
Post on 28-Jun-2020


Information Security - Cloud Computing

Information Security - Cloud Computing policy v0_6.pdf CONFIDENTIAL Page 1 of 14

Cork City Council Information Security - Cloud Computing

Prepared by Arnaud Autin

Ward Solutions


1 Document Control

1.1 Revision History

| Version | Date | Author | Summary of Changes |
|---|---|---|---|
| 0.1 | 20.02.2015 | Arnaud Autin | Initial policy created |
| 0.2 | 16.03.2015 | Brendan Fay | Review by practice leader |
| 0.4 | 18.03.2015 | Arnaud Autin | Update following internal review |
| 0.6 | 16.04.2015 | Arnaud Autin | Update following Cork City Council comments |

1.2 Distribution

This document has been distributed to:

| Name | Company/Title | Date of Issue | Version |
|---|---|---|---|
| Gerard Desmond | Applications and Database Section, ICT and Business Process Improvement | 18.03.2015 | 0.4 |
| Gerard Desmond | Applications and Database Section, ICT and Business Process Improvement | 16.04.2015 | 0.6 |

All queries to be addressed to:

Arnaud Autin

Ward Solutions

Unit 2054

Citywest Business Campus

Dublin

Ireland

Tel: +353 (0) 1 6420100

Fax: +353 (0) 1 6420161


All rights reserved. No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted, in any form or by any means, without prior permission in writing from Ward Solutions, Ltd, other than for the internal business use of Cork City Council.


Table of Contents

1 Document Control
  1.1 Revision History
  1.2 Distribution

2 Introduction
  2.1 Introduction
  2.2 Scope
  2.3 Reference Documentation

3 Cloud Computing security policy
  3.1 Background
    3.1.1 Introduction
    3.1.2 Cloud Deployment Models
    3.1.3 Cloud Service Delivery
    3.1.4 Cloud risk management
    3.1.5 Data classification applicable for the Cloud Computing policy
  3.2 Security requirements
    3.2.1 Identification of the requirements related to the type of cloud deployment model and service delivery
    3.2.2 Approval to use Cork City Council data or information in cloud
    3.2.3 Certification and audit
    3.2.4 Cloud Risk Management
    3.2.5 Security requirements for all cloud services
    3.2.6 Contractual agreements
    3.2.7 Specific requirements to Cloud Computing


2 Introduction

2.1 Introduction

Cork City Council has implemented an information security management system in order to protect the organisation from all threats, whether internal or external, deliberate or accidental. To ensure continuity of security governance within Cloud Computing, this manual documents Cork City Council’s approach to Cloud Computing, so that all aspects of information security are established, implemented, operated, reviewed, maintained and improved consistently and in line with internationally recognised best practices as applied to Cloud Computing. Its purpose is to communicate management directives and standards of care to ensure consistent and appropriate protection of information throughout Cork City Council when specifically applied to Cloud Computing.

This manual is based on Cork City Council requirements, best security practices and Cloud Computing standards such as those of the Cloud Security Alliance.

These rules are in place to protect both the employees and Cork City Council and to ensure resources are utilised in an effective, efficient, ethical and lawful manner.

2.2 Scope

The Information Security – Cloud Computing policy applies to all projects hosted within the Cloud. The policies included in this operations manual are applicable to:

- C-level management
- Heads of Function
- Line Managers
- Project Managers
- Asset/Business Owners
- Legal department
- Solutions Architects/Technical Design Leads
- ICT Support Staff
- Business Partners or third party suppliers

2.3 Reference Documentation

Key policies of the Cork City Council Security Management System are:

1) Information Security Charter

This Security charter defines the overall objectives, requirements and responsibilities of all users in Cork City Council, and demonstrates management commitment to the Information Security Management System.

2) Information Security - Operations Manual

3) Information Security - Staff Manual

This document details information security rules and responsibilities for all users in Cork City Council as an end-user of these systems.


3 Cloud Computing security policy

3.1 Background

3.1.1 Introduction

There are many definitions today that attempt to describe cloud computing. One definition is that cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services).

3.1.2 Cloud Deployment Models

There are four deployment models for cloud services with derivative variations that address specific requirements:

Public Cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Examples include Amazon Web Services or Microsoft Azure.

Community Cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may be located on-premise or off-premise. This could, for instance, be a Government Cloud for public services / entities.

Private Cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise.

Hybrid Cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

3.1.3 Cloud Service Delivery

Cloud service delivery is divided among three archetypal models and various derivative combinations:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Office 365 is an example of a public cloud SaaS.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Examples of PaaS are Cloud Foundry and AWS Elastic Beanstalk.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which could include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). An example is Amazon EC2.


3.1.4 Cloud risk management

Risk management is the process of identifying and assessing risk to Cork City Council. This includes, for all assets, operations or individuals, assessing and understanding the exposure to risk and the capability of managing it, aligned with the risk appetite and tolerance of Cork City Council. This can also include identifying the necessary steps to reduce the risks to an acceptable level.

In cloud services, assessing and managing risk in systems can be a challenge and is sometimes the responsibility of a Third Party, which can only be governed by an appropriate contract.

Cork City Council must ensure that all the risks are assessed and all the requirements of the cloud service are identified, establish adequate arrangements in the service agreement, make any needed adjustments, and monitor compliance of the service controls within the terms of the agreement. The first part of this assessment is to define the Cloud Deployment Model (ref. 3.1.2) and the Cloud Service Delivery Model (ref. 3.1.3).

3.1.5 Data classification applicable for the Cloud Computing policy

Data classification is the conscious decision to assign a level of sensitivity to data that is being managed, stored and transmitted by the organisation. As defined in the “Information Security – Staff Manual” policy (as of v.1 2014-01-03), the Data Classification policy is defined as follows:

Classification: CONFIDENTIAL (Priority Data)

Description:

Our classification has defined “Priority System” as being those whose data attributes match at least one of the following three categories:

- The system holds sensitive personal information relating to staff or the public.
- The system holds commercially sensitive information relating to our suppliers or the City Council.
- If the system was not operational for longer than two days, the council would be expected to incur a significant financial loss, i.e. > €15,000.

These systems in particular must be part of a Business Continuity and Disaster Recovery plan.

This includes information that must be kept inside Cork City Council and must be restricted to a limited audience (e.g. divisions or projects to which a small group of persons, not the whole company, must have controlled access).

Highly sensitive information that is protected because of its relevance to strategic decisions, financial impact, business opportunities, potential for fraud or legal requirements.

Classification: INTERNAL USE ONLY (Legitimately Held Data)

Description:

Legitimate data is all other data relating to the operation of Cork City Council but which is not defined as priority data. This data is recognised as important to the council; however, the loss of the information for a period of time (i.e. > 2 days) would not present a major business threat to the organisation.

The data does not contain personal information and is not commercially sensitive relating to suppliers or the Council.

Only data which directly relates to the on-going operations of Cork City Council must be stored on the network or its components. Staff must ensure this data is stored in accordance with I.S. policy guidelines.

This includes information that is neither public nor priority but must be kept inside Cork City Council and must not be available externally except to third parties involved that have entered into a confidentiality agreement.

Where a document or record is not classified according to another category, it is to be handled as Legitimately Held Data. This is the default classification.

Classification: PUBLIC

Description:

Information available to the general public and approved for distribution outside of the organisation or public use.


3.2 Security requirements

3.2.1 Identification of the requirements related to the type of cloud deployment model and service delivery

The following table defines the type of Cloud Deployment Model (ref. 3.1.2) and Service Delivery Model (ref. 3.1.3) authorised for each type of classification (ref 3.1.5) in Cork City Council:

Colour legend:

If the data classification / Deployment or Service Delivery models are not authorised as described in the matrix above, a detailed security assessment must be performed.

In addition to this, all the security and contractual requirements defined in this document (3.2 “Security requirements”) must be implemented in all cloud deployments.

3.2.2 Approval to use Cork City Council data or information in cloud

When Cork City Council data or information is proposed to be hosted with a Cloud provider, appropriate written sign-off must be received from the data or information owner / controller. This should be retained for audit purposes.


3.2.3 Certification and audit

All security certified private sector community or hybrid cloud providers as described in the table in section 3.2.1 “Identification of the requirements related to the type of cloud deployment model and service delivery” should hold one or more of the following certifications:

- SkyHigh Enterprise Ready
- ISO 27001
- SSAE 16 SOC2 type 2

Other security certifications should be assessed specifically. While SOC 1 (SSAE 16) compliance is generally tailored for service organizations who have a requirement for Internal Control over Financial Reporting, SOC 2 compliance is designed for the growing number of technology and cloud computing entities that are becoming very common in the world of service organizations. Therefore, SOC 1 should not be considered relevant for Cloud Computing.

Also, the Cloud Provider should be certified / provide reasonable assurance for any other compliance requirements (e.g.: PCI-DSS if the Cloud Provider should host any Credit Card information, etc.).

All non-certified private sector community, hybrid and public cloud providers must evidence and provide the results of regular vulnerability and penetration testing audits.

3.2.4 Cloud Risk Management – Due Diligence

When a cloud provider/service is proposed to host data in contradiction to Cork City Council data classification policy and the table defined in 3.2.1 “Identification of the requirements related to the type of cloud deployment model and service delivery”, approval defined in 3.2.2 “Approval to use Cork City Council data or information in cloud” must be obtained and a detailed security assessment must be performed. This can be done by following the checklist “Security evaluation of Cloud providers”.

Reading the Cloud Provider marketing materials or relying on their claims of secure operations must not be considered Due Diligence. There must be sufficient assurance that the Cloud Provider is currently achieving all the security requirements as defined in a contract.

3.2.5 Security requirements for all cloud services

All Cloud Services must comply with all existing Policies. This would notably include:

- Form 002 Cork City Council Information Sharing Agreement,
- Information Security - Operations Manual,
- Information Security - Staff Manual.

3.2.6 Contractual agreements

For many cloud deployments, a major element of governance will be the agreement between provider and customer.

Cork City Council has to ensure that its cloud hosted applications and data will be secured in accordance with its security and compliance policies. This is performed by verifying that the contract between Cork City Council and the Cloud provider contains all the requirements. It is vital for Cork City Council to understand all the terms related to security and to ensure that those terms meet all the requirements. If a suitable contract and SLA are not available, then it is inadvisable to proceed with the use of cloud services.


3.2.6.1 Non-disclosure agreement / confidentiality agreement

A Non-Disclosure Agreement / Confidentiality clause must be defined, covering the contracting process as well as external supplier staff.

3.2.6.2 Location of data

The location of data must be clearly defined within the contract. Furthermore, if the service will be hosting personal data (covered by the Data Protection Acts 1988 and 2003), the countries hosting data or where personal data will be transferred (including the backup and disaster recovery) must be within the following list of approved countries (as of February 2015 and described in https://www.dataprotection.ie/docs/Transfers-Abroad/37.htm):

- EU country,

- Switzerland,

- Guernsey,

- Argentina,

- Isle of Man,

- Faroe Islands,

- Jersey,

- Andorra,

- Israel,

- New Zealand,

- Uruguay,

- USA, if the company is a member of the EU-US Safe Harbour arrangement (see http://safeharbor.export.gov/list.aspx for list of companies).

3.2.6.3 Jurisdiction

In order to prevent any issue related to the applicability of the clauses, jurisdiction over contract terms and data must not be divided, and it should be clearly defined that Irish Laws solely are applicable.

3.2.6.4 Data ownership

The service contract must establish that Cork City Council retains exclusive ownership over all its data and that the Third Party acquires no rights or licenses through the agreement, including intellectual property rights or licenses, to use Cork City Council data for its own or any partner purposes.

3.2.6.5 Creation of derivative works

The contract must clearly define that Cork City Council data must not be analysed anonymously, used or shared by the third party.

3.2.6.6 Compliance with laws and regulations

The contract must state that the Third Party must adhere to the legislation in force at the time. Particular attention must be paid to:

- Copyright and Related Rights Acts 2000, 2004 and 2007;

- Data Protection Acts 1988 and 2003;

- Freedom of Information Act 1997 and 2003;

- Contract Law;

- EU Public Procurement Directives;

- The Child Trafficking and Pornography Acts 1998 and 2004;


- Defamation Act 2009;

- Prohibition of Incitement to Hatred Act 1989.

3.2.6.7 Service level agreements (SLA) and security metrics

The SLA should be negotiated up front to ensure that there is no conflict of interest. The performance targets (e.g. service availability, problem resolution, security, etc.) and mechanisms for compensating Cork City Council if the SLA targets are not met must be defined in the contract.

SLA guarantees should be defined, objective and measurable with an appropriate scaled penalty matrix which complements the impact of non-performance by the provider. There should be a process defined with the Cloud Provider in case of breach of SLA guarantees (e.g. availability of 99.999%):

- Escalation procedures,
- How penalties are administered,
- Remedy circumstances and mechanisms.

Metrics for measuring performance and effectiveness of information security management should be established prior to moving into the cloud. Best security practices usually include these security metrics:

- Vulnerability coverage (percentage of the organization’s systems under management that were checked for vulnerabilities during vulnerability scanning and identification processes),
- Number of vulnerabilities identified,
- Patch level of all assets involved in the service delivery,
- Number of security incidents and their severity,
- Anti-Malware coverage and status,
- Resolution times for incidents,
- Guaranteed uptime.

Refer to the following resources for specific information on security metrics: NIST Special Publication (SP) 800-55 Rev. 1, Performance Measurement Guide for Information Security [1], and CIS Consensus Security Metrics v1.1.0 [2].

3.2.6.8 Right to audit

Cork City Council should have the 'right to audit' regularly and / or on demand if the Third Party is not certified by an independent party (e.g. ISO 27001, SSAE 16 SOC2 type 2, SkyHigh Enterprise Ready or any other relevant external standard). SOC1 reports should not be considered relevant for Cloud Computing at the present time.

3.2.6.9 Ending of contract

The contract must define the process for the termination of the contract or for declaration of bankruptcy by the Third Party. This notably includes:

- The notice the Third Party has to give to Cork City Council,

- The notice Cork City Council must give to terminate the service,

- Data destruction, escrow, asset return and survival of obligation (e.g. data retention) (if applicable) must be defined in the contract,

- A certificate of return and / or destruction of all assets/data must be provided to Cork City Council,

- A nominated contact responsible for handling the contract termination must be defined within the contract and notified to Cork City Council in case of change.

[1] See http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf

[2] See http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.metrics.110

3.2.6.10 Other clauses

The other matters to be included in the contract are:

- Intellectual property rights;

- Freedom of information obligations;

- Law enforcement and loss of control;

- Licensing;

- Confidentiality of data;

- Monitoring by the cloud provider;

- Data retention schedules;

- Subcontracting;

- Acceptable use policy;

- Warranties;

- Indemnities;

- Exclusions and limitations of liability;

- Change of service by the cloud provider.

3.2.7 Specific requirements to Cloud Computing

3.2.7.1 Identity management

Prior to access to cloud applications, the user must be authenticated. An identity management framework must be integrated into Cloud-based applications to ensure continuity of user identity management in the cloud:

- The Cloud Provider should support Single Sign-On mechanisms. Users should be able to access all cloud services without further authentication,
- Strong authentication using two-factor authentication must be used to access infrastructure hosted with Cloud Providers.

3.2.7.2 Encryption

Encryption is required for sensitive and sensitive-enhanced data, both at rest and in transit, to meet security requirements. Encryption keys must be changed on an agreed schedule. Encryption mechanisms and key lengths must follow current best practices.

3.2.7.3 Log management / Security Audit Information

Security audit data must be maintained for every aspect of the cloud service and defined in the contract. High-level summaries of security audit information must provide enough information for the following:

- The Third Party must perform quarterly vulnerability scans, with the results and the related action plan available on request,
- The Third Party must continually monitor systems to detect and remediate attacks (including denial-of-service, malware, and other attempts to breach systems),
- The Third Party must segregate log data applicable for each client and provide it to each respective client for analysis without exposing log data from other clients,
- For PaaS and SaaS cloud deployment models, the Third Party must perform yearly penetration testing, with the results and the related action plan available on request,
- The Third Party must have the ability to maintain an accurate and complete audit trail. This may require logs from all levels of the infrastructure.

3.2.7.4 e-Discovery

a) Background

Identification, preservation, collection, processing, review and production of Electronically Stored Information (ESI) are the different stages of Electronic discovery (e-Discovery). ESI includes any data objects stored on a computer system or storage media, but also any associated metadata, such as dates of object creation or modification.

b) Requirements

The Cloud provider must have implemented capabilities and processes for e-Discovery. This notably includes the availability of e-Discovery related tools, the form in which data is maintained and the supporting process, for example, to place legal hold on one area. The e-Discovery capabilities and processes of the Cloud provider must not compromise the privacy or security of the data and applications while satisfying the discovery obligations of other cloud consumers, and vice versa.

3.2.7.5 Business continuity

An adequate backup and recovery plan must be implemented to ensure that data is available and can be retrieved in a timely manner to meet business requirements. A business continuity and disaster recovery plan must be implemented for high-availability requirements.

3.2.7.6 Archiving

Cork City Council must retrieve on a regular basis all information stored within the Cloud Provider. This is done for archiving purposes as well as to ensure that almost all information is still accessible in case of an incident (e.g.: dispute with Cloud Provider, Disaster Recovery, etc.). Especially for SaaS, the Cloud Provider should have a process to retrieve all stored information.

3.2.7.7 Incident management

An incident management process must be defined with the Cloud Provider and include recovery time objectives. The procedure for handling incidents must include the following elements:

- Notification
- Identification of costs and responsibilities
- Responsibility for containing or mitigating the incident

3.2.7.8 Data centre security

The Cloud Provider must have implemented, and must evidence implementation of, the following elements:

- Physical Data Centre Architecture and Physical Security Controls,
- Redundant Power Supplies Entering and throughout the Data Centre,
- Generator Backup and UPS Capabilities from the Data Centre to the Solution,
- Procedures for testing of generator backup, frequency etc.,
- Air Cooling Systems, Capacity and Redundancy in case of failure,
- Physical Layout of the Data Centre Hosting Room including Ceiling Pipes etc.,
- Early Moisture Detection and Alerting Systems,
- ISP Network Architecture and Redundancy (if applicable),
- ISP Transit Providers, and BGP Setup (if applicable),
- MPLS/WAN providers and redundancy (if applicable),
- Demarcation Point from Data Centre to Vendor Solution and Redundancy.