| Level | DESCRIPTION | Priority | Validation References | Classification | Type | Metric |
| 1 | IDENTIFY RISKS IN CLOUD |
|
|
| Group Metric | Met1 |
| 1.1 | Asset Administration (1.1): The information, employees, equipment, structures, and services that allow the SME to achieve business processes are identified and managed consistent with their relative importance to business objectives and the SME’s risk strategy. |
|
|
| Metric | Met1.1 |
| 1.1.1 | ID.AM-1: Are all physical IT equipment (computers, laptops, BYOD) within the SME inventoried? | HIGH | · COBIT 5 BAI09.01, BAI09.02 · ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 · NIST SP 800-53 Rev. 4CM-8 | SME Administrators need to comply | Sub Metric | Met1.1.1 |
| 1.1.2 | ID.AM-2: Are all system and application software within the SME inventoried? | HIGH | · COBIT 5 BAI09.01, BAI09.02, BAI09.05 · ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 · NIST SP 800-53 Rev. 4CM-8 | SME Administrators need to comply | Sub Metric | Met1.1.2 |
| 1.1.3 | ID.AM-3: Cloud Providers allow the SME to determine where their content will be stored, how it will be secured in transit or at rest, and managed? | LOW | · COBIT 5DSS05.02 · ISA 62443-2-1:20094.2.3.4 · ISO/IEC 27001:2013A.13.2.1 · NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8 | Cloud providers need to provide information | Sub Metric | Met1.1.3 |
| 1.1.4 | ID.AM-4: Does the SME ensure that providers of external information system services comply with the SME’s information security requirements like applicable laws, directives, policies, regulations, standards, and guidance? | HIGH | · COBIT 5APO02.02 · ISO/IEC 27001:2013A.11.2.6 · NIST SP 800-53 Rev. 4 AC-20, SA-9 | SME Administrators need to comply | Sub Metric | Met1.1.4 |
1.1.5 | ID.AM-5: Does the cloud provider specify what sort of resilience to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)? | MEDIUM | · ISO/IEC 27001:2013A.8.2.1 · NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14 · COBIT 5 APO03.03, · APO03.04, BAI09.02 | Cloud providers need to provide information | Sub Metric | Met1.1.5 |
| 1.2 | Governance (1.2): The guidelines, policies and methods to manage and monitor the SME’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the SME owner(s) of cyber security risk. |
|
|
| Metric | Met1.2 |
| 1.2.1 |
|
| · COBIT 5 APO01.03, EDM01.01, EDM01.02 |
|
| Met1.2.1 |
|
| ID.GV-1: Has the cloud provider established and communicated a well-informed security policy in relation to the data stored on the cloud? | MEDIUM | · ISA 62443-2-1:2009 4.3.2.6 · ISO/IEC 27001:2013 A.5.1.1 · NIST SP 800-53 Rev. 4 -1 controls | Cloud providers need to provide information | Sub Metric |
|
| 1.2.2 |
ID.GV-2: Are the staff trained regularly on Information security roles & responsibilities including third party providers? | MEDIUM | · COBIT 5 APO13.12 · ISA 62443-2-1:2009 4.3.2.3.3 · ISO/IEC 27001:2013 A.6.1.1, A.7.2.1 · NIST SP 800-53 Rev. 4 PM-1, PS-7 | SME Owner/Admin/Users need to be regularly trained | Sub Metric | Met1.2.2 |
| 1.2.3 | ID.GV-3: Are legal and regulatory requirements regarding cloud security understood and managed by the SME and explained well by the cloud provider? | HIGH | · COBIT 5 MEA03.01, MEA03.04 · ISO/IEC 27001:2013 A.18.1 · ISA 62443-2-1:2009 4.4.3.7 | SME Owner/Admin/ Users | Sub Metric | Met1.2.3 |