1. Overview
OPS-30 Separation of Datasets - Policies and Procedures
-
| Designation |
Standard |
|
OPS-30.01B
|
Based on a risk assessment (cf. OIS-07), the cloud service provider established policies and procedures with technical and organisational measures to ensure separation of cloud service customer data between different customers and between customers and the cloud service provider. These policies and procedures are documented, communicated and provided in accordance with SP-01 and contain specifications regarding the client separation based on a documented cloud layer model and include the following:
1. Illustration of which cloud layers are used for the particular cloud service. The used cloud layers should be appropriate to enable client separation;
2. Measures used to separate cloud service customer data along the used cloud layers. Those measures are categorised according to the protection goals of confidentiality, integrity and availability and according to whether they are preventive, detective or reactive measures;
3. Monitoring and compliance with these measures; and
4. Initiation of suitable measures in the event of deviations.
The policies and procedures of this criterion are meant to serve as an umbrella guideline for all cyber security measures against all threats that stem from sharing physical or virtual resources and that lead to a loss of separation of data sets. Ideally, the cloud service provider has already ensured the separation of data sets between different customers and between customers and the cloud service provider via all other policies, procedures and the corresponding measures. The systematic approach of the policies and procedures addressed by this criterion ensures that no aspect of this separation is overlooked. It also provides a good basis to explain the cyber security of the cloud service to the customer in an appealing manner (cf. PSS-01).
Cloud layers in the sense of this criterion can be found in the *CISA Cloud Security Technical Reference Architecture*. The layers provided in version 2.0 of this document include identity, credential and access management, data, networking, applications, runtime, middleware, operating systems, virtualisation, servers, storage and physical security. The cloud service provider may use its own categorisation of cloud layers as appropriate for the provided cloud service.
There are nine combinations for confidentiality, integrity and availability with prevention, detection and reaction. Applying this to every cloud layer may lead to a large number of combinations. However, depending on the cloud service, it can be acceptable that it may not be possible to provide meaningful information in the policy for every possible combination of prevention, detection and reaction as well as confidentiality, integrity and availability. Those cases should be comprehensibly documented in the policies and procedures.
|
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Regulations
Regulations
| Source |
Regulation |
|