Page 1060 - Cloud computing: From paradigm to operation
7 Security
Implementation guidance for cloud services
Cloud service customer:
The cloud service customer should agree with the cloud service provider on an appropriate allocation of information security roles and responsibilities, and confirm that it can fulfil its allocated roles and responsibilities. The information security roles and responsibilities of both parties should be stated in an agreement.
The cloud service customer should identify and manage its relationship with the customer support and care function of the cloud service provider.
Cloud service provider:
The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers, and its suppliers.
Other information for cloud services
Even when responsibilities are determined within and between the parties, the cloud service customer is
accountable for the decision to use the service. That decision should be made according to the roles and
responsibilities determined within the cloud service customer's organization. The cloud service provider is
accountable for the information security stated as part of the cloud service agreement. The information
security implementation and provisioning should be made according to the roles and responsibilities
determined within the cloud service provider's organization.
Ambiguity in roles, and in the definition and allocation of responsibilities related to issues such as data
ownership, access control and infrastructure maintenance, can give rise to business or legal disputes,
especially when dealing with third parties.
Data and files on the cloud service provider's systems that are created or modified during the use of the cloud
service can be critical to the secure operation, recovery and continuity of the service. The ownership of all
assets, and the parties who have responsibilities for operations associated with these assets, such as backup
and recovery operations, should be defined and documented. Otherwise, there is a risk that the cloud service
provider assumes that the cloud service customer performs these vital tasks (or vice versa), and a loss of data
can occur.
6.1.2 Segregation of duties
Control 6.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply.
6.1.3 Contact with authorities
Control 6.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply. The following sector-specific guidance also applies.
Implementation guidance for cloud services
Cloud service customer:
The cloud service customer should identify the authorities relevant to the combined operation of the cloud service customer and the cloud service provider.
Cloud service provider:
The cloud service provider should inform the cloud service customer of the geographical locations of the cloud service provider's organization and the countries where the cloud service provider can store the cloud service customer data.
Other information for cloud services
Information about geographical locations where the cloud service customer data can be stored, processed
or transmitted can help the cloud service customer in determining the supervisory authorities and
jurisdictions.