| 2.3 | Data Security (2.3): Information and records (data) are managed consistent with the organisation’s risk strategy to protect the confidentiality, integrity, and availability of information. |
|
|
| Metric | Met2.3 |
| 2.3.1 | PR.DS-1: Is the Data protected while at rest in the cloud? | HIGH | · CCS CSC 17 · COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06 · ISA 62443-3-3:2013 SR 3.4, SR 4.1 · ISO/IEC 27001:2013 A.8.2.3 · NIST SP 800-53 Rev. 4 SC-28 | Cloud Provider/Use of Encryption | Sub Metric | Met2.3.1 |
| 2.3.2 | PR.DS-2: Is the Data protected while in transit (upload/download from the cloud)? | HIGH | · ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2 · CCS CSC 17 · ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3 | Cloud Provider/Use of TLS | Sub Metric | Met2.3.2 |
| 2.3.4 | PR.DS-4: Does the SME have Adequate bandwidth capacity to ensure availability is maintained for data in the cloud? | HIGH | · COBIT 5 APO13.01 · ISA 62443-3-3:2013 SR 7.1, SR 7.2 · ISO/IEC 27001:2013 A.12.3.1 | Administrators/Use of secondary link | Sub Metric | Met2.3.4 |
| 2.3.5 | PR.DS-5: Does the cloud provider have approved firewall rule sets and access control lists between network fabrics to restrict the flow of information to specific information system services and counter for multi-tenancy? | MEDIUM | · ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, · A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3 · NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4 | Cloud Provider | Sub Metric | Met2.3.5 |
| 2.3.6 | PR.DS-6: Does the SME or cloud provider employ integrity verification tools to monitor and detect unauthorised changes to organisation’s software and information? | LOW | · ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8 · ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3 · NIST SP 800-53 Rev. 4 SI-7 | Cloud Provider, use of monitoring tools | Sub Metric | Met2.3.6 |
| 2.4 | Information Protection Processes and Procedures (2.4): Security policies addressing roles, responsibilities, and scope, processes, and procedures are maintained and used to manage protection of information systems and assets. |
|
|
| Metric | Met2.4 |
| 2.4.1 | PR.IP-1: Does the SME create and maintain configuration of IT control systems for the cloud as well as internal systems? | HIGH | · COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05 · ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 · ISA 62443-3-3:2013 SR 7.6 · ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 · CCS CSC 3, 10 | Cloud Provider | Sub Metric | Met2.4.1 |
| 2.4.2 | PR.IP-2: Does the SME have a System Development Life Cycle to manage cloud and internal systems implemented? | MEDIUM | · COBIT 5 APO13.01 · ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5 · NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8 | SME users | Sub Metric | Met2.4.2 |