| 2.4.3 | PR.IP-3: Does the SME have change control processes in place to track changes in the cloud provider’s functionality? | MEDIUM | · COBIT 5 BAI06.01, BAI01.06 · ISA 62443-3-3:2013 SR 7.6 · ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 · NIST SP 800-53 Rev. 4 CM-3, CM-4 | Cloud Provider to communicate | Sub Metric | Met2.4.3 |
| 2.4.4 | PR.IP-4: Does the cloud provider regularly create, test and validate backups of data stored in the cloud? | HIGH | · COBIT 5 APO13.01 · ISA 62443-2-1:2009 4.3.4.3.9 · ISA 62443-3-3:2013 SR 7.3, SR 7.4 · ISO/IEC 27001:2013 A.12.3.1, A.17.1.2A.17.1.3, A.18.1.3 · NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9 | Cloud Provider/Use of offshore backup | Sub Metric | Met2.4.4 |
| 2.4.6 | PR.IP-6: Is data in the cloud destroyed according to policy and no copies retained without the SMEs knowledge? |
| · COBIT 5 BAI09.03 | Cloud Provider to ensure | Sub Metric | Met2.4.6 |
|
|
| HIGH | · ISA 62443-2-1:2009 4.3.4.4.4 · NIST SP 800-53 Rev. 4 MP-6 |
|
|
|
| 2.4.8 | PR.IP-8: Does the cloud provider share effectiveness of protection technologies with the SME? | LOW | · ISO/IEC 27001:2013 A.16.1.6 · NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4 | Cloud Provider | Sub Metric | Met2.4.8 |
| 2.4.9 | PR.IP-9: Are Incident Response, Business Continuity and disaster/incident recovery plans) in place and managed well by the cloud provider? | MEDIUM | · COBIT 5 DSS04.03 · ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1 · ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2 · NIST SP 800-53 Rev. 4 CP-2, IR-8 | SME Owners | Sub Metric | Met2.4.9 |
| 2.4.10 | PR.IP-10: Are the above-mentioned BC and DR plans tested and validated periodically? |
| · ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11 · ISA 62443-3-3:2013 SR 3.3 | SME Owners/Admin/Cloud Provider | Sub Metric | Met2.4.10 |
|
|
| LOW | · ISO/IEC 27001:2013 A.17.1.3 · NIST SP 800-53 Rev.4 CP-4, IR-3, PM-14 |
|
|
|
| 2.4.12 | PR.IP-12: Does the SME have a vulnerability management plan in place? | MEDIUM | · ISO/IEC 27001:2013 A.12.6.1, A.18.2.2 · NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2 | SME Owners/ Admin/Cloud Provider | Sub Metric | Met2.4.12 |
| 2.4.13 | PR.MA-1: Does the SME maintain and repair their IT assets in a timely manner and are these repair and maintenance activities approved and logged? | LOW | · COBIT 5 BAI09.03 · ISA 62443-2-1:2009 4.3.3.3.7 · ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5 · NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5 | Admins | Sub Metric | Met2.4.13 |
| 2.4.14 | PR.MA-2: Is Remote maintenance of the SME’s IT assets is approved, logged, and performed in a manner that prevents unauthorised access? | HIGH | · COBIT 5 DSS05.04 · ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8 · NIST SP 800-53 Rev. 4 MA-4 | Admins | Sub Metric | Met2.4.14 |
| 2.5 | Protective Technology (2.5): Technical security solutions are managed in a manner that ensures the security and resilience of all IT assets, equipment and systems. Also ensures that the management confers with appropriate policies, procedures, and agreements. |
|
|
| Metric | Met2.5 |