The Cloud Industry Forum Cloud Service Provider Code of Practice:

The Cloud Industry Forum Cloud Service Provider Code of Practice: Guidance for Cloud Service Providers www.cloudindustryforum.org

Table of Contents

- Purpose of this Document 3
- Process Stages Covered Within this Document 3
- Prepare Guidance 4
  - Preparation Checklist 4
  - Project Charter Template (MS Word Document) 4
  - Project Plan Template (MS Excel Spreadsheet) 4
- Assess, Improve and Declare Guidance 5
  - Assessment Spreadsheet (MS Excel Spreadsheet) 5
  - Guidance for Presentation of Information for sections A and B of the Code 5
  - Format for Public Disclosure Requirements (Section A.1) 7
  - Format and Naming Conventions for Supporting Documentation 8
  - Documentation Requirements for All Applications 8
  - Demonstrating Capability (Section B) 9
  - Signing Documents Electronically 11
    - Creating a digital signature 12
    - Digitally signing a document 15
    - Creating the FDF document 17
  - Guidance for Other Information Required for Application 20
    - Professional Reference Guidance and Template 20
    - Management Declaration Guidance and Template 20
- Publish Guidance 21
  - Updating Public Disclosure Information 21
  - Using the CIF Certified Logo 21
- Further information 21
  - Governance of The Code Of Practice 21
  - About the Cloud Industry Forum (CIF) 21
  - The CIF and The APM Group Limited (APMG) 22
  - Code Governance Board 22
  - Development and Maintenance of the Code 22
  - Audit and Appeal 23
  - Collaboration with Standards organizations and related Bodies 23
  - Contact Us 23

The CLOUD INDUSTRY FORUM and CIF words and associated logos are trade marks. Cloud Forum IP Limited 2013. All rights reserved.

NOTICE: This document is intended to provide general information in relation to the Cloud Industry Forum's Code of Practice journey for Certification. It is not intended to be comprehensive and should not be acted or relied upon as being so. Professional advice appropriate to specific circumstances should always be obtained.

Purpose of this Document

This document (Document 3) is aimed at organizations undertaking the Cloud Industry Forum (CIF) Cloud Service Provider (CSP) Code of Practice (Code) Self-Certification process. It is also relevant to any organization that may be considering Self-Certification against the Code. This document provides instructional and informational guidance for organizations going through the Self-Certification process, and includes templates and resources which will need to be referenced during various stages of the process, from initial preparation through to publishing certified status.

Organizations should also download and refer to the following information provided by the CIF, downloadable from the CIF website www.cloudindustryforum.org:

- Document 1: An Executive Briefing
- Document 2: Conducting the Self-Certification
- Terms and Conditions for Self-Certification
- Cloud Service Provider Code of Practice

Further information or guidance can also be sought directly from the CIF (info@cloudindustryforum.org) or APM Group, CIF's Independent Certification Partner (servicedesk@apmgroupltd.com).

Process Stages Covered Within this Document

This document covers the following stages of the Self-Certification process: Prepare, Assess, Improve, Declare, Publish.

The following additional documents are accessible to download by organizations registered for Self-Certification from www.selfcert.cloudindustryforum.org once registered:

- Project Charter (MS Word)
- Assessment Spreadsheet (MS Excel)
- Project Plan Template (MS Excel)
- Professional Reference template (MS Word)
- Management Declaration (pdf)

For information on earlier stages of the process, refer to the following documents:

- Document 1: An Executive Briefing
- Document 2: Conducting the Self-Certification

[Process diagram: RECOGNIZE NEED, DETERMINE REQUIREMENTS, REGISTER, PREPARE, ASSESS, IMPROVE, DECLARE, VALIDATE, AUTHORIZE, PUBLISH]

- PREPARE: To achieve optimum results, a formal project should be established to perform the self-assessment and achieve Certification.
- ASSESS: The organisation must conduct an Assessment of its compliance with Code requirements.
- IMPROVE: If any non-conformances are noted in the Assessment step, then improvement actions are undertaken.
- DECLARE: The organization completes the Application and required declarations, which are submitted to CIF via the online system.
- PUBLISH: The organization displays the Code Certification Mark on its website, together with hyperlinks to the CIF website.

Prepare Guidance

Preparation Checklist

The following Preparation Checklist has been created to aid Self-Certification registrants in the initial set-up activities involved in the Self-Certification process. A version of this table can also be found in the Assessment Spreadsheet (see Assess and Improve section). Preparation tasks do not have to be done in this precise sequence, but all should be done.

| Task | Done? | When complete? | Who? | Guidance |
|---|---|---|---|---|
| 1. Download: Doc.1: Executive Briefing; Doc.2: Conducting the Self-Certification; Doc.3: Guidance for Self-Certification; Cloud Service Provider Code of Practice | | | | |
| 2. Read: Doc.1: Executive Briefing; Doc.2: Conducting the Self-Certification; Doc.3: Guidance for Self-Certification; Cloud Service Provider Code of Practice; Terms and Conditions (available on-line) | | | | |
| 3. Register | | | | https://selfcert.cloudindustryforum.org. All information can be sourced from http://www.cloudindustryforum.org/code-of-practice/cloud-service-provider-info-pack or, only once registered, via https://selfcert.cloudindustryforum.org for specific templates |
| 4. Identify Team Leader/Project Manager | | | | |
| 5. Identify the Executive Sponsor | | | | |
| 6. Download / Review Additional Templates | | | | |
| 7. Establish detailed plan with assigned responsibilities, estimated timeline and estimated costs | | | | |
| 8. Review plan with APMG and clarify what additional help/guidance may be available | | | | Contact APMG via adminsc@cloudindustryforum.org |

Project Charter Template (MS Word Document)

The Project Charter will serve as an internal document that captures high-level planning information (scope, deliverables, assumptions etc.) about the Code of Practice Project. The Project Manager or Team Leader creates the Project Charter in the Initiation Phase of the Project, in consultation with the Executive Sponsor. Its purpose is to recognize the existence of the project and to begin the planning process required to accomplish the Project goals. It does not need to be shared with external parties as a formal contract or legal document. The completed Project Charter does not need to be shared with the CIF or submitted with the final application.

To access and download the Project Charter Template, log into the Self-Certification website.

Project Plan Template (MS Excel Spreadsheet)

The Project Plan Template is provided in Excel format to facilitate practical use in conducting a Self-Certification. The Excel file includes the following tabs/worksheets:

- Example Diagram (Gantt Chart)
- Example task table
- Example resource table
- Example assignment table

To access and download the Project Plan Template, log into the Self-Certification website.

Assess, Improve and Declare Guidance

Assessment Spreadsheet (MS Excel Spreadsheet)

The Assessment Spreadsheet is provided in Excel format and is for preparatory work during an assessment. It is particularly suited for use as a control tool to track corrective actions needed to achieve conformance with the Code, but can also be used to collect information. The final results demonstrating full conformance, as entered into or tracked via the Assessment Spreadsheet, must be transferred into the required presentation formats (webpage, documentation, and entered or uploaded via the online system) prior to submitting an application for validation of Self-Certification.

The Excel file includes the following tabs/worksheets:

- Overview
- Preparation Checklist
- Registration (ID and Scope)
- Transparency
- Capability
- Other Information
- Notes
- FAQs
- Feedback

To access and download the Assessment Spreadsheet, log into the Self-Certification website.

Guidance for Presentation of Information for sections A and B of the Code

Format for Public Disclosure Requirements (Section A.1)

To meet the requirements of section A.1 of the Code, applicant organizations must disclose information publicly via a published, online webpage. In addition to including all relevant information and evidence required by section A.1 of the Code, the online Public Disclosure content should conform to certain requirements in terms of format and, in some cases, content, to facilitate comparison by end users between different organizations.

Requirements for Online Presentation of Information

To comply with section A.1, information must be presented in the following way:

- The information must be available on a free-standing web page, or web pages where more than one website is used to support provision of services covered by the Code.
- The link to the free-standing web page must be called "CIF Code of Practice Disclosures".
- The link must be hyperlinked at a minimum from the home page of the organization's website and should be situated on the home page in a similar location to legal-type notices, disclaimers or site terms and conditions (usually found in menus which appear at the very bottom or top of standard web page designs).
- POST CERTIFICATION ONLY: The link must be displayed alongside the Certification Mark after the Mark has been granted.

Organization of Page Content

All information shall be presented sequentially on the web page and should be identifiable by the relevant Code sub-section, e.g. A.1.1, A.1.2 etc. Information can be presented on the webpage in free text or table format.

Mandatory Content for Section A.1.1

Post Registration Content (Pre-application)

The following text must be included against section A.1.1 on the disclosure web page (where Xxx is the organization's name) at the time that an application has been submitted but prior to award of certification:

NOTICE: While Xxx has made the commitment to the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

Post Self-Certification Content

(NOTE: this section is repeated in the Publish guidance within this document.)

Once the organization has had its Self-Certification recognized by the CIF, i.e. once the organization has received formal notification that it is authorized to display the Code Certification Mark, the following text shall be added to the web page in place of the text above (Post Registration text):

Xxx has completed the Self-Certification against the Code of Practice for Cloud Service Providers (the "Code") of the Cloud Industry Forum ("CIF", at www.cloudindustryforum.org), which the mark above demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available. Xxx is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.

NOTICE: While Xxx has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

The Certification Mark may also be shown in other places, as specified in the Logo Pack supplied when the organization is formally informed that it is authorized to display it.

Example Public Disclosure Content

The following is an example public disclosure for a self-certified organization, Cloud Service Provider Example Limited, using the required structure.

A.1.1. Compliance with Code

Cloud Service Provider Example Limited is committed to the principles of Transparency, Capability and Accountability which are embodied in the Cloud Industry Forum's Code of Practice, because these help create a more trustworthy business environment for cloud-based processing. Cloud Service Provider Example Limited is committed to complying with the specific requirements of the Cloud Industry Forum's Code of Practice for the period of Certification, for the scope defined below in A.1.3.

Cloud Service Provider Example Limited has completed the Self-Certification against the Code of Practice for Cloud Service Providers (the "Code") of the Cloud Industry Forum ("CIF", at www.cloudindustryforum.org), which the Self-Certification mark demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available. Cloud Service Provider Example Limited is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.

NOTICE: While Cloud Service Provider Example Limited has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

Cloud Service Provider Example Limited's website page where publicly disclosed information is available is at www.cloudserviceproviderExampleLimited.com/CIF-Code-of-Practice-Disclosures

A.1.2. Corporate Identity and Responsibilities

- Corporate name: Cloud Service Provider Example Limited
- Legal status: Private Limited Company
- Date of formation: 01 January 2012
- Location of registration: England
- Registration number: 1234567
- Ownership (major shareholders): Cloud Service Provider Venture Capital Investments; John Henry Adams; Luke Howard
- Members of board of directors: John Henry Adams; Luke Howard; Charles Thomson Wilson
- Executive management: Luke Howard (CEO); Charles Thomson Wilson (CFO)
- Corporate fixed address: 123 High Street, Anycity, Anycounty, UK XX1 2YY

A.1.3. Scope Covered by the Code

- Scope of services: web archiving services
- Geographical scope:
  - Countries with local sales and/or support: UK
  - Countries where customer data may be held or processed: UK. Customer data will only be held in the UK. No other options are available.

A.1.4. Public Branding

- Alternative trading name(s): Storage Rainbows Unlimited
- Website address(es): www.cloudserviceproviderexamplelimited.com; www.storagerainbowsunlimitedlimited.com

A.1.5. Third-Party Coverage Transparency

Cloud Service Provider Example Limited does not accept any indirect responsibility for our suppliers. Cloud Service Provider Example Limited's suppliers do not accept indirect responsibility to Cloud Service Provider Example Limited's customers. Cloud Service Provider Example Limited does not accept indirect responsibility to customers of customers.

A.1.6. Security Control Transparency with the Cloud Security Alliance

Cloud Service Provider Example Limited has not completed the Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance.

A.1.7. Other Extended Commitments to Code of Practice Principles

Cloud Service Provider Example Limited does not commit to any additional transparency, capability, or accountability requirements in addition to those contained directly in this Code of Practice.

A.1.8. Technological Commitments*

Cloud Service Provider Example Limited does not publicly commit to supporting any specific technologies, standards, or inter-operabilities. Any such support must be separately negotiated.

A.1.9. Existing Certifications*

Cloud Service Provider Example Limited does not have any other certifications.

A.1.10. Industry Association Memberships (Optional)**

Cloud Service Provider Example Limited is a member of the Cloud Industry Forum, in addition to being self-certified under its Code of Practice.

* In this example, the disclosure of information relating to sections A.1.8 and A.1.9 has been included on the public web page. If an organization chooses instead to disclose this information under section A.2, this information does not need to appear on the web page.

** Information has been disclosed against section A.1.10, which is fully optional, i.e. it does not need to be disclosed.

Format and Naming Conventions for Supporting Documentation

CSPs are required to provide documented evidence that they meet the specific requirements of the Code. CIF require documentation to be submitted in specific formats and according to specific filename conventions to:

- Be assured that requirements are being met by applicant CSPs specifically and not broadly; and
- Enable information to be sourced easily for the purposes of audit or complaint resolution.

Documentation uploaded to the online system as part of a CSP's application is likely to include:

| | Section A | Section B | Other Information |
|---|---|---|---|
| Code of Practice Requirement | A.1. Information for public disclosure (a print screen of the online web page); A.2. Information for contracting disclosure | Management system documentation for required capability areas, OR evidence of existing certification including a document outlining the scope of the certification | Professional Reference |

In addition to the files uploaded as part of the application, a self-certified organization shall maintain auditable records of its disclosure information as specified in the Accountability section of the Code. Such records shall be accessible both chronologically and also by potential customer, when provided to potential customers on an individual basis.

Documentation Requirements for All Applications

General

- The documentation shall be created exclusively using PDFs.
- The documentation shall be supplied to CIF via the online application system.
- The documentation shall be electronically signed using Adobe Acrobat. For information and instructions on electronically signing documentation, see the Signing Documents Electronically section of this document.

File Naming Conventions

All files shall include the prefix reference issued by the CIF at the time of registration. This prefix can be found on confirmation of registration or payment details issued by the CIF and is a combination of alpha-numeric characters, e.g. CFW100000.

Examples of acceptable document filenames:

| Document | Filename |
|---|---|
| Professional Reference | CFW0000_ProfRef.pdf |
| Standard Terms and Conditions | CFW0000CloudOrgT&Cs2012.pdf |
| Organization Chart | CFW0000_CloudOrg_OrgChart_2012.pdf |

Document references (when entered into online system)

When entered into the online system, all references to supporting documentation shall include a filename and an explicit reference within the file to a page or paragraph number, or a clause reference, where the information can be found. A file name alone is not acceptable.

If the amount of information to be put into an online reference field exceeds the character limit, which may be the case if multiple files are used in support of one Code requirement or area, it is acceptable for an applicant to do either of the following:

- Remove the prefix reference from the filename when entering the name into the online form field for a particular requirement; or,
- Create and submit an additional supporting document or page which contains all references mapping Code areas to submitted documentation. In this case, the online field can be completed with a reference to this new document/page instead.

Examples of acceptable online references:

- CFW0000DocFile p17
- CFW0000DocFile 17-19,36
- DocFile p17 para 5
- DocFile1 pp17-19; TsAndCs clause 14

Demonstrating Capability (Section B)

There are two ways of demonstrating capability at the time of application for Self-Certification:

- Using Existing Certifications: Providing evidence of appropriate existing certifications against relevant standards covering the same capability requirements; or,
- Using Primary Documentation: Providing primary documentation of required capabilities, including key policy and procedure-type documentation.

Using Existing Certifications

There are two types of certifications upon which reliance may be placed for demonstrating capability:

- International and national standards with prefixes like ISO, ISO/IEC, BS, ANSI, etc.
- The CIF Code of Practice Self-Certification, relevant if a CSP is relying in its application on another CSP which is already self-certified, e.g. for the provision of infrastructure services.

Scope. The organizational scope and scope of services of the existing certification must be directly relevant to the scope covered by the intended CIF Code of Practice Self-Certification. In order to use an existing certification to meet 100% of the requirements of any specific Code of Practice capability area, the scope of the existing certification must include 100% of the scope being self-certified under the CIF Code of Practice. If this is not the case, then there are two other alternatives that may be considered:

o Alternative one: it is possible to use the certificate for the part of scope which is relevant, and provide primary documentation for the rest of scope. In this case the application needs to clearly differentiate between the two sub-scopes. For applicants relying on the Self-Certification of another CSP, this would typically be the case, as there will almost always be some internal capability requirement which cannot be outsourced or subcontracted.
o Alternative two: it should be possible to use supporting materials for the existing certification as part of primary documentation, but not cite the certification itself.

Period of Validity. The certification must be valid on the date of the application. In the event that the period of validity for the certification does not include the entire period, i.e. in the event that the certification will end during the Code of Practice Self-Certification period, no further supporting documentation is required during the period of the CIF Code of Practice Self-Certification. Nonetheless, the self-certified CSP is committed to complying with the Code of Practice's capability requirements for the entire period, regardless of what supporting documentation was supplied at the time of application.

Internationally Recognized Certification. For certifications other than the CIF Code of Practice Self-Certification, the certification must have been performed by an organization which is accredited for that standard by an accreditation body which is a signatory to the Multilateral Recognition Arrangement (MLA) of the International Accreditation Forum. This includes most of the major certification companies in the world, but may not include smaller companies, or companies whose primary business is not certifications.

The following should be submitted to the CIF as supporting documentation for any capabilities to be demonstrated through such certifications:

- For certifications against international and national standards: a scanned copy of the certification certificate including scope and validity dates, and clarification of the accreditation body if it is not shown on the certificate.
- For reliance on other CIF Self-Certifications: a letter from the self-certified CSP which states the scope of their Self-Certification, the validity dates, and an acknowledgement that they know the applicant CSP is placing reliance on their capabilities and that a contract is in place between them to justify this reliance.
- A statement from the applicant CSP affirming that all criteria required for the acceptance of the certification are met.

Furthermore, if a reseller CSP seeking Self-Certification is relying on a supplier CSP's Code of Practice Self-Certification (e.g. if a reseller is relying on an infrastructure provider CSP, such as for IT security management capability), then the reseller's Self-Certification scope statement must clearly state that it is for services provided by the named supplier CSP. If the reseller changes its supplier for these services to another supplier, then the reseller cannot continue to claim to be certified itself. It may therefore be more practical for the reseller simply to market the fact that it is reselling services from a Code of Practice self-certified CSP, rather than to have its own Self-Certification under these circumstances. However, this is a business decision and not one driven by the Code of Practice itself. See also Leveraging Considerations for Subcontracted Cloud Service Providers.

The following are examples of international and national standards for which certifications could provide all necessary support for the CIF Code of Practice capability requirements, assuming that the scopes cover the relevant CIF capabilities:

| Capability | Standard |
|---|---|
| Information Security Management (Including Data Protection) | ISO/IEC 27001 |
| Service Level Management | ISO/IEC 20000-1 |
| Supplier Management | ISO/IEC 20000-1; ISO 9001 |
| Software License Compliance | ISO/IEC 19770-1 |
| Complaint Handling | ISO 9001 |
| Service Continuity Management | BS 25999 |
| Environmental Impact Management | ISO 14001 |

Using Primary Documentation

In principle it should be relatively straightforward to demonstrate capability as required by section B of the Code by using primary documentation, except for the first capability area, which is Information Security Management. Primary documentation must be documentation actually in use within the CSP, and not something that exists solely for the Code of Practice Self-Certification application. One of the benefits cited by CSPs that have been self-certified to the Code is that it has helped them to identify gaps in their existing policies and procedures and to fill them, strengthening the business in the process.

It is therefore expected, especially in smaller or younger organizations which may not have any existing certifications, that it will be necessary to improve or at least document some existing informal practices. Copies of this documentation, reflecting actual implemented practices, should then be included as primary supporting documentation for the Self-Certification application.

Primary documentation does not need to be extensive, but it must exist even if limited in detail. For example, the complaint handling capability for a very small CSP could be supported with two documents. One could be a half-page long, consisting of a policy statement (e.g. a requirement to respond to all complaints within x time, and to track and analyze for underlying root causes) and a procedure with assigned responsibilities (e.g. all complaints are handled initially by x, with appeals to be handled by y). The second document could be evidence of a course attended, external or internal, which includes this area, to demonstrate the provision for competence/training.

The general requirements for primary documentation are as follows, which may be covered in multiple ways, in individual or combined documents:

- Policy
- Procedures (or work instructions)
- Assignment of responsibilities
- Competence (or training)

There is also a requirement for Awareness for people besides those directly responsible for task execution, e.g. for awareness about security issues. In a CSP with a small number of employees (5 or fewer) it may not be realistic to expect documentation for awareness building, but for larger CSPs it is considered realistic. Awareness building can be accomplished in many ways, but one of the easiest to document is an internal annual training session to ensure that everyone is aware of overall policies, procedures, and assigned responsibilities. It can also provide an excellent opportunity for feedback and self-improvement.

As indicated above, additional guidance is appropriate for the capability area of Information Security Management (Including Data Protection). It is recommended that primary documentation be provided to demonstrate that the CSP is competently addressing the following areas:
- Security policy/data protection policy
- Responsibility for security management within the organization
- How security is built into the personnel processes (joining checks in terms of experience/qualifications/right to work, leaving procedures including revoking permissions/access)
- Guidance provided to staff on security best practice, including training and awareness
- Examples of security methods in use in relation to premises, equipment, network and backups
- Approach to information classification to reduce the risk of information slipping into the wrong hands
- How the above are monitored and reported on (could be internal audits, spot checks, monthly reports and analysis, etc.)
- Data Protection Act Registration (or the equivalent requirement in different jurisdictions) and/or processes implemented to ensure compliance

Leveraging Considerations for Subcontracted CSPs

The guidance above addresses one way that CSPs working together can leverage the benefits of a self-certified supplier CSP: helping a reseller CSP become self-certified.
There are two further ways for a reseller CSP to obtain significant benefits from working together with a self-certified supplier CSP.

Mentoring Partnership

If the reseller CSP wants to obtain its own Code of Practice Self-Certification, it may be possible for the reseller CSP to be mentored by the supplier CSP, including through the sharing of policy and procedure documentation which the reseller CSP can adopt with suitable modifications. This will expedite the process of the reseller developing its own internal capabilities, which can then be self-certified on a freestanding basis without reference to the supplier CSP's Self-Certification.

Marketing Partnership

Instead of obtaining its own Code of Practice Self-Certification, the reseller CSP can simply market the fact that it is reselling services from a self-certified supplier CSP. This should already provide a significant level of reassurance to the reseller CSP's potential customers. Note, however, that the supplier CSP must formally accept responsibility towards the customers of its own customers (i.e. towards the customers of the reseller CSP) for there to be any clear basis on which the ultimate customers can place reliance. This type of responsibility information should be available in the supplier CSP's public disclosures, in the third sub-point of section A.1.5 of the Code.

Signing Documents Electronically

Although the CIF Code of Practice scheme is based on Self-Certification, it needs to be enforceable, and therefore the supporting documentation on which it is based needs to be verifiable. The CIF has chosen, as its preferred method of achieving this, to use features of Adobe Standard/Professional (version 8 or later), which provide strong authentication capabilities. The screenshots in this HowTo guide have been produced using Adobe Professional v8. All materials should be saved as Adobe PDF documents, including the Professional Reference and the full Documentation File of supporting documentation.
The documents should be signed and certified with no fields being left as modifiable. The signature used should be for the person officially signing. Additionally, the CIF reserves the right to require the following, which are not shown in this HowTo guide:
- The signature used should be certified by a major publicly recognized certification authority.
- Long-Term Validation (LTV) should be used, which ensures the ability to validate a document's authenticity in the future regardless of whether the certificate has expired or has been revoked, or even if the issuing authority has gone out of business.
- A secure time stamp should be added to the digital signature, to confirm the time of the original signing.
- Fonts should be embedded and the RGB color scheme used when the documents are created, to avoid possible incompatibilities between originator and recipient systems. (The PDF/A option does this.)

The remainder of this document is a how-to for digitally signing documents as required for the CIF Code of Practice scheme. In order to digitally sign a document using Adobe, a digital signature must already exist. There are various desktop applications that can be used to create a digital signature, including Adobe Professional. Irrespective of the application used to create a digital signature, for the purpose of this HowTo guide, the format of the resulting signature must be compatible with Adobe applications.

Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, Distiller and Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
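The LTV and time-stamp requirements above are easy to state and easy to get subtly wrong when a signed application is re-checked years later. The following toy model, added here as an illustration and not code from the CIF, APMG or Adobe, makes the decision rules explicit: the signer's certificate is judged at the trusted time-stamp time (never at the signer's self-reported time), embedded revocation evidence only counts if it was captured at or after that time, and without either a time stamp or usable evidence the verifier cannot reach a verdict once the issuing authority is unreachable. It performs no real cryptography; the signature value is assumed to have already verified, and every certificate, date and revocation snapshot is a constructed sample value.

```python
"""Toy model of the long-term validation (LTV) rules discussed above.

Added example, not CIF or Adobe code. It performs no cryptography: the
signature value is assumed to have already verified, and the model only
decides at WHICH TIME the signer's certificate must be trusted and WHICH
revocation evidence may be used. All certificates, dates and snapshots
below are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class SignerCert:
    serial: str
    not_before: datetime
    not_after: datetime


@dataclass
class RevocationEvidence:
    """A CRL/OCSP snapshot: serials the CA considered revoked, and since when,
    as of the moment the snapshot was captured."""
    captured_at: datetime
    revoked_since: Dict[str, datetime] = field(default_factory=dict)


@dataclass
class PdfSignature:
    signer: SignerCert
    claimed_signing_time: datetime                  # set by the signer; not trustworthy alone
    timestamp: Optional[datetime] = None            # asserted by a trusted timestamp authority
    embedded_evidence: Optional[RevocationEvidence] = None  # LTV data stored in the PDF


def validate_at(sig: PdfSignature, now: datetime,
                live_ca_lookup: Optional[Callable[[datetime], RevocationEvidence]] = None
                ) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is VALID, INVALID or INDETERMINATE."""
    # 1. Validation time: only a TSA timestamp proves the signature existed then.
    #    Without one, the certificate has to be trusted right now.
    t = sig.timestamp if sig.timestamp is not None else now
    cert = sig.signer
    # 2. Validity window is checked at the validation time, not at the current time.
    if not (cert.not_before <= t <= cert.not_after):
        return "INVALID", f"certificate {cert.serial} not valid at {t.date()}"
    # 3. Revocation evidence: embedded LTV data counts only if captured at or after
    #    t (older data cannot describe the certificate's status at t); otherwise
    #    fall back to a live CA lookup, which may no longer be possible years later.
    evidence: Optional[RevocationEvidence] = None
    if sig.embedded_evidence is not None and sig.embedded_evidence.captured_at >= t:
        evidence = sig.embedded_evidence
    elif live_ca_lookup is not None:
        evidence = live_ca_lookup(now)
    if evidence is None:
        return "INDETERMINATE", "no usable revocation evidence and CA unreachable"
    # 4. Revoked before the validation time means the signature was never trustworthy.
    revoked_at = evidence.revoked_since.get(cert.serial)
    if revoked_at is not None and revoked_at <= t:
        return "INVALID", f"certificate {cert.serial} revoked {revoked_at.date()}, before {t.date()}"
    return "VALID", f"certificate {cert.serial} trusted at {t.date()}"


def demo() -> Dict[str, str]:
    """Constructed scenarios: one signing event, re-verified under different conditions."""
    cert = SignerCert("1001", utc(2012, 1, 1), utc(2013, 12, 31))
    signed = utc(2013, 4, 15)
    fresh = RevocationEvidence(utc(2013, 4, 16))                       # nothing revoked
    fresh_revoked = RevocationEvidence(utc(2013, 4, 16), {"1001": utc(2013, 3, 1)})
    stale = RevocationEvidence(utc(2013, 1, 1))                        # predates the signing
    later = utc(2016, 6, 1)                # certificate expired, issuing CA assumed offline
    ltv = PdfSignature(cert, signed, timestamp=signed, embedded_evidence=fresh)
    ltv_bad = PdfSignature(cert, signed, timestamp=signed, embedded_evidence=fresh_revoked)
    ts_only = PdfSignature(cert, signed, timestamp=signed)
    stale_ltv = PdfSignature(cert, signed, timestamp=signed, embedded_evidence=stale)
    plain = PdfSignature(cert, signed)
    ca_clean = lambda n: RevocationEvidence(n)                          # CA online, no revocations
    ca_revoked = lambda n: RevocationEvidence(n, {"1001": utc(2013, 9, 1)})  # revoked after signing
    return {
        "ltv_after_expiry_ca_offline": validate_at(ltv, later)[0],               # VALID
        "ltv_revoked_before_signing": validate_at(ltv_bad, later)[0],            # INVALID
        "ltv_revoked_after_signing": validate_at(ltv, later, ca_revoked)[0],     # VALID
        "timestamp_no_evidence_ca_offline": validate_at(ts_only, later)[0],      # INDETERMINATE
        "stale_evidence_ca_offline": validate_at(stale_ltv, later)[0],           # INDETERMINATE
        "plain_after_expiry": validate_at(plain, later)[0],                      # INVALID
        "plain_while_valid_ca_online": validate_at(plain, utc(2013, 6, 1), ca_clean)[0],    # VALID
        "plain_revoked_ca_online": validate_at(plain, utc(2013, 10, 1), ca_revoked)[0],     # INVALID
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36s} {verdict}")
```

The two INDETERMINATE cases are the ones the CIF requirement is aimed at: a time stamp alone proves when the signature was made but not that the certificate was trustworthy at that moment, and LTV data that was captured before the time stamp cannot vouch for it either. Only a time stamp together with revocation evidence captured at or after it lets a verifier reach VALID once the certificate has expired and the issuing authority can no longer be consulted.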

Creating a Digital Signature

A digital signature is used to approve a document much like a hand-written signature does. A digital signature can, optionally, include an image of your hand-written signature (and computer text setting out your contact details). This HowTo guide includes details about encapsulating an image of your hand-written signature. For the purpose of this HowTo guide, a fictitious signature has been created for TestSample.

Hand-written signature

This section assumes that you have the technical knowledge to scan, crop, tidy up and publish an image of your signature in the format of either a .jpg or .tiff file. If you wish to include an image of your handwritten signature in the digital signature, then please do so by:
- Sign on a blank sheet of paper
- Scan the paper
- Crop and tidy the image as necessary
- Save the resulting image as a .jpg or .tiff image file

Converting a .jpeg or .tiff image to a .pdf file

The image that you have created will need to be converted into a .pdf format. There are several ways to do this. As this HowTo guide makes use of Adobe Professional, it is logical to use the same application to perform the conversion.

With Adobe Professional open in the foreground, open Windows Explorer. With Windows Explorer open in the foreground and Adobe Professional immediately behind, navigate to the location where your image file is stored. With the relevant file name highlighted, simply click and drag the image file into the (currently empty) work area of the Adobe application. When the left button on the mouse is released, the image file will appear in Adobe, and Adobe Professional will appear as the foreground application. With the Adobe application in the foreground, select the following from the pull down menu: File/Save As (Shift+Ctrl+S), and save the file in .pdf format.

The CLOUD INDUSTRY FORUM and CIF words and associated logos are trade marks. Cloud Forum IP Limited 2010. All rights reserved. AP11-v6.1
NOTICE: This document is intended to provide general information in relation to the Cloud Industry Forum's Code of Practice journey for Certification. It is not intended to be comprehensive and should not be acted or relied upon as being so. Professional advice appropriate to specific circumstances should always be obtained.

Adding Time/Date stamp and other attributes

In order to make your digital signature fit for purpose, it will need to be capable of capturing adequate metadata for the purpose of future validation. Adobe Professional can be used to add additional functionality to your digital signature file as described below:

With the .pdf signature image file open, open the Preferences window by choosing Edit/Preferences (Ctrl+K) from the pull down menu. Once the Preferences window has opened, using the left pane, scroll down and highlight [Security]. Next, click the [New...] button.

Configure Graphic section
[1] Click the radio button [Imported graphic].
[2] Click the [File...] button and navigate to the .pdf image file with your signature in it. Click [OK] to commit your selection.

Configure Text section
[3] Leaving the Name and Date options, remove all of the other checkmarks.
[4] Click [OK] to finish.

Digitally signing a document

Open the .pdf file that you want to digitally sign. From the pull down options, select: Sign/Certify with Visible Signature.

Please read the notes in this dialogue box, and then click [OK] to continue.

Once you have clicked [OK] above, the mouse pointer will change to a crosshair. Click and drag out an area on the page to indicate where the image of your signature will appear. Once you release the left mouse button, another dialogue box, Certify Document, will appear. If the area that you indicate is quite small, then an alternative dialogue will appear, inviting you to start over. In either case, please follow the onscreen prompt.

The Cloud Industry Forum Cloud Service Provider Code of Practice: 04/2013 V1.0

In the Certify Document dialogue box, you will see many of the details that you elected in the Configure Signature Appearance section. In the Appearance pull down menu, select the file name that features a scanned copy of your signature and Time/Date stamp details, as selected in the Configure Signature Appearance section. When selected, you will note that a copy of your scanned hand-written signature will appear here.

Next, click on [Sign]. You will be prompted to save the resulting file. Enter the new file name as required. When the digitally signed file is saved, notice the additional security marks.

Creating the FDF document

In order for the recipient to authenticate the digitally signed document, you will need to export and send (via email) the key (Adobe FDF file) associated with the document that you have created. To export and email the Adobe FDF file, please follow the steps below:
- With the relevant document open, click on the Signature Properties button.
- When the Signature Properties dialogue box appears, select (from the Summary or Signer tab) Show Certificate.
- When the Certificate Viewer dialogue box appears, select [Export...].
- In the Data Exchange File dialogue box, note the Destination section. Change the selection to Email the exported data, and click [Next >]. Click [Next >] again in the next window.
- Next, click [Sign...] to sign the outgoing message, and select [Sign...] again in the dialogue box that follows.

Clicking [Next >] will prompt you to enter the email address of the intended recipient. In the next dialogue box, please enter the following email address into the [To:] field: adminsc@cloudindustryforum.org

Click [Next >] to proceed. Click [Finish] to accept and continue. Adobe will now automatically send the FDF file associated with your digital signature to the Cloud Industry Forum email address that you have entered. When the Finish button is clicked, the first of the Certificate Viewer dialogue boxes will re-appear. Click [OK], and then [Close] on the screen that follows to conclude this process.

NOTE: this is just a test sample email address.

Guidance for Other Information Required for Application

Professional Reference Guidance and Template

The following is the letter template to be provided on professional advisor letterhead to accompany all Self-Certification applications, which must be reproduced as presented below. The signed Professional Reference must come from your registered accountant, solicitor, certification body auditor, or similar individual from an organization which provides professional services to you on an on-going basis.

(on the professional services organization's letter-headed paper)

I hereby:
1. acknowledge that this Declaration will be submitted together with our client's application for the Cloud Industry Forum's Self-Certification, and in so doing,
2. declare:
   a. My organization's details are as follows:
      i. Name, address and contact of firm/practice
      ii. These details may be found in public at [URL].
   b. My professional qualifications may be validated as follows:
      i. Name of accrediting organization
      ii. These details may be found in public at [URL].
   c. The capacity of the professional relationship is [state].
   d. We have advised the organization for [state time] in this firm's professional capacity as stated above.

Signed by:
duly authorized for and on behalf of:
Date:

The Professional Reference should also be electronically signed and provided in pdf, electronically signed with all other documentation. To access and download a Word version of the Professional Reference, log into the Self-Certification website.

Management Declaration Guidance and Template

The Management Declaration is made on-line, as part of the application process. Because it is not realistic to expect a senior executive to physically perform part of an on-line application process, reliance is placed on the organization's internal procedures and communications to ensure that the relevant member of management has properly approved the Management Declaration.
When the on-line application is formally submitted, an email will be sent to the named senior executive to confirm the Management Declaration which has been recorded in his/her name, and a confirming response is required to complete the application. The confirming response should include sufficient information to identify the individual, including name and position. The Management Declaration will be available on the CIF website together with other publicly available information about the certified organization, showing the executive's name and position, but not the email.

The on-line Management Declaration contains the following wording:

I declare that:
a. [Organization Name] is committed to the principles of Transparency, Capability and Accountability which are embodied in the Cloud Industry Forum's Code of Practice, because these help create a more trustworthy business environment for cloud-based processing.
b. [Organization Name] is committed to complying with the specific requirements of the Cloud Industry Forum's Code of Practice for the period of Certification, for the scope defined in the application.
c. [Organization Name] is willing to submit any customer disputes to formal external dispute resolution.
d. The information provided in this application for Self-Certification is a true and accurate reflection of the business and practices of [Organization Name].
e. I am authorized to commit [Organization Name] to the contents of this Management Declaration.

I also acknowledge that:
a. This Management Declaration is a part of the full application for Self-Certification.
b. The Cloud Industry Forum's Terms and Conditions (IP14) apply to this application for Self-Certification.
c. An audit may be conducted by the CIF to ensure compliance with the Code of Practice.
d. Any non-conformance with the Code of Practice, at the sole determination of the CIF, as confirmed after the conclusion of appeal procedures, will result in the withdrawal of the Code of Practice certification in accordance with the General Cloud Industry Forum Terms and Conditions.
e. Any withdrawal of the Code of Practice certification may be publicized, including on the CIF web site and in other ways in the press.

To access and download a pdf copy of the Management Declaration to circulate to the named senior executive, log into the Self-Certification website.

Publish Guidance

Updating Public Disclosure Information

Once APMG has validated and authorized the Self-Certification, an organization will be issued with a Certificate stating the date of award, and will be required to add the following text to their website, to replace the Post Registration (Pre-Certification) text.

Post Self-Certification Text

Xxx has completed the Self-Certification against the Code of Practice for Cloud Service Providers (the "Code") of the Cloud Industry Forum ("CIF", at www.cloudindustryforum.org), which the mark above demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available. Xxx is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.

NOTICE: While Xxx has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

Further information

About the Cloud Industry Forum (CIF)

The CIF was established in direct response to the evolving supply models for the delivery of software and IT services.
Our aim is to provide much needed clarity for end users when assessing and selecting Cloud Service Providers, based upon the clear, consistent and relevant provision of key information about the organization, its capabilities and its operational commitments. We achieve this through a process of Self-Certification of vendors to a Cloud Service Provider Code of Practice requiring executive commitment and operational actions to ensure the provision of critical information through the contracting process. This Code of Practice, and the use of the related Certification Mark on participants' websites, is intended to promote trust to businesses and individuals wishing to leverage the commercial, financial and agile operations capabilities that Cloud-based and hosted solutions can provide. For further information about the Cloud Industry Forum, please refer to www.cloudindustryforum.org

Governance of The Code Of Practice

The Cloud Industry Forum has set up a governance board to be responsible for the stewardship of the Code of Practice, and full details of the board composition and committees can be found on the CIF website. This operates independently of the CIF Management Board of the not-for-profit member body, and includes representatives from outside CIF membership, including end user representatives, industry advisors and IT legal practices, to ensure a balanced and transparent approach to governance.

Using the CIF Certified Logo

Once a Self-Certification has been recognized, an organization will be supplied with the CIF logo pack, which includes:
- LP01 Guidelines for Self Certification Mark Use
- CIF Self-Certified Logo / Mark (in a number of formats and colours)

The LP01 document issued upon certification authorization provides guidance on the use of the mark, as well as the expectations for its use, which includes instructions on inclusion of the mark on Public Disclosures web pages.

Code of Practice Governance Board

The Code of Practice Governance Board is chaired by an elected representative from the governance board members, and is responsible for the following:
- Approving the CIF Code of Practice's goals, objectives and strategies in relation to the Code of Practice
- Reviewing the requirements of the Code of Practice on an annual basis and approving any changes
- Identifying the principal risks of the CIF Code of Practice operations and scope, and overseeing the implementation of appropriate risk assessment systems to manage these risks
- Reviewing and approving the CIF Code of Practice financial performance to ensure it operates viably
- Monitoring participant appeals, third party complaints and operational standards and consistency associated with the operation of the CIF Code of Practice
- Assessing its own effectiveness in fulfilling its responsibilities, including monitoring the effectiveness of individual representatives
- Ensuring the integrity of the CIF Code of Practice's internal control system and management information systems

The Board can set up committees to delegate specific responsibilities from time to time as required, and the composition of such committees will be set out on the CIF website.

Audit and Appeal

In order for the Code Self-Certification process to be credible and trusted it needs to have an appropriate enforcement model to challenge any false submissions. These validations will be based upon either a random audit, an external complaint or a whistle blower alert. As such the CIF will manage an audit process (directly or through accredited 3rd parties) and will have the capability and authority to enforce removal of the Certification Mark from organizations deemed not to have complied with the Code.
Independent Certification will only be enabled through bodies approved and accredited by the CIF, and as such the process of carrying out an Independent Certification will automatically imbue the participant with a higher degree of trust than is achieved through Self-Certification. If an external complaint or whistle blower statement is made about a self-certified participant that questions the validity of their declaration, the participant will be allowed to know the nature of the complaint and to provide any evidence to uphold their position as self-certified to the Code. The CIF will operate a Compliance Committee to oversee complaints and decide on their validity. In the event that the Compliance Committee upholds the complaint, the self-certified participant shall have the ability to challenge the findings by appeal to the Code Governance Board. The opinion of the Code Governance Board is final and no further route of appeal is available. The CIF Compliance Committee will acknowledge all complaints and reserves the right to publish opinions publicly. Only the Code Governance Board or its nominated representative/s will approve any public comment on complaints.

Collaboration with Standards organizations and related Bodies

By nature of the industry, the CIF will need to operate on an international stage, as the Cloud has no geographic boundary (though our legal remit will focus initially on the UK). The CIF will collaborate with and endorse appropriate security and technical interoperability standards that are outside of, but complement, the Code. The CIF participates in the activities of ISO/IEC JTC1 SC38, which includes cloud computing, via participation in the corresponding committee of the British Standards Institution.

The Role of The APM Group Limited (APMG) in Supporting Certification

APMG was established in 1993 and is a global business providing accreditation and certification services. APMG has a worldwide presence, with offices in Australia, China, Denmark, Germany, India, Italy, Malaysia, the Netherlands, the UK and the US. APMG has been working with the CIF to provide the administration behind the Code of Practice scheme. APMG has been appointed as the CIF's independent certification partner. APMG will use its independence to ensure those organizations which sign up to the Code of Practice are confident of an impartial, reasonable, consistent and professional approach to the processing of their information and assessments. APMG will also attend the Code Governance Board to provide a direct route for feedback from applicants working through the scheme into this monitoring body. APMG does not provide any commercial services within the Cloud and so is able to complete the assessments of organizations without any conflict of interest, protecting the integrity and confidentiality of the information provided as part of the application process. For further information about the APM Group Limited, please refer to www.apmgroupltd.com

Contact Us

Mail: The Cloud Industry Forum, Sword House, Totteridge Road, High Wycombe, HP13 6DG
www.cloudindustryforum.org
https://selfcert.cloudindustryforum.org
Email: info@cloudindustryforum.org / servicedesk@apmgroupltd.com
Telephone: +44 (0)844 583 2521 / +44 (0)1494 459 559