Manage cloud services.

CONTROL ID
13144
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Refrain from implementing network elements in a public cloud., CC ID: 16382
  • Protect clients' hosted environments., CC ID: 11862
  • Establish, implement, and maintain cloud service agreements., CC ID: 13157
  • Establish, implement, and maintain cloud management procedures., CC ID: 13149
  • Establish, implement, and maintain a cloud service usage standard., CC ID: 13143
  • Monitor managing cloud services., CC ID: 13150
  • Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties., CC ID: 13147

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Institutions are ultimately responsible and accountable for maintaining oversight of CS and managing the attendant risks of adopting CS, as in any other form of outsourcing arrangements. A risk-based approach should be taken by institutions to ensure that the level of oversight and controls are comm… (6.8, Guidelines on Outsourcing)
  • A cloud service provider is used for hosting online services. (Security Control: 1437; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Cloud service providers are used for hosting online services. (Control: ISM-1437; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Cloud service providers are used for hosting online services. (Control: ISM-1437; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Regarding SaaS (Software as a Service), first the target objects relevant for the underlying cloud infrastructure must be identified like with IaaS and PaaS and assigned to corresponding modules. (§ 8.3.5 Subsection 5 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • When compared to PaaS, additional applications are modelled on the cloud IT systems regarding SaaS (e.g. a web service, a web application, or an SAP system). Regarding SaaS, in practice the cloud service provider is responsible for the whole cloud computing stack (servers, networks, storage, managem… (§ 8.3.5 Subsection 5 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The PaaS IT system with the connected cloud applications must be modelled for every cloud client, with the option of placing clients with the same platforms, applications, and protection requirements according to the specifications in Section 8.1.1 Reduction of complexity through the formation of gr… (§ 8.3.5 Subsection 4 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • IT services encompass all forms of IT procurement; in particular, this includes the provision of IT systems, projects/computer-aided construction projects or staff. Outsourcing of IT services shall meet the requirements pursuant to AT 9 of MaRisk. This shall also apply to the outsourcing of IT servi… (II.8.52, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Cloud providers should recognise the high value of administration systems. (12. ¶ 1, Cloud Security Guidance, 2)
  • Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for. (STA-06, Cloud Controls Matrix, v4.0)
  • Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization's information security requirements. (§ 5.23 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Other considerations as realized while assessing the CSO or as a result of lessons learned. (Section 5.1.7 ¶ 2 Bullet 12, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • OR Order a CSP service that provides a dedicated HSM that is managed solely by the customer/MO (Section 5.11 ¶ 3 Bullet 3, sub-bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Fully maintaining, patching, monitoring, and protecting the infrastructure, operating systems, and applications supporting all service offerings. (Section 6.4 ¶ 1 Bullet 4, sub-bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Non-CSP DoD contractors and DIB partners may wish to utilize Cloud Services in the fulfilment of their contract or for the protection/processing of DoD data they possess (i.e., CUI or Covered Defense Information (CDI)). Thus, for the protection of sensitive CUI/CDI, it is highly recommended that Non… (Section 5.13.2 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • An ICAP is a DISN boundary consisting of a Cybersecurity stack which protects the DISN (or other network) or the datacenter network to which the CSO is connected (inside / protected side of the boundary) from, and provides detection of, unauthorized network access from the CSP's infrastructure (outs… (Section 5.10.1.2 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • As a condition for a DoD Level 4 or Level 5 PA the CSP must offer the private connection service for access to the CSO. DoD recognizes that the CSP may not have one or more PoPs collocated with a DISN BCAP Meet-Me-Point. As such the existence of such a CSP network PoP will not be required for obtain… (Section 5.10.1.1.3 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Integration with DoD PKI is typically a CSP responsibility. Minimally, the CSP is responsible for providing capabilities that enable Mission Owners to configure a CSP service offering that integrates with DoD PKI. (Section 5.4.1.1 ¶ 1 Bullet 1, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • For dedicated infrastructure that only serves DoD tenants, CSPs must utilize all applicable DoD STIGs and/or SRGs to secure all DoD contracted cloud computing services. This applies at levels 4 and above for IaaS, PaaS, and SaaS offerings. (Section 5.5.1 ¶ 7, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD's objective requirement for all off-premises Level 4/5 CSP's CSOs serving the DoD is for the CSO to offer a "bring your own" IP address capability for all customer facing interfaces so that DoD NIPRNet IP addresses may be used via the private connection and BCAP. In this case, customer facing in… (Section 5.10.4.1 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD CSPs will, and commercial CSPs may (under DoD contract), instantiate their CSO architecture on DoD premises (DoD on-premises). Interconnection with DoD networks will be interoperable IAW engineering requirements that meet cybersecurity guidance and controls. Such implementations will be consider… (Section 5.2.1.1 ¶ 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Avoids making assumptions on the resilience of the entity's systems simply because they are operating in the cloud. (App A Objective 8:2g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identifies assets, applications, and services located in the cloud, if operating in the cloud. (App A Objective 8:2h, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Consideration of solutions that provide visibility into cloud applications. (App A Objective 11:1e Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Considers its implementation of cloud services and addresses the unique access control requirements for cloud environments, as appropriate. (App A Objective 14:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Systems and software operating in the cloud for which the entity is responsible as well as those managed by the entity on its premises. (App A Objective 15:3a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • If an entity has outsourcing arrangements in the cloud, determine whether management explores the use of tools designed for cloud computing. (App A Objective 17:1e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Requires appropriate controls over data stored in a cloud environment. (App A Objective 6.18.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should control and protect access to and transmission of information to avoid loss or damage and do the following: - Establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices and cloud services. - Define and implement… (II.C.13 Control of Information, FFIEC Information Technology Examination Handbook - Information Security, September 2016)