these investigations should be able to be conducted without affecting data
integrity and without interference from the CSP. In addition, CSPs should
only be allowed to make changes to the cloud environment under specific
standard operating procedures agreed to by the CSP and organization in
the contract.
Audit Logs
Organizations must work with CSPs to ensure that audit logs of a CSP
environment are preserved with the same standards as are required by
organizations. Organizations must outline which CSP personnel have
access to audit logs prior to placing data in the CSP environment. All CSP
personnel who have access to the audit logs must have the proper clearances
as required by the organization. Essentially:
1. All audit/transaction files should be made available to authorized
personnel in read-only mode.
2. Audit transaction records should never be modified or deleted.
3. Access to online audit logs should be strictly controlled. Only authorized
users may be allowed to access audit transaction files.
4. Audit/transaction records should be backed up and stored safely off
site.
Privacy Impact Assessments (PIA)
The PIA process helps ensure that organizations evaluate and consider
how they will mitigate privacy risks while complying with applicable privacy
laws and regulations governing an individual's privacy in order to
ensure confidentiality, integrity, and availability of an individual's personal
information at every stage of development and operation. Typically,
organizations conduct a PIA during the security authorization process for
IT systems before operating a new system and update.
Some of the normal considerations to include in a PIA are:
1. What information will be collected and put into the CSP environment
2. Why the information is being collected
3. Intended use of the information
4. With whom the information might be shared