G3 - Cloud Security Guidelines
Guideline ID | 3
---|---
Guideline status | Reviewed
Guideline description | Information security guideline for cloud solutions
Guideline owner | Information Security Services (ISS)
Guideline contact |
Table of Contents
- Changes
- Purpose
- Applicability
- Risk assessments
- Security standards and frameworks
- Security controls
- Document history
- Reviews
Changes
This document is subject to change and review at least annually.
Purpose
The purpose of this document is to provide information security guidelines for cloud applications and solutions that are hosted externally by a service provider or vendor.
Applicability
This guideline applies to University of Waterloo departments and university businesses that are considering a cloud solution.
Risk assessments
Information risk assessments can help to identify potential information security threats and determine the amount and level of security controls that are required to ensure the confidentiality, integrity and availability of information for cloud solutions.
Information management
When considering cloud solutions it is important to manage information through all aspects of the information lifecycle in accordance with Policy 46 - Information Management.
Security standards and frameworks
Cloud solutions should conform to industry-recognized security standards and security frameworks. While individual business needs will vary, these are some of the most common examples of security standards and frameworks applicable to cloud solutions.
- AICPA SOC
- ISO 27001 - Information security management systems
- ISO 27017 - Information security guidelines for cloud computing
- ISO 27018 - Code of practice for protection of personally identifiable information in public clouds
- NIST Cyber Security Framework
Security controls
The security controls for cloud solutions help to ensure the confidentiality, integrity and availability of information. While individual business needs and requirements will vary, these are some examples of the security control considerations for cloud solutions.
- Information Security Program
- Authentication and Single Sign-On
- Threat and Vulnerability Management
- Encryption and Cryptographic Key Management
- Asset Management
- Availability
- Business Continuity Planning
- Disaster Recovery
Document history
Date | Revision summary
---|---
2018-11-13 | Initial Version
Reviews
Date | Reviewed by
---|---
2018-11-13 | Information Security Services (ISS)