G3 - Cloud Security Guidelines

Guideline ID: 3
Guideline status: Reviewed
Guideline description: Information security guideline for cloud solutions
Guideline owner: Information Security Services (ISS)
Guideline contact:

Changes

This document is subject to change and review at least annually.

Purpose

The purpose of this document is to provide information security guidelines for cloud applications and solutions that are hosted externally by a service provider or vendor.

Applicability

This guideline applies to University of Waterloo departments and university businesses that are considering a cloud solution.

Risk assessments

Information risk assessments help to identify potential information security threats and to determine the number and strength of security controls required to ensure the confidentiality, integrity and availability of information in cloud solutions.

Information management

When considering cloud solutions, it is important to manage information through all stages of the information lifecycle in accordance with Policy 46 - Information Management.

Security standards and frameworks

Cloud solutions should conform to industry-recognized security standards and frameworks. While individual business needs will vary, these are some of the most common security standards and frameworks applicable to cloud solutions.

  • AICPA SOC
  • ISO 27001 - Information security management systems
  • ISO 27017 - Information security guidelines for cloud computing
  • ISO 27018 - Code of practice for protection of personally identifiable information in public clouds
  • NIST Cyber Security Framework

Security controls

Security controls for cloud solutions help to ensure the confidentiality, integrity and availability of information. While individual business needs and requirements will vary, these are some examples of security control areas to consider when evaluating a cloud solution.

  • Information Security Program
  • Authentication and Single Sign-On
  • Threat and Vulnerability Management
  • Encryption and Cryptographic Key Management
  • Asset Management
  • Availability
  • Business Continuity Planning
  • Disaster Recovery

Document history

Date         Revision summary
2018-11-13   Initial Version

Reviews

Date         Reviewed by
2018-11-13   Information Security Services (ISS)