3.4.3 Cloud Computing
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
The Member Organization should define, implement and monitor the required cyber security controls within the cloud computing policy and process for hybrid and public cloud services. The effectiveness of the defined cyber security controls should periodically be measured and evaluated.
Please note that this requirement is not applicable to private cloud services (i.e. internal cloud).
Objective
To ensure that all functions and staff within the Member Organization are aware of the agreed direction and position on hybrid and public cloud services, the required process to apply for hybrid and public cloud services, the risk appetite on hybrid and public cloud services and the specific cyber security requirements for hybrid and public cloud services.
Control Considerations
1. The cyber security controls within the cloud computing policy for hybrid and public cloud services should be defined, approved, implemented and communicated within the Member Organization.
2. Compliance with the cloud computing policy should be monitored.
3. The cyber security controls regarding the cloud computing policy and process for hybrid and public cloud services should be periodically measured and evaluated.
4. The cloud computing policy for hybrid and public cloud services should address requirements for:
   a. the process for adopting cloud services, including that:
      1. a cyber security risk assessment and due diligence on the cloud service provider and its cloud services should be performed;
      2. the Member Organization should obtain SAMA approval prior to using cloud services or signing the contract with the cloud service provider;
      3. a contract should be in place, including the cyber security requirements, before using cloud services;
   b. data location, including that:
      1. in principle, only cloud services located in Saudi Arabia should be used; where cloud services outside Saudi Arabia are to be used, the Member Organization should obtain explicit approval from SAMA;
   c. data use limitations, including that:
      1. the cloud service provider should not use the Member Organization’s data for secondary purposes;
   d. security, including that:
      1. the cloud service provider should implement and monitor the cyber security controls determined in the risk assessment for protecting the confidentiality, integrity and availability of the Member Organization’s data;
   e. data segregation, including that:
      1. the Member Organization’s data is logically segregated from other data held by the cloud service provider, including that the cloud service provider should be able to identify the Member Organization’s data and at all times be able to distinguish it from other data;
   f. business continuity, including that:
      1. business continuity requirements are met in accordance with the Member Organization’s business continuity policy;
   g. audit, review and monitoring, including that:
      1. the Member Organization has the right to perform a cyber security review at the cloud service provider;
      2. the Member Organization has the right to perform a cyber security audit at the cloud service provider;
      3. the Member Organization has the right to perform a cyber security examination at the cloud service provider;
   h. exit, including that:
      1. the Member Organization has termination rights;
      2. the cloud service provider has to return the Member Organization’s data on termination;
      3. the cloud service provider has to irreversibly delete the Member Organization’s data on termination.