When adopting any technology solution for the enterprise, your legal team will often not have full knowledge of the minimum security requirements that must be negotiated at the contract level. Before your company engages any technology solution, you should ensure the following minimum requirements are considered as part of the provider's contractual obligations to your business or, at the very least, that these issues are investigated and discussed with your IT team.
- Adherence to a recognized framework or standard for effective governance, risk and compliance processes
You should ensure the technology meets recognized industry standards, such as the NIST Cybersecurity Framework (NIST CSF), ISO 27001, ISO 38500, ISO 2000, COBIT, ITIL or the Cloud Security Alliance (CSA) Cloud Controls Matrix.
- Periodic independent audit of operational and business processes
The Provider should evidence how often its business controls are independently audited against industry-recognized certification schemes or standards such as ISO 27001, SSAE-16, etc. Your business should not be comfortable relying on a third party's internal review of its own controls.
- Identity and Access Management (IAM) controls and processes are in place to manage people, roles and identities
Improper access controls and user permissions are a significant risk to your business. Any cloud service provider must have appropriate security controls in place to ensure that provider employees have only controlled and appropriate access to customer services and associated software and data, including but not limited to controls and processes around Privileged Identity Management.
- Protection of data and information
Security considerations apply to data at rest (held on some form of storage system), data in transit (being transferred over some form of communication link) and data in process (e.g. data in memory being used by application code), all of which might be subject to attack in a multi-tenant shared compute environment. Your business should consider contractually requiring third parties that transmit or handle your business data to provide:
  - Encryption of data in transit over open or public networks. Examples include the use of HTTPS, SFTP, TLS, secure VPN, etc.;
  - Encryption of data at rest using strong encryption, e.g. algorithms recommended by FIPS 140-2; and
  - Protection of data in process, including secure management of metadata.
- Policies and Controls for Protection of Personal Data
Require the Provider to deliver policies and procedures that evidence adherence to specifications and standards relating to privacy and the protection of personal information/data, e.g. the Australian Privacy Act, ISO/IEC 27018 (“Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”) and ISO/IEC 29100 (“Privacy Framework”).
- Secure Development Life Cycle of Applications
The Provider should demonstrate the use of controls and processes to proactively protect applications from external and internal threats throughout the life cycle (i.e. design, implementation, production and maintenance), and the use of industry-recognized practices and guidance; examples include:
  - Open Web Application Security Project (OWASP);
  - NIST SP 800-160, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems”; and
  - Cloud Security Alliance, “Practices for Secure Development of Cloud Applications”, etc.
- Secure Cloud Networks and Connections
The Provider should use or align with guidance from industry standards (such as ISO 27001/2, ISO 27033, etc.) and have documented and tested processes for at least the following:
  - Identity and access controls for management of the network infrastructure
  - Proper vulnerability management (identification and patching) of the network infrastructure
  - Appropriate network segmentation, separating networks of different sensitivity levels (e.g. where sensitive personal information is stored or processed) or different types (e.g. a separate management or administration network)
  - Traffic filtering, provided by traditional firewalls or web application firewalls
  - Intrusion detection / prevention
  - Mitigation of the effects of DDoS attacks
  - Logging and notification, so that systematic attacks can be reviewed
  - Security Information and Event Management (SIEM), for holistic security event monitoring, management and response
- Incident Response Plan
The Provider must have an established Incident / Breach Response Plan to handle a major incident such as a data breach. It should align with your business drivers and cyber program. The Provider should also state who its key management contact would be for urgent enquiries in the event of an incident or crisis, and should attest whether it has suffered a material data breach in the past.
- Security Controls on Physical Infrastructure and Facilities
The Provider should demonstrate that the following physical infrastructure and facility security controls are in place:
  - A physical security perimeter to prevent unauthorized access, combined with physical entry controls to ensure that only authorized personnel have access to areas containing sensitive infrastructure.
  - Protection against external and environmental threats.
  - Control of personnel working in secure areas.
  - Equipment security controls to prevent loss, theft, damage or compromise of assets.
  - Controls over supporting utilities such as electricity, gas and water supply.
  - Controls over the security of cabling.
  - Proper equipment maintenance.
  - Control of the removal of assets.
  - Secure disposal or re-use of equipment.
  - Human resources security.
  - Backup, redundancy and continuity plans.
- Defined Exit Process
The Provider must have published, formal processes in place to ensure that once a customer such as yourself has completed the exit process, “reversibility” or “the right to be forgotten” is achieved: that is, none of the customer’s data should remain with the Provider.
- Annual Security Testing
The Provider must have a vulnerability management program that regularly tests its security controls, including but not limited to vulnerability assessments and internal/external penetration testing.