General principles regarding the use of cloud services

The organization must define (in addition to more detailed practices regarding supplier responsibilities, incidents and the procurement of cloud services) the general principles for managing information security risks related to the use of cloud services.

The principles must take into account, for example:

  • how to utilize security features made possible by service providers
  • how to demand evidence of security measures implemented by service providers
  • what factors must be taken into account in the organization's own operations when utilizing a large number of service providers
  • how the use of cloud services is considered in the organization's own information security risk management process
  • procedures for ending the use of cloud services
Connected other frameworks and requirements:
5.23: Information security for use of cloud services
ISO 27001

General rules for the procurement of data systems

Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Connected other frameworks and requirements:
Chapter 4, Section 13: Information security of data assets and information systems
14.1.1: Information security requirements analysis and specification
ISO 27001
5.23: Information security for use of cloud services
ISO 27001
7.2 (MIL1): Manage Third-Party Risk
C2M2

Comprehensiveness of contractual terms for cloud service provisioning

Agreement between a cloud service provider and the organization must include requirements for protecting the organization's data and the availability of services, e.g. in the following ways:

  • providing a solution based on generally accepted architecture and infrastructure standards in the industry
  • managing access rights to meet organizational requirements
  • implementing malware control and protection solutions
  • processing and storage of the organization's sensitive data in approved locations (e.g. a certain country or legislative area)
  • providing support in the event of a data security breach
  • ensuring that the organization's data security requirements are met also in subcontracting chains
  • providing support in the collection of digital evidence
  • providing sufficient support when the organization wants to terminate the use of the service
  • required backup and secure management of backups, where applicable
  • return of information owned by the organization (e.g. source code, data entered into or created in the service) upon request or when the service ends
  • notification requirement in relation to significant changes (such as infrastructure, important features, information location or use by subcontractors)
Connected other frameworks and requirements:
5.23: Information security for use of cloud services
ISO 27001

Documenting security-related responsibilities for offered cloud services and utilized data systems

When utilizing or offering cloud services, both the service provider and the customer can have security responsibilities. The service provider may be responsible for technical cyber security while, for example, the customer is responsible for access management and for providing user guidelines for secure usage.

Responsibilities for shared information security roles towards offered cloud services and utilizing cloud-based data systems must be clearly defined and documented by both the cloud service customer and provider.

Connected other frameworks and requirements:
6: Organization of information security
ISO 27017
CLD 6.3: Relationship between cloud service customer and cloud service provider
ISO 27017
CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment
ISO 27017
6.1: Internal organization
ISO 27017
6.1.3: Contact with authorities
ISO 27017

Process for detecting and reporting security breaches related to the supply chain

The organization shall define the procedures for detecting and reporting security breaches in the supply chain. The process must take into account all roles in the supply chain, whether the organization is the customer of the end product or one supplier in the chain.

Policies shall take into account agreements with partners and customers and their commitments regarding the reporting obligations of both parties.

Connected other frameworks and requirements:
A.10.1: Notification of a data breach involving PII
ISO 27018
DE.CM-6: External service provider activity monitoring
NIST CSF
5.23: Information security for use of cloud services
ISO 27001

Confirming information security roles and responsibilities related to utilized cloud services

When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.

These can include, for example, responsibilities related to:

  • Malware protection
  • Cryptographic controls
  • Backup
  • Vulnerability and incident management
  • Compliance and security testing
  • Authentication, identity and access management
Connected other frameworks and requirements:
15: Supplier relationships
ISO 27017
15.1: Information security in supplier relationships
ISO 27017
15.1.2: Addressing security within supplier agreements
ISO 27017
15.1.3: Information and communication technology supply chain
ISO 27017
5.23: Information security for use of cloud services
ISO 27001