Establish, implement, and maintain cloud service agreements.


CONTROL ID
13157
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Manage cloud services., CC ID: 13144

This Control has the following implementation support Control(s):
  • Include the asset removal policy in the cloud service agreement., CC ID: 13161


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • For Ordinary systems, these measures must be taken in accordance with the content and risk characteristics of the services used. (C24.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The interface for provisioning IaaS cloud services (self-service portal) must be secured by the cloud service provider using suitable mechanisms for network separation (e.g. by networks, virtual firewalls, routing) and, if required, module APP.3.1 Web applications must be implemented. (§ 8.3.5 Subsection 3 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Furthermore, the cloud service provider must model an IT system with the corresponding operating system. For this IT system, a database or a web server must be modelled on application level depending on the cloud service. (§ 8.3.5 Subsection 4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Principles, procedures and safeguards for rendering (development and/or operation) the cloud service, including the controls established (Section 4 UP-01 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the cloud provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level … (Section 5.6 RB-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • From Friday 31 December 2021, the EBA Outsourcing GL expect banks to maintain an up-to-date register of information on all their outsourcing arrangements, distinguishing between those which are material and those which are not ('Outsourcing Register'). Banks are already expected to maintain a regist… (§ 4.16, SS2/21 Outsourcing and third party risk management, March 2021)
  • Review supply chain agreements between CSPs and CSCs at least annually. (STA-10, Cloud Controls Matrix, v4.0)
  • Review and validate SSRM documentation for all cloud service offerings the organization uses. (STA-05, Cloud Controls Matrix, v4.0)
  • The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). (§ 5.1.1 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The identities of the countries where PII can possibly be stored should be made available to cloud service customers. The identities of the countries arising from the use of sub-contracted PII processing should be included. Where specific contractual agreements apply to the international transfer of… (§ A.12.1 ¶ 4, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • In cloud computing environments, financial institutions may outsource the management of different controls over information assets and operations to the cloud service provider. Careful review of the contract between the financial institution and the cloud service provider along with an understanding… (Risks ¶ 1, FFIEC Security in a Cloud Computing Environment)
  • Contractual responsibilities, capabilities, and restrictions for the financial institution and cloud service provider. Contracts between the financial institution and cloud service provider should be drafted to clearly define which party has responsibilities for configuration and management of syste… (Risk Management Cloud Security Management Bullet 2, FFIEC Security in a Cloud Computing Environment)