Organizations must evaluate the type of data they will be placing into a
CSP environment and categorize their security needs accordingly.
Based on the level of security that an organization determines a CSP
environment must meet, the organization then must determine which
security controls a CSP will implement within the cloud environment.
Within this framework, organizations need to explicitly state not only the
security impact level the system must meet (i.e., whether the CSP environment
must meet the high, moderate, or low impact level), but also the specific
security controls associated with that impact level that the CSP must implement.
Continuous Monitoring
After organizations complete a security authorization of a system based on
clear and defined security authorization requirements detailing the security
controls a CSP must implement on their system, organizations must continue
to ensure that the CSP environment maintains an acceptable level of risk. To
do this, organizations should work with CSPs to implement a continuous
monitoring program. Continuous monitoring programs are designed to ensure
that the level of security established through a CSP's initial security
authorization is maintained while organizational data resides within the
CSP's environment.
Incident Response
Incident response refers to activities addressing breaches of systems, leaks/
spillage of data, and unauthorized access to data. Organizations need to
work with CSPs to ensure that CSPs employ satisfactory incident response
plans and have clear procedures regarding how the CSP responds to incidents
as specified in the organization's computer security incident-handling
guidelines.
Organizations must ensure that contracts with CSPs include CSP liability
for data security. An organization's ability to effectively monitor for
incidents and threats requires working with CSPs to ensure compliance
with all data security standards, laws, initiatives, and policies.
Generally, CSPs take ownership of their environment but not the data
placed in their environment. As a best practice, cloud contracts should
not permit a CSP to deny responsibility if there is a data breach within
its environment. Organizations should make explicit in cloud computing
contracts that CSPs indemnify organizations if a breach should occur, and
the CSP should be required to provide adequate capital and/or insurance