Information Disclosure Guidelines for Safety and Reliability of IaaS / PaaS

Transcription

1 Information Disclosure Guidelines for Safety and Reliability IaaS / PaaS Condition 1: Objective information disclosure Information disclosure would be made in a unit each IaaS/PaaS. Condition 2: Definition IaaS/PaaS IaaS/PaaS is defined in this guideline as follows. IaaS (Infrastructure as a Service) means which fer hardware resources, such as servers, hard disks and storages, necessary for ASP, SaaS or PaaS. In a broader sense, it means which include data centers. PaaS (Platform as a Service) means which fer system resources, development and operation resources and network facilities in a narrower sense, while meaning which include data centers and IaaS in a broader sense. IaaS and PaaS are collectively called hosting. Items for Information Disclosure Description / Time Date the Information Year, month, date information disclosure (in Western calendar) the Information Disclosure Disclosure Place business enterprise / Business Business Name business Formal name business enterprise (trade name) enterprise Overview enterprise Website business URL homepage business enterprise enterprise Established Year / Established year business enterprise (in Western calendar) Years in Business Years in the business Office (enterprise Address, postal code head fice business enterprise place) Number fices (domestic, overseas) Business Principal business Overview principal business business enterprise overview overview Human resources Management Representatives Name representative Background representative (age, academic, career, certificate etc.) Executive Number executive Employees Number employees Number regular employees (single basis) Financial Conditions Financial Sales Sales the entire business enterprise (Consolidated base) (unit: Yen) Data Ordinary prit Ordinary prit the entire business enterprise (Consolidted base) (unit: Yen) Capital Capital the entire business enterprise (Consolidated base) (unit: Yen)

2 Equity ratio Ratio equity capital the entire business enterprise (Consolidated base) (unit: %) Financial Listing on stock Whether or not business enterprise is listed on stock market, name Reliability markets market if listed Situation on financial Select appropriate situation from the following; (1) accounting audit by audit / Finan- accounting auditor, (2) audit by accounting adviser, (3) financial data cial data based on checklist according to small and mid-sized enterprise accounting, or (4) none the above Mandatory publication Whether or not financial statements is published mandatorily financial statements Capital relationship / Business connections Capital Shareholder composition Names large shareholders (largest 5) and ratio stock holding each relationship shareholder Business Main dealing financial Name main dealing financial institution connections institution Name industry Names industry organizations, economic organizations and others and/or which enterprise belongs non-governmental organizations which enterprise belongs Compliance Organization-syste m Rulemaking and documentation rules Full-time section and meeting committee structure Policies on the information security Policies on the complaint procedure relating to IaaS / PaaS Policies on the Business Continuity Policies on the Risk Management Presence or absence full-time section and meeting committee structure which is responsible for compliance, name section and meeting committee if present Presence or absence documents such as basic policies, organizational rules, manuals etc. on the information security, names documents if present Presence or absence documents such as basic policies, organizational rules, manuals etc. on the complaint procedure relating to IaaS /PaaS service, names documents if present Presence or absence documents such as basic policies, plans, manuals etc. on business continuity, names documents if present Presence or absence documents such as basic policies, plans, manuals etc. on risk management, names documents if present Basic features Service Name Name IaaS/PaaS service that disclosed information overview Start date Year, month, date service launch IaaS/PaaS service that disclosed information (If major renewal has occurred between service launch and application, sate year, month, date the renewal) Basic types Limitation on service customization Select appropriate type from the following; system platform service, development/runtime platform service, application platform service, hardware platform service, or network platform service Range application customization (It not defined or to be discussed separately, describe so)

3 (System (Hardware (Network Quality Service Types lines and bandwidths Provided OS Server maintenance ASP / SaaS Support Network provision for the connections by administrators Backup and restore Other (Development and execution (Application Support for stware development Services for domain name management Type line such as dedicated line (including VPN)and Internet Type band provided, description band guaranty if present Presence or absence provision virtualized OS Describe OS that serves as single OS (Windows, Unix, Linux, etc.) Description such as server OS initialization, patch update for OS, etc. Description such as search, authentication, clearing/billing, security, location data, timestamp, media, language conversion, etc. Description access methods such as remote desktop, SSH, etc. Description backup service, restore service at system failure, etc. Description administrative application service, clearing service, representative service, consulting service etc. Provision Java, Servlet, Perl, PHP, Ruby, C/C++ and other open source development environments etc. Description for IP address management, domain acquisition/management, DNS server management, etc. Mail Services Description for Web mail, mailing list, etc. Web Services Description for Web server, FTP server, Web account, access control, access log analysis, access log acquisition, blog, BBS etc. Others Description for API, DB server, etc. Server Description for shared server, dedicated server, etc. Storage Description storage hosting service Rental equipment Presence or absence trouble-shooting service, regular operation service, operation/maintenance support service for rental equipments, description if present Services for integrated Description fered by integrating virtual resources (virtual resource machine, server, storage, network etc.) Load balancer Description load balancer service Network device Description to provide network equipment such as router, switch, etc. Service availability Actual value service availability If actual value cannot be described by an unavoidable reason, the reason and target value must be described Pattern number type service in Information Security Guideline and counter measured reference value History service suspension accidents Management Method detection equipment failure and system delay service performance (point detection, detection interval, detection method such as screen display check) Method to understand service performance (point detection, detection interval, detection method such as screen display check)

4 Change / termination Prices for the / Cancellation Amount used Reinforcement service performance Acquirement Certification / Implementation Audits Treatment personal information Vulnerability assessment Interval on verifications backup data integrity Maintenance for backup data History award or commendation Service level agreement (SLA) Prior notice the change or termination Response and alternative for the change or termination References relating to the change or termination Charging methods Pricing structure / Prices Method payment Penalty for cancellation the contract Term for the prior notice cancellation from users Number users Number agencies Presence or absence system reinforcement determination criteria or plan Outline technical measure (load balancing, network routing, compression etc.) if determination criteria or plan is present Acquirement Privacy mark, ISMS (JIS Q etc.), ITSMS (JIS Q etc.), presence or absence audit report created upon ASCR18 (SAS70 in US). Provide name certification or audit if the above is present Clear indication purposes collecting personal information Presence or absence vulnerability assessment Readiness assessment criteria and procedure to take countermeasure, outline state countermeasure taken Backup execution interval Generations backup data(describe the number generations) Interval verification backup History awards received relevant to IaaS/PaaS service Whether or not SLA relevant to this certification items is attached to contract Time and method prior notice to users (Describe time prior notice using such units as 1 month prior, 3 months, 6 months, and 12 months) Presence or absence basic policies on response and alternative, outline if basic policies are present Presence or absence response to users at contract termination (introducing alternative service etc.), outline response if present Presence or absence responsibility to return information assets (user data etc.) at contact termination Presence or absence point contact (including one for regular complaints), name and opening hours point contact if present Charging methods measured rate portion and fixed rate portion respectively Amount initial cost, monthly charge, minimum contract duration * Details such as price chart for each service can be attached as appendix Methods payment such as credit card payment, electronic money payment, etc. Presence or absence cancellation penalty (which user must pay), amount penalty fee if present Presence or absence term for the prior notice cancellation from users, due date if present (describe how many days/months prior the notice should be made) Number or user licenses for IaaS/PaaS service that disclosed information (identify if this is the number concurrent users or actual users) Number agency IaaS/PaaS service that disclosed information

5 Data Location the Location saved customer data (place where data exists) when IaaS/PaaS Management data service is provided (describe country name) Data center used Number data centers used when IaaS/PaaS service is provided System Operation (Operation PaaS, Security) Operation PaaS Security (Platform, Storage) Security (Network) Live-or-death monitoring Presence or absence live-or-death monitoring, monitoring target if live-or-death monitoring is carried out (platform, storage etc.), and monitoring interval, monitoring time, notification time each live-or-death monitoring target Fault monitoring Presence or absence fault monitoring Time Synchronization Method time synchronization system Anti-virus Presence or absence antivirus measure, if present, update interval pattern file (time from vendor release) Administrator authentication Presence or absence formal procedure to register/remove administrator privileges (although the content is not disclosed, submission standards which describe procedures etc. is required as examination documents for certification) Record (Log) Usage users, whether or not record exception handling and security event (log etc.) is taken, how long record (log) is kept if taken Management Presence or absence standards administration method ID and IDs and passwords password (although the content is not disclosed, submission standards which describe administration method etc. is required as examination documents for certification Security Patch Presence or absence standard that defines how to acquire security patch Management information, assessment method, decision criteria, update procedure, update interval at normal time, emergency response, etc. Firewall Presence or absence firewall Network Intrusion Presence or absence detection mechanism unauthorized server intrusion Detection System by illegal packet or non-privileged user Network monitoring Reporting time when a failure occurs in the network (dedicated line etc.) between enterprise and contract user Virus check Presence or absence to , download file, and access to files on servers, update interval pattern file (time from vendor release) if measure is present User authentication Presence or absence personal authentication (Web, server) and user authentication by ID/password through authentication platform, method authentication if present Record (Log) Network usage, whether or not record exception handling and security event (log etc.) is taken, how long record (log) is kept if taken Defence against Presence or absence taken for spoing where a third party Spoing pretends to be a user company, method authentication if present Other security Describe freely for information leak and data encryption. Housing ( Location servers ) Building Name data center Beginning year the Data center Building for data centre or not Formal identification name or abbreviated name the data center indicated in the above item No, 75 <*> * the term abbreviated name here means A, B, C... or 1, 2, 3,,, etc. Year from which data center began its business Select whichever is closer between building dedicated to data center and fice building

6 Electric power facilities Fire extinguishing systems Protection against thunders Air conditioning facilities Security Location Country name, regional block name (if Japan, e.g. Kanto, Tohoku) Describe notable geographical advantages if any (e.g. altitude, ground condition etc.) Earthquake resistant Earthquake resistance value (seismic intensity) structures Building structure relevant to earthquake (quake-absorbing structure, quake-damping structure etc.) Uninterruptible Presence or absence to establish uninterruptible power supply power supply (UPS installation etc.), minimum power supply duration if present, (UPS) and relevance with start-up time emergency power supply Power supply route Whether or not 2 or more power supply routes via different substations are secured (except UPS and emergency power supply) Emergency power Presence or absence emergency power supply (private power generation), supply continuous operating time without refuelling if present, and de- scription emergency power supply operation measure (method continuous fuel supply etc.) Fire extinguishing Presence or absence automated fire extinguishing system, whether or systems in the not it is gas-based fire extinguishing system (whether it is halon gas type Server Room or new gas type) if present Fire sensor / alarm Presence or absence fire detection system and smoke detection system system Protection against Presence or absence for direct lightening stroke direct thunders Protection against Presence or absence for induced lightening stroke, value induced lightning maximum endurable voltage if present (optional) from thunders Adequate air conditioning facilities Control people's entry and leaving Stock recording media Other Service support Service desk (Complaints desk) Coverage / support Guarantee and continuity the security Business hours and dates Liability and amount the limit the accident Description air conditioning facilities (upward blowing air conditioning on the floor, individual air conditioning dedicated for computer, water-cooling/air-cooling, other devices etc.) Presence or absence entry and leaving record, how long record is kept if present Presence or absence surveillance camera, operating hours and monitoring range surveillance camera, how long videos are kept, and availability alternation prevention feature if present Presence or absence personal authentication system Presence or absence cabinet with key lock or stock room to keep medium such as magnetic tape, optical media, etc. Presence or absence stock control procedure document Other notable security Business days and hours (open hours) Availability outside hours response Support coverage Contact method (phone/fax, etc.) Presence or absence document stating liability data center provider at accident occurrence and compensation coverage policy, name document if present

7 Prior notice temporary closures by such as maintenances Time prior notice to users (Describe time prior notice using such units as 1 month prior, 3 months, 6 months, and 12 months) Methods prior notice to users Presence or absence emergency maintenance with shorter notification period than described above Presence or absence notification at failure occurrence Notification and report Services Notification systems accidents and disasters Periodical reports Presence or absence regular reporting to users