Page 1062 - Cloud computing: From paradigm to operation

7                                                     Security


            Implementation guidance for cloud services

            Cloud service customer

            The cloud service customer should add the following items to awareness, education and training
            programmes for cloud service business managers, cloud service administrators, cloud service
            integrators and cloud service users, including relevant employees and contractors:
            –  standards and procedures for the use of cloud services;
            –  information security risks relating to cloud services and how those risks are managed;
            –  system and network environment risks with the use of cloud services;
            –  applicable legal and regulatory considerations.
            Information security awareness, education and training programmes about cloud services should be
            provided to management and the supervising managers, including those of business units. These
            efforts support effective co-ordination of information security activities.

            Cloud service provider

            The cloud service provider should provide awareness, education and training for employees, and
            request contractors to do the same, concerning the appropriate handling of cloud service customer
            data and cloud service derived data. This data can contain information confidential to a cloud
            service customer or be subject to specific limitations, including regulatory restrictions, on
            access and use by the cloud service provider.

            7.2.3   Disciplinary process
            Control 7.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            7.3     Termination and change of employment

            The objective specified in clause 7.3 of ISO/IEC 27002 applies.
            7.3.1   Termination or change of employment responsibilities

            Control 7.3.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.


            8       Asset management

            8.1     Responsibility for assets

            The objective specified in clause 8.1 of ISO/IEC 27002 applies.

            8.1.1   Inventory of assets
            Control 8.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.
            Implementation guidance for cloud services

            Cloud service customer

            The cloud service customer's inventory of assets should account for information and associated
            assets stored in the cloud computing environment. The records of the inventory should indicate
            where the assets are maintained, e.g., identification of the cloud service.

            Cloud service provider

            The inventory of assets of the cloud service provider should explicitly identify:
            –  cloud service customer data;
            –  cloud service derived data.







