Data Security

  • Understand what data the CSC has in the cloud and where the data resides, and validate the methods used to protect the data at rest and in transit (also referred to as “data in-flight” or “in motion”).

    • Ask whether the CSC has obtained evidence from its CSP that data is not stored or processed outside the agreed locations. Is this part of the contractual obligation?

    • Determine what’s in scope regarding regions and legislation. What CSP regions are being used? What regional/global legislation should be considered?

  • Understand and verify the CSC’s approach to data protection:

    • What data policies, data communication standards, and procedures apply in the cloud? How are they enforced?

    • Data sanitization process, data transmission footprint, and sovereignty rules

    • System and information integrity policy and procedure

    • Flaw remediation, malicious code protection, information system monitoring

    • Security alerts, advisories, and directives; security function verification

    • Software, firmware, and information integrity; information input validation

    • Memory protection; review regional considerations

    • Multi-region backups, fault-tolerant zones, failover zones

  • Understand whether the CSC is using the CSP’s native encryption mechanisms or building its own on top of the CSP’s services.

    • Ensure appropriate encryption controls are in place to protect confidential (or highly sensitive) information in transit and at rest while using CSP services.

    • How is data shared in the cloud? Is a cloud access security broker (CASB) used?

  • Assess whether the CSP services are compliant with the framework being assessed. If they are not, is this documented in the CSC’s risk management documentation? Does the CSC have additional controls in place covering the service, thereby making it compliant?

  • Review the methods used to connect to the CSP console.

  • Review management API, storage, and databases for enforcement of encryption.

  • Review internal policies and procedures for key management, including CSP services and compute instances.

  • Review the controls the CSC has in place to manage shadow IT (hardware, software, and applications being used without the knowledge of virtual firewalls).

  • Review the procedure for performing a specialized wipe of a volume before it is deleted, to confirm it complies with established requirements and ensures CSC data is actually destroyed.
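The residency, encryption and backup items above, expressed as an added audit check (example code, not part of the original checklist): it evaluates a constructed resource inventory against an allowed-region set, encryption at rest with customer-managed keys for confidential data, TLS enforcement on data stores and management APIs, and the presence of a cross-region backup. The region names, field names and inventory are assumptions.

```python
# Added example: audit a constructed cloud inventory against the checklist items.
# Field names, regions and resource names are assumptions, not any CSP's API.
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    kind: str                       # "bucket", "volume", "database" or "api"
    region: str
    encrypted_at_rest: bool = False
    key_source: str = "none"        # "csp-managed", "customer-managed", "none"
    tls_required: bool = False
    classification: str = "internal"   # "public", "internal", "confidential"
    backup_regions: list = field(default_factory=list)


POLICY = {
    "allowed_regions": {"eu-west-1", "eu-central-1"},  # sovereignty scope
    "confidential_requires_cmk": True,                 # customer-managed keys
}


def audit(resources, policy=POLICY):
    """Return (resource, finding, detail) tuples for every control failure."""
    findings = []
    allowed = policy["allowed_regions"]
    for r in resources:
        # Data residency: the primary copy and every backup copy stay in scope.
        for loc in [r.region, *r.backup_regions]:
            if loc not in allowed:
                findings.append((r.name, "OUT_OF_REGION", loc))
        if r.kind in ("bucket", "volume", "database"):
            # Encryption at rest, and key ownership for confidential data.
            if not r.encrypted_at_rest:
                findings.append((r.name, "NO_ENCRYPTION_AT_REST", r.kind))
            elif (r.classification == "confidential"
                  and policy["confidential_requires_cmk"]
                  and r.key_source != "customer-managed"):
                findings.append((r.name, "CSP_MANAGED_KEY_FOR_CONFIDENTIAL", r.key_source))
            # Multi-region backups: at least one copy outside the home region.
            if not any(b != r.region for b in r.backup_regions):
                findings.append((r.name, "NO_CROSS_REGION_BACKUP", r.region))
        # Encryption in transit applies to data stores and management APIs alike.
        if not r.tls_required:
            findings.append((r.name, "TLS_NOT_ENFORCED", r.kind))
    return findings


INVENTORY = [  # constructed sample inventory
    Resource("customer-pii", "bucket", "eu-west-1", True, "customer-managed", True, "confidential", ["eu-central-1"]),
    Resource("analytics-db", "database", "eu-west-1", True, "csp-managed", True, "confidential", ["us-east-1"]),
    Resource("scratch-vol", "volume", "eu-central-1", False, "none", True, "internal", []),
    Resource("mgmt-api", "api", "eu-west-1", tls_required=False),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding)
```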
