Page 36 - Cyber Warnings
cloud providers will need to provide encryption services just to do business, organizations
would do well to negotiate this requirement sooner rather than later.

NACs, IDS/IPS, DMZ/Firewall: Cloud providers should monitor and manage access to their
networks (network access control, intrusion detection and prevention) and operate a network
architecture that follows best practices for DMZ and firewall implementation. Where possible,
organizations should verify that the expected network security controls are in place, through
interviews if a network diagram cannot be shared.

Vulnerability management, patch management, and penetration testing: A cloud
provider’s organizational resources, not just those that deliver the cloud service, must be
continuously scanned for vulnerabilities, and the vulnerabilities found must be patched within
the manufacturer’s guidelines or a standardized remediation timeframe. Penetration testing
should be conducted on the cloud service infrastructure regularly, ideally quarterly and after
any substantial change. In-scope applications should be code-scanned, vulnerability-scanned,
penetration tested, and evaluated against the OWASP Top 10 before any major release. Where
possible, cloud providers should provide vulnerability scan and penetration test reports
promptly, at least in summary form.

Incident response capability: Cloud providers should have an incident response team and a
security operations center in place to monitor events in real time and to review and
investigate potential incidents promptly. Teams should exercise the incident response plan
regularly.

Security Governance

Organizations should also include requirements that ensure appropriate internal management,
external information sharing, and availability for assessment activities:

• Creation and maintenance of security policies, standards, and procedures, with updates
at least annually and annual training of employees.
• Background checks of employees and sub-contractors, as permitted by local laws and
custom.
• Commitment to complete periodic vendor assessments and to be available for onsite
assessment.
• Commitment to comply with business audit requests yearly, or following a data breach.
• Report sharing, including a PCI Attestation of Compliance (most recent version) if
applicable to your organization’s data, the most recent ISO 27001 certification, and
SSAE 16 SOC 1, 2, or 3 reports (a SOC 2 Type II report is standard for most
reputable cloud providers).
• Compliance with applicable laws and industry standards (other than privacy), such as
PCI DSS.


Data Breach Terms

The most important terms to include in your agreement are data breach liability terms, which
specify who bears which costs in the event of a data breach. If not included, some



36 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
