased profitability, higher return on capital or investment, increased sales, more mobile workforce. COMPETITIVENESS facilitator for new products or services, improved adaptability/changeability and scalability (i.e. pay for usage), increased ability to attract or get resources that are difficult to imitate/rare/valuable/non-substitutable and make these productive and create competitive advantage, more content customers and employees, shorter time to markets for products/services, lower cost barrier, ability to reach new markets, lowered risk. SYNERGY improve the relation between information systems/it and organization/strategy/ structures/management processes to create synergies among strategies/organization/processes/technology/humans and further increase the effect from technology to reach higher profitability. MANAGEMENT management gets better understanding of available resources/customers etc. that may lead to better sourcing of resources and improved product/service design, management and organization are better prepared to manage a crisis, increased trustworthiness/reliability from customers and the own organization, organization is able to manage business/legal requirements. This document has a focus on improved management ability. Recommended is that you, besides using this document, further read and use the documents listed in the reference section.
5 2. Some legal aspects on cloud security This section aims to address some crucial legal aspects on cloud security that a potential organization should consider before deciding to migrate its IT-operations to the cloud. Inside or outside the [fire]walls In the legal analysis, it is first necessary to investigate whether any legal obstacles to the use of cloud services exist. This analysis should be conducted from the viewpoint of any jurisdiction where the intended cloud services shall be produced, used, stored, or where from any other viewpoint the services in question will gravitate. In practice, e.g., from a Swedish perspective as in many other jurisdictions, there are few direct legal challenges. However, sometimes requirements set forth in legislation may be difficult to fulfil using cloud services due to their particular features in relation to traditional IT services produced within the four [fire]walls of the using entity s own facilities. Such obstacles are often related to specific security requirements for a given activity or for a particular type of information. However, more common is that general legal requirements for security, e.g., confidentiality, security in the processing of personal data 1, or stock exchange requirements need to be converted to requirements set out when choosing a cloud service provider or to security requirements in the contract for cloud services. With an increased flow of business secrets that are sent and placed outside corporate firewalls, the encryption of data must also be considered. Information security Security issues from a technical perspective often go hand in hand with the legal issues as all aspects of security should be addressed in a cloud sourcing agreement. A migration of services to the cloud places special demands on the systematic work of information security, not only on the supplier but also on the customer. Deficiencies regarding information security that already exist at the customer s end before any decision is taken to use cloud services will not automatically be corrected through migration. In most cases, it will instead become more complex to address the shortcomings when the services are placed in a cloud environment. However, used in the correct way, cloud services can in most cases provide an adequate level of security. Due diligence A general observation is of course, that a customer should not rely entirely on a well-designed contract, but should also investigate the status and history of a supplier. This can, for example, involve obtaining references or carrying out a more or less comprehensive survey of the supplier s operations and status, from a legal, financial and technical perspective (due diligence), where the customer may for example have access to the supplier s documentation, routines and processes in order to determine the supplier s ability to meet the customer s requirements. These aspects are particularly important as cloud services in most cases are delivered by players in the international arena. International aspects Cloud services are often performed across borders and in different parts of the world simultaneously. Thus, it is not sufficient simply to find out where data is stored, but also where it is processed in the case that cloud services are used for the processing of data, since providers often try to optimise their computing power when processing data. This means that information can be transferred for the purposes of processing, and then returned and stored in processed form at the agreed storage site. The consequence is that a customer - 1 The EC Directive on data protection requires that all member states have rules that provide an equivalent protection for personal data and privacy, EU as well as Sweden as a member state can be considered to have a high standard concerning the protection of personal data. The EC-directive has been implemented in Sweden and here you can find the Act in English:
6 regardless of what the contract says - may be exposed to other countries legal systems. These technical aspects are important in determining how, for example, personal data protection issues are solved. Moreover, data stored within a particular country can, for example, be subject to publishing laws or the equivalent, or forcibly made available to authorities such as police or intelligence agencies. Such circumstances should also be considered before cloud services are used. Risk analysis Before a decision on transition to the cloud is taken, the customer must analyse the applicable risks and requirements in the given situation. It is essential that the customer converts the results of the analysis to precautionary measures and communicates these to the provider. Cloud Security Alliance  has identified a number of primary threats to deal with in connection with a migration to the cloud elaborating on many of the risks. Personal Data legislation An example of a legal framework that applies for every use of services is personal data legislation. Users of cloud services need to be aware of the responsibilities arising from the provisions of the [Swedish] Data Protection Act 2. This means, amongst other things, that the Act s rules on when processing of personal data is permitted must be taken into account, that the Act s security requirements must be met and that there must be a [written] contract between the parties that regulates the cloud service provider s processing of personal data. In order for personal data to be included in a cloud service whereby data may be stored (or processed) outside the EEA (i.e. EU and EFTA countries), specific legal requirements apply. Anyone who wants to use a cloud service for storing personal data must therefore either ensure that storage occurs only within the EEA or actively ensure that storage meet the requirements for transfer to a third country. As mentioned above cloud services are often carried out across borders and in different parts of the world. From the perspective of personal data legislation, however, the transfer for the purposes of processing, the processing itself and the returning of the processed data are all processing of personal data. The contract should clearly state where the customer s data may be processed (for example determined to a region, country/countries or data centres) and that this processing is traceable. Where systems administrative work may be carried out should also be covered in the contract. The contract should, as a minimum, include the provisions that according to the Personal Data Act should be found in a contract with a party who processes data on behalf of the customer; also ensure control over where and by whom personal data is processed. For example, the customer must consider, including provisions that the provider shall assist the customer in questions concerning obligations under the Personal Data Act, that consent should always be obtained from the customer in the case of the use of a subcontractor or if personal data shall be transferred to a third country (i.e. countries outside the EEA), that the provider shall bear the costs and risks relating to agreements with subcontractors and that the provider will reimburse the customer for any damage caused to the customer due to the supplier or subcontractor failing to meet obligations arising from the contract. If the contract allows the cloud service provider in practice, directly or indirectly through subcontractors, to process the customer s personal data outside the EEA, the contract must include regulation of the legal basis for this. There are several ways in which the customer can ensure that requirements for the transfer of personal data to a third country are met. The customer can, for example, conclude a separate standard contract (a model clause contract ) with the provider that regulates the transfer of personal data. Here it is also important to consider what kind of data is being transferred in the particular case, how long the processing will last and what kind of data protection rules exist in the country where the processing wishes to be carried out. 2
7 Confidentiality In some cases, legal requirements set explicit demands that certain information shall be given confidentiality protection. One example is the framework of the [Swedish] Official Secrets Act (2009:400). Confidentiality requirements need to be addressed in the contract with the provider of cloud services. The contract should state that the customer s data is not allowed to be disclosed to third parties or to be used by the provider for purposes other than the provision of services. The provider should ensure that access to the customer s data is limited to those persons within the organization who need access to the data in order to perform their duties. It should also be regulated how and in what way the provider can monitor and collect information about how and to what extent the customer uses the service (such as frequency, changes in volume and bandwidth usage etc.). If the provider is given such a possibility, this should be strictly regulated and in addition state which parties (companies, authorities etc.) the provider is able to share such information with. Particularly sensitive data shall be protected by encryption when transferring to and from the service provider. It should also be considered whether the data should be protected by encryption when in rest. Furthermore, it shall be ensured that the service meets the applicable regulations on export control, particularly in cases where the service is delivered from the USA. The contract should also include a requirement for the provider to store the customer s data separate from other customers data. Service levels Depending on whether the service is wholly or partly standardized, it may be necessary to contract on customized service levels. If the provider states a percentage for availability, this shall be converted into absolute numbers in order to get a precise estimate of, for example, how many minutes per month a service can be down without incurring liability for the provider. Almost any cloud services contract shall contain elaborated stipulations on service levels. The Swedish Standard Institute (SIS) has recently presented a standard on service level agreements (SLA). The most important legal aspect on SLA, apart from the contractual aspects, is the possible sanction. Penalty payments are often given as a sanction when service levels are not met. In case of delays in the customer s connection or service failures, the customer should be compensated. A fundamental requirement from the customer on the provider should be that work with information security (see next section) is conducted in accordance with established standards within the field and that adequate security measures exist. The structure and level of each security measure should be determined by the result of the customer s analysis of risks and requirements. Further, it is necessary to consider who shall be responsible for loss of data (for example due to technical failures, theft of data or intrusion) and how this term is defined in the particular case. It is important that the contract clarifies precisely what is considered to be included in such a loss, and which party shall bear responsibility for precautionary measures such as resets and back-ups. The customer should therefore critically review the contract regarding if data loss is considered to be indirect harm, and as such exempt from the responsibility of the provider.
8 3. Aspects to consider within information security during procurement and use of cloud services This section does not comprise a complete collection of aspects that need to be considered. The intention is to provide a basic structure for the work regarding security to enhance and continue to build upon. Hopefully this basic structure will enable organizations to save time, resources and money. The sources used are explicitly marked as references. However, the authors own experiences or research have been added into the text without any explicit references. The aspects are tagged with a level, which corresponds to the level where the aspect should be addressed. The levels used are strategic (s), tactical (t) and operative (o). By strategic we mean top management level consideration and decision that affect a whole organization with a long time frame (i.e. years). By tactical we mean the management responsibility for functions or processes and decisions that affect people s work with a medium time frame (i.e. months). Finally, by operative we mean department or group level where the decisions impact on the daily business with a short time frame (i.e. weeks or days). Suggested is to start with the strategic level aspects, and work downwards to the operative level. Below is a list of security aspects to consider: Level Aspect Who has most interest Source S Compliance with applicable legal requirements Top management [1, 4] and regulations. Which are fulfilled, and which need to be fulfilled? S Compliance with the own security policy. Anything Top management [1, 3, 4, 6] that renders problems? Is there a need to change the own security policy? S Fulfillment of requirements from standards, certifi- Top management [1, 3, 4] cations, best practices etc. (i.e. compliance). Which requirements should/must we fulfill and - which does the provider fulfill? How can we demonstrate this at a (re)certification? S Audit and evidence collection. How can audits be Top management  conducted, and how can potential evidence needed be collected? Is there a common audit for all customers together? S Risk management transparency at provider. Is it Top management, [1, 3, 4] possible to maintain a continuous high qualitative risk procurement function management/mitigation? Are there audits made by independent third parties after a standard model with publicly known criteria or metrics? Are the audit protocols for a number of previous years available? S Insurance. Does the provider have an insurance which Top management, covers damages or costs that can arise due to data procurement function breach, mistakes or other causes? Does insurance cover what the identified risks can cause?
9 S Information issues. Will our organization have ensured Top management [1, 3, 4] access to our own information during a certain period of time from a notified point in time, even if the cloud service is shut down for any reason, or during a contractual dispute? Ownership of information always owned by our own organization no matter what? Will the information be kept partitioned at storage and processing (possible to recreate if one or more partitions fail), and is it due to the partitioning more difficult to recreate information at a breach? Is the information stored or processed globally, or at appointed data centers? The last issue is of importance if there is sensitive personal information which is affected by, for example, the EU Data Protection Directive, and Safe Harbor/Patriot Act in the USA etc. S Long term digital preservation and storage. How do Top management, CIO we want this to be set up and operate? Who has responsibility for migration and emulation etc. of the formats stored? Does the provider manage all this, or is more knowledge and competence needed? S In case of a potential change of cloud service. Is it Top management, CIO, [3, 4] possible to port (or directly use) the information and architect its meta-data in new environments and other providers cloud services? S Business continuity planning to extend the own or Top management, resp. for [1, 3, 4] synchronize with the provider s. Is it easy, or does it business continuity planning comprise a large effort? How often to practice? S/T How far does the provider s responsibility stretch and Top management, [3, 4] where does the own responsibility end (does the procurement function provider responsibility end at the hypervisor, i.e. the virtualization/physical- and environmental security, or does it stretch shorter/longer)? What applies for security checks of infrastructure, operating systems, data/information, applications etc.? Is the virtualization shared with other customers, or is all separated per customer? How do we want it? S/T Disaster recovery planning on cloud service/system Top management, IT and  level how is it set up? Are our own services/systems Information systems departments integrated with the provider s? S/O Disaster recovery how is the provider s process Top management, IT and [3, 4] devised? Is there a need to integrate with our own Information systems departments, process, or is it enough that the provider s process operation/support looks OK? How often to test? S/O Incident response how is the provider s process set Top management, IT and [1, 4] up, and how can the own process be integrated with Information systems departments, the provider s process? How often to test? operations/support
10 T Identity and access management (IAM). How many Architect, procurement function [1, 2, 3] such IAM-systems will our organization be involved in? Are there proprietary and/or different variants used by the potential providers? Some of these IAM-systems require additional knowledge, resources and separate control processes. Is it possible to find an interoperable solution that all or several providers can use in common? How many security levels are required? What users/roles will we need to have? Do we have a process to add/remove users and roles? T Service integrity. Does the provider s development Procurement function [1, 3, 4] process concern security and personal integrity issues during the whole lifecycle of the cloud service? Does the delivery of the cloud service fulfill the contractual requirements on security (availability, monitoring/audit/ logging, response times and support level)? T Security at end users (i.e. end point security). Do we CISO [1, 3, 4] need training and an awareness program to achieve a secure behavior (for example, towards social engineering, identity theft, phishing, viruses, malicious links etc.)? How should users (and administrators) securely connect to the cloud service requirements? Is it possible to have single sign-on together with other cloud services/systems depending on how directory services, keys, key management and firewall policies look like? What does the own security policy require of the IT environment and users in general? T Security in the cloud service interfaces. How are the CISO [2, 3, 4] cloud service s security levels in the interfaces set up? Are the interfaces for instance securely developed, see , and are any APIs (Application Programming Interfaces) or other possibilities to connect within, around or to the cloud service secure and securely developed? Encryption levels and key generation/management? How and how often is all this tested? T Protection of information. Is the information always CIO/CISO [1, 2, 3, 4] protected while being within the cloud service according to the requirement/classification in the security policy (encryption, integrity, backup and recovery etc.)? How is the information kept separated from other organizations information? Levels of encryption and key management how are these set up? Backup method, safe and secure storage? How often is all this tested? T Dynamics of the cloud service. How quickly can CIO  additional resources or performance always be provided, and for how long? What is our need regarding dynamics?
11 O Physical security, background checks and logging of Buyer [1, 3] personnel at the provider etc. The requirements posed on the provider shall mirror the own business requirements on security. Are backups safe and secure? O Is the cloud service developed to prevent intrusion? Buyer, CISO [2, 4] In case of an intrusion, will the intruder get access to information stored in other data centers? What is monitored and logged? How is the monitoring function set up, and is it manned 24x7? O Does the cloud service have a standardized open Buyer, CISO  interface to MSS (managed security services) providers for its customers? Do we need or want this? O Patch management. How is patch management Buyer, CISO [2, 3] managed within the cloud service software, security solutions and supportive software like operating systems, device drivers, virtualization etc.? Is there a process for this and is it executed in a controlled manner? Are always new parameter settings changed by a patch reverted back to the prior settings if wanted? O Who have, and who should have access and be able to Buyer, CISO  log in to the cloud service, supportive software, and the information stored in the cloud service? Do these really need to be able all that they can, or do they have too much access rights or authorization (goes for both employees at the provider and the own organization)? O How often are penetration tests and different attacks Buyer, CISO [2, 3] applied towards the cloud service? What were the results of prior penetration tests? Examples are attacks towards password sources and authentication mechanisms, password- and key cracking, availability (DDOS/EDOS) etc.? O Can any user add links, applications or other source Buyer, CISO  code to the cloud service? If needed, can this be controlled by authorization? Logging? O Removal/deletion of data. If data should be Buyer, CISO  removed/deleted on demand by us, how is this managed and how can we ensure that the data has really been removed/deleted? How long will it take? What goes for the backups?
12 4. Creating a compliance framework for cloud computing what to address in such a framework? A compliance framework for cloud computing should preferably be integrated into an organization s overall risk management and compliance set up. Compliance can be seen as a tool for top management to ensure that risks are managed and requirements from legal/regulatory bodies, customers, standards, certifications or best practices that should be honored are in fact honored. Further, if an organization has additional internal requirements that should be upheld, those can be added to a compliance framework as well to be followed up on and kept updated. There are a number of ways to set up an organization s overall risk management and compliance activities, but those will not be covered in this document. The idea with this section is that an organization should get an idea on what elements/controls that a simplistic compliance framework for cloud computing can comprise. The elements/controls are aimed to be input for risk management departments, CIOs, CISOs, or other functions or roles responsible to honor requirements or to proactively monitor, manage and mitigate existing and emerging risks related to cloud services used by the organization in its operations. A further comprehensive set of elements/controls can be found in  (which maps to various international standards), and if used it should be adapted to your organization and the applicable Swedish conditions related to your business context. Below are a number of elements/controls that can be part of a cloud computing compliance framework: Risk management transparency at provider. Needed is to maintain a continuous high qualitative risk management/mitigation. Do we do the audits ourselves, or are the audits made by independent third parties after a standard model with publicly known criteria or metrics? Where are the audit protocols for a number of previous years available? [1, 3, 4] Risk management internal. What risks should be tracked and how often should risk evaluations be conducted? Who is responsible and will manage the risk mitigation? Compliance 3 with legal requirements and regulations. Which need to be fulfilled, which are and which remain to be fulfilled? [1, 4] Fulfillment of requirements from standards, certifications or best practices etc. Which requirements should/must we fulfill and - which does the provider fulfill? If there is a gap how to manage that gap? How can we demonstrate this at a (re)certification? [1, 3, 4] Compliance with essential customer requirements. Which are the essential requirements (necessary to stay in business), and which are fulfilled or remain to be fulfilled? Compliance with the own security policy or polices. Anything that renders problems? Is there a need to change the own security policy? [1, 3, 4, 6] Business continuity planning is the business continuity planning involving the provider and our own organization s related critical processes in line with the internal/external requirements (i.e. available within a decided timeframe in case of problems)? How often to practice crisis management, disaster recovery and incident response? [1, 3, 4] 3 It can be worth noting that not only the Swedish and EU legislation need to be considered, as planned and existing legislation in the USA can have an impact as well.
13 5. Sources  Microsoft (2010). Cloud Computing Security Considerations.  CSA Cloud Security Alliance (2010). Top Threats to cloud computing v1.0.  ENISA (2009). Cloud Computing: Benefits, risks and recommendation for information security.  CSA Cloud Security Alliance (2009). Security Guidance for critical areas of focus in cloud computing v2.1.  OWASP (2010). OWASP top ten project -  Microsoft (2010). Information Security Management System for Microsoft Cloud Infrastructure - loudinfrastructure.pdf  CSA Cloud Security Alliance (2013). Cloud Controls Matrix v1.4 - https://cloudsecurityalliance.org/research/ccm/ Some further specific Swedish sources of information relating to the cloud (some of it not available in English): [i] Cloud Sweden (2011). Areas and problems to consider within information security and digital preservation during procurement and use of cloud services, v1.1.1, [ii] Cloud Sweden (2011). Legal issues when moving to the cloud a checklist. https://natverk.dfs.se/engelsk-oversattning-legal-issues-when-moving-cloud-checklist [iii] There are a number of particular aspects to take into consideration before implementing cloud services in bodies and organizations within the public sector in Sweden, e.g., the principle of public access to official records - these are summed up in a document by Cloud Sweden: (available only in Swedish). [iv] Edvardsson and Frydlinger (2013). Legal Molntjänster, Norstedts (only in Swedish) [v] IT&Telekomföretagen (2010). Cloud Computing, kommentar till IT&Telekomföretagens standardavtal Cloud Computing version 2010 (in Swedish) [vi] IT&Telekomföretagen (2010). IT&Telekomföretagens standardavtal Cloud Computing version 2010 also available in English, Personal information Swedish Personal Data Act and the Personal Data Ordinance, and the Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data)., as indicated above cf. www. Datainspektionen.se which comprises useful information on personal data legislation and related security issues also in English. Further documents of interest can found at CSA s main homepage at: https://cloudsecurityalliance.org/
Aspects to consider within information security during procurement and use of cloud services Version: 1.00 Release date: 19-Apr-2013 This paper is licensed under Create Common Share Alike 3.0 http://creativecommons.org/licenses/by/3.0/
GUIDELINES Areas and problems to consider within information security and digital preservation during procurement and use of cloud services Powered by Dataföreningen English version 1.1.1-2011-01-17 This
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred
Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is
Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
How to procure a secure cloud service Dr Giles Hogben European Network and Information Security Agency Security in the cloud contracting lifecycle Can cloud meet your security requirements Choose the provider
p. 1 System Management Standards Proposed on October 8, 2004 Preface Today, the information system of an organization works as an important infrastructure of the organization to implement its management
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction
How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk
IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (firstname.lastname@example.org), 2: (email@example.com) ABSTRACT
Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between
Introduction and Overview Klaus Gribi Senior Security Consultant firstname.lastname@example.org May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious
CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
Cloud Service Rollout Chapter 9 Cloud Service Topics Cloud service rollout plans vary depending on the type of cloud service SaaS, PaaS, or IaaS and the vendor. Unit Topics Identifying vendor roles and
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
CITY OF LEMOORE REQUEST FOR PROPOSALS FOR CREDIT CARD PROCESSING SERVICE City of Lemoore Finance Department 119 Fox St Lemoore, CA 93245 Notice is hereby given that the City of Lemoore is soliciting proposals
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
Privacy Level Agreement Working Group Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union February 2013 The PLA Outline has been developed within CSA by an expert working
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
Effective Practices for Cloud Security Effective Security Practices Series Moving some internal processes to the cloud initially looks appealing: lower capital costs, more centralized management and control,
1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These
1 Scope of this Agreement (1) Licensor has agreed with Licensee to grant Licensee a license to use and exploit the software set out in the License Certificate ("Licensed Software") subject to the terms
Checklist: Cloud Computing Agreement crosslaw s checklists Date : 21 November 2015 Version 1.4 Tags : ICT Law Johan Vandendriessche Johan is partner and heads the ICT/IP/Data Protection practice. He combines
Identity and Access Management for the Cloud What you need to know about managing access to your clouds Organizations need to control who has access to which systems and technology within the enterprise.
Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
Why & How Cloud computing is enabling the digital transformation of financial services institutions There s no one billion customer bank yet, because there s no way to do it without cloud. Next generation
1 European Users recommendations for the success of Public Cloud Computing in Europe Cyril Bartolo Cloud Computing Council chairman 25-Nov-2014 v1b 2 European CIO Association EuroCIO is created by CIOs
Table of Contents Validating Enterprise Systems: A Practical Guide Foreword 1 Introduction The Need for Guidance on Compliant Enterprise Systems What is an Enterprise System The Need to Validate Enterprise
Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research
AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING 1. Overview and Background On 27 September 2012, the European Commission adopted a strategy for "Unleashing the potential of cloud computing in
How not to lose your head in the Cloud: AGIMO guidelines released 07 December 2011 In brief The Australian Government Information Management Office has released a helpful guide on navigating cloud computing
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
web applications and websites W A T S O N H A L L Watson Hall Ltd London 020 7183 3710 Edinburgh 0131 510 2001 email@example.com www.watsonhall.com Identifying information security risk for web applications
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices
Standard business terms Cybertec Schönig & Schönig GmbH Gröhrmühlgasse 26 2700 Wiener Neustadt (Named Cybertec resp. contractor below) Edition 2014-01 1. General remarks 1.1 As contractor Cybertec provides
Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services firstname.lastname@example.org April 23, 2012 Overview Technology
Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
lakyara Information security safeguards required for new ID number system - Recent revisions to guidelines for protection of personal information - Jun Tsutsumi 11. May. 2015 Executive Summary Jun Tsutsumi
Cloud Computing Hot topics in relation to security, liability and privacy Steven De Schrijver Cloud Computing : who and what is involved? Data Cloud Service Provider (e.g. SaaS, PaaS, IaaS) Sub-contractor
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
21 Point Checklist for SELECTING AN ENTERPRISE-READY CLOUD SERVICE Brought to you by Introduction The journey to the cloud is well underway, and it s easy to see why when 84% of CIOs report cutting application
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Company or Trading Name: Address: Post Code: Telephone: E-mail: Website: Date Business Established Number of Employees Do you have a Chief Privacy Officer (or Chief Information Officer) who is assigned
OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1
Public Cloud Service Agreements: What to Expect & What to Negotiate April 2013 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide customer-led guidance to the multiple
CLOUD CONTRACTS WHAT PROVIDERS AND CUSTOMERS SHOULD DISCUSS Catalogue of recommended contractual components in General Terms and Conditions of Business (AGB) and Service Level Agreements (SLA) for Cloud
IT Cluster Vienna Cloud Computing Group Publisher: Paul Meinl Questionnaire for the SaaS contract Overview of issues for negotiation preparations Before you start talks with the potential contractual partner,
security in the cloud White Paper Series 2 THE MOVE TO THE CLOUD Cloud computing is being rapidly embraced across all industries. Terms like software as a service (SaaS), infrastructure as a service (IaaS),
Cloud computing: benefits, risks and recommendations for information security Dr Giles Hogben Secure Services Programme Manager European Network and Information Security Agency (ENISA) Goals of my presentation
Report on Hong Kong SME Cloud Adoption and Security Readiness Survey Collaborated by Internet Society Hong Kong and Cloud Security Alliance (HK & Macau Chapter) Sponsored by Microsoft Hong Kong Jointly
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
TEXTURA AUSTRALASIA PTY LTD ACN 160 777 088 ( Textura ) CONSTRUCTION PAYMENT MANAGEMENT SYSTEM TERMS AND CONDITIONS OF USE Welcome to the Textura Construction Payment Management ( CPM ) System. By clicking
Pharma CloudAdoption and Qualification Trends OurCloudExperience Numerous implementations of EDMS systems with external hosting for smaller life science clients Development of qualification strategy for
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies
The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations Jeffrey D. Scott Jeffrey D. Scott, Legal Professional Corporation Practice Advisors
USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY CONDITIONS OF USE FOR ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY Between: the Commonwealth of Australia, acting
AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health
HEALTH WEALTH CAREER DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS? Gregg Sommer, CAIA Head of Operational Risk Assessments St. Louis MERCER 2015 0 CYBERSECURITY BREACHES
Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined
Cloud Computing and Privacy Toolkit Protecting Privacy Online May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Table of Contents ABOUT THIS TOOLKIT... 4 What is this Toolkit?... 4 Purpose of this Toolkit...