
@opexxx
Created September 11, 2024 20:31
Cloud Computing Policy
Document Type: Policy - Mandatory
Document ID:
Audience: All employees
Confidentiality: For internal use
Language: English
Applies to:
Version:
Owner:
Author:
1st Reviewer / Review Date:
2nd Reviewer / Review Date:
Approver (CEO) / Approval Date:
Release Date:
Next Review:

Executive Summary

Purpose of this document

This document describes how services provided by third parties will be monitored and reviewed.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls
    • A.5.1 Policies for Information security
    • A.5.19 Information security in supplier relationships

1. Introduction

The purpose of this document is to set out the organization's policy in the area of Cloud computing.

Company Name makes extensive use of cloud computing services in the delivery of its core business systems. The nature of these services is such that data is stored outside of the Company Name internal network and is subject to access and management by a third party. Furthermore, many cloud services are offered on a multi-tenant basis in which the infrastructure is shared across multiple customers of the Cloud Service Provider (CSP), making effective and secure segregation a key requirement.

It is therefore essential that rules are established for the selection and management of cloud computing services so that data is appropriately protected according to its business value and classification.

Cloud computing is generally accepted to consist of the following types of services:

  • Software as a Service (SaaS): The provision of a hosted application for use as part of a business process. Hosting usually includes all supporting components for the application such as hardware, operating software, databases, etc.
  • Platform as a Service (PaaS): Hardware and supporting software such as operating system, database, development platform, web server, etc. are provided but no business applications.
  • Infrastructure as a Service (IaaS): Only physical or virtual hardware components are provided.

This policy applies to the use of all types of cloud computing services and is particularly relevant where personal data is stored.

2. Policy

It is Company Name policy in the area of Cloud computing that:

Data belonging to Company Name will only be stored within cloud services with the prior permission of the CISO.

Appropriate risk assessment must be carried out regarding proposed or continued use of cloud services, including a full understanding of the information security controls implemented by the CSP.

Due diligence must be conducted prior to sign-up to a cloud service provider to ensure that appropriate controls will be in place to protect data. Preference will be given to suppliers who are certified to the ISO/IEC 27001 international standard and who comply with the principles of the ISO/IEC 27017 and ISO/IEC 27018 codes of practice for cloud services.

Service level agreements and contracts with cloud service providers must be reviewed, understood and accepted before sign-up to the service.

Contracts involving personal data must be checked to ensure that they comply with applicable data protection legislation. If not, a separate data processing agreement may be required.

Roles and responsibilities for activities such as backups, patching, log management, malware protection and incident management must be agreed and documented prior to the commencement of the cloud service.

Procedures must be established to ensure that activities that are irreversible in the cloud environment (e.g., deletion of virtual servers, terminating a Cloud service or restoration from backups) are subject to appropriate controls to avoid error. Supervision by a second, suitably qualified person must be a stated part of such procedures.

The location of the data stored with the CSP (e.g., UK, EU, USA) must be understood, and the applicable legal basis established, such as the country whose law applies to the contract.

Where available, multi-factor authentication must be used to access all Cloud services.

Sufficient audit logging must be available to allow Company Name to understand the ways in which its data is being accessed and to identify whether any unauthorized access has occurred.

Confidential data stored in cloud services must be encrypted at rest and in transit using acceptable technologies and techniques. Where possible, encryption keys will be held by Company Name rather than the supplier.

Company Name policies for the creation and management of user accounts will apply to Cloud services.

Backups must be taken of all data stored in the cloud. This may be performed either directly by Company Name or under contract by the cloud service provider.

All Company Name data must be removed from cloud services in the event of a contract coming to an end for whatever reason. Data must not be stored in the cloud for longer than is necessary to deliver business processes.

Table of Contents

Briefing Sheet

Target Audience: This Policy is intended to be understood and applied by all employees.
Implementation Timing / Impact: Describe when the policy enters into force.
Assumptions / Prerequisites: Describe if any.
Exception Management: Describe if needed.

History of Revisions

Version | Date | Description | Revised by