What to look for when you perform security review of your cloud service provider?
a. Download the checklist below
b. CSP Contract Evaluation
Data ownership statement
Terms that specify the process for retrieving your data should you discontinue the service.
Disaster recovery and business continuity: Your services should provide very clear details about disaster recovery plans and processes. Those details should reflect your business requirements for uptime and data access depending on criticality of the data. Know where your backup offsite location is, what the provider’s disaster recovery plan is, and how your data will be backed up and failed over.
Encryption: Your services that store sensitive or regulated data should offer encryption of data at rest and give you choices for how to manage those encryption keys per your policies. Moreover, they should ensure that your data is managed separately from other tenants in the same cloud.
Audits and alerts: Your services that deal with critical business processes, contain sensitive data, or have access to your enterprise systems should offer robust administrator, user, and data access logging and alerting features. This helps you detect noncompliant behavior as it’s happening, as well as perform forensic audit trails after a suspected event occurs.
c. Common Independent Audit Reporting
ISO/IEC 27001
ISO/IEC 27017 ( Information security controls for cloud services (generic)
ISO 270017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. This is relevant to organizations who store information in the cloud, but also for organizations who provide cloud-based services to other organizations who may have sensitive information. This standard is built upon the ISO 27002 standard, but allows for specific controls to be added for the needs of cloud organizations and their end-users.
ISO/IEC 27018 (specially designed for protecting privacy in the cloud)
ISO 27018 is designed for cloud computing organizations but specifically is designed to protect personally identifiable information stored and/or processed in the cloud. In addition, this standard is primarily focused on the standards relevant to cloud providers, not customers. This standard creates an additional level of customer confidence, specifically when working with organizations who handle sensitive information. This standard provides for the practical application of minimum protection standards that should be implemented to maximize client and end-user assurance.
Federal Risk and Authorization Management Program (FedRAMP)
Payment Card Industry Data Security Standard (PCI-DSS)
Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)
AICPA Service Organization Controls (SOC) audit reports or certifications