Establish, implement, and maintain a cloud service usage standard.
CONTROL ID
13143
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Manage cloud services., CC ID: 13144

This Control has the following implementation support Control(s):
  • Use strong data encryption when storing information within a cloud service., CC ID: 16411
  • Include the roles and responsibilities of cloud service users in the cloud service usage standard., CC ID: 13984
  • Include information security requirements in the cloud service usage standard., CC ID: 13148


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • When using a cloud service, it is advisable to start using the service after clarifying the boundary of responsibility between the financial institution and the cloud service provider, taking into account the use pattern of cloud services, including IaaS, PaaS, and SaaS in a broad sense during the s… (C24.6., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In accordance with the Australian Government Secure Cloud Strategy, entities are able to self-assess cloud service providers and cloud services using the risk-based approach to cyber security outlined in the ISM. Entities are strongly recommended to use the ACSC's guidance on cloud security when per… (63., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • In order to take into account the different protection needs of the users, cloud computing platforms must be multi-client capable and ensure reliable and continuous separation of users for the whole cloud computing stack (servers, networks, storage and management). In addition to the usual security … (§ 8.2.9 Subsection 1 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • PII-specific responsibilities in this respect can lie with the cloud service customer. Where the public cloud PII processor explicitly provides backup and restore services to the cloud service customer, the public cloud PII processor should provide clear information to the cloud service customer abo… (§ 12.3.1 ¶ 4, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The public cloud PII processor should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The public cloud PII processor should also provide information to the cloud service customer about any capabilities it pr… (§ 10.1.1 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • Non-CSP DoD contractors and DIB partners may NOT utilize CSOs that have been granted a DoD Level 5 PA as such contractors are outside the supported community of Federal agencies until such time as DoD changes this Level 5 limitation. (Section 5.13.2 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • When using cloud services, mission partners and contractors are responsible for following all guidance in this CC SRG related to the Mission Owner that is not specific to a DISN-provided capability (e.g. CAP) or an enterprise service. The appropriate impact level must be selected based on the DoD da… (Section 5.13 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Strategies for using cloud computing services as part of the financial institution's IT strategic plan and architecture. The financial institution's plans for the use of cloud computing services should align with its overall IT strategy, architecture, and risk appetite. This includes determining the… (Risk Management Governance Bullet 1, FFIEC Security in a Cloud Computing Environment)