Page 1063 - Cloud computing: From paradigm to operation
P. 1063

Security                                                   7


            Other information for cloud services

            There are cloud service applications that provide functions for managing information by adding cloud service
            derived data to the cloud service customer data. Identifying such cloud service derived data as assets and
            maintaining them in the inventory of assets can contribute to improving information security.

            8.1.2   Ownership of assets
            Control 8.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            Other information for cloud services
            The ownership of assets will likely vary depending on the category of the cloud service being used. Application
            software will belong to the cloud service customer when using a platform as a service (PaaS) or infrastructure
            as a service (IaaS) service, whereas for a software as a service (SaaS) service, the application software will
            belong to the cloud service provider.

            8.1.3   The acceptable use of assets
            Control 8.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            8.1.4   Return of assets
            Control 8.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            8.2     Information classification
            The objective specified in clause 8.2 of ISO/IEC 27002 applies.

            8.2.1   Classification of information
            Control 8.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            8.2.2   Labelling of information
            Control 8.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.

            Implementation guidance for cloud services
                          Cloud service customer                          Cloud service provider

             The cloud service customer should label information   The cloud service provider should document and
             and associated assets maintained in the cloud    disclose any service functionality it provides allowing
             computing environment in accordance with the cloud   cloud service customers to classify and label their
             service customer's adopted procedures for labelling.   information and associated assets.
             Where applicable, functionality provided by the cloud
             service provider that supports labelling can be adopted.

            8.2.3   Handling of assets
            Control 8.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            8.3     Media handling
            The objective specified in clause 8.3 of ISO/IEC 27002 applies.







                                                                                                        1055
   1058   1059   1060   1061   1062   1063   1064   1065   1066   1067   1068