The level of visibility and control of security incidents is likely to vary considerably across the cloud service models. The service provider is typically responsible for all incident management activities involving a SaaS solution, however, when an incident relates to a system located on an IaaS solution the customer is usually responsible for the incident management activities related to the platform, application and data and the service provider is only responsible for the activities directly related to the infrastructure components they manage. Similarly, the cloud deployment model (i.e. public, private, community or hybrid) adopted by the agency could significantly affect its visibility and control over the incident management activities. For example, customers of public cloud services normally have less visibility and control over incident management activities than those that have implemented a private cloud.
It is not reasonable to expect service providers to implement a separate incident response and management plan for each of their customers, therefore agencies need to gain an appropriate level of assurance that a service provider is capable of effectively and efficiently responding to an information security incident, as even the most meticulously planned, implemented and managed preventative controls can fail to stop a risk from eventuating. As a result, agencies need to review the service provider’s Terms of Service and SLA to identify what, if any, support they provide to their customers during an information security incident.
Regardless of the service or deployment model, the use of cloud services does not preclude the need for an agency to have its own incident response and management process and plans. In fact, these plans are essential as they define how the agency will handle the tasks it is responsible for including roles and responsibilities, key contacts, incident definitions and notification criteria, escalation channels, evidence collection and preservation and post incident activities.
- Does the service provider have a formal incident response and management process and plans that clearly define how they detect and respond to information security incidents? If yes, will they provide the agency with a copy of their process and plans to enable it to determine if they are sufficient?
- Does the service provider test and refine its incident response and management process and plans on a regular basis?
- Does the service provider engage its customers when testing its incident response and management processes and plans?
- Does the service provider provide its staff with appropriate training on incident response and management processes and plans to ensure that they respond to incidents in an effective and efficient manner?
- Does the service provider’s Terms of Service or SLA clearly define the support they will provide to the agency should an information security incident arise? For example, does the service provider:
- Notify customers when an incident that may affect the security of their information or interconnected systems is detected or reported?
- Specify a point of contact and channel for customers to report suspected information security incidents?
- Define the roles and responsibilities of each party during an information security incident?
- Provide customers with access to evidence (e.g. time stamped audit logs and/or forensic snapshots of virtual machines etc.) to enable them to perform their own investigation of the incident?
- Provide sufficient information to enable the agency to cooperate effectively with
- an investigation by a regulatory body, such as the Privacy Commissioner or the Payment Card Industry Security Standards Council (PCI SSC)?
- Define which party is responsible for the recovery of data and services after an information security incident has occurred?
- Share post incident reports with affected customers to enable them to understand the cause of the incident and make an informed decision about whether to continue using the cloud service?
- Specify in the contract limits and provisions for insurance, liability and indemnity for information security incidents? (Note: it is recommended that agencies carefully review liability and indemnity clauses for exclusions.)
Cloud Computing — Information Security and Privacy Considerations (April 2014)