ISSP-017b - Addendum for Cloud Computing Providers

ISSP-017 Addendum for Cloud Computing Providers 1
Information Technology
This ISSP-017 Addendum for Cloud Computing Providers serves as a
questionnaire to ensure that any Institutional Data placed with cloud computing providers is protected
and maintained in accordance with all applicable USF System requirements. This addendum is to be
filled out when USF Institutional Data will be stored in Cloud Services.
When is this form completed?
This form is to be completed and approved by IT Security and the Data Owner prior to entering into any
agreement that will involve Institutional Data being processed, stored, or transmitted on or through
systems that are not fully hosted and/or managed at USF System facilities by USF System personnel.
This includes any proposed agreement with external third-parties to provide the USF System with
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS)
utilizing private cloud, community cloud, public cloud, and/or hybrid cloud.
Per USF System Policy 0-507, Institutional Data is defined as all data elements created, maintained,
received, or transmitted as a result of business, educational or research activities of a USF system unit.
Who should complete this questionnaire?
The Data/Application Owner should complete this form, collaborating as necessary with the cloud
computing provider as well as IT project managers, technical leads, business analysts, Purchasing,
General Counsel, and department representatives planning to purchase the software.
Upon completion, submit this form for review and approval to Alex Campoe
Form Version: 20150716
About the Vendor
These questions are to be answered by the USF data or application owners
Is this a commonly known and recognized cloud
computing provider with an overall positive
industry reputation?
Does the cloud computing provider’s website
give you confidence with up-to-date, useful
information and links to articles and reviews?
Does the cloud computing provider’s website
have support or customer forums?
Are the support or customer forums active and
generally positive?
What are the applicable USF System data
retention policies for this data?
Can this cloud service provider adhere to the
applicable USF System data retention policies
listed above?
Can the cloud service provider secure and
provide Institutional Data timely as may be
necessary for the USF System to comply with
public records requests, subpoenas, etc.?
If answers to any of the above are not satisfactory, consider if the proposed cloud computing
provider should be deemed unsuitable.
<move all above to first form>
This section is required only if the data is considered restricted, essential, or required. If the data
stored with the cloud provider fits in this classification, obtain and review the provider’s SOC 2. If a
SOC 2 is not available, or if not adequately addressed within the SOC 2 scope, proceed with the analysis
Answer the following if the data is considered restricted
What are the specific compliance requirements
(e.g., FERPA, PCI, etc.) that will apply, and can the
cloud computing provider demonstrate ongoing
adherence to these requirements?
How does the cloud computing provider ensure
adequate PII protection?
How is data protected while in motion and at
rest, and what are the encryption levels?
If the same servers are used to store data from
multiple customers, how will the provider ensure
that other customers cannot see our data, and
that we will not see theirs?
Are there mandatory background checks for
employees of the cloud computing provider?
What measures does the provider have in place
to protect against insider threat?
Is there a clear incident response notification
Have there been any security breaches at the
cloud computing provider?
If one occurs, will the University be notified, even
if the breach only affected other customers?
Is it guaranteed in writing that the cloud
computing provider has no ownership in anything
USF stores on its servers, and that they cannot
resell USF data, even in the aggregate?
Will the cloud computing provider distribute its
load and USF data across the world in multiple
data centers, and if so, might the data be stored
on servers in a country with less stringent privacy
protection rules?
How is data deletion accomplished?
If the University terminates its contract with the
cloud computing provider, can the provider
certify that all copies of USF data, including on
backups, are destroyed?
Does the application have password controls in
place that meet minimum University standards,
and if not will the application support USF Single
Does the cloud vendor undergo regular IT
security audits or reviews (internal or external)?
Has the cloud provider obtained industry specific
Does the cloud provider regularly undergo
periodic vulnerability and/or penetration testing?
Have the cloud computing provider explain
physical security at least at a high level of detail.
Have the cloud computing provider explain
system administration responsibilities and
practices for application/databases/operating
systems and networks including updates, virus
protection, firewalls, and network monitoring at
least at a high level of detail.
How many of the cloud computing provider’s
personnel will have access to USF System data?
In what roles, and for what business purposes?
Answer the following if the data is considered essential or required data
Will the cloud computing provider provide the
University with SLAs consistent with these
Is there scheduled down time for maintenance?
What is the level of client support? Can someone
on the USF staff pick up the phone and call a
technical rep after hours?
What is their disaster recovery plan?
Does the cloud computing provider provide
redundant sites?
Have the cloud provider explain application
controls (e.g., input controls, completeness and
validity checks, etc.) in place to ensure the
integrity of processed data at least at a high level
of detail.
Have the cloud provider explain change
management procedures designed to ensure
changes meet business requirements and are
If the University terminates its contract with the
cloud computing provider, will Institutional Data
be returned or otherwise available to the USF
System in accessible/usable form?
Overall conclusion/recommendation (proceed/do not proceed)
Basis for “proceed” recommendation, if the response to any of the above items was not satisfactory
(added controls, assuming risk, etc.)
Data Owner Approval Signature
IT Security Approval Signature