Page 1075 - Cloud computing: From paradigm to operation

Security                                                   7


            14      System acquisition, development and maintenance

            14.1    Security requirements of information systems

            The objective specified in clause 14.1 of ISO/IEC 27002 applies.

            14.1.1  Information security requirements analysis and specification
            Control 14.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.
            Implementation guidance for cloud services

            Cloud service customer: The cloud service customer should determine its information security
            requirements for the cloud service and then evaluate whether services offered by a cloud service
            provider can meet these requirements. For this evaluation, the cloud service customer should request
            information on the information security capabilities from the cloud service provider.

            Cloud service provider: The cloud service provider should provide information to the cloud service
            customers about the information security capabilities they use. This information should be informative
            without disclosing information that could be useful to someone with malicious intent.

            Other information for cloud services

            Care should be taken to limit disclosure of implementation details about security controls as they relate to
            the cloud service being provided to those cloud service customers or potential cloud service customers who
            have a non-disclosure agreement in place.

            14.1.2  Securing application services on public networks
            Control 14.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            14.1.3  Protecting application services transactions

            Control 14.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            14.2    Security in development and support processes
            The objective specified in clause 14.2 of ISO/IEC 27002 applies.

            14.2.1  Secure development policy
            Control 14.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.

            Implementation guidance for cloud services

            Cloud service customer: The cloud service customer should request information from the cloud service
            provider about the cloud service provider's use of secure development procedures and practices.

            Cloud service provider: The cloud service provider should provide information about its use of secure
            development procedures and practices to the extent compatible with its policy for disclosure.

            Other information for cloud services
            Secure development procedures and practices of the cloud service provider can be critical to SaaS.

            14.2.2  System change control procedures
            Control 14.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.
