| 1.2.4 | ID.GV-4: Does the cloud provider update the SME on any change pertaining to risk management processes? | LOW | · COBIT 5 DSS04.02 · ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, · 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3 · NIST SP 800-53 Rev. 4 PM-9, PM-11 | Cloud Provider need to confirm | Sub Metric | Met1.2.4 |
| 1.3 | Risk Assessment (1.3): The SME understands the cyber security risk to their operations including their operations, image and reputation, assets, and staff. |
|
|
| Metric | Met1.3 |
| 1.3.1 | ID.RA-1: Does the SME update and patch their operating systems and carry out vulnerability scans on their systems regularly? |
| · COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04 | SME Administrators need to comply | Sub Metric | Met1.3.1 |
|
|
| MEDIUM | · ISO/IEC 27001:2013 A.12.6.1, A.18.2.3 · NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 |
|
|
|
| 1.3.2 | ID.RA-3: Does the SME perform a continuous risk assessment process to identify, evaluate and mitigate risks across their company? | LOW | · COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04 · ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 · NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16 | SME Administrators need to comply | Sub Metric | Met1.3.2 |
| 1.3.3 | ID.RA-4: Does the SME identify potential business impacts and likelihoods related to the cloud? | LOW | · COBIT 5 DSS04.02 · ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 · NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14 | SME Owner/Admin/Users need to get trained | Sub Metric | Met1.3.3 |
| 1.3.4 | ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts in cloud computing are understood well by the SME? |
LOW | · COBIT 5 APO12.02 · ISO/IEC 27001:2013 A.12.6.1 · NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16 | SME Owner/Admin/Users need to get trained | Sub Metric | Met1.3.4 |
| 1.3.5 | ID.RA-6: Are cloud Risk responses identified and prioritised? |
| · COBIT 5 APO12.05, APO13.02 | SME Owner/Admin/Users need to get trained | Sub Metric | Met1.3.5 |
|
|
| LOW | · NIST SP 800-53 Rev. 4 PM-4, PM-9 |
|
|
|
| 2 | PROTECT DATA IN THE CLOUD |
|
|
| Group Metric | Met1 |
| 2.1 | Access Control (2.1): Access to IT and related equipment, facilities and systems is limited to only authorised personnel and devices and to carry out only authorised actions and transactions. |
|
|
| Metric | Met2.1 |
| 2.1.1 | PR.AC-1: Does the SMEs user credentials for the cloud issued, managed, verified, revoked, and audited for authorised devices, users and processes only? |
| · COBIT 5 DSS05.04, DSS06.03 · ISA 62443-2-1:2009 4.3.3.5.1 · NIST SP 800-53 Rev. 4 AC-2, IA Family | SME Administrator/ Implement authentication technologies | Sub Metric | Met2.1.1 |
|
|
| HIGH |
|
|
|
|
| 2.1.2 | PR.AC-2: Are physical assets protected and access to assets in the SMEs premises managed? |
| · COBIT 5 DSS01.04, DSS05.05 · ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8 | SME Owners/Users. Implement physical controls. | Sub Metric | Met2.1.2 |