Cloud Security checklist Are you really ready for Cloud

Similar documents
CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

Information Security Policies. Version 6.1

Validating Enterprise Systems: A Practical Guide

Fujitsu Private Cloud Customer Service Description

Specialist Cloud Services. Acumin Cloud Security Resourcing

Fujitsu Asset Lifecycle Management Services

How To Make Money From Your Desktop Virtualisation

Microsoft Dynamics CRM as a. Service. G-Cloud Pricing. Service - Pricing. Commercial in Confidence

State Records Guideline No 25. Managing Information Risk

Cloud Computing and Records Management

Information Governance Policy

G-CLOUD 7 - VIRTUAL ASSET MANAGER (VAM) SPECIALIST CLOUD SERVICES (SCS)

PAYWARE MERCHANT MANAGED SERVICE

Fujitsu in Energy & Utilities

White paper Reaping Business Value from a Hybrid Cloud Strategy

IT Governance Charter

Prudential Practice Guide

Securing The Cloud With Confidence. Opinion Piece

G-Cloud Framework Service Definition. Information Distribution Service

Time better spent. Take your organisation somewhere new with Fujitsu Mobile Business Solutions. Reshaping ICT, Reshaping Business

Cloud Adoption. The definitive guide to a business technology revolution. shaping tomorrow with you

Records Retention and Disposal Schedule. Information Management

Application Value Assessment

ICT and Information Security Resources

Director, Value Engineering

IT Service Continuity Management PinkVERIFY

Salesforce ExactTarget Marketing Cloud Consultancy and Implementation Services

I S O I E C I N F O R M A T I O N S E C U R I T Y A U D I T T O O L

Datacenter Management Optimization with Microsoft System Center

Industry Solutions Process Manufacturing Flexible and Agile Engineering Document Control for Efficient, Safe and Compliant Plants

Job Description. Job Title: Network Services Manager. Department: INFORMATION TECHNOLOGY MAIN PURPOSE OF JOB: MAIN DUTIES AND RESPONSIBILITIES:

Moving from BS to ISO The new international standard for business continuity management systems. Transition Guide

Risk & Assurance. Tailored to your needs. Internal audit solutions

ENABLING ENTERPRISE AVEPOINT ONLINE SERVICES. For Microsoft Office 365 COLLABORATION. For how you work, where you work

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI v1.0

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

Cloud-based Infrastructure and Application Support Service Definition

Security in the Cloud: Visibility & Control of your Cloud Service Providers

Bringing Safe and Cost Effective Products to Market

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Backup Software? Article on things to consider when looking for a backup solution. 11/09/2015 Backup Appliance or

Cloud Platform Development Services

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

Release: 1. ICTNWK607 Design and implement wireless network security

The State of Hybrid Cloud

Coping with a major business disruption. Some practical advice

COMPUTACENTER AND SYMANTEC TOGETHER: PROTECTING AND EMPOWERING DATA

AWS IaaS Services. Methods Digital GCloud Service Definition

ISO 27001:2005 & ISO 9001:2008

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

The Cloud. IIA Seminar, York April 30 th

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

<workers> Online Claims and Injury Management

Industry Solutions Oil and Gas Engineering Document Control and Project Collaboration Solutions for Oil and Gas

Private Cloud: Key considerations for an insurance agency

Privacy and Cloud Computing for Australian Government Agencies

Information security controls. Briefing for clients on Experian information security controls

University of Sunderland Business Assurance Information Security Policy

Newcastle University Information Security Procedures Version 3

AGN INTERNATIONAL. Yo u r D o o r t o Wo r l d w i d e B u s i n e s s

CONTENTS. List of Tables List of Figures

PSN Protective Monitoring. Service Definition

Why Plan B DR? Benefits of Plan B Disaster Recovery Service:

Cloud Software Services for Schools

How To Assess A Critical Service Provider

The Business Case for Cloud: Critical Legal, Business & Diligence Considerations

Retention & Disposition in the Cloud Do you really have control?

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

HIPAA/HITECH Compliance Using VMware vcloud Air

How To Store s On A Server Or On A Hard Drive

Professional Indemnity Insurance for Security Companies Proposal Form

pavcloud PaaS IaaS VaaS DCaaS For orders and information call or FEATURES: BENEFITS: DCaaS VaaS IaaS PaaS

Information Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems

Application management services that power business transformation

EA-ISP-001 Information Security Policy

Transcription:

checklist Are you really ready for Cloud

Introduction Once you have assessed the benefits of migrating a business system or its function to the Cloud (See our White Book of Cloud Adoption), the next step is to consider the security and risk management implications of doing so. As with traditional outsourcing projects, organisations need to assess not only their own capabilities, but also those of any proposed cloud service provider. If you approach cloud in the right way, with appropriate checks and balances to ensure all necessary risk management measures are covered, security is not a barrier to adoption. This checklist enables you to make this assessment in two stages: 1 Determine how prepared the security team is for the move; 2 The readiness of the rest of the organisation by business area and any proposed provider s assurance of Cloud security. The following provides a high-level guide to the areas organisations need to consider. Once ALL the boxes have been ticked, you can be sure you are operating in a secure Cloud context.

1 Is the security team ready for the Cloud? 1 Is the security team aware of / knowledgeable about cloud? 2 Does the organisation have a cloud security strategy with which its auditors would be happy 3 Has security governance been adapted to include cloud? 4 Does the team s structure enable cloud security? 5 Has the security team updated all security policies and procedures to incorporate cloud? 6 Has the security team provided guidance to the business on how to remain secure within a cloud environment?

2 Is your organisation /service provider ready? Effective Cloud security considerations for the / Service provider spans three key areas: Management Operation Technology Management 1 Is everyone aware of his or her cloud security responsibilities? 2 Is there a mechanism for assessing the security of a cloud service? 3 Does the business governance mitigate the security risks that can result from cloud-based shadow IT? 4 Does the organisation know within which jurisdictions its data can reside? 5 Is there a mechanism for managing cloud-related risks? 6 Does the organisation understand the data architecture needed to operate with appropriate security at all levels? 7 Can the organisation be confident of end-to-end service continuity across several cloud service providers? 8 Can the provider comply with all relevant industry standards (e.g. the UK s Data Protection Act)? 9 Does the compliance function understand the specific regulatory issues pertaining to the organisation s adoption of cloud services?

Operation 1 Are regulatory complience reports, audit reports and reporting information available form the provider? 2 Does the provider have the right attitude to incident resolutions and configuration management, even when services involve multiple providers? 3 Does using a cloud provider give the organisation an environmental advantage? 4 Does the organisation know in which application or database each data entity is stored or mastered? 5 Is the cloud-based application maintained and disaster tolerant (i.e. would it recover from an internal or externallycaused disaster)? 6 Are all personnel appropriately vetted, monitored and supervised? 7 Is the provider able to deliver a service within the required performance parameters? 8 Is it easy to securely integrate the cloud-based applications at runtime and contract termination? 9 Do you know the loaction from which the provider will deliver support and management services? 10 Do the procurement processes contain cloud security requirements?

Technology 1 Are there appropriate access controls (e.g. federated single sign-on) that give users controlled access to cloud applications? 2 Is data separation maintained between the organisation s information and that of other customers of the provider, at runtime and during backup (including data disposal) 3 Has the organisation considered and addressed backup, recovery, archiving and decommissioning of data stored in a cloud environment? 4 Are mechanisms in place for identification, authorisation and key management in a cloud environment? 5 Are all cloud-based systems, infrastructure and physical locations suitably protected? 6 Are the network designs suitably secure for the organisation s cloud adoption strategy?

Closing remarks At Fujitsu, we recognise that for companies adopting cloud services, security is a key concern. Our Cloud offerings have built-in security mechanisms that address business concerns and our Cloud Committee ensures our cloud offerings are founded in future-proof security principles. As an active member of the Cloud Alliance and other industry bodies, we are firmly committed to furthering cloud standards. Further reading Cloud Alliance Guidance for Critical Areas of Focus in Cloud Computing V2.1 Gartner ID G00209052: Determining criteria for cloud security assessment: it s more than a checklist Cloud Legal Project at Queen Mary, University of London (http://www.cloudlegal.ccls.qmul.ac.uk/) The German Federal Office for Information s security requirements for cloud computing providers Cloud security study of the Fraunhofer Institute for Secure Information Technology (SIT). In addition, further guidance can be found from the following websites: www.first.org www.enisa.europa.eu www.cloudsecurityalliance.org www.nist.gov Contact us on: Tel: +44 (0) 870 242 7998 Email: askfujitsu@uk.fujitsu.com Web: uk.fujitsu.com Ref: XXXX. Copyright Fujitsu Services Ltd 2014. All rights reserved. No part of this document may be reproduced, stored or transmitted in any form without prior written permission of Fujitsu Services Ltd. Fujitsu Services Ltd endeavours to ensure that the information in this document is correct and fairly stated, but does not accept liability for any errors or omissions.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information