
Cloud Certification Checklist

Cloud Service Provider: <Name>

Date: <DD:MM:YYYY>

Intended Service Business Owner: <name of University contact>

Supporting Documents Reviewed: <insert document name(s) reviewed>

The checklist is to be completed by the requesting client and the Cloud Service Provider. Once complete, the checklist must be sent to Information Security & Risk (ictsecurity@flinders.edu.au) for final review and approval in line with the University's Cloud Security Standards and Published Certification Guidance.

Version 4.0

Last Updated: 21/12/2016

Overview of Certification Lifecycle

Part A: Internal Assessment of Proposed Cloud Service

This section is to be completed by the Business Owner or Technical Owner.

Columns: Internal Security Questions | Person Answering Question | Comments

Service Overview

A 1. Provide an overview of the service that will be provided by the Cloud Provider. (e.g. is this supporting a business process).


Contract Negotiations

A 2. What is the intended period of the contract? Has an exit strategy been considered to transition away from the cloud service if required?

A 3. Does the proposed Cloud Service Provider Service Level Agreement (SLA) adequately reflect the compensation Flinders University is entitled to, in the event of breach of the SLA such as unscheduled downtime or data loss?

A 4. Is the University willing to be advertised as a customer of the Cloud Service Provider?

A 5. Does the proposed Cloud Service Provider have the capability to recover data for a specific customer in the case of a failure or data loss?

Data Access and Integration

A 6. How will users access the cloud service? (e.g. over the internet, web based or client software etc.). Will they be required to sign in with a FAN?

A 7. How will user setup, removal, authentication and privilege assignment be managed?

A 8. How will other systems integrate (if applicable)?

Data Protection


A 9. What is the highest classification for the data to be stored with the Cloud Service Provider? If unknown, answer the following:

Will the service store, process, or transmit personally identifiable information?

Will the service store, process, or transmit de-identified personal information?

For more information on Information Classification levels visit the ITS support website.

A 10. Who is the business owner of the data to be stored with the Cloud Service Provider? (if separate from the business owner of the Cloud Service being procured).

A 11. Is the cloud service going to be University branded?

A 12. Will the cloud service store, transmit or process credit card payments in a manner that complies with the University’s Payment Card Data Protection Policy?

A 13. What is the impact if data held in the cloud service were stealthily modified, or if the data were published to the media?

Data Sovereignty

A 14. Does the University have any known restrictions regarding where data will be stored (e.g. overseas)? (for example, data sharing agreements, or other Government or legislative requirements).

Data Availability

A 15. Can the University tolerate a downtime of the Cloud Service during a scheduled outage window? Will this interfere with critical business processes?

A 16. Do the vendor's defined timeframes for restoration, as part of its business continuity and disaster recovery plans, meet the University's requirements for the service?


A 17. Will the University employ another vendor with automatic failover in the event services from the initial vendor become unavailable? Or a backup business process (for example, manual processing on site)?

A 18. Is the network connection between the University and the vendor’s network adequate in terms of availability, bandwidth, delays (latency) and packet loss? 

A 19. Is the vendor's network considered to be on AARNet's network (e.g. on-net), so that bandwidth during business hours is not charged at $0.80 per gigabyte? (Check here: http://lg.aarnet.edu.au/cgi-bin/traffic.cgi).

A 20. Are there any State Records requirements that need to be met to ensure data is retained and/or archived in line with the University Records Management and Freedom of Information Policies? (for example, retention of financial information for up to 7 years).

A 21. In the event of an accidental deletion of a file, email or other data by a University user, what would the impact be if recovery could not occur for:

1 day?

1 week?

1 month?

A 22. In the event the University migrates away from this proposed vendor:

Will the University get access to its data in a vendor-neutral format to avoid lock-in?

How will the University ensure its data is permanently deleted from the vendor’s storage?

Does the vendor facilitate portability and interoperability to easily move to a different vendor?

If the vendor goes bankrupt or enters receivership, will the University's data remain accessible?


A 23. Is it intended that an existing on-premises application will be migrated to the Cloud Service Provider in this instance? If so, what is the timeline for migration and decommissioning of the existing application?

Part B: Questionnaire for (or on behalf of) the Cloud Service Provider

Please refer to the Service Level Agreement (SLA) and the terms of service for more information and to obtain the inputs for the questionnaire below.

Columns: Vendor Questionnaire | Compliant? (Y, N, N/A) | Is this Independently Audited? | Explanation/Clarification/Mitigation

Independent Security Assessment

B. 1 The vendor performs security audits at least annually, using a reputable third-party auditor and against a known standard (for example SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 27001, ITAR or FIPS 140-2).

B. 2 The vendor performs, on at least an annual basis, network and application vulnerability assessment and penetration testing activities and provides us a high-level report of the findings (to be included in the SLA).

B. 3 The vendor has an internal audit program that allows for cross-functional audit of assessments?

Data Confidentiality

B. 4 Data for each customer is logically segregated as part of a multi-tenancy and/or virtualised environment.

B. 5 The vendor will not advertise the University as a customer of the cloud service without prior written permission of the University.

B. 6 The vendor encrypts all data in transit and in storage with AES-256 or stronger. Define which algorithms, modes of operation and hash functions are used (for data in transit, the TLS versions and cipher suites accepted).

B. 7 The vendor encrypts all data at rest, including backups, with AES-256 or stronger (applies to Internal Only, Restricted and above classified data). Define which encryption algorithms, modes of operation and hash functions are used, and who holds the keys.
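A vendor's answer to B.6 and B.7 is usually a short list of names ("TLS, AES-256, SHA"), and the reviewer's job is to notice what is missing or too weak. The script below is an added example for this checklist, not Flinders University or any vendor's code. It takes a declaration in an assumed plain-dict format, parses cipher suite names in either OpenSSL or IANA form, and reports where the declaration falls below the AES-256 floor the checklist states. The other thresholds it applies (TLS 1.2 minimum, SHA-256 minimum, forward secrecy, AEAD or a named integrity hash for at-rest data) are this example's own assumptions about what a reviewer should ask for.

```python
"""Check a vendor's declared encryption configuration against B.6/B.7.
Added example, not Flinders University code. Input format and the thresholds
beyond the checklist's AES-256 floor are assumptions."""
import re

WEAK_CIPHERS = {"RC4", "RC2", "DES", "3DES", "IDEA", "SEED", "NULL", "EXP", "EXPORT"}
WEAK_HASHES = {"MD5", "SHA", "SHA1"}     # a bare "SHA" in an OpenSSL suite name is HMAC-SHA1
AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}
MIN_TLS = (1, 2)                         # assumed floor for data in transit
MIN_KEY_BITS = 256                       # from B.6/B.7


def tls_version(label: str) -> tuple:
    """'TLS 1.2' or 'TLSv1.3' -> (1, 2) or (1, 3); unrecognised -> (0, 0)."""
    m = re.search(r"(\d)\.(\d)", label)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def check_cipher_suite(suite: str) -> list:
    """Findings for one suite, OpenSSL (ECDHE-RSA-AES256-GCM-SHA384) or IANA (TLS_AES_256_GCM_SHA384) style."""
    name = suite.upper().replace("_", "-")
    tokens = name.split("-")
    toks = set(tokens)
    findings = []
    if toks & WEAK_CIPHERS or "CBC3" in toks:
        findings.append(f"{suite}: weak or broken bulk cipher")
    elif "CHACHA20" not in toks:                      # ChaCha20 keys are 256-bit by definition
        m = re.search(r"AES-?(\d{3})", name)
        if m is None:
            findings.append(f"{suite}: bulk cipher not recognised")
        elif int(m.group(1)) < MIN_KEY_BITS:
            findings.append(f"{suite}: AES key size {m.group(1)} below {MIN_KEY_BITS}")
    if not toks & AEAD_TOKENS:
        findings.append(f"{suite}: not an AEAD suite (CBC-style mode, integrity relies on the MAC)")
    if tokens[-1] in WEAK_HASHES:
        findings.append(f"{suite}: MAC/PRF hash {tokens[-1]} is below SHA-256")
    tls13_name = tokens[0] == "TLS" and "WITH" not in toks   # TLS 1.3 suites always have forward secrecy
    if not tls13_name and not toks & {"ECDHE", "DHE"}:
        findings.append(f"{suite}: no forward secrecy (static key exchange)")
    return findings


def check_at_rest(section: str, cfg) -> list:
    """Findings for a storage or backup encryption declaration (B.7)."""
    if not cfg:
        return [f"{section}: no encryption declared"]
    findings = []
    alg = str(cfg.get("algorithm", "")).upper()
    mode = str(cfg.get("mode", "")).upper()
    digest = str(cfg.get("hash", "")).upper().replace("-", "").replace("HMAC", "")
    bits = int(cfg.get("key_bits", 0))
    if alg not in {"AES", "CHACHA20"}:
        findings.append(f"{section}: algorithm {alg or 'unspecified'} is not AES or ChaCha20")
    if bits < MIN_KEY_BITS:
        findings.append(f"{section}: key size {bits} below {MIN_KEY_BITS}")
    if mode == "ECB":
        findings.append(f"{section}: ECB mode leaks plaintext structure")
    elif mode not in AEAD_TOKENS:
        # Unauthenticated mode: the checklist asks for the hash, so require one at SHA-256 or better.
        if not digest:
            findings.append(f"{section}: {mode or 'unspecified'} mode with no integrity hash declared")
        elif digest in WEAK_HASHES:
            findings.append(f"{section}: integrity hash {cfg['hash']} is below SHA-256")
    return findings


def assess_declaration(decl: dict) -> list:
    """All findings for a B.6/B.7 declaration; an empty list means nothing to query."""
    findings = []
    transit = decl.get("transit", {})
    if tls_version(transit.get("protocol", "")) < MIN_TLS:
        findings.append(f"transit: protocol {transit.get('protocol', 'unspecified')!r} below TLS 1.2")
    if not transit.get("cipher_suites"):
        findings.append("transit: no cipher suites declared")
    for suite in transit.get("cipher_suites", []):
        findings.extend(check_cipher_suite(suite))
    for section in ("at_rest", "backups"):
        findings.extend(check_at_rest(section, decl.get(section)))
    return findings


# Constructed declarations, in the shape a vendor might return for B.6/B.7. Not real vendor data.
GOOD = {
    "transit": {"protocol": "TLS 1.2",
                "cipher_suites": ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"]},
    "at_rest": {"algorithm": "AES", "key_bits": 256, "mode": "GCM"},
    "backups": {"algorithm": "AES", "key_bits": 256, "mode": "CBC", "hash": "HMAC-SHA256"},
}
WEAK = {
    "transit": {"protocol": "TLS 1.0", "cipher_suites": ["AES128-SHA", "ECDHE-RSA-DES-CBC3-SHA"]},
    "at_rest": {"algorithm": "AES", "key_bits": 128, "mode": "CBC", "hash": "SHA-1"},
    # "backups" omitted on purpose: a common gap in vendor answers, reported as a finding
}

if __name__ == "__main__":
    for label, decl in (("good", GOOD), ("weak", WEAK)):
        print(label, assess_declaration(decl) or "no findings")
```

Every finding is a question to put back to the vendor in the Explanation/Clarification/Mitigation column; a vendor that cannot name its modes, hashes and TLS versions has not really answered B.6 or B.7.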


B. 8 The University must maintain compliance with the Commonwealth Privacy Act 1988 (including recent amendments). Does the vendor commit to adhering to these obligations, so that they are met to the satisfaction of the University?

B. 9 For services that allow a user to submit personal information, does the service allow the configuration of a privacy statement and/or acknowledgement?

B. 10 The vendor acknowledges the University remains the legal owner of its supplied data when stored on the cloud and that such data cannot be shared with any third-party without the written consent of the University.

B. 11 The vendor has a documented procedure for responding to requests for tenant data from governments or other third parties.

B. 12 When the University deletes portions of its data stored on the Cloud Service, the vendor applies media sanitisation processes before the same storage media is assigned to another customer, especially in a multi-tenancy environment.

B. 13 The vendor has media sanitisation processes to sanitise the storage media for end of life data.

Data Availability

B. 14 The vendor has a defined Service Level Agreement (SLA) guaranteeing system uptime of at least 99.5% and defined RTOs/RPOs. Provide the defined RTOs/RPOs.

B. 15 The SLA guarantee does not exclude scheduled downtime or any specific classes of technical issue, including cyber-attack (for example, denial of service, or network link outage).


B. 16 The vendor has defined Business Continuity Plans and Disaster Recovery Plans.

B. 17 The vendor provides mechanisms such as redundancy and offsite backups to prevent corruption or loss of University data and guarantee both integrity and the availability of the data. Backups are protected with suitable encryption and stored in a physically secure location.

B. 18 The vendor provides scalability options for computing resources to compensate for increased usage from the University in a timely and secure manner.

Security Governance

B. 19 The vendor's data centre is ISO 27001 compliant (or equivalent), and the scope of the Statement of Applicability covers the facilities, infrastructure and application.

B. 20 The vendor has policies and processes supporting the vendor's IT security posture, including:

Threat and Risk Assessment;

Vulnerability Management;

Patch Management;

Change Management.

B. 21 The vendor audits the actions performed by its employees (or sub-contractors) when working with University data, to detect fraud, unauthorised access and modification. Such audit logs are reviewed periodically.

B. 22 The vendor performs pre-hire background checks on its employees and sub-contractors.

B. 23 The vendor provides, upon request, audit logs to perform a forensic investigation in the event of a major security incident. This is defined in the SLA.

B. 24 The vendor has defined incident management plans for handling security incidents within or against its environment.


B. 25 During or after the detection of a security incident, the vendor will notify its customers via secure communications within 48 hours. This is defined in the SLA.

Network Security

B. 26 The vendor has implemented firewall and network intrusion prevention technologies to secure gateway access.

Application Security

B. 27 The vendor’s application code is reviewed for security vulnerabilities and issues are addressed prior to deployment to production (for example, mandatory security testing as part of release management).

B. 28 The vendor implements secure development practices as part of the Software Development Life Cycle (SDLC) to ensure security requirements are incorporated in all aspects of software development (for example, OWASP for web application development).

B. 29 The vendor provides options for code escrow that would allow the University to access the software's source code in the event the vendor becomes insolvent (optional).

B. 30 The vendor solution supports automated user provisioning through an application interface, first-login account creation and/or SAML-based just-in-time user provisioning.

B. 31 The vendor solution supports SAML-based single sign-on authentication.
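"Supports SAML" in B.31 and "just-in-time provisioning" in B.30 describe the same flow: the vendor's application receives a signed assertion from the University's identity provider and creates or updates the local account on first login. The checks that matter for A.7 (how privilege assignment is managed) are the ones that happen after the signature is verified. The code below is an added example, not Flinders University or any vendor's code. It assumes the SAML library in use has already verified the assertion's XML signature against the IdP metadata, and then enforces the validity window and audience restriction, keys the account on the NameID, and derives local roles only from the IdP-asserted eduPersonAffiliation attribute. The SP entity ID, the attribute names, the role mapping and the sample assertion are all assumptions constructed for the example.

```python
"""JIT provisioning from a SAML assertion (B.30/B.31). Added example, not
Flinders University code. Assumes the XML signature was verified upstream;
entity ID, attribute names and role mapping are assumptions."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET   # assumption: use defusedxml for untrusted XML in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://vendor.example/sp"      # assumed: this service's entity ID
CLOCK_SKEW = timedelta(minutes=2)               # assumed tolerance for IdP/SP clock drift
# Assumed mapping: privilege comes from the IdP's eduPersonAffiliation value, never from user input.
ROLE_BY_AFFILIATION = {"staff": "editor", "student": "viewer"}


class AssertionRejected(Exception):
    """Raised when the assertion must not create or update a local account."""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def provision_from_assertion(xml_text: str, now: datetime) -> dict:
    """Validate Conditions and Subject, then return the local account to create or update."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise AssertionRejected("no Assertion element")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions element; refuse rather than assume validity")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < parse_saml_time(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
        raise AssertionRejected("assertion expired")
    # Audience check: an assertion issued for another SP must not log anyone in here.
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected("assertion not addressed to this service provider")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise AssertionRejected("no NameID to key the local account on")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    roles = sorted({ROLE_BY_AFFILIATION[a] for a in attrs.get("eduPersonAffiliation", []) if a in ROLE_BY_AFFILIATION})
    if not roles:
        # A valid login with no mapped role gets no account at all: least privilege by default.
        raise AssertionRejected("no affiliation maps to a local role")
    return {
        "username": name_id.text.strip(),
        "email": (attrs.get("mail") or [None])[0],
        "display_name": (attrs.get("displayName") or [None])[0],
        "roles": roles,
    }


def try_provision(xml_text: str, now_iso: str) -> dict:
    """Convenience wrapper: the account dict, or {'rejected': reason}."""
    try:
        return provision_from_assertion(xml_text, parse_saml_time(now_iso))
    except AssertionRejected as exc:
        return {"rejected": str(exc)}


# Constructed sample assertion (signature element omitted; see the assumption above). Not real data.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-03-01T03:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>abcd0001</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T03:00:00Z" NotOnOrAfter="2024-03-01T03:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://vendor.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>abcd0001@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Test User</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(try_provision(SAMPLE_ASSERTION, "2024-03-01T03:01:00Z"))   # provisioned as editor
    print(try_provision(SAMPLE_ASSERTION, "2024-03-01T03:10:00Z"))   # rejected: expired
```

When reviewing a vendor's B.30 answer, ask which of these checks its SAML implementation performs and whether roles can also be set through a self-service profile page; if they can, the IdP attribute is not actually the source of privilege.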

B. 32 The vendor has a capability to use system geographic location as an authentication factor.

Host Security

B. 33 The vendor has a defined ‘patch management’ process, ensuring software security updates are applied in accordance with a risk-based approach.


B. 34 The vendor captures logging from the host and platform and stores this for a specific period of time for review.

B. 35 The vendor allows integration with the University's internal Security Information and Event Management (SIEM) platform via text file input or API.
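A text-file or API feed (B.35) is only useful once it is normalised into the SIEM's schema and the B.21 and B.36 questions (are vendor staff actions on University data attributable and justified, is administrative access controlled) are turned into rules that run over it. The script below is an added example, not Flinders University or any vendor's code. It assumes an export of one JSON object per line with the field names shown, maps each line to ECS-style keys, and applies three assumed rules: vendor staff touching tenant data without a ticket reference, vendor staff exporting tenant data, and administrative actions from outside the address ranges the vendor declared for privileged access. A fourth condition, another tenant's events appearing in the University's export, is reported because it bears directly on B.4. The sample export is constructed for the example.

```python
"""Normalise a vendor audit-log export for the SIEM (B.34/B.35) and apply the
B.21/B.36 checks. Added example, not Flinders University or vendor code; the
export format, field names and rules are assumptions."""
import ipaddress
import json
from datetime import datetime, timezone
from typing import Optional

TENANT_ID = "flinders"                                           # assumed tenant label in the export
VENDOR_ADMIN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # assumed: vendor's declared admin hosts (RFC 5737 range)

# Constructed sample export, one JSON object per line. Not real vendor data.
SAMPLE_EXPORT = """\
{"ts":"2024-03-01T02:10:00Z","actor":"jsmith","actor_type":"tenant_user","action":"file.read","tenant":"flinders","src_ip":"198.51.100.7"}
{"ts":"2024-03-01T02:12:31Z","actor":"ops-04","actor_type":"vendor_staff","action":"record.read","tenant":"flinders","ticket":"INC-20443","src_ip":"203.0.113.15"}
{"ts":"2024-03-01T02:15:05Z","actor":"ops-09","actor_type":"vendor_staff","action":"record.export","tenant":"flinders","src_ip":"203.0.113.22"}
{"ts":"2024-03-01T02:20:44Z","actor":"svc-backup","actor_type":"vendor_staff","action":"admin.config.write","tenant":"flinders","ticket":"CHG-118","src_ip":"192.0.2.9"}
{"ts":"2024-03-01T02:21:00Z","actor":"ops-04","actor_type":"vendor_staff","action":"record.read","tenant":"othertenant","src_ip":"203.0.113.15"}
not json at all
"""


def normalise(line: str) -> Optional[dict]:
    """Map one export line onto the SIEM's common schema. Returns None for lines that
    cannot be parsed; the caller counts them so a broken feed becomes a finding
    instead of silently shrinking the log."""
    try:
        raw = json.loads(line)
        ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
        return {
            "@timestamp": ts.astimezone(timezone.utc).isoformat(),
            "user.name": raw["actor"],
            "user.type": raw.get("actor_type", "unknown"),
            "event.action": raw["action"],
            "source.ip": raw.get("src_ip"),
            "tenant": raw.get("tenant"),
            "ticket": raw.get("ticket"),
            "observer.vendor": "examplecloud",   # assumed source tag
        }
    except (json.JSONDecodeError, KeyError, ValueError, AttributeError, TypeError):
        return None


def evaluate(event: dict) -> list:
    """Alerts for one normalised event; an empty list means nothing to raise."""
    alerts = []
    if event["tenant"] != TENANT_ID:
        # The export should contain only this tenant: anything else is a segregation question (B.4).
        return [f"export contains another tenant's event ({event['tenant']}) from {event['user.name']}"]
    if event["user.type"] == "vendor_staff":
        if not event["ticket"]:
            alerts.append(f"vendor staff {event['user.name']} performed {event['event.action']} with no ticket reference")
        if event["event.action"].endswith(".export"):
            alerts.append(f"vendor staff {event['user.name']} exported tenant data")
    if event["event.action"].startswith("admin."):
        src = event["source.ip"]
        try:
            inside = any(ipaddress.ip_address(src) in net for net in VENDOR_ADMIN_RANGES)
        except ValueError:          # missing or malformed address: treat as outside
            inside = False
        if not inside:
            alerts.append(f"administrative action {event['event.action']} by {event['user.name']} from {src} outside declared admin ranges")
    return alerts


def process_export(text: str) -> dict:
    """Normalise every line, evaluate the rules, and report what could not be parsed."""
    events, alerts, unparsed = [], [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = normalise(line)
        if event is None:
            unparsed += 1
            continue
        events.append(event)
        alerts.extend(evaluate(event))
    return {"events": events, "alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = process_export(SAMPLE_EXPORT)
    print(f"{len(result['events'])} events, {result['unparsed']} unparsed line(s)")
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

The fields the rules depend on (actor type, ticket reference, source address, tenant) are the ones to ask for explicitly under B.35; an export that lacks them cannot answer B.21 or B.36 however long it is retained.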

B. 36 Administrative access to the vendor application’s underlying infrastructure is strictly controlled and audited.

Physical Security

B. 37 The vendor has physical security controls on hosting facilities, including (but not limited to):

CCTV monitoring;

Background checks for staff;

Confidentiality agreements for staff;

Patrolling guards; and

Restricted visitor access.

Vendor Support

B. 38 Are information system documents (e.g. administrator and user guides, architecture diagrams) made available to authorised personnel to support configuration, installation and operation of the information system?