CCSK

  • 1.  Template for Cloud Computing Policy

    Posted Jul 10, 2020 12:44:00 PM
    Hi all,

    I would like to draft a general and enterprise-wide valid guideline for dealing with cloud computing. This kind of guideline does not exist yet in our organization, and we strive to have fundamental guidance for cloud computing established in a suitable guideline. We are a big company utilizing cloud computing on a large scale on an IaaS basis, including the full stack of developing web-apps which are later provided as SaaS to our customers. Hybrid Model. Here is some of the envisaged content:

    • Governance topics (due diligence, risk, contract, SLA etc.)
    • Cloud Provider Evaluation Process
    • CP exit strategies
    • Incident Response / BCM
    • Security of Management Plane and RBAC
    • Entitlement Matrix
    • Best Practices for CI/DI
    • Software development lifecycle & DevSecOps
    • Providing of artifacts (logs etc.)
    • Use of immutable workloads
    • Use of SECaaS
    • Use of Federated Identity & MFA

    The policy content should be formulated in a generic way, not describing dedicated techniques or products in the cloud environment.

    On my way to developing this kind of policy, I am asking myself whether meaningful templates are available from other organizations who have already dealt with this topic. At first glance, there seems to be nothing on the internet. However, in the process of finding well-written content, I would kindly like to ask for your help in finding suitable templates from which I can benefit.

    Thanks a lot in advance.
    /Martin

    ------------------------------
    Martin Kerkmann, CISSP, CISA, CISM, CCSK
    IT Security Architect
    Düsseldorf, Germany
    ------------------------------


  • 2.  RE: Template for Cloud Computing Policy

    Posted Jul 22, 2020 03:00:00 PM
    Hello Martin,

    I suggest checking in with the Enterprise Architecture Working Group. @Sean Heide is the CSA research analyst that runs that group and he might have some insight for you on the value that exists here. Does anyone else out there have potential insights for Martin?

    Best,


    ------------------------------
    Anna Schorr
    Administrative Assistant
    CSA
    ------------------------------



  • 3.  RE: Template for Cloud Computing Policy

    Posted Jul 22, 2020 03:10:00 PM
    Hi Martin,

    As Anna said, I believe this topic fits nicely in our EA CCM mapping as well as our new shared responsibility model that will be released within the next month.

    Are you speaking of generating more policy surrounding the different aspects of cloud usage, or a framework for deploying all of them? Let me know if you would like to take a meeting regarding all of these topics.

    Thanks!

    ------------------------------
    Sean Heide
    Research Analyst
    CSA
    ------------------------------



  • 4.  RE: Template for Cloud Computing Policy

    Posted Jul 23, 2020 01:21:00 AM
    Edited by Martin Kerkmann Jul 23, 2020 04:16:25 AM
    Hi Anna, hi Sean,

    Thanks for your advice. I will take a closer look at the Enterprise Architecture Working Group. Surely I will get useful information there.

    Enterprises establish policies for various IT-specific topics like a network security policy, a patch management policy, a cryptography policy and so on. There are multiple templates available for the classic IT topics (e.g. https://www.sans.org/information-security-policy/?msc=main-nav), but you rarely find something comparable for cloud computing.

    I'm talking about a specific template in the form of a Word document which companies might use when they want to govern the usage and installation of cloud computing within their enterprise. This is usually a document of about 10-15 pages describing how an enterprise could deal with different aspects of cloud computing. My idea is to develop such a cloud computing policy to regulate how things should work when it comes to cloud-specific aspects of governance.

    I think I'm going to develop such a template for cloud computing and will provide it here to the community so that others might use it as a template for their cloud computing governance. Will take a while.

    ------------------------------
    Martin Kerkmann, CISSP, CISA, CISM
    IT Security Architect
    Düsseldorf, Germany
    ------------------------------



  • 5.  RE: Template for Cloud Computing Policy

    Posted Jul 23, 2020 07:28:00 AM
    That could be something we could develop from within the group even, so you don't have to take it on by yourself. Much of what could be included in it is something the group would probably be happy to help with. Let me know once you get started. Thanks!

    ------------------------------
    Sean Heide
    Research Analyst
    CSA
    ------------------------------



  • 6.  RE: Template for Cloud Computing Policy

    Posted May 27, 2021 06:03:00 AM
    Did you ever get the policy written? I need the same for my organization.

    ------------------------------
    Carissa Schneider
    Clerk of the Circuit Court & Comptroller, PBC
    ------------------------------



  • 7.  RE: Template for Cloud Computing Policy
    Best Answer

    CSA Instructor
    Posted May 28, 2021 07:28:00 AM
    The CCSK all-in-one guide by Graham Thompson contains two brief examples of cloud policies.

    ------------------------------
    Peter HJ van Eijk
    CCSK & CCAK trainer
    https://www.clubcloudcomputing.com/
    ------------------------------