Information Disclosure Guidelines for Safety and Reliability of IaaS / PaaS




Information Disclosure Guidelines for Safety and Reliability of IaaS / PaaS

Condition 1: Objective of information disclosure
Information disclosure is made in a unit of each IaaS/PaaS service.

Condition 2: Definition of IaaS/PaaS
IaaS/PaaS is defined in this guideline as follows. IaaS (Infrastructure as a Service) means services which offer hardware resources, such as servers, hard disks and storage, necessary for ASP, SaaS or PaaS; in a broader sense, it means services which include data centers. PaaS (Platform as a Service) means, in a narrower sense, services which offer system resources, development and operation resources and network facilities, and in a broader sense, services which include data centers and IaaS. IaaS and PaaS are collectively called hosting.

Items for Information Disclosure / Description

Time of the Information Disclosure
- Date of the Information Disclosure: Year, month and date of information disclosure (in Western calendar)

Place of Business Enterprise / Business Enterprise Overview
- Business Name of business enterprise: Formal name of business enterprise (trade name)
- Website of business enterprise: URL of homepage of business enterprise
- Established Year of business enterprise: Established year of business enterprise (in Western calendar)
- Years in Business: Years in the business
- Office (enterprise place): Address and postal code of head office of business enterprise; Number of offices (domestic, overseas)
- Principal business: Principal business of business enterprise
- Business Overview: Overview of business enterprise

Human Resources Management
- Representatives: Name of representative; Background of representative (age, academic, career, certificate etc.)
- Executives: Number of executives
- Employees: Number of employees; Number of regular employees (single basis)

Financial Conditions

Financial Data
- Sales: Sales of the entire business enterprise (consolidated base) (unit: Yen)
- Ordinary profit: Ordinary profit of the entire business enterprise (consolidated base) (unit: Yen)
- Capital: Capital of the entire business enterprise (consolidated base) (unit: Yen)
- Equity ratio: Ratio of equity capital of the entire business enterprise (consolidated base) (unit: %)

Financial Reliability
- Listing on stock markets: Whether or not business enterprise is listed on a stock market, name of market if listed
- Situation on financial audit / financial data: Select the appropriate situation from the following; (1) accounting audit by accounting auditor, (2) audit by accounting adviser, (3) financial data based on checklist according to small and mid-sized enterprise accounting, or (4) none of the above
- Mandatory publication of financial statements: Whether or not financial statements are published mandatorily

Capital Relationship / Business Connections
- Capital relationship (Shareholder composition): Names of large shareholders (largest 5) and ratio of stock holding of each shareholder
- Business connections (Main dealing financial institution): Name of main dealing financial institution
- Name of industry and/or non-governmental organizations to which enterprise belongs: Names of industry organizations, economic organizations and others to which enterprise belongs

Compliance
- Organization-system (Full-time section and meeting committee structure): Presence or absence of full-time section and meeting committee structure which is responsible for compliance, name of section and meeting committee if present
- Rulemaking and documentation of rules (Policies on the information security): Presence or absence of documents such as basic policies, organizational rules, manuals etc. on the information security, names of documents if present
- Policies on the complaint procedure relating to IaaS/PaaS: Presence or absence of documents such as basic policies, organizational rules, manuals etc. on the complaint procedure relating to IaaS/PaaS service, names of documents if present
- Policies on the Business Continuity: Presence or absence of documents such as basic policies, plans, manuals etc. on business continuity, names of documents if present
- Policies on the Risk Management: Presence or absence of documents such as basic policies, plans, manuals etc. on risk management, names of documents if present

Basic Features of Service

Service overview
- Name: Name of IaaS/PaaS service that disclosed information
- Start date: Year, month and date of service launch of IaaS/PaaS service that disclosed information (if a major renewal has occurred between service launch and application, state year, month and date of the renewal)
- Basic types: Select the appropriate type from the following; system platform service, development/runtime platform service, application platform service, hardware platform service, or network platform service
- Limitation on service customization: Range of application customization (if not defined or to be discussed separately, describe so)

Service Types

(System)
- Quality of lines and bandwidths: Type of line such as dedicated line (including VPN) and Internet; Type of band provided, description of band guaranty if present
- Provided OS: Presence or absence of provision of virtualized OS; Describe OS that serves as single OS (Windows, Unix, Linux, etc.)
- Server maintenance: Description such as server OS initialization, patch update for OS, etc.
- ASP / SaaS Support: Description such as search, authentication, clearing/billing, security, location data, timestamp, media, language conversion, etc.
- Network provision for the connections by administrators: Description of access methods such as remote desktop, SSH, etc.
- Backup and restore: Description of backup service, restore service at system failure, etc.
- Other: Description of administrative application service, clearing service, representative service, consulting service etc.

(Development and execution)
- Support for software development: Provision of Java, Servlet, Perl, PHP, Ruby, C/C++ and other open source development environments etc.

(Application)
- Services for domain name management: Description for IP address management, domain acquisition/management, DNS server management, etc.
- Mail Services: Description for Web mail, mailing list, etc.
- Web Services: Description for Web server, FTP server, Web account, access control, access log analysis, access log acquisition, blog, BBS etc.
- Others: Description for API, DB server, etc.

(Hardware)
- Server: Description for shared server, dedicated server, etc.
- Storage: Description of storage hosting service
- Rental equipment: Presence or absence of trouble-shooting service, regular operation service, operation/maintenance support service for rental equipment, description if present
- Services for integrated virtual resources: Description of services offered by integrating virtual resources (machine, server, storage, network etc.)

(Network)
- Load balancer: Description of load balancer service
- Network device: Description of provision of network equipment such as router, switch, etc.

Service Availability
- Actual value of service availability: If the actual value cannot be described for an unavoidable reason, the reason and target value must be described
- Pattern number: Pattern number of type of service in the Information Security Guideline and counter-measured reference value
- History of service suspension accidents
- Management of service performance: Method of detection of equipment failure and system delay (point of detection, detection interval, detection method such as screen display check); Method to understand service performance (point of detection, detection interval, detection method such as screen display check)

Reinforcement, Certification and Data Protection
- Reinforcement of service performance: Presence or absence of system reinforcement determination criteria or plan; Outline of technical measure (load balancing, network routing, compression etc.) if determination criteria or plan is present
- Acquirement of Certification / Implementation of Audits: Acquirement of Privacy mark, ISMS (JIS Q 27001 etc.), ITSMS (JIS Q 20000-1 etc.), presence or absence of audit report created upon ASCR18 (SAS70 in US); provide name of certification or audit if the above is present
- Treatment of personal information: Clear indication of purposes of collecting personal information
- Vulnerability assessment: Presence or absence of vulnerability assessment; Readiness of assessment criteria and procedure to take countermeasures, outline of state of countermeasures taken
- Maintenance for backup data: Backup execution interval; Generations of backup data (describe the number of generations)
- Interval on verifications of backup data integrity: Interval of verification of backup
- History of award or commendation: History of awards received relevant to IaaS/PaaS service
- Service level agreement (SLA): Whether or not an SLA relevant to these certification items is attached to the contract

Change / Termination
- Prior notice of the change or termination: Time and method of prior notice to users (describe time of prior notice using such units as 1 month prior, 3 months, 6 months, and 12 months)
- Response and alternative for the change or termination: Presence or absence of basic policies on response and alternative, outline if basic policies are present; Presence or absence of response to users at contract termination (introducing alternative service etc.), outline of response if present; Presence or absence of responsibility to return information assets (user data etc.) at contract termination
- References relating to the change or termination: Presence or absence of point of contact (including one for regular complaints), name and opening hours of point of contact if present

Prices for the Service / Cancellation
- Charging methods: Charging methods of measured rate portion and fixed rate portion respectively
- Pricing structure / Prices: Amount of initial cost, monthly charge, minimum contract duration (* Details such as price chart for each service can be attached as appendix)
- Method of payment: Methods of payment such as credit card payment, electronic money payment, etc.
- Penalty for cancellation of the contract: Presence or absence of cancellation penalty (which user must pay), amount of penalty fee if present
- Term for the prior notice of cancellation from users: Presence or absence of term for the prior notice of cancellation from users, due date if present (describe how many days/months prior the notice should be made)

Amount Used
- Number of users: Number of user licenses for IaaS/PaaS service that disclosed information (identify whether this is the number of concurrent users or actual users)
- Number of agencies: Number of agencies of IaaS/PaaS service that disclosed information

Data Management
- Location of the data: Location of saved customer data (place where data exists) when IaaS/PaaS service is provided (describe country name)
- Data center used: Number of data centers used when IaaS/PaaS service is provided

System Operation (Operation of PaaS, Security)

Operation of PaaS
- Live-or-death monitoring: Presence or absence of live-or-death monitoring; monitoring target if live-or-death monitoring is carried out (platform, storage etc.), and monitoring interval, monitoring time and notification time of each live-or-death monitoring target
- Fault monitoring: Presence or absence of fault monitoring
- Time Synchronization: Method of time synchronization of system

Security (Platform, Storage)
- Anti-virus: Presence or absence of antivirus measure; if present, update interval of pattern file (time from vendor release)
- Administrator authentication: Presence or absence of formal procedure to register/remove administrator privileges (although the content is not disclosed, submission of standards which describe procedures etc. is required as examination documents for certification)
- Record (Log): Usage of users; whether or not record of exception handling and security event (log etc.) is taken, how long record (log) is kept if taken
- Management of IDs and passwords: Presence or absence of standards of administration method of ID and password (although the content is not disclosed, submission of standards which describe administration method etc. is required as examination documents for certification)
- Security Patch Management: Presence or absence of standard that defines how to acquire security patch information, assessment method, decision criteria, update procedure, update interval at normal time, emergency response, etc.

Security (Network)
- Firewall: Presence or absence of firewall
- Network Intrusion Detection System: Presence or absence of detection mechanism of unauthorized server intrusion by illegal packet or non-privileged user
- Network monitoring: Reporting time when a failure occurs in the network (dedicated line etc.) between enterprise and contract user
- Virus check: Presence or absence of virus check of email, downloaded files, and access to files on servers; update interval of pattern file (time from vendor release) if measure is present
- User authentication: Presence or absence of personal authentication (Web, server) and user authentication by ID/password through authentication platform, method of authentication if present
- Record (Log): Network usage; whether or not record of exception handling and security event (log etc.) is taken, how long record (log) is kept if taken
- Defence against spoofing: Presence or absence of measures taken against spoofing where a third party pretends to be a user company, method of authentication if present
- Other security: Describe freely for information leak and data encryption

Housing (Location of Servers)

Building
- Name of data center: Formal identification name or abbreviated name of the data center indicated in the above item No. 75 (*) (* the term abbreviated name here means A, B, C... or 1, 2, 3... etc.)
- Beginning year of the Data center: Year from which data center began its business
- Building for data centre or not: Select whichever is closer between building dedicated to data center and office building

Location
- Location: Country name, regional block name (if Japan, e.g. Kanto, Tohoku); Describe notable geographical advantages if any (e.g. altitude, ground condition etc.)
- Earthquake resistant structures: Earthquake resistance value (seismic intensity); Building structure relevant to earthquake (quake-absorbing structure, quake-damping structure etc.)

Electric power facilities
- Uninterruptible power supply (UPS): Presence or absence of uninterruptible power supply (UPS installation etc.), minimum power supply duration if present, and relevance with start-up time of emergency power supply
- Power supply route: Whether or not 2 or more power supply routes via different substations are secured (except UPS and emergency power supply)
- Emergency power supply: Presence or absence of emergency power supply (private power generation), continuous operating time without refuelling if present, and description of emergency power supply operation measure (method of continuous fuel supply etc.)

Fire extinguishing systems
- Fire extinguishing systems in the Server Room: Presence or absence of automated fire extinguishing system; whether or not it is a gas-based fire extinguishing system (whether it is halon gas type or new gas type) if present
- Fire sensor / alarm system: Presence or absence of fire detection system and smoke detection system

Protection against thunders
- Protection against direct thunders: Presence or absence of protection against direct lightning stroke
- Protection against induced lightning from thunders: Presence or absence of protection against induced lightning stroke, value of maximum endurable voltage if present (optional)

Air conditioning facilities
- Adequate air conditioning facilities: Description of air conditioning facilities (upward blowing air conditioning on the floor, individual air conditioning dedicated for computers, water-cooling/air-cooling, other devices etc.)

Security
- Control of people's entry and leaving: Presence or absence of entry and leaving record, how long record is kept if present; Presence or absence of surveillance camera, operating hours and monitoring range of surveillance camera, how long videos are kept, and availability of alteration prevention feature if present; Presence or absence of personal authentication system
- Stock of recording media: Presence or absence of cabinet with key lock or stock room to keep media such as magnetic tape, optical media, etc.; Presence or absence of stock control procedure document
- Other: Other notable security measures

Service support

Service desk (Complaints desk)
- Business hours and dates: Business days and hours (open hours); Availability of outside-hours response
- Coverage / support: Support coverage; Contact method (phone/fax, E-mail etc.)

Guarantee and continuity of the security
- Liability and amount of the limit of the accident: Presence or absence of document stating liability of data center provider at accident occurrence and compensation coverage policy, name of document if present

Notification and Report Services
- Prior notice of temporary closures such as for maintenance: Time of prior notice to users (describe time of prior notice using such units as 1 month prior, 3 months, 6 months, and 12 months); Methods of prior notice to users; Presence or absence of emergency maintenance with shorter notification period than described above
- Notification systems of accidents and disasters: Presence or absence of notification at failure occurrence
- Periodical reports: Presence or absence of regular reporting to users