The Cloud Industry Forum Cloud Service Provider
Code of Practice:Guidance for Cloud Service Providers
www.cloudindustryforum.org
Table of Contents
Purpose of this Document 3
Process Stages Covered Within this Document 3
“Prepare” Guidance 4
Preparation Checklist 4
Project Charter Template (MS Word Document) 4
Project Plan Template (MS Excel Spreadsheet) 4
“Assess”, “Improve” and “Declare” Guidance 5
Assessment Spreadsheet (MS Excel Spreadsheet) 5
Guidance for Presentation of Information for Sections A and B of the Code 5
Format for Public Disclosure Requirements (Section A.1) 7
Format and Naming Conventions for Supporting Documentation 8
Documentation Requirements for All Applications 8
Demonstrating Capability (Section B) 9
Signing Documents Electronically 11
Creating a Digital Signature 12
Digitally Signing a Document 15
Creating the FDF Document 17
Guidance for Other Information Required for Application 20
Professional Reference Guidance and Template 20
Management Declaration Guidance and Template 20
“Publish” Guidance 21
Updating Public Disclosure Information 21
Using the CIF Certified Logo 21
Further Information 21
Governance of the Code of Practice 21
About the Cloud Industry Forum (CIF) 21
The CIF and The APM Group Limited (APMG) 22
Code Governance Board 22
Development and Maintenance of the Code 22
Audit and Appeal 23
Collaboration with Standards Organizations and Related Bodies 23
Contact Us 23
The Cloud Industry Forum Cloud Service Provider Code of Practice: 04/2013 V1.0
The CLOUD INDUSTRY FORUM and CIF words and associated logos are trade marks. © Cloud Forum IP Limited 2013. All rights reserved
NOTICE: This document is intended to provide general information in relation to the Cloud Industry Forum’s Code of Practice journey for Certification. It is not intended to be comprehensive and should not be acted or relied upon as being so. Professional advice appropriate to specific circumstances should always be obtained.
Purpose of this Document

This document (Document 3) is aimed at organizations undertaking the Cloud Industry Forum (CIF) Cloud Service Provider (CSP) Code of Practice (Code) Self-Certification process. It is also relevant to any organization that may be considering Self-Certification against the Code.

This document provides instructional and informational guidance for organizations going through the Self-Certification process, and includes templates and resources which will need to be referenced during various stages of the process, from initial preparation through to publishing certified status.
Organizations should also download and refer to the following
information provided by the CIF on its website
www.cloudindustryforum.org:
■ Document 1: An Executive Briefing
■ Document 2: Conducting the Self-Certification
■ Terms and Conditions for Self-Certification
■ Cloud Service Provider Code of Practice
Further information or guidance can also be sought directly from the
CIF ([email protected]) or APM Group, CIF’s Independent
Certification Partner ([email protected]).
Process Stages Covered Within this Document

This document covers the following stages of the Self-Certification process:
■ Prepare
■ Assess
■ Improve
■ Declare
■ Publish
The following additional documents are available for download by organizations registered for Self-Certification from
www.selfcert.cloudindustryforum.org:
■ Project Charter (MS Word)
■ Assessment Spreadsheet (MS Excel)
■ Project Plan Template (MS Excel)
■ Professional Reference template (MS Word)
■ Management Declaration (pdf)
For information on earlier stages of the process, refer to the following documents:
■ Document 1: An Executive Briefing
■ Document 2: Conducting the Self-Certification
[Figure: the Self-Certification process stages]
■ Recognize Need
■ Determine Requirements
■ Register
■ Prepare: To achieve optimum results, a formal project should be established to perform the self-assessment and achieve Certification.
■ Assess: The organization must conduct an Assessment of its compliance with Code requirements.
■ Improve: If any non-conformances are noted in the Assessment step, then improvement actions are undertaken.
■ Declare: The organization completes the Application and required declarations, which are submitted to CIF via the online system.
■ Validate
■ Authorize
■ Publish: The organization displays the Code Certification Mark on its website, together with hyperlinks to the CIF website.
“Prepare” Guidance

Preparation Checklist

The following Preparation Checklist has been created to aid Self-Certification registrants in the initial ‘set-up’ activities involved in the Self-Certification process.

A version of this table can also be found in the Assessment Spreadsheet (see the “Assess”, “Improve” and “Declare” section). Preparation tasks do not have to be done in this precise sequence, but all should be done.

The checklist has columns for Task, Done?, When complete?, Who? and Guidance. The tasks, with their guidance, are:

1 Download: Doc.1: Executive Briefing; Doc.2: Conducting the Self-Certification; Doc.3: Guidance for Self-Certification; Cloud Service Provider Code of Practice.
Guidance: All information can be sourced from http://www.cloudindustryforum.org/code-of-practice/cloud-service-provider-info-pack or, only once registered, via https://selfcert.cloudindustryforum.org for specific templates.
2 Read: Doc.1: Executive Briefing; Doc.2: Conducting the Self-Certification; Doc.3: Guidance for Self-Certification; Cloud Service Provider Code of Practice; Terms and Conditions (available online).
3 Register at https://selfcert.cloudindustryforum.org
4 Identify Team Leader/Project Manager
5 Identify the Executive Sponsor
6 Download / Review Additional Templates
7 Establish detailed plan with assigned responsibilities, estimated timeline and estimated costs
8 Review plan with APMG and clarify what additional help/guidance may be available
Guidance: Contact APMG via [email protected]

Project Charter Template (MS Word Document)

The Project Charter will serve as an internal document that captures high-level planning information (scope, deliverables, assumptions, etc.) about the Code of Practice Project.

The Project Manager or Team Leader creates the Project Charter in the Initiation Phase of the Project, in consultation with the Executive Sponsor. Its purpose is to recognize the existence of the project and to begin the planning process required to accomplish the Project goals. It does not need to be shared with external parties as a formal contract or legal document.

The completed Project Charter does not need to be shared with the CIF or submitted with the final application.

To access and download the Project Charter Template, log into the Self-Certification website.

Project Plan Template (MS Excel Spreadsheet)

The Project Plan Template is provided in Excel format to facilitate practical use in conducting a Self-Certification.

The Excel file includes the following tabs/worksheets:
■ Example Diagram (Gantt Chart)
■ Example task table
■ Example resource table
■ Example assignment table

To access and download the Project Plan Template, log into the Self-Certification website.
“Assess”, “Improve” and “Declare” Guidance

Assessment Spreadsheet (MS Excel Spreadsheet)
The Assessment Spreadsheet is provided in Excel format and
is for preparatory work during an assessment. It is particularly
suited for use as a control tool to track corrective actions
needed to achieve conformance with the Code but can also be
used to collect information.
The final results demonstrating full conformance as entered
into or tracked via the Assessment Spreadsheet must be
transferred into the required presentation formats (webpage,
documentation and entered or uploaded via the online system)
prior to submitting an application for validation of Self-
Certification.
The Excel file includes the following tabs/worksheets:
■ Overview
■ Preparation Checklist
■ Registration (ID and Scope)
■ Transparency
■ Capability
■ Other Information
■ Notes
■ FAQs
■ Feedback
To access and download the Assessment Spreadsheet, log into the Self-Certification website.
Guidance for Presentation of Information for Sections A and B of the Code

Format for Public Disclosure Requirements (Section A.1)

To meet the requirements of section A.1 of the Code, applicant organizations must disclose information publicly by means of a published, online web page.
In addition to including all relevant information and evidence required by section A.1 of the Code, the online Public Disclosure content should conform to certain requirements in terms of format and, in some cases, content, to facilitate comparison by end users between different organizations.
Requirements for Online Presentation of Information
To comply with section A.1, information must be presented in the following way:
■ The information must be available on a free-standing web
page or web pages where more than one website is used to
support provision of services covered by the Code.
■ The link to the free-standing web page must be called ‘CIF
Code of Practice Disclosures’.
■ The link must be hyperlinked at a minimum from the home
page of the organization’s website and should be situated
on the home page in a similar location to legal-type notices,
disclaimers or site terms and conditions (usually found in
menus which appear at the very bottom or top of standard
web page designs).
■ POST CERTIFICATION ONLY: The link must be displayed
alongside the Certification Mark after the Mark has been
granted.
Organization of Page Content
All information shall be presented sequentially on the web page
and should be identifiable by the relevant code sub section e.g.
A.1.1, A.1.2 etc.
Information can be presented on the webpage in free text or
table format.
Mandatory Content for Section A.1.1.

Post Registration Content (Pre-application)

The following text must be included against section A.1.1 on the disclosure web page (where ‘Xxx’ is the organization’s name) at the time that an application has been submitted but prior to award of certification:

NOTICE: While Xxx has made the commitment to the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

Post Self-Certification Content

(NOTE: this section is repeated in the “Publish” guidance within this document)

Once the organization has had its Self-Certification recognized by the CIF, i.e. once the organization has received formal notification that it is authorized to display the Code Certification Mark, the following text shall be added to the web page in place of the text above (Post Registration text):

Xxx has completed the Self-Certification against the ‘Code of Practice for Cloud Service Providers’ (the ‘Code’) of the Cloud Industry Forum (‘CIF’, at www.cloudindustryforum.org), which the mark above demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available.

Xxx is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.

NOTICE: While Xxx has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

The Certification Mark may also be shown in other places, as specified in the Logo Pack supplied when the organization is formally informed that it is authorized to display it.
Example Public Disclosure Content

The following is an example public disclosure for a self-certified organization, ‘Cloud Service Provider Example Limited’, using the required structure.

A.1.1. Compliance with Code

Cloud Service Provider Example Limited is committed to the principles of Transparency, Capability and Accountability which are embodied in the Cloud Industry Forum’s Code of Practice, because these help create a more trustworthy business environment for cloud-based processing.

Cloud Service Provider Example Limited is committed to complying with the specific requirements of the Cloud Industry Forum’s Code of Practice for the period of Certification, for the scope defined below in A.1.3.

Cloud Service Provider Example Limited has completed the Self-Certification against the ‘Code of Practice for Cloud Service Providers’ (the ‘Code’) of the Cloud Industry Forum (‘CIF’, at www.cloudindustryforum.org), which the Self-Certification mark demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available.

Cloud Service Provider Example Limited is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.

NOTICE: While Cloud Service Provider Example Limited has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

Cloud Service Provider Example Limited’s website page where publicly disclosed information is available is at www.CloudServiceProviderExampleLimited.com/CIF-Code-of-Practice-Disclosures

A.1.2. Corporate Identity and Responsibilities

Corporate name: Cloud Service Provider Example Limited
Legal status: Private Limited Company
Date of formation: 01 January 2012
Location of registration: England
Registration number: 1234567
Ownership (major shareholders): Cloud Service Provider Venture Capital Investments; John Henry Adams; Luke Howard
Members of board of directors: John Henry Adams; Luke Howard; Charles Thomson Wilson
Executive management: Luke Howard (CEO); Charles Thomson Wilson (CFO)
Corporate fixed address: 123 High Street, Anycity, Anycounty, UK XX1 2YY

A.1.3. Scope Covered by the Code

Scope of services: web archiving services
Geographical scope:
Countries with local sales and/or support: UK
Countries where customer data may be held or processed: UK
Customer data will only be held in the UK. No other options are available.

A.1.4. Public Branding

Alternative trading name(s): Storage Rainbows Unlimited
Website address(es): www.CloudServiceProviderExampleLimited.com; www.StorageRainbowsUnlimitedLimited.com

A.1.5. Third-Party Coverage Transparency

Cloud Service Provider Example Limited does not accept any indirect responsibility for our suppliers.
Cloud Service Provider Example Limited’s suppliers do not accept indirect responsibility to Cloud Service Provider Example Limited’s customers.
Cloud Service Provider Example Limited does not accept indirect responsibility to customers of customers.
A.1.6. Security Control Transparency with the Cloud Security Alliance

Cloud Service Provider Example Limited has not completed the Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance.

A.1.7. Other Extended Commitments to Code of Practice Principles

Cloud Service Provider Example Limited does not commit to any additional transparency, capability, or accountability requirements in addition to those contained directly in this Code of Practice.

A.1.8. Technological Commitments*

Cloud Service Provider Example Limited does not publicly commit to supporting any specific technologies, standards, or inter-operabilities. Any such support must be separately negotiated.

A.1.9. Existing Certifications*

Cloud Service Provider Example Limited does not have any other certifications.

A.1.10. Industry Association Memberships (Optional)**

Cloud Service Provider Example Limited is a member of the Cloud Industry Forum, in addition to being self-certified under its Code of Practice.

* In this example, the disclosure of information relating to sections A.1.8 and A.1.9 has been included on the public web page. If an organization chooses instead to disclose this information under section A.2, this information does not need to appear on the web page.

** Information has been disclosed against section A.1.10, which is fully optional, i.e. it does not need to be disclosed.

Format and Naming Conventions for Supporting Documentation

CSPs are required to provide documented evidence that they meet the specific requirements of the Code.

CIF requires documentation to be submitted in specific formats and according to specific filename conventions to:
■ be assured that requirements are being met by applicant CSPs specifically and not broadly; and
■ enable information to be sourced easily for the purposes of audit or complaint resolution.

Documentation uploaded to the online system as part of a CSP’s application is likely to include:

Code of Practice Requirement: Documentation
■ Section A: A.1. Information for public disclosure (a print screen of the online web page); A.2. Information for contracting disclosure
■ Section B: Management system documentation for required capability areas, OR evidence of existing certification including a document outlining the scope of the certification
■ Other Information: Professional Reference

In addition to the files uploaded as part of the application, a self-certified organization shall maintain auditable records of its disclosure information as specified in the ‘Accountability’ section of the Code. Such records shall be accessible both chronologically, and also by potential customer, when provided to potential customers on an individual basis.

Documentation Requirements for All Applications

General:
■ The documentation shall be created exclusively using PDFs.
■ The documentation shall be supplied to CIF via the online application system.
■ The documentation shall be electronically signed using Adobe Acrobat.
■ For information and instructions on electronically signing documentation, see the “Signing Documents Electronically” section of this document.
File Naming Conventions
All files shall include the prefix reference issued by the CIF at the
time of registration. This prefix can be found on confirmation
of registration or payment details issued by the CIF and is a
combination of alpha-numeric characters e.g. CFW100000.
Document References (when entered into the online system)

When entered into the online system, all references to supporting
documentation shall include a filename and an explicit reference
within the file to a page or paragraph number, or a clause
reference where the information can be found. A file name alone
is not acceptable.
If the amount of information to be put into an online reference
field exceeds the character limit, which may be the case if
multiple files are used in support of one Code requirement
or area, it is acceptable for an applicant to do either of the
following:
■ Remove the prefix reference from the filename when entering
the name into the online form field for a particular requirement;
or,
■ Create and submit an additional supporting document or
page which contains all references mapping Code areas to
submitted documentation. In this case, the online field can be
completed with a reference to this new document/page
instead.
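The following is an added Python example, not part of the CIF document or of any CIF tooling, that checks an uploaded filename and an online reference field against the conventions above: uploads must be PDFs carrying the registration prefix, and a reference must name a file and an explicit page, paragraph or clause locator, with a bare filename rejected. The accepted locator shapes are taken from the “Examples of acceptable online references” list; the prefix CFW0000 and the filenames are the page’s own illustrative values, while the function names and the extra “paragraph” and “section” keywords are my assumptions.

```python
import re

# Locator shapes taken from the page's "Examples of acceptable online references":
#   p17   pp17-19   17-19,36   para 5   clause 14
# "paragraph" and "section" are my additions (assumption), not on the page.
_PAGES = r"(?:pp?\s*)?\d+(?:\s*-\s*\d+)?(?:\s*,\s*\d+(?:\s*-\s*\d+)?)*"
_NUMBERED = r"(?:para|paragraph|clause|section)\s+\d+(?:\.\d+)*"
_LOCATOR = rf"(?:{_NUMBERED}|{_PAGES})"
_LOCATOR_RE = re.compile(_LOCATOR, re.IGNORECASE)
_LOCATORS_RE = re.compile(rf"{_LOCATOR}(?:\s+{_LOCATOR})*", re.IGNORECASE)


def filename_problems(filename: str, prefix: str) -> list:
    """Check an uploaded file against the documentation rules: PDF only, and the
    registration prefix issued by the CIF (CFW0000 in the page's examples) at the
    start of the name. Returns a list of problems; an empty list means acceptable."""
    problems = []
    if not filename.startswith(prefix):
        problems.append(f"missing registration prefix {prefix!r}")
    if not filename.lower().endswith(".pdf"):
        problems.append("not a PDF")
    return problems


def parse_reference(reference: str) -> list:
    """Parse one online reference field into (filename, [locators]) pairs.

    Parts are separated by ';' as in 'DocFile1 pp17-19; TsAndCs clause 14'.
    Raises ValueError when a part is a file name alone, or when what follows the
    file name is not an explicit page/paragraph/clause locator."""
    parsed = []
    for part in reference.split(";"):
        part = part.strip()
        if not part:
            continue
        pieces = part.split(None, 1)
        if len(pieces) < 2:
            raise ValueError(f"file name alone is not acceptable: {part!r}")
        filename, tail = pieces[0], pieces[1].strip()
        if not _LOCATORS_RE.fullmatch(tail):
            raise ValueError(f"no explicit page/paragraph/clause locator in {part!r}")
        parsed.append((filename, _LOCATOR_RE.findall(tail)))
    if not parsed:
        raise ValueError("empty reference field")
    return parsed


def reference_report(reference: str, prefix: str) -> dict:
    """Summarise one reference field: whether it is acceptable, the parsed
    (filename, locators) pairs, and which file names omit the prefix. The page
    allows dropping the prefix in the field when the character limit bites, so
    an omitted prefix is reported as a note rather than a failure."""
    try:
        parts = parse_reference(reference)
    except ValueError as exc:
        return {"acceptable": False, "parts": [], "notes": [str(exc)]}
    notes = [f"{name}: prefix {prefix!r} omitted from field (allowed for length only)"
             for name, _ in parts if not name.startswith(prefix)]
    return {"acceptable": True, "parts": parts, "notes": notes}


if __name__ == "__main__":
    # Constructed inputs modelled on the page's own examples.
    for name in ("CFW0000_ProfRef.pdf", "CloudOrgT&Cs2012.pdf", "CFW0000_OrgChart.docx"):
        print(name, "->", filename_problems(name, "CFW0000") or "acceptable")
    for field in ("CFW0000DocFile p17", "DocFile1 pp17-19; TsAndCs clause 14", "CFW0000DocFile"):
        print(field, "->", reference_report(field, "CFW0000"))
```

A reviewer preparing the online form can run each reference field through `reference_report` before submission; anything reported as not acceptable is exactly what the guidance says CIF will reject, namely a file name with no page, paragraph or clause reference.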
Demonstrating Capability (Section B)
There are two ways of demonstrating capability at the time of
application for Self-Certification:
■ Using Existing Certifications: Providing evidence of
appropriate existing certifications against relevant standards
covering the same capability requirements; or,
■ Using Primary Documentation: Providing primary
documentation of required capabilities, including key policy
and procedure-type documentation.
Using Existing Certifications
There are two types of certifications upon which reliance may
be placed for demonstrating capability:
■ International and national standards with prefixes like ISO,
ISO/IEC, BS, ANSI, etc.
■ The CIF Code of Practice Self-Certification, relevant if a CSP
is relying in its application on another CSP which is already
self-certified, e.g. for the provision of infrastructure services.
■ Scope. The organizational scope and scope of services of
the existing certification must be directly relevant to the
scope covered by the intended CIF Code of Practice Self-
Certification. In order to use an existing certification to meet
100% of the requirements of any specific Code of Practice
capability area, the scope of the existing certification must
include 100% of the scope being self-certified under the CIF
Code of Practice. If this is not the case, then there are two
other alternatives that may be considered:
o Alternative one is that it is possible to use the certificate
for the part of scope which is relevant, and provide primary
documentation for the rest of scope. In this case the
application needs to clearly differentiate between the two
sub-scopes. For applicants relying on the Self-Certification
of another CSP, this would typically be the case, as there
will almost always be some internal capability requirement
which cannot be outsourced or subcontracted.
o Alternative two is that it should be possible to use
supporting materials for the existing certification as part of
primary documentation, but not cite the certification itself.
Examples of Acceptable Document Filenames
■ PROFESSIONAL REFERENCE: CFW0000_ProfRef.pdf
■ STANDARD TERMS AND CONDITIONS: CFW0000CloudOrgT&Cs2012.pdf
■ ORGANIZATION CHART: CFW0000_CloudOrg_OrgChart_2012.pdf
Examples of Acceptable Online References
■ CFW0000DocFile p17
■ CFW0000DocFile 17-19,36
■ DocFile p17 para 5
■ DocFile1 pp17-19; TsAndCs clause 14
■ Period of Validity. The certification must be valid on the date
of the application. In the event that the period of validity
for the certification does not include the entire period, i.e.
in the event that the certification will end during the Code
of Practice Self-Certification period, no further supporting
documentation is required during the period of the CIF Code
of Practice Self-Certification. Nonetheless, the self-certified
CSP is committed to complying with the Code of Practice’s
capability requirements for the entire period, regardless of
what supporting documentation was supplied at the time of
application.
■ Internationally Recognized Certification. For certifications
other than the CIF Code of Practice Self-Certification, the
certification must have been performed by an organization
which is accredited for that standard by an accreditation
body which is a signatory to the Multilateral Recognition
Arrangement (MLA) of the International Accreditation Forum.
This includes most of the major certification companies in the
world, but may not include smaller companies, or companies
whose primary business is not certifications.
The following should be submitted to the CIF as supporting
documentation for any capabilities to be demonstrated through
such certifications:
■ For certifications against international and national standards: a scanned copy of the certification certificate
including scope and validity dates, and clarification of the
accreditation body if it is not shown on the certificate.
■ For reliance on other CIF Self-Certifications: a letter from
the self-certified CSP which states the scope of their Self-
Certification, the validity dates, and an acknowledgement
that they know the applicant CSP is placing reliance on their
capabilities and that a contract is in place between them to
justify this reliance.
■ A statement from the applicant CSP affirming that all criteria
required for the acceptance of the certification are met.
Furthermore, if a reseller CSP seeking Self-Certification is relying
on a supplier CSP’s Code of Practice Self-Certification (e.g. if a
reseller is relying on an infrastructure provider CSP, such as for
IT security management capability), then the reseller’s Self-
Certification scope statement must clearly state that it is for
services provided by the named supplier CSP.
If the reseller changes its supplier for these services to another
supplier, then the reseller cannot continue to claim to be
certified itself. It may therefore be more practical for the reseller
simply to market the fact that it is reselling services from a
Code of Practice self-certified CSP, rather than to have its own
Self-Certification under these circumstances. However, this is a
business decision and not one driven by the Code of Practice
itself. See also ‘Leveraging Considerations for Subcontracted
Cloud Service Providers’.
The following are examples of international and national standards for which certifications could provide all necessary support for the CIF Code of Practice capability requirements, assuming that the scopes cover the relevant CIF capabilities:

Capability: Standard
■ Information Security Management (Including Data Protection): ISO/IEC 27001
■ Service Continuity Management: BS 25999
■ Service Level Management: ISO/IEC 20000-1
■ Supplier Management: ISO/IEC 20000-1; ISO 9001
■ Software License Compliance: ISO/IEC 19770-1
■ Complaint Handling: ISO 9001
■ Environmental Impact Management: ISO 14001

Using Primary Documentation

In principle it should be relatively straightforward to demonstrate capability as required by section B of the Code by using primary documentation, except for the first capability area, which is Information Security Management.

Primary documentation must be documentation actually in use within the CSP, and not something that exists solely for the Code of Practice Self-Certification application. One of the benefits cited by CSPs that have been self-certified to the Code is that it has helped them to identify gaps in their existing policies and procedures and to fill them, strengthening the business in the process. It is therefore expected, especially in smaller or younger organizations which may not have any existing certifications, that it will be necessary to improve or at least document some existing informal practices. Copies of this documentation, reflecting actual implemented practices, should then be included as primary supporting documentation for the Self-Certification application.

Primary documentation does not need to be extensive, but it must exist even if limited in detail. For example, the complaint handling capability for a very small CSP could be supported with two documents; one could be a half-page long, consisting of a policy statement (e.g. a requirement to respond to all complaints within x time, and to track and analyze for underlying root causes) and a procedure with assigned responsibilities (e.g. all complaints are handled initially by x, with appeals to be handled by y). The second document could be evidence of a course attended, external or internal, which includes this area to demonstrate the provision for competence/training.

The general requirements for primary documentation are as follows; they may be covered in multiple ways, in individual or combined documents:
■ Policy
■ Procedures (or work instructions)
■ Assignment of responsibilities
■ Competence (or training)
10
The Cloud Industry Forum Cloud Service Provider Code of Practice: 04/2013 V1.0
Signing Documents ElectronicallyAlthough the CIF Code of Practice scheme is based on Self-Certification, it needs to be enforceable, and therefore the supporting documentation on which it is based needs to be verifiable.
The CIF has chosen, as its preferred method of achieving this, to use features of Adobe Standard/Professional (version 8 or later), which provide strong authentication capabilities. The screenshots in this HowTo guide have been produced using Adobe Professional v8.
All materials should be saved as Adobe PDF documents, including the Professional Reference, and the full Documentation File of supporting documentation.
The documents should be signed and certified with no fields being left as modifiable.
The signature used should be for the person officially signing.
Additionally, the CIF reserves the right to require the following, which are not shown in this “HowTo” guide:
■ The signature used should be certified by a major publicly recognized certification authority.
■ ‘Long-Term Validation’ (LTV) should be used, which ensures the ability to validate a document’s authenticity in the future in spite of whether the certificate has expired or has been revoked, or even if the issuing authority has gone out of business.
■ A secure time stamp should be added to the digital signature, to confirm the time of the original signing.
■ Fonts should be embedded and the RGB color scheme used when the documents are created, to avoid possible incompatibilities between originator and recipient systems. (The PDF/A option does this.)
The remainder of this document is a ‘how-to’ for digitally signing documents as required for the CIF Code of Practice scheme.
In order to digitally sign a document using Adobe®, a digital signature must already exist. There are various desktop applications that can be used to create a digital signature, including Adobe Professional. Irrespective of the application used to create a digital signature, for the purpose of this HowTo guide, the format of the resulting signature must be compatible with Adobe applications.
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, Distiller and Reader are
either registered trademarks or trademarks of Adobe Systems Incorporated in the
United States and/or other countries.
There is also a requirement for ‘Awareness’ for people besides those directly responsible for task execution, e.g. for awareness about security issues. In a CSP with a small number of employees (5 or less) it may not be realistic to expect documentation for awareness building, but for larger CSPs it is considered realistic.
Awareness building can be accomplished In many ways, but one of the easiest to document is via an internal annual training session to ensure that everyone is aware of overall policies, procedures, and assigned responsibilities. It can also provide an excellent opportunity for feedback and self-improvement.
As indicated above, additional guidance is appropriate for the capability area of ‘Information Security Management (Including Data Protection)’. It is recommended that primary documentation be provided to demonstrate that the CSP is competently addressing the following areas:
■ Security policy/data protection policy
■ Responsibility for security management within the organization
■ How security is built into the personnel processes (joining checks in terms of experience/qualifications/right to work, leaving procedures including revoking permissions/access)
■ Guidance provided to staff on security best practice including training and awareness
■ Examples of security methods in use in relation to premises, equipment, network and backups
■ Approach to information classification to reduce risk of information slipping into the wrong hands
■ How the above are monitored and reported on (could be internal audits, spot checks, monthly reports and analysis etc)
■ Data Protection Act Registration (or the equivalent requirement in different jurisdictions) and/or processes implemented to ensure compliance.
Leveraging Considerations for Subcontracted CSPs
The guidance above addresses one way that CSPs working together can leverage the benefits of a self-certified supplier CSP helping a reseller CSP become self-certified.
There are two further ways for a reseller CSP to obtain significant benefits from working together with a self-certified supplier CSP.
Mentoring Partnership
If the reseller CSP wants to obtain its own Code of Practice Self-Certification, it may be possible for the reseller CSP to be mentored by the supplier CSP, including through the sharing of policy and procedure documentation which the reseller CSP can adopt with suitable modifications. This will expedite the process of the reseller developing its own internal capabilities which can then be self-certified on a freestanding basis without reference to the supplier CSP’s Self-Certification.
Marketing Partnership
Instead of obtaining its own Code of Practice Self-Certification, the reseller CSP can simply market the fact that it is reselling services from a self-certified supplier CSP. This should already provide a significant level of reassurance to the reseller CSP’s potential customers.
Note, however, that the supplier CSP must formally accept responsibility towards the customers of its own customers (i.e. towards the customers of the reseller CSP) for there to be any clear basis on which the ultimate customers can place reliance. This type of responsibility information should be available in the supplier CSP’s public disclosures in the third sub-point of section A.1.5 of the Code.
Creating a Digital Signature
A digital signature is used to approve a document much like a hand-written signature does. A digital signature can, optionally, include an image of your hand-written signature (and computer text setting out your contact details). This HowTo guide includes details about encapsulating an image of your hand-written signature. For the purpose of this HowTo guide, a fictitious signature has been created for ‘TestSample’.
The CLOUD INDUSTRY FORUM and CIF words and associated logos are trade marks. © Cloud Forum IP Limited 2010. All rights reserved. NOTICE: This document is intended to provide general information in relation to the Cloud Industry Forum’s Code of Practice journey for Certification. It is not intended to be comprehensive and should not be acted or relied upon as being so. Professional advice appropriate to specific circumstances should always be obtained.
Hand-written signature
This section assumes that you have the technical knowledge to scan, crop, tidy up and publish an image of your signature in the format of either a .JPG or .TIFF file.
If you wish to include an image of your handwritten signature in the digital signature, then please do so by:
■ Sign on a blank sheet of paper
■ Scan the paper
■ Save the resulting image as a .JPG or .TIFF image file
■ Crop and tidy the image as necessary
The image that you have created will need to be converted into .PDF format. There are several ways to do this. As this HowTo guide makes use of Adobe Professional, it is logical to use the same application to perform the conversion.
Converting a .JPEG or .TIFF image to a .PDF file
With Adobe Professional open in the foreground, open Windows Explorer. With Windows Explorer open in the foreground and Adobe Professional immediately behind, navigate to the location where your image file is stored. With the relevant file name highlighted, click and drag the image file into the (currently empty) work area of the Adobe application.
When the left mouse button is released, the image file will appear in Adobe, and Adobe Professional will become the foreground application.
With the Adobe application in the foreground, select File/Save As… (Shift+Ctrl+S) from the pull down menu, and save the file in .PDF format.
Adding Time/Date stamp and other attributes
In order to make your digital signature fit for purpose, it will need to be capable of capturing adequate metadata for the purpose of future validation. Adobe Professional can be used to add additional functionality to your digital signature file as described below. Note that the ‘Date’ shown in the signature appearance configured here is only printed text taken from the signing computer’s clock; the secure time stamp required above is obtained from a time stamp server, which is configured separately in Acrobat’s security preferences, and that is what a validator relies on.
With the .PDF signature image file open, open the Preferences window by choosing Edit/Preferences… (Ctrl+K) from the pull down menu.
Once the Preferences window has opened, using the left pane, scroll down and highlight [Security]. Next, click the [New…] button.
Configure Graphic section
[1] Click the radio button [Imported graphic]
[2] Click the [File…] button and navigate to the .PDF image file with your signature in it.
Configure Text section
[3] Leaving the ‘Name’ and ‘Date’ options, remove all of the other checkmarks.
[4] Click [OK] to finish.
Click [OK] to commit your selection.
Click [OK] to finish.
Digitally signing a document
Open the .PDF file that you want to digitally sign.
From the pull down options, select: Sign/Certify with Visible Signature
Click [OK] to continue.
Please read the notes in this dialogue box, and then click [OK] to continue.
Once you have clicked [OK] above, the mouse pointer will change to a crosshair.
Click and drag out an area on the page to indicate where the image of your signature will appear.
Once you release the left mouse button, another dialogue box, ‘Certify Document’, will appear.
If the area that you indicate is quite small, an alternative dialogue will appear, inviting you to start over. In either case, please follow the onscreen prompt. In the Certify Document dialogue box, you will see many of the details that you selected in the ‘Configure Signature Appearance’ section.
In the Appearance pull down menu, select the file name that features a scanned copy of your signature and Time/Date stamp details, as selected in the ‘Configure Signature Appearance’ section.
When selected, a copy of your scanned hand-written signature will appear in the preview. Next, click on [Sign].
You will be prompted to save the resulting file. Enter the new file name as required.
When the digitally signed file is saved, notice the additional security marks.
Creating the FDF document
In order for the recipient to authenticate the digitally signed document, you will need to export and send (via email) your certificate, in an Adobe FDF (data exchange) file, associated with the document that you have created. The FDF file carries only your public certificate; your private signing key is never exported by this process. Note also that emailing the certificate does not by itself make it trustworthy: the recipient should confirm that it chains to the publicly recognized certification authority required above (or verify its fingerprint with you by another channel) before adding it to their trusted identities. To export and email the Adobe FDF file, please follow the steps below:
With the relevant document open, click on the Signature Properties button.
When the Signature Properties dialogue box appears, select (from the Summary or Signer tab) ‘Show Certificate’.
When the Certificate Viewer dialogue box appears, select [Export...]
In the Data Exchange File dialogue box, note the ‘Destination’ section. Change the selection to ‘Email the exported data’, and click [Next >]
Click [Next >] again in the next window.
Next, click [Sign...] to sign the outgoing message, and select [Sign...] again in the dialogue box that follows.
Clicking [Next >] will prompt you to enter the email address of the intended recipient.
In the next dialogue box, please enter the following email address into the [To:] field
Click [Next >] to proceed. Click [Finish] to accept and continue.
Adobe will now automatically send the FDF file associated with your digital signature to the Cloud Industry Forum email address that you have entered.
When the Finish button is clicked, the first of the ‘Certificate Viewer’ dialogue boxes will re-appear. Click [OK], and then [Close] on the screen that follows, to conclude this process.
NOTE: this is just a test sample email address.
Guidance for Other Information Required for Application
Professional Reference Guidance and Template
The following is the letter template to be provided on professional advisor letterhead to accompany all Self-Certification applications, which must be reproduced as presented below.
The signed Professional Reference must come from your registered accountant, solicitor, certification body auditor, or similar individual from an organization which provides professional services to you on an on-going basis.
[On the professional services organization’s letter-headed paper]
I hereby:
1. acknowledge that this Declaration will be submitted together with our client’s application for the Cloud Industry Forum’s Self-Certification, and in so doing,
2. declare:
a. My organization’s details are as follows:
i. Name, address and contact of firm/practice
ii. These details may be found in public at [URL].
b. My professional qualifications may be validated as follows:
i. Name of accrediting organization
ii. These details may be found in public at [URL].
c. The capacity of the professional relationship is [state].
d. We have advised the organization for [state time] in this firm’s professional capacity as stated above.
Signed by:
duly authorized for
and on behalf of:
Date:
The Professional Reference should also be provided as a PDF, electronically signed, together with all other documentation.
To access and download a Word version of the Professional Reference, log into the Self-Certification website.
Management Declaration Guidance and Template
The Management Declaration is made on-line, as part of the application process.
Because it is not realistic to expect a senior executive to physically perform part of an on-line application process, reliance is placed on the organization’s internal procedures and communications to ensure that the relevant member of management has properly approved the Management Declaration.
When the on-line application is formally submitted, an email will be sent to the named senior executive to confirm the Management Declaration which has been recorded in his/her name, and a confirming response is required to complete the application. The confirming response should include sufficient information to identify the individual, including name and position.
The Management Declaration will be available on the CIF website together with other publicly available information about the certified organization, showing the executive’s name and position, but not the email.
The on-line Management Declaration contains the following wording:
I declare that:
a. [Organization Name] is committed to the principles of Transparency, Capability and Accountability which are embodied in the Cloud Industry Forum’s Code of Practice, because these help create a more trustworthy business environment for cloud-based processing.
b. [Organization Name] is committed to complying with the specific requirements of the Cloud Industry Forum’s Code of Practice for the period of Certification, for the scope defined in the application.
c. [Organization Name] is willing to submit any customer disputes to formal external dispute resolution.
d. The information provided in this application for Self-Certification is a true and accurate reflection of the business and practices of [Organization Name].
e. I am authorized to commit [Organization Name] to the contents of this Management Declaration.
I also acknowledge that:
a. This Management Declaration is a part of the full application for Self-Certification.
b. The Cloud Industry Forum’s Terms and Conditions (IP14) apply to this application for Self-Certification.
c. An audit may be conducted by the CIF to ensure compliance with the Code of Practice.
d. Any non-conformance with the Code of Practice, at the sole determination of the CIF, as confirmed after the conclusion of appeal procedures, will result in the withdrawal of the Code of Practice certification in accordance with the General Cloud Industry Forum Terms and Conditions.
e. Any withdrawal of the Code of Practice certification may be publicized, including on the CIF web site and in other ways in the press.
To access and download a pdf copy of the Management Declaration to circulate to the named senior executive, log into the Self-Certification website.
“Publish” Guidance
Updating Public Disclosure Information
Once APMG has validated and authorized the Self-Certification, an organization will be issued with a Certificate stating the date of award, and will be required to add the following text to their website, to replace the Post Registration (Pre-Certification) text.
Post Self-Certification Text
Xxx has completed the Self-Certification against the ‘Code of Practice for Cloud Service Providers’ (the ‘Code’) of the Cloud Industry Forum (‘CIF’, at www.cloudindustryforum.org), which the mark above demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available.
Xxx is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.
NOTICE: While Xxx has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.
Using the CIF Certified Logo
Once a Self-Certification has been recognized, an organization will be supplied with the CIF logo pack, which includes:
■ LP01 Guidelines for Self-Certification Mark Use
■ CIF Self-Certified Logo / Mark (in a number of formats and colours)
The LP01 document issued upon certification authorization provides guidance on the use of the mark, as well as the expectations for its use, which include instructions on inclusion of the mark on Public Disclosures web pages.
Further information
About the Cloud Industry Forum (CIF)
The CIF was established in direct response to the evolving supply models for the delivery of software and IT services. Our aim is to provide much needed clarity for end users when assessing and selecting Cloud Service Providers based upon the clear, consistent and relevant provision of key information about the organization, its capabilities and its operational commitments.
We achieve this through a process of Self-Certification of vendors to a Cloud Service Provider Code of Practice requiring executive commitment and operational actions to ensure the provision of critical information through the contracting process. This Code of Practice, and the use of the related Certification Mark on participants’ websites, is intended to promote trust to businesses and individuals wishing to leverage the commercial, financial and agile operations capabilities that Cloud-based and hosted solutions can provide.
For further information about the Cloud Industry Forum, please refer to www.cloudindustryforum.org
Governance of The Code Of Practice
The Cloud Industry Forum has set up a governance board to be responsible for the stewardship of the Code of Practice, and full details of the board composition and committees can be found on the CIF website.
This operates independently of the CIF Management Board of the not-for-profit member body, and includes representatives from outside CIF membership, including end user representatives, industry advisors and IT legal practices, to ensure a balanced and transparent approach to governance.
Code Governance Board
The Code of Practice Governance Board is chaired by an elected representative from the governance board members, and is responsible for the following:
■ Approving the goals, objectives and strategies in relation to the Code of Practice
■ Reviewing the requirements of the Code of Practice on an annual basis and approving any changes
■ Identifying the principal risks of the Code of Practice’s operations and scope, and overseeing the implementation of appropriate risk assessment systems to manage these risks
■ Reviewing the CIF Code of Practice’s financial performance, and approving changes, to ensure it operates viably
■ Monitoring participant appeals, third party complaints, and operational standards and consistency associated with the operation of the CIF Code of Practice
■ Assessing its own effectiveness in fulfilling its responsibilities, including monitoring the effectiveness of individual representatives
■ Ensuring the integrity of the CIF Code of Practice’s internal control system and management information systems
The Board can set up committees to delegate specific responsibilities from time to time as required and the composition of such committees will be set out on the CIF website.
Audit and Appeal
In order for the Code Self-Certification process to be credible and trusted it needs an appropriate enforcement model to challenge any false submissions. Such a challenge will be triggered by a random audit, an external complaint or a whistle-blower alert. The CIF will therefore manage an audit process (directly or through accredited third parties) and will have the capability and authority to enforce removal of the Certification Mark from organizations found not to have complied with the Code. Independent Certification will only be available through bodies approved and accredited by the CIF; as such, completing an Independent Certification automatically confers on the participant a higher degree of trust than is achieved through Self-Certification.
If an external complaint or whistle-blower statement is made about a self-certified participant that questions the validity of their declaration, the participant will be informed of the nature of the complaint and allowed to provide evidence to uphold their position as self-certified to the Code. The CIF will operate a Compliance Committee to oversee complaints and decide on their validity. If the Compliance Committee upholds the complaint, the self-certified participant may challenge the findings by appeal to the Code Governance Board. The decision of the Code Governance Board is final and no further route of appeal is available.
The CIF Compliance Committee will acknowledge all complaints and reserves the right to publish its opinions publicly. Only the Code Governance Board or its nominated representative(s) will approve any public comment on complaints.
Collaboration with Standards organizations and related Bodies
By the nature of the industry, the CIF will need to operate on an international stage, as the Cloud has no geographic boundary (though our legal remit will focus initially on the UK). The CIF will collaborate on and endorse appropriate security and technical interoperability standards that are outside of, but complement, the Code.
The CIF participates in the work of ISO/IEC JTC1 SC38, whose scope includes cloud computing, through the corresponding committee of the British Standards Institution.
Contact Us
Mail: The Cloud Industry Forum, Sword House, Totteridge Road, High Wycombe, HP13 6DG
www.cloudindustryforum.org
https://selfcert.cloudindustryforum.org
Email: [email protected] / [email protected]
Telephone: +44 (0)844 583 2521 / +44 (0)1494 459 559
The Role of The APM Group Limited (APMG) in Supporting Certification
APMG was established in 1993 and is a global business providing accreditation and certification services. APMG has a worldwide presence, with offices in Australia, China, Denmark, Germany, India, Italy, Malaysia, the Netherlands, the UK and the US. APMG has been working with the CIF to provide the administration behind the Code of Practice scheme.
APMG has been appointed as the CIF's independent certification partner. APMG will use its independence to ensure that organizations which sign up to the Code of Practice can be confident of an impartial, reasonable, consistent and professional approach to the processing of their information and assessments.
APMG will also attend the Code Governance Board to provide a direct route for feedback from applicants working through the scheme into this monitoring body.
APMG does not provide any commercial services within the Cloud and so is able to complete the assessments of organizations without any conflict of interest, protecting the integrity and confidentiality of the information provided as part of the application process.
For further information about the APM Group Limited, please refer to www.apmgroupltd.com