Hi Anna, hi Sean,
Thanks for your advice. I will take a closer look at the Enterprise Architecture Working Group. Surely I will get useful information there.
Enterprises establish policies for various IT-specific topics like a network security policy, a patch management policy, a cryptography policy and so on. There are multiple templates available for the classic IT topics (e.g. https://www.sans.org/information-security-policy/?msc=main-nav), but you rarely find something comparable for cloud computing.
I'm talking about a specific template in the form of a Word document which companies might use when they want to govern the usage and installation of cloud computing within their enterprise. This is usually a document of about 10-15 pages describing how an enterprise could deal with different aspects of cloud computing. My idea is to develop such a cloud computing policy to regulate how things should work when it comes to cloud-specific aspects of governance.
I think I'm going to develop such a template for cloud computing and will provide it here to the community so that others might use it as a template for their cloud computing governance. It will take a while.
------------------------------
Martin Kerkmann, CISSP, CISA, CISM
IT Security Architect
Düsseldorf, Germany
------------------------------
Original Message:
Sent: Jul 22, 2020 03:09:48 PM
From: Sean Heide
Subject: Template for Cloud Computing Policy
Hi Martin,
As Anna said, I believe this topic fits nicely in our EA CCM mapping as well as our new shared responsibility model that will be released within the next month.
Are you speaking of generating more policy surrounding the different aspects of cloud usage, or a framework for deploying all of them? Let me know if you would like to take a meeting regarding all of these topics.
Thanks!
------------------------------
Sean Heide
Research Analyst
CSA
Original Message:
Sent: Jul 10, 2020 12:43:52 PM
From: Martin Kerkmann
Subject: Template for Cloud Computing Policy
Hi all,
I would like to draft a general and enterprise-wide valid guideline for dealing with cloud computing. This kind of guideline does not exist yet in our organization, and we strive to have fundamental guidance for cloud computing established in a suitable guideline. We are a big company utilizing cloud computing on a large scale on an IaaS basis, including the full stack of developing web apps which are later provided as SaaS to our customers. Hybrid model. Here is some of the envisaged content:
• Governance topics (due diligence, risk, contract, SLA etc.)
• Cloud Provider Evaluation Process
• CP exit strategies
• Incident Response / BCM
• Security of Management Plane and RBAC
• Entitlement Matrix
• Best Practices for CI/DI
• Software development lifecycle & DevSecOps
• Provision of artifacts (logs etc.)
• Use of immutable workloads
• Use of SECaaS
• Use of Federated Identity & MFA
The policy content should be formulated in a generic way, not describing specific techniques or products in the cloud environment.
While developing such a policy, I am asking myself whether meaningful templates are available from other organizations that have already dealt with this topic. At first view, there seems to be nothing on the internet. However, in the process of evaluating well-written content, I would kindly like to ask for your help in finding suitable templates that I can benefit from.
Thanks a lot in advance.
/Martin
------------------------------
Martin Kerkmann, CISSP, CISA, CISM, CCSK
IT Security Architect
Düsseldorf, Germany
------------------------------