An outsourced cloud service register contains the following for each outsourced cloud service: • cloud service provider’s name • cloud service’s name • purpose for using the cloud service • sensitivity or classification of data involved • due date for the next security assessment of the cloud service • contractual arrangements for the cloud service • point of contact for users of the cloud service • 24/7 contact details for the cloud service provider.
Topic
Outsourced cloud services
Applicable to
Non Classified, Official, Protected, Secret, Top Secret
History
Sep 2022
An outsourced cloud service register contains the following for each outsourced cloud service:
• cloud service provider’s name
• cloud service’s name
• purpose for using the cloud service
• sensitivity or classification of data involved
• due date for the next security assessment of the cloud service
• contractual arrangements for the cloud service
• point of contact for users of the cloud service
• 24/7 contact details for the cloud service provider.
The existing control recommending 24/7 contact details be recorded for managed services and cloud services (ISM-1433) was merged into existing controls for managed service registers and cloud service registers.
Sep 2022
An outsourced cloud service register contains the following for each outsourced cloud service:
• cloud service provider’s name
• cloud service’s name
• purpose for using the cloud service
• sensitivity or classification of data involved
• due date for the next security assessment of the cloud service
• contractual arrangements for the cloud service
• point of contact for users of the cloud service
• 24/7 contact details for the cloud service provider.
Existing controls were modified to ensure similar information is being recorded within managed service registers and cloud service registers. In addition, a new requirement was added to existing controls to ensure that copies of contractual arrangements for managed services and cloud services are kept with associated registers.
Mar 2022
An outsourced cloud service register contains the following for each outsourced cloud service:
• cloud service provider’s name
• cloud service’s name
• purpose for using the cloud service
• sensitivity or classification of data involved
• due date for the next security assessment of the cloud service
• point of contact for users of the cloud service
• point of contact for the cloud service provider.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Jan 2021
Outsourced cloud services registers contain the following for each outsourced cloud service:
• cloud service provider’s name
• cloud service’s name
• purpose for using the cloud service
• sensitivity or classification of information involved
• due date for the next security assessment of the cloud service
• point of contact for users of the cloud service
• point of contact for the cloud service provider.
Two new security controls have been added to capture the identification and recording of outsourced cloud services.