Control groups table (columns: Control Group, Control Group Number, Control Number, Control Sub Group, Shortcode). Control groups present: Multi Tenancy and Outsourcing. Outsourcing shortcodes run from CC-OUTS-01 to CC-OUTS-39; the sub groups legible beside them are Management Information and Control (CC-OUTS-01 to CC-OUTS-11), Infrastructure Design (CC-OUTS-23 and CC-OUTS-24), Security Process (CC-OUTS-25 to CC-OUTS-29), Operational Process (CC-OUTS-30 to CC-OUTS-34) and Interfacing with the service (CC-OUTS-35 to CC-OUTS-39).
Control Group
* 2 = Outsourcing
* 3 = Multi tenancy
* 4 = PaaS
* 5 = SaaS
* 6 = Cloud Service Integration

Controls (columns: Short Control, Control):
* Cloud provider capacity management: Cloud provider will make sure enough capacity is available, taking peaks in usage and multi tenancy into account.
* Acceptable use other customers
* Network segregation
* Control over hardware in case of subpoenas: In case of a subpoena the cloud provider commits to make a commercially reasonable effort to resist, within the limits of applicable law, any confiscation of hardware and data from other customers.
* Clear agreements: All terms of business are clearly described and communicated. Service Level Agreements clearly describe both the scope and application of activities.
* Changes to agreements: Measures are in place to mitigate the risk of the cloud provider changing the Service Level Agreement, Terms of Business or the rest of the agreement against the customer's wishes.
* Portability of services: Short term contracts are possible. Customer data is exportable and transportable in an industry-accepted format. Migrations to other cloud providers will not be obstructed.
* Customer risk assessment: Cloud provider will provide information on request about risk of confiscation, provider termination, lock-in risk and change in cloud provider ownership.
* Compliance with SLA: Service Level Agreement fulfillment is defined, tracked and communicated to customers. Procedures are in place to bring SLA delivery back into compliance in case of a breach.
* Breach of uptime commitment
* Extreme provisioning requests: The customer will be informed of extreme provisioning requests made in its name. It is possible for customers to cap the maximum cost.
* Cloud provider termination
* Canceling of services by cloud provider: The cloud provider may only cancel a customer contract on short notice if required by law, if the services are not paid for or if breaches of the acceptable use policy are ignored. The customer is warned ahead of time if possible and there is a procedure that allows the customer access to its data.
* Suspension of services by cloud provider: The cloud provider may only suspend a customer's service if required by law, if services are not paid for or if a breach of the fair use policy is not remedied or the services or other customers are threatened. The customer is warned ahead of time if possible and the services will be made available again as soon as possible.
* Data location and applicable jurisdictions: Customer can determine jurisdiction where its data is stored. It will be communicated which governments and jurisdictions can lay claim to a customer's data.
* Evidence collection for customer investigations
* Supporting Customer investigations
* Disclosure of relevant legislation and regulatory contacts: Cloud provider will communicate legislation relevant to the service. Cloud provider will also provide details on supervisory authority, court of jurisdiction and contact details.
* Guaranteed data ownership
* Legal representation of customers
* Privacy policy
* Access of cloud provider personnel to the environment: Cloud provider personnel access rights and operator logs relating to the customer's environments will be made available to the customer on the customer's request. Cloud provider can be blocked from customer environments (with an exception for legal requirements).
* Data retention policy: A policy relating to the removal of data from cancelled products and dormant virtual machines and snapshots has been developed and implemented.
* Information over availability and performance: The expected level of performance, level of redundancy and expected recovery times at every level of the processing layer, data storage, the internal network and the transit connections are available. A backup policy has been established and made available. Information on datacenter locations, security, resilience and recovery policies will be available.
* Information on resiliency management: Disaster recovery plans and availability enhancing measures will be shared with customers when relevant.
* Changes in technology and change management: Procedures regarding the provisioning of information on changes to the information system will be established and implemented. Cloud provider will communicate its controls for the procurement of new information systems and enhancements. Cloud provider will endeavor to keep existing technologies used by customers available. When such technology is phased out, there will be a transition period.
* Information on security status and security policy changes: The cloud provider will ensure that security policy changes, the security status and security requirements for customers are communicated. Customers will be informed about security policy changes with material impact.
* Audits of security weaknesses: Security weaknesses and their mitigation are audited and the results of this will be communicated. Audit reports will not include information which might lead to compromise.
* Conflicting roles
* Customer responsibility regarding incidents
* Customer vulnerability assessment: Cloud provider will provide the possibility for vulnerability assessment by customers and provide information on the policy regarding vulnerability assessment.
* Information on incidents: A policy is available to inform customers in the case of a breach of privacy, a security breach or technical failure that could affect the customer. Fault logs policy will be communicated and relevant logs will be made available to customers on request.
* Information regarding SLA performance and service usage
* Information and planning regarding maintenance and outages
* Information on degraded services
* User manuals
* Management Interface Protection: Public facing web applications and APIs related to the cloud service shall be secured. Connections are made on the basis of strong passwords and encrypted connections.
* Customer payment data
* (short control not legible): Requests from customer personnel are only executed if that person has been authorized based on his or her predefined authorisation level.
Group summary (columns: Group #, Group Count, Group Short): Multi Tenancy (group 3, short MULTI) has 5 controls and Outsourcing (group 2, short OUTS) has 39 controls, 44 in total; the remaining groups are marked Future. Mapping columns: Mapping: 27017 (draft) and Mapping: CSA, holding ISO 27017 clause references and CSA control IDs that are not recoverable per control from this extraction.

Continued SLA non-compliance: In case the SLA delivery remains out of compliance customers will get the opportunity to migrate and will receive their product without charge for a reasonable period in order to facilitate the migration. If compliance with the SLA can not be achieved because of a change of law the relevant points of non-compliance will be deemed permissible.
Only the cloud specific risks related to the Infrastructure as a Service (IaaS) layer are included, excluding:
* Connections with the cloud.
* Software within customer environments.
* Internal security of the cloud provider (covered by ISO27001).
* Availability enhancing measures.
Risk table (columns: Risk, CloudControl); only the rows below are legible, with the mapped control shown where it survived beside the row:
* 1. Cloud provider does not maintain enough excess capacity to deal with peaks in usage. (CC-MULTI-01)
* 8. The provider changing the SLA, Terms of Business or the rest of the agreement against the customers' wishes.
* 38. The controls that guide changes to the information system are not clear to the customer.
* 39. Lack of information on the current security status, policy and requirements leads to customer reacting incorrectly to a security situation.
* 40. Customer can not check if security weaknesses are mitigated.
* 41. Audit reports reveal security weaknesses to third parties.
Controls referenced in the CloudControl column: CC-MULTI-01 to CC-MULTI-05 and CC-OUTS-01 to CC-OUTS-39.
Control sub groups: Multi Tenancy; Management Information and Control; Legal Process; Privacy and Access to Data; Infrastructure Design; Security Process; Operational Process; Interfacing with the Service.
* Under what circumstances can the cloud provider cancel a contract and what procedures does the cloud provider follow in these cases?
* Under what circumstances can the cloud provider suspend services and what procedures does the cloud provider follow in these cases?
* What foreign entities could the cloud provider be obliged to hand over the customers' data to?
* How does the cloud provider ensure the collection and availability of evidence when the customer needs it?
* Is the cloud provider obliged to cooperate with customer investigations?
* How are changes in the law and legal circumstances evaluated and responded to?
* What relevant legislation and regulation is the cloud provider subject to?
* Does the cloud provider have an obligation to disclose any legislation and/or regulatory framework it is subject to?
* How is the ownership of the customer with respect to its data guaranteed?
* How does the cloud provider respond to cease and desist notices and subpoenas with respect to its customers' environments and data?
* How does the cloud provider's privacy policy limit the analysis and distribution of customer data?
* How does the cloud provider limit the privacy risk related to its personnel having access to customer data?
* What is the policy with respect to the removal of data and how is this policy enforced?
* Does the cloud provider disclose all relevant information in order for the customer to adequately estimate availability risks? For example an adequate description of the redundancy measures in the networking, server and storage layers.
* Does the cloud provider disclose all relevant information in order for the customer to adequately estimate the performance of the acquired services? For example an adequate description of the networking, CPU and storage capacity available for the different environments.
* Does the cloud provider provide relevant information to the customer with respect to the resiliency management program?
* What is the policy with respect to changes to the information system that affect a customer?
* Will the cloud provider continue supporting essential technology that the customer needs?
* Does the cloud provider disclose the controls that guide changes to the information system?
* How does the cloud provider provide information on the current security policy, security status and the actions related to the security that are required from the customer?
* Is the mitigation of security weaknesses audited?
* How does the cloud provider ensure audit reports do not reveal security weaknesses?
* What is the cloud provider's policy with respect to conflicting roles?
* What cloud provider personnel could have conflicting roles?
* How is the customer informed of its responsibilities in the case an incident occurs?
* Is it possible for the customer to perform a vulnerability assessment? What could the scope of such an assessment be?
* How does the cloud provider ensure that the customer is informed about incidents that could impact its business?
* Does the cloud provider guarantee the availability of incident logs for the customer?