Page 1059 - Cloud computing: From paradigm to operation

Security


             Cloud service customer
             –  the cloud service users and the context in which they use the cloud service;
             –  the cloud service administrators of the cloud service customer who have privileged access;
             –  the geographical locations of the cloud service provider's organization and the countries where the
                cloud service provider can store the cloud service customer data (even temporarily).

             Cloud service provider
             –  virtualization security;
             –  access to and protection of cloud service customer data;
             –  lifecycle management of cloud service customer accounts;
             –  communication of breaches and information sharing guidelines to aid investigations and forensics.

            Other information for cloud services

             The cloud service customer's information security policy for cloud computing is one of the topic-specific
             policies described in ISO/IEC 27002 5.1.1. The information security policy of an organization deals with its
             information and business processes. When an organization uses cloud services, it can have a policy for cloud
             computing as a cloud service customer. An organization's information can be stored and maintained in the
             cloud computing environment, and the business processes can be operated in the cloud computing
             environment. General information security requirements stated in the information security policy at the top
             level are followed by the policy for cloud computing.

             In contrast to this, the information security policy for providing cloud services deals with the cloud service
             customers' information and business processes, not with the cloud service provider's information and
             business processes. Information security requirements for the provision of the cloud service should meet
             those of the prospective cloud service customers. As a result, they might not be consistent with information
             security requirements of the information and business processes of the cloud service provider. The scope of
             the information security policy is often defined in terms of the service, but not solely by organizational
             structure or physical locations.

             There are several virtualization security aspects for cloud computing, including lifecycle management of
             virtual instances, storage and access controls for virtualized images, handling of dormant or offline virtual
             instances, snapshots, protection of hypervisors and security controls governing use of self-service portals.

            5.1.2   Review of the policies for information security
            Control 5.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.


            6       Organization of information security

            6.1     Internal organization
            The objective specified in clause 6.1 of ISO/IEC 27002 applies.

            6.1.1   Information security roles and responsibilities
            Control 6.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.
