Page 1079 - Cloud computing: From paradigm to operation

Security                                                   7


            Implementation guidance for cloud services

             Cloud service customer:

             The cloud service customer should request information from the cloud service provider about the
             mechanisms for:
             –  the cloud service customer to report an information security event it has detected to the cloud
                service provider;
             –  the cloud service provider to receive reports regarding an information security event detected by
                the cloud service provider;
             –  the cloud service customer to track the status of a reported information security event.

             Cloud service provider:

             The cloud service provider should provide mechanisms for:
             –  the cloud service customer to report an information security event to the cloud service provider;
             –  the cloud service provider to report an information security event to a cloud service customer;
             –  the cloud service customer to track the status of a reported information security event.

            Other information for cloud services
            The mechanisms should not only define the procedures but also give essential information like contact phone
            numbers, email addresses and service times for both the cloud service customer and the cloud service
            provider.
            An information security event can be detected either by the cloud service customer or by the cloud service
            provider. Therefore, the main additional responsibility relating to cloud computing is that the party detecting
            the event should have procedures to report the event to the other party immediately.

            16.1.3  Reporting information security weaknesses
            Control 16.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            16.1.4  Assessment of and decision on information security events
            Control 16.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            16.1.5  Response to information security incidents
            Control 16.1.5 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            16.1.6  Learning from information security incidents
            Control 16.1.6 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            16.1.7  Collection of evidence

            Control 16.1.7 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.

            Implementation guidance for cloud services

             Cloud service customer and cloud service provider:

             The cloud service customer and the cloud service provider should agree upon the procedures to respond to
             requests for potential digital evidence or other information from within the cloud computing environment.









