Page 1078 - Cloud computing: From paradigm to operation

7  Security


            15.2    Supplier service delivery management

            The objective specified in clause 15.2 of ISO/IEC 27002 applies.

            15.2.1  Monitoring and review of supplier services

            Control 15.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            15.2.2  Managing changes to supplier services

            Control 15.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.


            16      Information security incident management

            16.1    Management of information security incidents and improvements

            The objective specified in clause 16.1 of ISO/IEC 27002 applies.

            16.1.1  Responsibilities and procedures

            Control 16.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.

            Implementation guidance for cloud services

            Cloud service customer:
            The cloud service customer should verify the allocation of responsibilities for information security
            incident management and should ensure that it meets the requirements of the cloud service customer.

            Cloud service provider:
            As a part of the service specifications, the cloud service provider should define the allocation of
            information security incident management responsibilities and procedures between the cloud service
            customer and the cloud service provider.
            The cloud service provider should provide the cloud service customer with documentation covering:
            –  the scope of information security incidents that the cloud service provider will report to the cloud
               service customer;
            –  the level of disclosure of the detection of information security incidents and the associated
               responses;
            –  the target timeframe in which notifications of information security incidents will occur;
            –  the procedure for the notification of information security incidents;
            –  contact information for the handling of issues relating to information security incidents;
            –  any remedies that can apply if certain information security incidents occur.

            16.1.2  Reporting information security events

            Control 16.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.