Establish, implement, and maintain cloud management procedures.

CONTROL ID: 13149
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Manage cloud services., CC ID: 13144

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another., CC ID: 16384
  • Define and enforce the deployment requirements for applications and virtual network devices in a public cloud., CC ID: 16383
  • Include cloud security requirements in the cloud management procedures., CC ID: 16366


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Institutions should be aware of CS' typical characteristics such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations. Hence, institutions should take active steps to address the risks associated with data access, confidentiality, integr… (6.7, Guidelines on Outsourcing)
  • Only community or private clouds are used for outsourced cloud services. (Security Control: 1529; Revision: 1, Australian Government Information Security Manual, March 2021)
  • outsourcing and cloud computing. (§ 8.1 Subsection 5 ¶ 2 Bullet 15, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Furthermore, the cloud service provider must model an IT system with the corresponding operating system. For this IT system, a database or a web server must be modelled on application level depending on the cloud service. (§ 8.3.5 Subsection 4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Principles, procedures and safeguards for rendering (development and/or operation) the cloud service, including the controls established (Section 4 UP-01 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the cloud provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level … (Section 5.6 RB-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The provider's segregation concept is documented and adapted to any changes. The following aspects are considered: (5.3.4 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • In material cloud outsourcing arrangements, the PRA expects firms to assess the resilience requirements of the service and data that are being outsourced and, with a risk-based approach, decide on one or more available cloud resiliency options, which may include: (§ 10.5, SS2/21 Outsourcing and third party risk management, March 2021)
  • Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data. (12. ¶ 1, Cloud Security Guidance, 1.0)
  • The methods used by the IaaS provider's administrators to manage the operational service should be designed to mitigate any risk of exploitation. (12: ¶ 1, Cloud Security Guidance, 1.0)
  • However, you will be responsible for much of the operational security of your applications. (5: ¶ 2, Cloud Security Guidance, 1.0)
  • Your provider should make the tools available for you to securely manage your access to their service, preventing unauthorised access and alteration of your resources, applications and data. (9. ¶ 2, Cloud Security Guidance, 2)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually. (STA-01, Cloud Controls Matrix, v4.0)
  • Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored. (Annex A: § CLD.12.1.5 ¶ 2, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • the service organization's use of technology, including its applications, infrastructure, network architecture, use of mobile devices, use of cloud technologies, and the types of external party access or connectivity to the system; (¶ 3.59 Bullet 9 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Integration with DoD PKI is typically a CSP responsibility. Minimally, the CSP is responsible for providing capabilities that enable Mission Owners to configure a CSP service offering that integrates with DoD PKI. (Section 5.4.1.1 ¶ 1 Bullet 2, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • All MPE CAP instantiations must be approved by the DoD CIO. (Section 5.10.1.4 ¶ 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • All on-premises Level 6 IaaS/PaaS/SaaS CSOs and Mission Owner systems/applications will be addressed using DoD SIPRNet IP addresses. (Section 5.10.4.1 ¶ 13, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • All off-premises CSP Level 6 SaaS and some PaaS service offerings connected to SIPRNet must utilize DoD assigned and managed SIPRNet IP addresses throughout. Alternate addressing will require a waiver. (Section 5.10.4.1 ¶ 11, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Provide visibility by the Mission Owner's CSSP entities as defined in Section 6, Cyberspace Defense and Incident Response. (Section 5.10.6 ¶ 1 Bullet 14, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • All off-premises CSP's Level 6 CSOs will be treated, designed, and addressed as an extension of the SIPRNet (i.e., a SIPRNet network enclave) or other SECRET mission partner network. (Section 5.10.4.1 ¶ 9, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Strategies for using cloud computing services as part of the financial institution's IT strategic plan and architecture. The financial institution's plans for the use of cloud computing services should align with its overall IT strategy, architecture, and risk appetite. This includes determining the… (Risk Management Governance Bullet 1, FFIEC Security in a Cloud Computing Environment)