The European Network and Information Security Agency (ENISA) has recently released a new guidance report entitled “Procure Secure: A Guide to Monitoring of Security Service Levels in Cloud Contracts” which should be a valuable reading resource for all information and/or network security and risk management team members.
Marnix Dekker, who co-authored the report, states, “Organizations have started switching from running systems internally to outsourcing and using cloud services. So the skills and focus of IT staff have to change.” This guidance document is full of valuable information to assist that change process.
One of those skills is the procurement and management of service contracts for cloud services. This calls for a better understanding of the security and delivery capabilities of cloud services, together with the indicators and measurement methods used to verify that the deliverables specified as requirements in those agreements are consistently met.
Another example is the need for customers to become more proficient at asking cloud providers about the finer points of availability and vulnerability management, and about the challenges and opportunities these present in cloud provider contracts.
The guide covers several parameters that IT staff members need to stay on top of. Among the most important are incident response, technical compliance, and regulatory- and compliance-driven levels of certification.
As a final point, and as Dekker states in the report, “…you need to be sure that the solution you are buying fits your security requirements.”
Click here to read and download the full ENISA report and add it to your risk mitigation planning library of reading resources.
If applicable, please pass this information along to those network security and risk management team members in your organization.
Photo courtesy of ENISA