Whole of Victorian Government Guideline: Information Security

Cloud Computing Security Considerations

Guideline

Keywords: Cloud, Information security, risk assessment, outsource
Identifier: SEC/GUIDE/06
Version no.: 1.0
Status: Final
Issue date: 1 December 2011
Date of effect: 01 January 2012
Next review date: 01 January 2014
Owner: Government Services Division, Department of Treasury and Finance, Victorian Government
Issuing authority: Government Services Division, Department of Treasury and Finance, Victorian Government

© The State of Victoria 2011

Copyright in this publication is reserved to the Crown in right of the State of Victoria. Other than for the purposes of and subject to the conditions prescribed under the Copyright Act, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system, or transmitted without prior written permission. Inquiries should be addressed to:

Government Services Division, Department of Treasury and Finance, Government of Victoria, Melbourne

Overview

Cloud computing offers potential benefits including cost savings, agility and improved business outcomes for Victorian government agencies; however, there are a variety of information security risks that need to be carefully considered.

The Victorian Government requires that each department and agency develop an Information Security Management Framework (ISMF, SEC/STD/01) and assess and manage the exposure risk of confidential information under its control (Data Classification and Management Standard, SEC/STD/02).

This guideline identifies specific resources and illustrates an example approach that can assist agencies to perform the risk assessment and make an informed decision as to whether cloud computing is suitable to meet their business requirements with an acceptable level of risk.

Audience

The use of this guideline is recommended for all Victorian Government departments, four inner budget agencies (VicRoads, Victoria Police, Environment Protection Authority and State Revenue Office) and CenITex.

Context

Information Security guidelines provide advice and guidance on available resources and are to be used within the context of compliance with the WoVG Information Security Policy and Standards. This guideline provides advice only and can be modified or supplemented to suit the needs of the department or agency.

The Victorian Government's general approach to the development of Information Security guidelines is that:

  • we do not intend to undertake original research on most information security topics;
  • for most topic areas of a generic nature there are usually extensive existing resources available to provide guidance;
  • the most relevant, available and maintained content should be identified for re-use by the Victorian Government;
  • the information and publishing sources will include (but are not limited to):
    + Australian Government Information Management Office (AGIMO);
    + Commonwealth Government Defence Signals Directorate (DSD);
    + Information Security Forum (ISF);
    + Australian Government Attorney-General's Department; and
    + Commonwealth and Victorian Information Privacy Commissioners;
  • the selection of the subject matter for guidelines will be based upon an agreed schedule endorsed by the Information Security Advisory Group (ISAG).

The Victorian Government ISMF standard (SEC/STD/01) applies to the management of all aspects of the security of ICT, and the Data Classification standard (SEC/STD/02) applies to the management of all information. This guideline supports these standards in relation to security considerations for Cloud Computing.

Resources

Example Approach

An approach to managing risk is outlined in the Victorian Government Risk Management Framework (VGRMF), issued by the Department of Treasury and Finance, which provides for a minimum risk management standard across public sector agencies. The VGRMF is consistent with the Australian/New Zealand Risk Management Standard AS/NZS ISO 31000:2009 or its successor, and with DTF's Information Security standard SEC/STD/02 (Data Classification).

VGRMF risk management process

The key elements of the risk management process are as follows:

  • Communication and consultation – communication and consultation with external and internal stakeholders should take place during all stages of the risk management process. This ensures that those accountable for implementing the risk management process and stakeholders understand the basis on which decisions are made, and the reasons why particular actions are required.
  • Establishing the context – establish the external, internal, and risk management context in which the rest of the risk management process will take place. By establishing the context, the organisation articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.
  • Risk assessment – risk assessment is the overall process of risk identification, risk analysis and risk evaluation. IEC/ISO 31010:2009 Risk Management – Risk Assessment Techniques provides further guidance on risk assessment techniques.
  • Risk identification – the aim is to generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives.
  • Risk analysis – risk is analysed by determining consequences and their likelihood, and other attributes of the risk. It provides an input to risk evaluation, to decisions on whether risks need to be treated, and to the choice of the most appropriate risk treatment strategies and methods.
  • Risk evaluation – involves comparing the level of risk with risk criteria and making decisions about which risks need treatment and the priority for treatment implementation.
  • Risk treatment – risk treatment involves selecting one or more options for modifying risks, and implementing those options. When implemented, treatments provide or modify the controls.
  • Monitoring and review – risks and the effectiveness of controls and risk treatments need to be monitored, reviewed and reported to ensure changing context and circumstances do not alter priorities.

Additional resources

  • National Institute of Standards and Technology – Cloud Computing
  • European Network and Information Security Agency
    + Cloud Computing Security Risk Assessment
    + Security and Resilience in Governmental Clouds
  • Cloud Security Alliance
    + Security Guidance
    + Top Threats to Cloud Computing
    + Governance, Risk Management and Compliance Stack
  • Delimiter – The Australian Private Cloud: Who Sells It?
  • Torry Harris – Comparison of Cloud Providers
  • CloudHarmony – Cloud Speed Test
  • WebHostingTalk

Further information

For further information regarding this guideline please contact the Government Services Division, Department of Treasury and Finance.

Glossary

Terms as defined by the Australian Government Information Management Office (AGIMO) in the Cloud Computing Strategic Direction paper

Term / Meaning
Cloud / A metaphor for a global network, first used in reference to the telephone network and now commonly used to represent the Internet.
Cloud computing / Refers to a style of computing in which various resources – servers, applications, data, and other often virtualised resources – are integrated and provided as a service over the Internet. Cloud computing is not a new technology nor a new architecture; it is a new delivery model.

Version history

Version / Date / GSD TRIM ref / Details
0.1 / 1 September 2011 / D11/192132 / Initial draft
0.2 / 28 September 2011 / D11/192132 / Internal review
0.3 / 1 October 2011 / D11/192132 / ISAG review
0.4 / 3 November 2011 / D11/192132 / To ISAG for endorsement. Was endorsed subject to inclusion of reference to the VGRMF
1.0 / 24 November 2011 / D11/192132 / To CIO Council for noting. Was noted, with request for next version to include a summary checklist of key elements to consider as identified in resources.