| 2.5.1 | PR.PT-1: Are all records pertaining to audits and logs of cloud usage documented and reviewed in accordance with the SME’s internal policy? | MEDIUM | · CCS CSC 14 · COBIT 5 APO11.04 · ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1 · NIST SP 800-53 Rev. 4 AU Family | Admins to administer logging software or tools | Sub Metric | Met2.5.1 |
| 2.5.2 | PR.PT-2: Are any removable media used in the SME’s premises protected and its use restricted according to the SME’s policy? | MEDIUM | · COBIT 5 DSS05.02, APO13.01 · ISA 62443-3-3:2013 SR 2.3 · ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9 · NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7 | Administrator to enforce rules | Sub Metric | Met2.5.2 |
| 2.5.3 | PR.PT-3: Is Access to equipment, systems and IT assets controlled in a manner that enforces the least functionality principle? | MEDIUM | · COBIT 5 DSS05.02 · ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, · ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, · ISO/IEC 27001:2013 A.9.1.2 · NIST SP 800-53 Rev. 4 AC-3, CM-7 | Administrator to enforce rules | Sub Metric | Met2.5.3 |
| 3 | DETECT SECURITY INCIDENTS IN THE CLOUD |
|
|
| Group Metric | Met3 |
| 3.1 | Anomalies and Events (3.1): Unusual or irregular activity is detected in a timely manner and the potential impact of events is understood. |
|
|
| Metric | Met3.1 |
| 3.1.1 | DE.AE-1: Does the SME manage network operations and data flow for users through the cloud? | LOW | · COBIT 5 DSS03.01 · ISA 62443-2-1:2009 4.4.3.3 · NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4 | Administrator | Sub Metric | Met3.1.1 |
| 3.1.2 | DE.AE-2: Does the SME have measures to detect events and analyse attacks and methods?
| LOW | · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 · ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR · 2.12, SR 3.9, SR 6.1, SR 6.2 · ISO/IEC 27001:2013 A.16.1.1, A.16.1.4 · NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4 | Administrator. Use of IPD/IDS | Sub Metric | Met3.1.2 |
| 3.1.4 | DE.AE-4: Does the cloud provider give means of determining the impact of events in the cloud? | MEDIUM | · COBIT 5 APO12.06 · NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI -4 | Cloud Provider | Sub Metric | Met3.1.4 |
| 3.1.5 | DE.AE-5: Are incident alert thresholds established by the cloud provider for their cloud services? | MEDIUM | · COBIT 5 APO12.06 · ISA 62443-2-1:2009 4.2.3.10 · NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8 | Cloud Provider | Sub Metric | Met3.1.5 |
| 3.2 | Security Continuous Monitoring (3.2): The IT systems and assets are monitored at appropriate intervals to identify any security events and to verify the effectiveness of security controls. |
|
|
| Metric | Met3.2 |
| 3.2.1 | DE.CM-1: Is the LAN and WAN monitored to detect potential cloud security events? | MEDIUM | · CCS CSC 14, 16 · COBIT 5 DSS05.07 · NIST SP 800-53 Rev. 4 AC-2, AU-12, | Administrator. Use network monitoring tools. | Sub Metric | Met3.2.1 |