The Public Cloud Security Standard (the Standard) establishes security requirements and controls to maintain the confidentiality, integrity, and availability of the Company’s data in the public cloud.
The Public Cloud Security Standard is established to ensure proper and effective use of cloud-based services to protect the Company’s data and assets. The public cloud is a multi-tenant environment and offers limited control over hosted data and services. Lack of sufficient security controls may lead to disclosure of sensitive or confidential data or may adversely impact data integrity or service availability. This may result in legal, regulatory or contractual non-compliance and reputational loss to the Company.
This standard applies to Company information assets that process or store Company information and to all personnel with access to such assets. This includes any systems operating within the Company’s network as well as any third-party hosted services. This standard is limited to Company public cloud infrastructure; controls included in this standard are not applicable to private cloud infrastructure.
A public cloud is one in which the infrastructure and computational resources are made available to the general public as a multitenancy service on shared physical resources, generally accessed over the Internet. It is owned and operated by a cloud provider delivering cloud services to consumers and, by definition, is external to the consumers’ organizations.
A private cloud is one in which the computing environment is operated exclusively for a single organization. It may be managed by the organization or by a third party. It may also be hosted within an organization’s data center or a third-party data center.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3. COMPARISON OF TRADITIONAL MODEL VERSUS CLOUD SERVICE DELIVERY MODELS
4.2 GENERAL CONTROLS
4.3 IDENTITY AND ACCESS MANAGEMENT (IAM) CONTROLS
4.4 IAAS / PAAS CONTROLS
4.5 SAAS CONTROLS
5. ROLES AND RESPONSIBILITIES
7. FINAL CONSIDERATIONS
7.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
7.2 DOCUMENT REVISION
The Identity and Access Management Standard describes the management of individuals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.