to support their indemnity. In instances where expected standards are not
met, then the CSP must be required to assume the liability if an incident
occurs directly related to the lack of compliance. In all instances, it is vital
for organizations to practice vigilant oversight.
When incidents do occur, CSPs should be held accountable for incident
responsiveness to security breaches and for maintaining the level of security
required by the organization. Organizations should work with CSPs
to define an acceptable time period for the CSP to mitigate and resecure
the system.
At a minimum, when implementing an incident response policy, organizations
should ensure that:
1. CSPs are contractually complying with organizational security
guidelines.
2. CSPs are accountable for incident responsiveness, including providing
specific time frames for restoration of secure services in the event
of an incident.
Key Escrow
Key escrow (also known as a fair cryptosystem or key management) is an
arrangement in which the keys needed to decrypt encrypted data are held
in escrow so that, under certain circumstances, an authorized third party
may gain access to those keys. Procedural and regulatory regimes in environments
where the organizations own the systems storing and transporting
encrypted data are fairly well settled. These regimes, however, become
increasingly complex when inserted into a cloud environment.
Organizations should carefully evaluate CSP solutions to understand
completely how a CSP performs key management, including how the key's
encrypted data are escrowed and what terms and conditions of escrow
apply to accessing encrypted data.
Forensics
When an organization uses a CSP environment, it should ensure that a
CSP only makes changes to the environment on pre-agreed-upon terms
and conditions or as required by the organization to defend against an actual
or potential incident. Organizations should require CSPs to allow forensic
investigations for regulatory, criminal, and noncriminal purposes, and