Cloud Computing Compliance Controls Catalogue (C5) : Criteria To Assess The Information Security of Cloud Services
Table of Content
1 Introduction 10
2.1 Structure of C5 13
3.1 Introduction 18
Cloud Computing Compliance Controls Catalogue (C5) | Table of Content
5.3 Personnel 35
5.6 Operations 41
1 Introduction
2 Structure and contents of C5
Section: Objective

Security policies and work instructions: Providing policies and instructions with respect to the security claim and to support the business requirements.

Personnel: Making sure that employees, service providers and suppliers understand their tasks, are aware of their responsibility with regard to information security and that the assets of the organisation are protected if the tasks are modified or completed.

Asset management: Identifying the organisation's own assets and responsible persons as well as ensuring an appropriate level of protection.

Physical security: Preventing unauthorised physical access and protection against theft, damage, loss and failure of operations.

Identity and access management: Securing the authorisation and authentication of users of the cloud provider (usually privileged users) and the cloud customer in order to prevent unauthorised access.

Cryptography and key management: Using appropriate and effective cryptography in order to safeguard information security.

Portability and interoperability: Providing the ability to securely operate the service on different IT platforms as well as the possibility of secure connections to different IT platforms and termination of the service.

Procurement, development and maintenance of information systems: Complying with the security targets in case of new developments and procurement of information systems as well as changes.
Section: Objective

Control and monitoring of service providers and suppliers: Protecting information that can be accessed by service providers and/or suppliers of the cloud provider (subcontractors) and monitoring the services and security requirements agreed upon.

Security check and verification: Checking and verifying that the information security safeguards are implemented and carried out in accordance with the organisation-wide policies and instructions.

Compliance and data protection: Preventing violations against statutory or contractual duties with respect to information security.

Mobile device management: Guaranteeing secure access to IT systems via mobile devices in the cloud provider's responsibility to develop and operate the cloud service.
» ISO/IEC 27001:2013
3 Proving conformity with the requirements by an independent audit
In case of special questions regarding the auditing procedure as well as documentation and reporting, ISAE 3402 “Assurance Reports on Controls at a Service Organization” is to be used correspondingly. As an alternative or supplement, the auditor can also refer to the German version of this standard (IDW PS 951 new version “Die Prüfung des internen Kontrollsystems bei Dienstleistungsunternehmen” [Auditing the internal control system of service companies]) and/or the US-American targets of the “Statements

For several aspects, however, the BSI has specific additional expectations. These expectations relate, for example, to the qualification of the auditor or details of the presentation of deviations identified in the reporting. They are summarised and explained in section 3.5 as “Separate and supplementary requirements of the BSI”.
» Reliability: Criteria are reliable if they allow for a consistent and comprehensible assessment of the principles, procedures and safeguards established by the cloud provider.

» Neutrality: Criteria are neutral if they ensure an objective assessment of the principles, procedures and safeguards established by the cloud provider.

» Comprehensibility: Criteria are comprehensible as far as they allow for clear conclusions and misinterpretations are thus avoided.

The requirements of C5 are based on the standards and publications listed in section 2.3. By means of this reference, it is ensured according to the BSI’s point of view that the requirements included therein are suitable for use as a basis for a proper and comprehensible assessment of the cloud services by the cloud provider themselves and by an independent auditor.

3.3 Subject of the audit including system description

3.3.1 Subject of the audit

The subject of the audit includes the following two areas:

For an audit regarding C5, a distinction is made between two types of audits and reporting, as is also the case in ISAE 3402 or IDW PS 951 new version.

» Type 1 audit and reporting: The auditor has to assess whether the system description properly reflects the actual design and implementation of the internal control system related to the cloud services at the time of the audit and whether the controls presented have been designed appropriately. Type 1 reporting is suitable, for example, for initial audits of newly developed cloud services in order to obtain an audit result in a timely manner. It is not suitable for demonstrating effective implementation over a retrospective period of time.

» Type 2 audit and reporting: As compared to type 1 audit and reporting, the auditor performs additional audit activities with respect to the effectiveness of the controls (functional tests). For this purpose, the audit period usually covers twelve months, but not less than six months. Shorter audit periods can be taken into account in exceptional cases (e. g. foundation of the cloud provider, acquisition of new cloud services) and must be justified within the report. According to the BSI’s professional point of view, type 2 audit and reporting is required in order to provide an appropriate informative opinion. Type 1 reporting should only be carried out in the
exceptional cases as mentioned above and must be justified and should under no circumstances be considered several times in a row.

C5 makes a distinction between basic requirements and additional requirements (see section 2.1).

» The audit and reporting can be based either on the basic requirements alone or on the basic requirements together with the additional requirements.

» The basic requirements (and, where applicable, the additional requirements) must be addressed completely and without omissions. To demonstrate a higher level of confidentiality, additional requirements relating to confidentiality can be taken into consideration (in section 5, column “C/A” classified with “C” and/or “C/A”). The same applies to demonstrating a higher level of availability. Which additional requirements were used as criteria for the audit must be reflected in the system description of the cloud provider. If all additional requirements relating to confidentiality (C and C/A) and/or all requirements with reference to availability (A and C/A) have been met in full, this must also be marked in the description of the subject of the audit by the supplement “The system description addresses all additional requirements regarding [the confidentiality]/[(and) the availability] in full”. If individual requirements cannot be applied from the cloud provider’s point of view, this is to be justified accordingly in the system description. The supplement in the description of the subject of the audit is omitted in this case.

3.3.2 System description of the cloud provider

The system description of the cloud services is created by the cloud provider. The minimum scope of the system description results from applying ISAE 3402 (or the standard(s) used as an alternative, see section 3.2) correspondingly. The following components have to be listed, for example:

» Type and scope of the provided cloud services

» Principles, procedures and measures for providing (development and/or operation) the cloud service, including the implemented controls

» Description of the infrastructure, network and system components used for the development and operation of the cloud service, including the geographical location of the data in use or at rest

» Regulation for handling significant incidents and conditions which constitute exceptions to regular operations, such as the failure of critical IT systems

» Roles and responsibilities of the cloud provider and the cloud customer, including the obligation to cooperate and required corresponding controls at the cloud customer

» Functions assigned or outsourced to subcontractors

For type 2 reporting, the system description must represent all essential changes to the internal control system related to the cloud services, which were made during the period covered, in a sufficiently detailed manner. This also includes those changes resulting from an update of C5 which has taken place in the meantime (see section 3.5.4).

Information which is relevant to the environment of the internal control system related to the cloud services must not be omitted or distorted in the system description. However, this does not include all aspects that can be considered to be important from the perspective of individual contractors or prospects.

In this respect, it must be noted that the system description is usually drawn up for a large number of cloud customers for whom the cloud provider may follow individual processes customized to meet individual cloud customer requirements.

In many cases, the cloud provider outsources parts of their business processes for the development and/or operation of the cloud service to other service companies (use of subcontractors). This
must be taken into account accordingly in the system description (and also in the course of the audit). For this purpose, a distinction is made between the “inclusive method” and the “carve-out method”.

» Inclusive method: The system description also includes the type and scope of the outsourced functions and the controls implemented at the subcontractor, which, together with the controls at the cloud provider themselves, are also subject of the audit.

» Carve-out method: The system description does not include a detailed description of the outsourced functions. The controls implemented at the subcontractor are not subject of the audit. In this case, at least the controls of the service provider which are used to monitor the effectiveness of the controls at the subcontractor are audited (see also the requirements DLL-01 and DLL-02 in section 5). The most straightforward approach in this case is if the subcontractor is audited (and will be audited regularly) according to the requirements of this document and submits an audit report on the effectiveness of the outsourced controls to the cloud provider, which the provider processes as part of their procedures used to control and monitor their subcontractors.

The cloud provider must select the method to be applied for his audit. This selection must be outlined clearly in the audit report and made transparent to the (potential) cloud customer. When the carve-out method is applied, the certified public auditor assesses whether the scope of the outsourcing is presented in the system description (e. g. on the basis of the contract and audit reports on the service-related internal control system of the subcontractor) and whether the effectiveness of the outsourced controls is monitored by the cloud provider according to requirement DLL-02.

To what extent subcontractors meet the requirements from this catalogue and how the surrounding parameters for transparency are designed at the subcontractor must be documented in the audit report.

3.3.3 Use of evidence from other audits

The requirements of C5 are largely based on nationally and internationally recognised standards. If those standards are already used by the cloud provider as references, the provider will have already aligned the processes and controls of his operations to the related requirements of C5. These processes and controls typically also constitute the basis for further audits which are carried out at the cloud provider, usually by independent external auditors. In this context, audits according to ISAE 3402, IDW PS 951 and/or the US-American regulations for SOC 1 or SOC 2 in particular should be mentioned.

In these cases, it is recommended to combine the organisation and timing of these audits with an audit according to C5. This enables the auditor and cloud provider, in case of overlapping controls, to use parts of the system descriptions and audit results for both the reporting according to ISAE 3402 and/or SOC 2, for example, and for the reporting according to C5. It usually makes sense to cover the same audit period for C5 as for the other audits.

This makes it possible to reduce the additional effort for covering the requirements of C5, for the documentation of the measures in a system description and for the audit itself.

If the cloud provider aims for further certificates (e. g. according to ISO/IEC 27001, ISO 22301 or data protection certificates), it is recommended to incorporate the corresponding auditors in the audit team and to perform a joint audit as far as practicable. This allows further optimisation of the audit efficiency. The reference table provided in a separate document for C5 may help to identify overlaps between the standards mentioned in section 2.3 and C5.

The auditor’s other general possibilities of also using audit results as work of others are part of his or her individual responsibility and remain unaffected by the statements above.
3.4 Audit objective and reporting

3.4.1 Audit objective

With respect to the audit objective, a distinction has to be made as to whether type 1 or type 2 reporting (see section 3.3.1) has been agreed upon. Depending on the type, the auditor issues different audit opinions. The objective of the audit is to allow the auditor to issue a statement with reasonable assurance (audit opinion) as to whether

» the provider’s system description properly reflects the actual design and implementation of the internal control system related to the cloud services at the point in time of the audit (type 1 reporting) and/or during the period of time to be audited (type 2 reporting),

» the controls presented in the system description at the time of the audit (type 1 reporting) and/or during the period of time to be audited (type 2 reporting) are designed appropriately with respect to the fulfilment of the requirements of C5 and

» the controls presented in the system description (only in the case of type 2 audit and reporting) were effective during the period of time to be audited.

» Independence and quality assurance of the auditor/auditing company, including information on the technical qualification of the auditor

» Responsibility of the auditor

» Inherent limits of controls at service companies

» Audit opinion

» Addressees and use of the certificate

» Notes on the assignment conditions

2. Statement of the legal representatives of the cloud service provider and/or of the cloud provider management responsible for the cloud services (internationally also referred to as “written assertion” or “written statement”)

3. Description of the internal control system related to the cloud services (as part of the system description)

4. Presentation of the requirements and the assigned controls (part of the system description) as well as presentation of the audit activities carried out and the individual audit results of the auditor
In addition to the general requirements for the auditor associated with the application of ISAE 3000 (Revised), the following supplementary requirements are imposed on the auditor or the audit team, respectively.

At least half of the members of the audit team have more than 3 years of professional experience in accounting (auditing) and, in addition to this, at least one of the following professional examinations/certifications:

» Information Systems Audit and Control Association (ISACA) – Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) or Certified in Risk and Information Systems Control (CRISC)

» ISO/IEC 27001 Lead Auditor or BSI-certified ISO 27001 Auditor for Audits on the basis of BSI IT-Grundschutz

» Cloud Security Alliance (CSA) – Certificate of Cloud Security Knowledge (CCSK)

As part of the reporting, it must be specified which of the professional examinations/certifications are held by the audit team (e. g. in the section “Independence and quality assurance of the auditor”). Upon request, appropriate documents (e. g. certificates etc.) must be submitted to the client.

3.5.2 Reporting on existing and/or identified exceptions to the requirements

It is in the nature of audits that “negative” audit findings may come up during the course of an audit. Whether or not such a finding has an impact on the audit opinion, the customers of the cloud provider expect remediating measures for error correction as well as system and process optimisation to be performed.

» If the deficiency was identified by the service provider, it must be specified when and with which measures the deficiency was identified.

» If the deficiency had already been subject of the reporting over a previous audit period, it must be specified when and with which measures the deficiency was identified, in addition to a separate note that it was identified in a previous audit period. This assumes that the auditor has access to previous audit reports of the cloud provider. The auditor must seek separate assurance of this as part of his assignment.

» In any case, it should be specified which measures will be taken for the future elimination of the deficiency and the date when these measures will be completed and/or implemented effectively.

This can be reported, for example, in a separately marked section of the system description or in the optional section “Other information, provided by the service provider”.

Regulations regarding the auditor’s liability to the service provider and other recipients of the report may be designed differently, also depending on country-specific regulations concerning the auditor.

In the BSI’s professional point of view, specifications regarding the type and limit of the auditor’s liability are important information for the recipient of the report and therefore must be included in the reporting according to the agreement.

Information on this can be provided, for example, in the section “Notes on the assignment conditions” (if necessary, with reference to further annexes).
4 Framework conditions of the cloud service (surrounding parameters for transparency)
UP-03 Disclosure and investigatory powers

Basic requirement

In service level agreements, their process documentation or comparable documentation, the cloud provider provides comprehensible and transparent specifications regarding applicable disclosure and investigatory powers of government agencies which allow access to data of the cloud customer. The specifications must allow an expert third party to assess the general suitability of the cloud service for the customer application. If the cloud provider accesses third-party services, the provider has obtained these specifications from them.

UP-04 Certifications

Basic requirement

» ISO 22301

» Proof of compliance with data protection accepted by the responsible data protection authorities

» Audit reports according to ISAE 3402/SSAE 16/SOC 1/IDW PS 951

» Software certificates according to IDW PS 880

In this respect, the target of certification and/or, in the case of system certifications, the corresponding scope is important.
5 Objectives and requirements
Supplementary information for the basic requirement

The security policy required here is a basic requirement. Further policies and instructions must be based on the size and complexity of the organisation of the cloud provider and the type of the cloud service offered.

Whereas the general security objectives and a strategy to achieve these objectives have to be formulated concisely in the security policy, it typically does not include organisational and technical details. It has proved to be successful to regulate these details in further policies and instructions on different levels. At the lower levels, the level of detail increases, while the change intervals are reduced.

OIS-03 Authorities and responsibilities in the framework of information security

Basic requirement

to respond to them appropriately with organisational and technical safeguards, before the change becomes effective.

Supplementary information for the basic requirement

Documentation and job profiles which define and determine the authorities in the framework of information security should be available. The appropriateness of the assignment of roles and responsibilities to one or several persons at the cloud provider must be assessed against the backdrop of the size and complexity of the organisation.

Description of additional requirements (confidentiality)

The cloud provider identifies all risks related to overlapping or incompatible authorities and responsibilities.
Operative and controlling functions should not be performed by one and the same person at the same time. If it is not possible to achieve a separation of duties for organisational or technical reasons, appropriate compensating controls are established in order to prevent or uncover improper activities.

Description of additional requirements (confidentiality)

Supplementary information for the basic requirements

Relevant contacts include, for example:

» Federal Office for Information Security (BSI) (or comparable agencies in other countries)

» OWASP Foundation

» CERT alliances DFN-CERT, TF-CSIRT etc.

Description of additional requirements (confidentiality and availability)

Procedures are defined and documented to communicate the information received to the internal and external employees of the cloud provider and to be able to respond to it appropriately and in a timely manner.

OIS-06 Policy for the organization of the risk management

Basic requirement

Policies and instructions for the general procedure applicable to the identification, analysis, assessment and handling of risks and IT risks in particular are documented, communicated and provided according to SA-01.

If the cloud provider is a German Aktiengesellschaft (AG) [public limited company] or a German Kommanditgesellschaft auf Aktien (KGaA) [partnership limited to shares], § 91 Para. 2 AktG [German Public Companies Act] is applied. According to this, the board of directors must take suitable safeguards, i.e. especially establish a monitoring system so that developments putting the company at risk are detected at an early stage. If these safeguards have already been the subject of an audit carried out by a certified public auditor, these results can be taken into account. In this respect, it must be ensured that the risks relevant to the cloud service (usually IT risks) are the subject of the monitoring system audited. If business processes for the development and/or operation of the cloud service are outsourced to other service companies, the cloud provider still remains responsible for these risks. They must
be addressed by appropriate procedures for the selection, control and monitoring of the service companies (see requirements DLL-01 and DLL-02).

Description of additional requirements (confidentiality and availability)

5.2 Security policies and work instructions

Objective: providing policies and instructions with respect to the security claim and to support the business requirements.

» Goals

» Scopes of application
» Addressing the topic of policies and instructions when new employees start their work

» Cryptography and key management (KRY-01)

» Communication security (KOS-05)

» Portability and interoperability (PI-03)

» Procurement and development of cloud services (BEI-01)

» Change management (BEI-03)

» Policies for the handling of and security requirements for service providers and suppliers of the cloud provider (DLL-01)

» Business continuity management (BCM-02)

SA-02 Review and approval of policies and instructions

SA-03 Deviations from existing policies and instructions

Basic requirement

Exceptions to policies and instructions for information security are approved by committees or bodies of the cloud provider authorised to do so in a documented form. The appropriateness of approved exceptions and the assessment of the risks resulting from this are reviewed by specialists of the cloud provider who are familiar with the topic against the backdrop of the current and future expected threat environment regarding information security at least once a year.
The appropriateness of approved exceptions and the assessment of the risks resulting from this are reviewed by an independent third party at least once a year as to whether they reflect a realistic picture of the current and future expected threat environment regarding information security (see SPN-01).

Objective: making sure that employees, service providers and suppliers understand their tasks, that they are aware of their responsibility with regard to information security and that the assets of the organisation are protected if the tasks are modified or completed.

Basic requirement
The assets (e. g. PCs, peripheral devices, telephones, network components, servers, installation documentation, process instructions, IT applications, tools) used to render the cloud service are identified and inventoried. By means of appropriate processes and safeguards, it is ensured that this inventory remains complete, correct, up-to-date and consistent. A history of the changes to the entries in the inventory is kept in a comprehensible manner. If no effective automatic procedures are established for this, this is ensured by a manual review of the inventory data of the assets which takes place at least once a month.

Supplementary information for the basic requirement

For asset management, see also ISO standards 55001 and 55002.

Description of additional requirements (availability)

AM-03 Instruction manuals for assets

Basic requirement

Policies and instructions with technical and organisational safeguards for the proper handling of assets are documented, communicated and provided according to SA-01 in the respectively current version.

AM-04 Handing in and returning assets

Basic requirement

All internal and external employees of the cloud provider are obliged to return or irrevocably delete all assets which were handed over to them in relation to the cloud service and/or for which they are responsible as soon as the employment relationship has been terminated.
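One way an operator can evidence the inventory requirement above (complete and consistent register, a comprehensible change history for every entry, and a manual review at least monthly where no automatic procedure exists) is a small register that logs every change and reconciles itself against an independent list of what is actually deployed. The code below is an added example and is not part of the C5 catalogue or any BSI tooling; the asset identifiers, attribute names, the sample data and the reading of "once a month" as 31 days are all assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class AssetRegister:
    """In-memory asset inventory with an append-only change history (illustrative)."""
    assets: dict = field(default_factory=dict)     # asset_id -> attribute dict
    history: list = field(default_factory=list)    # (day, asset_id, action, detail)
    automated_sync: bool = False                   # True if an effective automatic procedure keeps it current
    last_manual_review: Optional[date] = None

    def upsert(self, day: date, asset_id: str, **attrs) -> None:
        """Add a new asset, or record exactly which attributes changed on an existing one."""
        current = self.assets.get(asset_id)
        if current is None:
            self.assets[asset_id] = dict(attrs)
            self.history.append((day, asset_id, "added", dict(attrs)))
            return
        changed = {k: (current.get(k), v) for k, v in attrs.items() if current.get(k) != v}
        if changed:                                # unchanged re-submissions leave no history noise
            current.update(attrs)
            self.history.append((day, asset_id, "modified", changed))

    def retire(self, day: date, asset_id: str, reason: str) -> None:
        """Remove an asset from the live register but keep its full history."""
        removed = self.assets.pop(asset_id)
        self.history.append((day, asset_id, "retired", {"reason": reason, "was": removed}))

    def reconcile(self, day: date, discovered: set) -> tuple:
        """Compare the register with an independent source (e.g. the provider's own
        discovery scan of its estate). Returns (unregistered, missing): assets seen but
        not inventoried, and inventoried assets not seen. Both are consistency findings."""
        unregistered = sorted(set(discovered) - set(self.assets))
        missing = sorted(set(self.assets) - set(discovered))
        self.history.append((day, None, "reconciled",
                             {"unregistered": unregistered, "missing": missing}))
        return unregistered, missing

    def record_manual_review(self, day: date) -> None:
        self.last_manual_review = day
        self.history.append((day, None, "manual_review", {}))

    def manual_review_overdue(self, today: date, max_days: int = 31) -> bool:
        """Without an effective automatic procedure a manual review at least once a
        month is required; 31 days is the assumed interpretation of 'once a month'."""
        if self.automated_sync:
            return False
        if self.last_manual_review is None:
            return True
        return (today - self.last_manual_review).days > max_days

def history_for(reg: AssetRegister, asset_id: str) -> list:
    """Chronological (day, action) entries for one asset, as an auditor would ask for."""
    return [(d, act) for d, a, act, _ in reg.history if a == asset_id]

def build_sample_register() -> AssetRegister:
    """Constructed sample data, not taken from any real inventory."""
    reg = AssetRegister()
    reg.upsert(date(2024, 1, 10), "srv-001", type="server", owner="ops-team", location="DC-1")
    reg.upsert(date(2024, 1, 10), "sw-002", type="network switch", owner="net-team", location="DC-1")
    reg.upsert(date(2024, 2, 3), "srv-001", type="server", owner="platform-team", location="DC-1")
    reg.record_manual_review(date(2024, 2, 5))
    reg.retire(date(2024, 2, 20), "sw-002", reason="replaced")
    return reg

if __name__ == "__main__":
    reg = build_sample_register()
    print(history_for(reg, "srv-001"))
    print(reg.reconcile(date(2024, 3, 1), {"srv-001", "srv-009"}))
    print(reg.manual_review_overdue(date(2024, 3, 10)))
```

The reconciliation step is what makes the register more than a spreadsheet: an asset that a discovery scan sees but the register does not (or vice versa) is exactly the incompleteness or inconsistency the requirement asks the provider to rule out, and the reconciliation result itself lands in the history so the review can be evidenced later.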
» Criticality for the rendering of the cloud service

» Sensitivity to unauthorised disclosure or modification

» Data type

» Applicable legislation of the assets

» Geographical location

» Context

Supplementary information for the basic requirement

The labeling of information must be carried out after the classification has been performed and is usually the responsibility of the asset owners. A labeling method could be a provision for documents so that the confidentiality level is specified in the same place on each page of the document. Methods for the handling of assets should include information as to how assets are to be protected according to each confidentiality level.

AM-07 Management of data media

Basic requirement

Policies and instructions with technical and organisational safeguards for the secure handling of data media of any type are documented, communicated and provided according to SA-01. The targets establish a reference to the classification of information (see AM-05). They include the secure use, the secure transport as well as the irrevocable deletion and destruction of data media.

Devices, hardware, software or data may only be transferred to external premises after it has been approved by authorised committees or bodies of the cloud provider. The transfer takes place securely according to the type of the assets to be transferred.
Objective: preventing unauthorised physical site access and protection against theft, damage, loss and failure of operations.

The security concept includes the setup of different security zones which are separated by security lines as monitored and secured gateways between the zones.

The physical site access controls require two-factor authentication.

» Sensors to monitor temperature and humidity

» Connecting the building to a fire alarm system with notification of the local fire department
» Use of appropriately dimensioned uninterruptible power supplies (UPS) and emergency power systems (EPS)

» Redundant network connection via different physical connections

Furthermore, the cloud provider should determine and communicate which external temperatures the air conditioning of the computer centre can withstand for how long (e. g. 30°C/14 days, 35°C/6 days, 40°C/4 days). If river water is used for cooling, it should be specified at which water levels the air conditioning can be maintained for how long. To demonstrate resilience against interception and the protection against damage, wiring diagrams and a corresponding protection concept can be submitted, which is checked for plausibility in discussion with the person responsible. During visual inspection, attention should be paid, among other things, to traces of violent opening attempts at closed distributors, currency of the documentation inside the distributors, conformity of the actual wiring and patches with the documentation, intactness of the short circuits and grounding of non-required lines as well as to impermissible installations and changes.

Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 which describe the maintenance (especially remote maintenance), deletion, updating and re-use of assets in information processing in outsourced premises or by external personnel.

Supplementary information for the basic requirement

Policies and instructions should take the following aspects into account:

» Secure deletion of sensitive data prior to external repair or maintenance

» Analyses of the assets prior to re-use in order to avoid manipulations or malfunctions

» Renewal of assets if availability, security, integrity or confidentiality could be at risk
Supplementary information for the basic requirement

This requirement supplements requirement UP-02 in which the locations are to be documented. If a cloud provider renders their services at several sites, this requirement demands the cloud provider to define precisely at which site the service is rendered and the data processed.

to protect them against malware. The update is performed with the highest frequency that is contractually offered by the manufacturer(s).

RB-06 Data backup and restoration – concept

Basic requirement
Supplementary information for the basic requirement

Security-relevant events include, among other things:

» Login and logout processes

» Creation, change or deletion of users and extension of authorisations

» Use, extension and changes of privileged data access authorisations

IP addresses, GPS position of the customer, which resources (network, storage, computer) were used, which data was accessed when, with whom the data was shared, who was communicated with etc. Part of this data is used for accounting and billing purposes and for the (security) incident management. Moreover, it is also suitable for making the customer behaviour and (depending on the cloud service) a large part of decision-making and work processes transparent for the cloud provider. With the requirement, the collection and use of the meta data should be limited in a transparent and clear manner.
The logs should contain the following information:

» User ID

The availability of the logging and monitoring software is monitored independently. In case the logging and monitoring software fails, the responsible employees are informed immediately.
» Regular follow-up of safeguards in order to address identified safeguards (e. g. installation of security updates according to internal target specifications)

The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers.
vulnerabilities at least once a month. In the event of deviations from the expected configurations (for example, the expected patch level), the reasons for this are analysed in a timely manner and the deviations remedied or documented according to the exception process (see SA-03).

Supplementary information for the basic requirement

In contrast to the penetration tests (see RB-18) which are performed manually and according to an individual scheme, the checking for open vulnerabilities is carried out automatically using so-called vulnerability management tools.

Description of additional requirements (confidentiality)

Upon customer request, the cloud provider informs the cloud customer of open vulnerabilities in an appropriate form. The open vulnerabilities are remedied promptly without exception.

RB-22 Handling of vulnerabilities, malfunctions and errors – system hardening

Basic requirement

System components which are used for the rendering of the cloud service are hardened according to generally established and accepted industry standards. The hardening instructions used are documented as well as the implementation status.

RB-23 Segregation of stored and processed data of the cloud customers in jointly used resources

Basic requirement

Data is separated securely and strictly on jointly used virtual and physical resources (storage network, memory) according to a documented concept in order to guarantee the confidentiality and integrity of the stored and processed data.

Supplementary information for the basic requirement

A technical segregation (separation) of stored and processed data of the cloud customers in jointly used resources can be achieved by firewalls, access lists, tagging (identification of the data), VLANs, virtualisation and safeguards in the storage network (e. g. LUN Masking). If the appropriateness and effectiveness of the segregation cannot be assessed with sufficient certainty (e. g. due to a complex implementation), evidence can also be demonstrated by audit results of expert third parties (e. g. penetration tests for the validation of the concept). The segregation of transmitted data is the subject of control KOS-05.

Description of additional requirements (confidentiality)

Resources in the storage network (Storage) are segmented by secure zoning (LUN Binding and LUN Masking).
» Separation of functions in the administration of roles, approval and granting of data access authorisations

» Regular review of granted authorisations

» Withdrawal of authorisations (de-provisioning) in case of changes to the employment relationship

» Requirements for the approval and documentation of the management of system and data access authorisations

» Data access authorisations comply with the “least-privilege principle”.

» When granting data access authorisations, only access authorisations necessary to perform the corresponding tasks should be granted (“need-to-know principle”).

» Formal approval is given by an authorised person, before the data access authorisations are set up (i. e. before the user can access data of the cloud customers or components of the shared IT infrastructure).
Data access authorisations of users under the cloud provider’s responsibility (internal and external employees) are reviewed at least once a year in order to adjust them promptly to changes to the employment relationship (dismissal, transfer, longer period of absence/sabbatical/parental leave). The review is performed by persons authorised to do so from the corresponding part of the cloud provider, who are able to review the appropriateness of the granted authorisations due to their knowledge of the responsibilities. The review as well as the adjustments to the authorisations are documented comprehensibly.

Description of additional requirements (confidentiality)

Administrative authorisations are checked at least every six months.

Secret authentication credentials (e. g. passwords, certificates, security tokens) are assigned to internal and external users of the cloud provider or cloud customer, provided that this is subject to organisational or technical procedures of the cloud provider, in a properly organised procedure which ensures the confidentiality of the information. If they are assigned initially, they are valid only temporarily, but not longer than 14 days. Moreover, users are forced to change them when using them for the first time. Access of the cloud provider to the authentication information of the cloud customer is strictly regulated, communicated to the cloud customer and only takes place if it is necessary to perform the corresponding tasks (“need-to-know principle”). Access is documented and reported to the cloud customer.
The users sign a declaration in which they assure that they will treat personal (or shared) authentication information confidentially and keep it private (within the members of the group).

IDM-08 Secure login methods

Basic requirement

Supplementary information for the basic requirement

The approval can also be granted subsequently provided that this is justified.

At least once a month, the activations of the emergency users and the corresponding approvals are compared manually. Irregularities are examined in order to determine any misuse of these users and to avoid this in the future. The activities of the emergency users are logged in an audit-proof manner. The logging is sufficiently detailed so that an expert third party is able to comprehend the activities.

» At least two of the following character types must be included: capital letters, lower-case letters, special characters and numbers

» Maximum validity of 90 days, minimum validity of 1 day

» Password history of 6
» Transmission and storage of the passwords in an encrypted procedure that conforms to the state of the art.

Supplementary information for the basic requirement

Security parameters include, for example, the use of secure login methods (see IDM-08), lock after failed login attempts, no multiple logins with one and the same user, and automatic logout/lock after inactivity.

Basic requirement

restricted to authorised persons. Granting and changes to corresponding data access authorisations comply with the policy for the management of system and data access authorisations. Access is controlled by means of strong authentication techniques, including multi-factor authentication (see KOS-06).

IDM-13 Control of access to source code

Basic requirement
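The password rules quoted above (at least two of four character types, maximum validity of 90 days and minimum validity of 1 day, history of 6, state-of-the-art protected storage) together with the rule for initially assigned credentials (valid at most 14 days, changed at first use), carried through as an added Python example. This is not code from the catalogue or any provider; the account model, the PBKDF2 parameters and the date handling are assumptions.

```python
"""Password policy checker for the rules quoted above (example code, not from
the C5 catalogue or any provider; account model and PBKDF2 parameters are
assumptions)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import os

MAX_VALIDITY = timedelta(days=90)      # maximum validity of 90 days
MIN_VALIDITY = timedelta(days=1)       # minimum validity of 1 day
INITIAL_VALIDITY = timedelta(days=14)  # initially assigned credential: at most 14 days
HISTORY_DEPTH = 6                      # password history of 6 (current + 5 previous)
PBKDF2_ROUNDS = 50_000                 # assumption; raise to match production hardware


@dataclass
class StoredHash:
    """Salted PBKDF2-HMAC-SHA256 digest: the only form in which a password is kept."""
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes | None = None) -> StoredHash:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return StoredHash(salt, digest)


def matches(password: str, stored: StoredHash) -> bool:
    candidate = hash_password(password, stored.salt).digest
    return hmac.compare_digest(candidate, stored.digest)  # constant-time compare


@dataclass
class Account:
    user_id: str
    current: StoredHash
    set_on: date                  # day the current password was set
    initial: bool = True          # assigned by the provider, not yet changed by the user
    history: list[StoredHash] = field(default_factory=list)  # previous hashes, newest first


def new_account(user_id: str, initial_password: str, today: date) -> Account:
    """The provider assigns a temporary credential, valid at most INITIAL_VALIDITY."""
    return Account(user_id, hash_password(initial_password), today)


def character_classes(password: str) -> set[str]:
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def composition_problems(password: str) -> list[str]:
    """Rule: at least two of capital letters, lower-case letters, special characters, numbers."""
    if len(character_classes(password)) < 2:
        return ["fewer than two character types"]
    return []


def password_expired(acct: Account, today: date) -> bool:
    limit = INITIAL_VALIDITY if acct.initial else MAX_VALIDITY
    return today - acct.set_on > limit


def login(acct: Account, password: str, today: date) -> str:
    """'denied', 'expired', 'must_change' (first use of an assigned credential) or 'ok'."""
    if not matches(password, acct.current):
        return "denied"
    if password_expired(acct, today):
        return "expired"
    if acct.initial:
        return "must_change"   # forced change when the credential is used for the first time
    return "ok"


def change_password(acct: Account, new_password: str, today: date) -> list[str]:
    """Applies the change if every rule holds; returns the violated rules (empty on success)."""
    problems = composition_problems(new_password)
    if not acct.initial and today - acct.set_on < MIN_VALIDITY:
        problems.append("minimum validity of 1 day not reached")
    remembered = [acct.current] + acct.history[: HISTORY_DEPTH - 1]  # the last 6 passwords
    if any(matches(new_password, old) for old in remembered):
        problems.append("reused")
    if problems:
        return problems
    acct.history = remembered[: HISTORY_DEPTH - 1]  # old current password joins the history
    acct.current = hash_password(new_password)
    acct.set_on = today
    acct.initial = False
    return []
```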
KRY-01 Policy for the use of encryption procedures and key management

Basic requirement

Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SA-01, in which the following aspects are described:

» Using strong encryption procedures (e. g. AES) and the use of secure network protocols that correspond to the state of the art (e. g. TLS, IPsec, SSH)

» Risk-based regulations for the use of encryption which are compared to schemes for the classification of information and take the communication channel, type, strength and quality of the encryption into account

» Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys

» Taking the relevant legal and regulatory obligations and requirements into consideration

Supplementary information for the basic requirement

The state of the art regarding strong encryption procedures and secure network protocols is defined in the respectively current version of the following BSI Technical Guidelines:

» BSI TR-02102-4 Cryptographic Mechanisms: Recommendations and Key Lengths, Part 4 – Use of Secure Shell (SSH)

KRY-02 Encryption of data for transmission (transport encryption)

Basic requirement

Procedures and technical safeguards for strong encryption and authentication for the transmission of data of the cloud customers (e. g. electronic messages transported via public networks) are established.

Supplementary information for the basic requirement

When transmitting data with normal protection requirements within the cloud provider’s infrastructure, encryption is not mandatory provided that the data is not transmitted via public networks. In this case, the non-public environment of the cloud provider can generally be deemed trusted. Strong transport encryption that conforms to the state of the art is currently considered to be the TLS 1.2 protocol in combination with Perfect Forward Secrecy. Furthermore, the BSI Technical Guideline TR-02102-2 Cryptographic Mechanisms: Recommendations and Key Lengths, Part 2 – Use of Transport Layer Security (TLS) applies in the respectively current version. Using SSL (including version 3.0) is not considered to be a secure procedure.
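The KRY-02 rule above (TLS 1.2 with Perfect Forward Secrecy is state of the art; SSL, including 3.0, is not), turned into an added Python example that builds a server-side TLS context which can only negotiate such connections and audits a constructed handshake log for deviations. This is example code, not from the catalogue or any provider; the log format is constructed, and treating TLS 1.3 as acceptable is an assumption beyond the text.

```python
"""Transport-encryption checks for the KRY-02 rule quoted above. Added
example, not from the C5 catalogue or any provider; the log format is
constructed and the acceptance of TLS 1.3 is an assumption beyond the text."""
import ssl

# TLS 1.3 post-dates the text; it is accepted here because all of its cipher
# suites use ephemeral key exchange (assumption, not a statement of the catalogue).
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# OpenSSL cipher names with ephemeral (forward-secret) key exchange;
# "TLS_" is the prefix of the TLS 1.3 suite names.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def connection_is_compliant(version: str, cipher: str) -> bool:
    """Protocol version at least TLS 1.2 and a forward-secret key exchange."""
    return version in ACCEPTED_VERSIONS and cipher.startswith(PFS_PREFIXES)


def audit_handshakes(log_lines):
    """Returns (client, version, cipher, reason) for every non-compliant
    handshake in a 'client version cipher' log (constructed format)."""
    findings = []
    for line in log_lines:
        client, version, cipher = line.split()
        if version not in ACCEPTED_VERSIONS:
            findings.append((client, version, cipher, "outdated protocol version"))
        elif not cipher.startswith(PFS_PREFIXES):
            findings.append((client, version, cipher, "no forward secrecy"))
    return findings


def server_context() -> ssl.SSLContext:
    """Server-side context that can only negotiate what the rule accepts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    # Only suites with ephemeral (EC)DH key exchange; no anonymous or MD5 suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


# Constructed sample log: client address, negotiated version, negotiated cipher suite.
SAMPLE_LOG = [
    "10.0.0.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256",   # compliant
    "10.0.0.6 TLSv1.2 AES256-GCM-SHA384",             # static RSA key exchange: no PFS
    "10.0.0.7 TLSv1 ECDHE-RSA-AES256-SHA",            # PFS, but outdated protocol version
    "10.0.0.8 SSLv3 RC4-MD5",                         # SSL is not a secure procedure
    "10.0.0.9 TLSv1.3 TLS_AES_256_GCM_SHA384",        # compliant (see assumption above)
]
```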
Description of additional requirements (confidentiality)

If data with higher protection requirements are transmitted, strong encryption must also be implemented within the cloud provider’s infrastructure.

KRY-03 Encryption of sensitive data for storage

» Secure storage of own keys (not those of the cloud customers or other third parties) including the description as to how authorised users are granted access

» Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised

» Handling of compromised keys
5.9 Communication security

Objective: ensuring the protection of information in networks and the corresponding information-processing systems.

purpose. In addition, the review also includes the justifications for compensating controls for the use of logs which are considered to be insecure.

KOS-03 Cross-network access

Basic requirement
cloud customers on the network level in order to guarantee the confidentiality and integrity of the data transmitted.

Supplementary information for the basic requirement

If the appropriateness and effectiveness of the logical segmentation cannot be assessed with sufficient certainty (e. g. due to a complex implementation), evidence can also be demonstrated by audit results of expert third parties (e. g. penetration tests for the validation of the concept). The segregation of stored and processed data is the subject of control RB-23. For the secure segmentation of jointly used resources for web applications which are provided as SaaS, the session ID in the basic level should:

» be generated randomly and have adequate entropy of at least 128 Bit (16 characters) in order to withstand educated guessing of the session ID (for example, by means of a brute-force attack),

» be adequately protected for transmission and client-side storage,

» have limited validity (timeout) which is as short as possible, measured by the requirements for the use of the web application.

KOS-06 Documentation of the network topology

Basic requirement

The architecture of the network is documented comprehensibly and currently (e. g. in the form of diagrams) in order to avoid errors in the management during live operation and ensure timely restoration according to the contractual duties in the event of damage. Different environments (e. g. administration network and shared network segments) and data flows become apparent from the documentation. Furthermore, the geographical locations, in which the data is stored, are specified.

KOS-07 Policies for data transmission

Basic requirement

Policies and instructions with technical and organisational safeguards in order to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction (e. g. use of encryption) are documented, communicated and provided according to SA-01. The policy and instructions establish a reference to the classification of information (see AM-05).
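The three session-ID criteria from the KOS-05 supplementary information above (random with at least 128 bits of entropy, protected in transit and in client-side storage, validity as short as possible), carried through as an added Python example for a multi-tenant SaaS application in which each session is bound to one tenant. This is example code, not from the catalogue or any provider; the store layout and the 15-minute idle and 8-hour absolute timeouts are assumptions.

```python
"""Session handling for a multi-tenant (SaaS) web application following the
three session-ID criteria quoted above. Example code, not from the C5
catalogue or any provider; store layout and timeout values are assumptions."""
import hashlib
import secrets
from datetime import datetime, timedelta

SESSION_ID_BYTES = 16                   # 128 bits of entropy, the minimum named in the text
IDLE_TIMEOUT = timedelta(minutes=15)    # assumption: "as short as possible" for this application
ABSOLUTE_TIMEOUT = timedelta(hours=8)   # assumption: hard cap regardless of activity


def new_session_id() -> str:
    """16 bytes from the OS CSPRNG, URL-safe base64 encoded (22 characters)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value protecting the ID in transit and in client-side storage:
    Secure (sent over TLS only), HttpOnly (no script access), SameSite=Strict,
    and no Expires/Max-Age so the browser does not persist it to disk."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


class SessionStore:
    """Server-side store keyed by the SHA-256 of the ID, so a leaked copy of the
    store does not yield usable session IDs. Each session is bound to one tenant."""

    def __init__(self):
        self._sessions = {}  # key hash -> dict(tenant, user, created, last_seen)

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, tenant: str, user: str, now: datetime) -> str:
        session_id = new_session_id()
        self._sessions[self._key(session_id)] = {
            "tenant": tenant, "user": user, "created": now, "last_seen": now}
        return session_id

    def lookup(self, session_id: str, tenant: str, now: datetime):
        """Returns the user if the session is valid for this tenant, else None.
        Expired sessions are removed; a tenant mismatch is rejected without
        touching the session, so one tenant cannot keep another's session alive."""
        key = self._key(session_id)
        s = self._sessions.get(key)
        if s is None:
            return None
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        if s["tenant"] != tenant:
            return None
        s["last_seen"] = now   # sliding idle window
        return s["user"]

    def terminate(self, session_id: str) -> None:
        """Explicit logout: the ID becomes unusable immediately."""
        self._sessions.pop(self._key(session_id), None)
```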
of the cloud provider prior to the start of the contract relationship and/or before access to data of the cloud users is granted.

Supplementary information for the basic requirement

The following should be described in a non-disclosure agreement:

Description of additional requirements (confidentiality)

If adjustments to the non-disclosure or confidentiality agreements result from the review, the internal and external employees of the cloud provider must be informed about this and new confirmations shall be obtained.

5.10 Portability and interoperability

Objective: providing the ability to securely operate the service on different IT platforms as well as the possibility of securely connecting different IT platforms and terminating the service.

At the end of the contract, the cloud customer can request the data to which they are entitled according to the contractual framework conditions, from the cloud provider and receives them in processable electronic standard formats such as CSV or XML.

PI-03 Policy for the portability and interoperability

Basic requirement
PI-04 Secure data import and export

Basic requirement

The cloud provider uses secure network protocols for the import and export of information as well as for the management of the service in order to ensure the integrity, confidentiality and availability of the transported data.

Both when changing the storage media for maintenance purposes and upon request of the cloud customer or the termination of the contract relationship, the content data of the cloud customer, including the data backups and the meta data (as soon as they are no longer required for the proper documentation of the accounting and billing), is deleted completely. The methods used for this (e. g. by overwriting data several times, deletion of the key) prevent the data from being restored via forensic methods.

Supplementary information for the basic requirement

The deletion of meta data and log files is the subject of the requirements RB-11 and RB-13.

5.11 Procurement, development and maintenance of information systems

Objective: Complying with the security targets in case of new developments and procurement of information systems as well as changes.

Policies and instructions with technical and organisational safeguards for the proper development and/or procurement of information systems for the development or operation of the cloud service, including middleware, databases, operating systems and network components are documented, communicated and provided according to SA-01. The policies and instructions describe at least the following aspects:

» Security in software development methods in compliance with security standards established in the industry (e. g. OWASP for web applications)

» Security of the development environment (e. g. separate development/test/production environments)
If the development of the cloud service (or parts thereof) is outsourced regarding the design, development, test and/or provision of source code of the cloud service, a high level of security is required. Therefore, at least the following aspects must be agreed upon contractually between the cloud provider and external service providers:

» Requirements for a secure software development process (especially design, development and testing)

Policies and instructions with technical and organisational safeguards for the proper management of changes to information systems for the development or operation of the cloud service, including middleware, databases, operating systems and network components are documented, communicated and provided according to SA-01. At least the following aspects are to be taken into account in this respect:

» Criteria for the classification and prioritisation of changes and related requirements for the type and scope of tests to be carried out and permits to be obtained

» Requirements for the notification of affected cloud customers according to the contractual agreements

» Requirements for the documentation of changes to the system, operating and user documentation

Supplementary information for the basic requirement

Changes to the existing network configuration must also run through a controlled procedure, since they are necessary for an effective client segregation.

All changes are categorised on the basis of a risk assessment (e. g. as insignificant, significant or far-reaching impacts) in order to obtain an appropriate authorisation prior to making the change available to the production environment.

BEI-06 Prioritisation of changes

Basic requirement

All changes are prioritised on the basis of a risk assessment (e. g. as low, normal, high, emergency) in order to obtain an appropriate authorisation prior to making the change available to the production environment.
All changes to the cloud service are subjected to tests (e. g. for integration, regression, security and user acceptance) during the development and before they are made available to the production environment. The tests are carried out by adequately qualified personnel of the cloud provider. According to the service level agreement (SLA), changes are also tested by the customers (tenants) suitable for this.

BEI-08 Rollback of changes

Basic requirement

Processes are defined in order to be able to roll back required changes as a result of errors or security concerns and restore affected systems or services to their previous state.

BEI-09 Review of proper testing and approval

Basic requirement

Before a change is released to the production environment, it must be reviewed by an authorised body or a corresponding committee whether the planned tests have been completed successfully and the required approvals are granted.

Description of additional requirements (confidentiality and availability)

At least every three months, it is reviewed for an appropriate random sample of changes made to the production environment (i. e. at least 10% of all changes completed during this period of time) whether the internal requirements regarding the proper classification, testing and approval of changes were met.

Emergency changes are to be classified as such by the change manager who creates the change documentation before applying the change to the production environment. Afterwards (e. g. within 5 working days), the change manager supplements the change documentation with a justification and the result of the application of the emergency change. This justification must show why the regular change process could not have been run through and what the consequences of a delay resulting from compliance with the regular process would have been. The change documentation is forwarded to the customers concerned and a subsequent release by authorised bodies is obtained according to the contractual agreements.

BEI-11 System landscape

Basic requirement

Production environments are separated physically or logically from non-production environments in order to avoid unauthorised access or changes to the production data. Production data is not replicated in test or development environments in order to maintain its confidentiality.

BEI-12 Separation of functions

Basic requirement

Change management procedures include role-based authorisations in order to ensure an appropriate separation of duties regarding the development, release and migration of changes between the environments.
5.12 Control and monitoring of service providers and suppliers

Objective: ensuring the protection of information which can be accessed by the service providers and/or suppliers of the cloud provider (subcontractors) and monitoring the services and security requirements agreed upon.

DLL-01 Policies for the handling of and security requirements for service providers and suppliers of the cloud provider

» Legal and regulatory requirements, including data protection, intellectual property right, copyright, handling of meta data (see RB-11) as well as a description as to how they are ensured (e. g. site of data processing and liability, see surrounding parameters for transparency)

» Requirements for incident and vulnerability management (especially notifications and collaborations when eliminating malfunctions)

» Disclosure and contractual obligation to the minimum security requirements also to subcontractors if they do not only contribute insignificant parts to the development or operation of the cloud service (e. g. service provider of the computing centre)

The definition of the requirements is integrated into the risk management of the cloud provider. According to requirement OIS-07, they are checked at regular intervals for their appropriateness.

Description of additional requirements (confidentiality and availability)

Procedures for the regular monitoring and review of agreed services and security requirements of third parties (e. g. service providers and/or suppliers of the cloud provider) who contribute essential parts to the development or operation of the cloud service are established. The safeguards include at least the following aspects:

» Regular review of service reports (e. g. SLA reports) if they are provided by third parties
The customer can either actively agree to solutions or the solution is agreed upon after a certain period of time has expired. Information about security incidents or confirmed security violations is made available to all affected customers. It is contractually agreed upon between the cloud provider and the cloud customer which data is made available to the cloud customer for their own analysis in the event of security incidents.

Supplementary information for the basic requirement

Supporting bodies can be external service providers or government agencies (in Germany for instance the Federal Office for Information Security (BSI)).
» Possible scenarios based on a risk analysis (e. g. loss of personnel, failure of building, infrastructure and service providers)

» Defined purpose and scope by taking the relevant dependencies into account
» Ownership by at least one appointed person who is responsible for review, updating and approval

» Defined communication channels, roles and responsibilities including the notification of the customer

» Restoration procedures, manual temporary solutions and reference information (by taking the prioritisation into account for the recovery of cloud infrastructure components and services as well as orienting to customers)

» Methods used for the implementation of the plans

» Continuous improvement process of the plans

» Interfaces with the security incident management

BCM-04 Verification, updating and testing of the business continuity

Basic requirement

Drills also take place on the tactical and strategic level. These modules include, for example:

» Tabletop exercise

» Crisis team exercise

» Command post exercise

» Communication and alarm exercise

» Simulation of scenarios

» Full scale exercise

After a drill has been performed:

» Review and possible adjustment of the existing alert plan

Description of additional requirements (availability)

In addition to the tests, drills are also carried out, which are, among other things, based on scenarios resulting from security incidents that have already occurred in the past.
upon. After this period of time has expired, the maintenance protocols are destroyed properly and permanently.

Description of additional requirements (availability)

Simulated failures of the supply of computing centres are integrated into the drills (see BCM-03).

Basic requirement

5.15 Security check and verification

Objective: Checking and verifying that the information security safeguards are implemented and carried out in accordance with the organisation-wide policies and instructions.

Basic requirement
SPN-03 Internal audits of the compliance of IT systems with internal security policies and standards

Basic requirement

At least on an annual basis, qualified personnel (e. g. internal revision) of the cloud provider or expert third parties commissioned by the cloud provider audit the compliance of the IT systems, provided that they are completely or partially in the cloud provider’s area of responsibility and are relevant to the development or operation of the cloud service, with the corresponding internal policies and standards as well as the legal, regulatory and statutory prescribed requirements relevant to the cloud service. The deviations identified are prioritised and, depending on their criticality, safeguards for their elimination are defined, followed up and implemented in a timely manner.

Description of additional requirements (confidentiality and availability)

Upon request of the cloud customer, the cloud provider provides information on the results, impacts and risks of these audits and assessments in an appropriate form. The cloud provider commits their subcontractors to such audits, asks for the submission of the audit reports in the same intervals and uses them for their own audits.

5.16 Compliance and data protection

Objective: avoiding violations against statutory or contractual duties with respect to information security.

COM-01 Identification of applicable legal, contractual and data protection requirements

Basic requirement

Legal, regulatory and statutory prescribed requirements, as well as the procedure to comply with these requirements and regulations, must be identified, documented and updated regularly by the cloud provider for the cloud service related to the respective application.

Supplementary information for the basic requirement

The documentation of the cloud provider may, among other things, refer to the following regulatory requirements:

» Generally accepted accounting principles (German Commercial Code) or IFRS (International Financial Reporting Standards)

» Requirements regarding data access and the auditability of digital documents (in Germany e. g. according to GDPdU [German principles of data access and auditability of digital records])
Basic requirement
5.17 Mobile device management

Objective: guaranteeing security when using mobile terminal devices in the cloud provider’s area of responsibility for the access to IT systems in order to develop and operate the cloud service.

cloud service (among other things, with information of the operating system and patch status, assigned employees, approval regarding BYOD) is maintained (see AM-01).

Basic requirement

» Ban on jailbreaking/rooting
Imprint
Published by
Federal Office for Information Security
Godesberger Allee 185–189
D-53175 Bonn
Email: [email protected]
Internet: www.bsi.bund.de/EN/C5
Source
Federal Office for Information Security
Godesberger Allee 185–189
D-53175 Bonn
Phone: +49 (0) 22899 9582-0
Fax: +49 (0) 22899 9582-5400
Last updated
September 2017
Printed by
Druck- und Verlagshaus Zarbock GmbH & Co. KG
Sontraer Straße 6
63086 Frankfurt am Main
Internet: www.zarbock.de
Image credits
Title: Fotolia
Item number
BSI-Cloud17/202e
This brochure is part of the Federal Office for Information Security's public relations work. It is provided free of charge and is not intended for sale.
www.bsi.bund.de