OPS-11 Logging and Monitoring - Policies and Procedures for Handling Cloud Service Derived Data and Account Data

1. Overview


OPS-11.01B
Policies and procedures for the secure handling of cloud service derived data and account data are documented, communicated and provided according to SP-01 with regard to at least the following aspects:

1. Cloud service derived data and account data is collected and used solely to administer and operate the cloud service, including purposes related to the implementation of security controls;
2. No commercial use beyond the aforementioned purpose of administering and operating the cloud service;
3. Storage for a fixed period reasonably related to the purposes of the collection;
4. The confidentiality and integrity of the logs are protected through appropriate security controls;
5. As far as technically possible, anonymised cloud service derived data is used only in a way that allows no conclusions to be drawn about the usage behaviour of individual users of the cloud service customer;
6. Cloud service derived data that has been fully anonymised and cannot be traced back to individual cloud service customers may be further processed and retained, provided no contractual or legal restrictions exist; otherwise it is deleted immediately once the purposes of the collection are fulfilled and further storage is no longer necessary; and
7. Provision to cloud service customers according to contractual agreements.

The collection and use of cloud service derived data and account data for the administration and operation of the cloud service also includes the analysis of the aforementioned data for the purpose of improving the provided cloud service, unless this improvement only serves the economic interests of the cloud service provider.

If the cloud service provider acts as a cloud service broker, the policies and procedures should give special consideration to the complexities of handling cloud service derived data and account data as part of this role.

OPS-11.02B
The cloud service provider specifies in the contractual agreements with cloud service customers all purposes for which cloud service derived data are collected and used, except for those purposes that are inherent to the general operation of all cloud services.

Purposes that are inherent to the general operation of many cloud services are:

1. Capacity planning and resource management;
2. Security monitoring and incident response;
3. Compliance with regulatory requirements; and
4. Service performance and reliability.

OPS-11.01AC
Personal data is automatically removed from the log data before the cloud service provider processes it, as far as technically possible. The removal is done in a way that allows the cloud service provider to continue to use the log data for the purpose for which it was collected.

OPS-11.02AC
Cloud service derived data, particularly log data, is included in regulatory compliance assessments.

OPS-11 Supplementary Information - Complementary Customer Criteria
Cloud service customers ensure with suitable controls that their contracts with the cloud service provider clearly outline the permissible uses of cloud service derived data. Cloud service customers verify that such data processing complies with contractual or legal restrictions and understand that the provider is obligated to delete data when it is no longer necessary for its initial purposes, unless agreed otherwise.
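One way to implement the automatic removal required by OPS-11.01AC so that the log stays usable for security monitoring (an inherent purpose under OPS-11.02B) and no conclusions about individual users can be drawn from it (OPS-11.01B, aspect 5): personal-data fields are replaced by keyed, truncated HMAC tokens before the lines are processed. This is an added example, not code from the catalogue or from any provider; the log format, field names, key and sample lines are all constructed.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample lines (not from the page): an authentication log as the
# provider collects it, before any processing.
RAW_LOGS = [
    "2024-05-01T10:00:01Z client=203.0.113.7 user=alice@example.com action=login result=fail",
    "2024-05-01T10:00:05Z client=203.0.113.7 user=alice@example.com action=login result=fail",
    "2024-05-01T10:00:09Z client=203.0.113.7 user=alice@example.com action=login result=ok",
    "2024-05-01T10:01:00Z client=198.51.100.9 user=bob@example.com action=login result=ok",
]

# Fields carrying personal data; every other field is kept verbatim so the
# record stays usable for the purpose it was collected for.
PERSONAL_FIELDS = ("client", "user")
_FIELD_RE = re.compile(r"\b(%s)=(\S+)" % "|".join(map(re.escape, PERSONAL_FIELDS)))

# Hypothetical key: generated per retention period and held outside the log
# store; destroying it at the end of the period makes the tokens irreversible.
DEMO_KEY = b"constructed-demo-key-rotate-per-retention-period"


def pseudonymise(field: str, value: str, key: bytes) -> str:
    """Keyed, truncated HMAC-SHA256 over field:value. Same field, value and
    key always give the same token, so events of one client still correlate;
    the field name is mixed in so equal strings in different fields differ."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return "pseud_" + mac[:16]


def scrub_line(line: str, key: bytes = DEMO_KEY) -> str:
    """Replace the value of every personal-data field on one log line."""
    return _FIELD_RE.sub(lambda m: f"{m.group(1)}={pseudonymise(m.group(1), m.group(2), key)}", line)


def scrub_logs(lines, key: bytes = DEMO_KEY):
    """Scrub a batch of lines before they are handed on for processing."""
    return [scrub_line(line, key) for line in lines]


def failed_logins_per_client(lines) -> Counter:
    """Security monitoring on scrubbed lines: repeated failures are still
    counted per (pseudonymous) client, which is all the purpose needs."""
    counts: Counter = Counter()
    for line in lines:
        if "result=fail" in line:
            counts[re.search(r"client=(\S+)", line).group(1)] += 1
    return counts
```

While the key exists, the tokens are pseudonyms rather than anonymised data in the sense of OPS-11.01B aspect 6; only once the key for that retention period has been destroyed can the lines be treated as data that cannot be traced back to individuals.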
