Cloud Control Matrix

Cloud Control Matrix 3.0

Human Resources (12)
  Asset Returns
  Background Screening
  Employment Agreements
  Employment Termination
  Industry Knowledge / Benchmarking
  Mobile Device Management
  Non-Disclosure Agreements
  Roles / Responsibilities
  Technology Acceptable Use
  Training / Awareness
  User Responsibility
  Workspace

Governance and Risk Management (3)
  Risk Assessments
  Risk Management Framework
  Risk Mitigation / Acceptance

Identity & Access Management (13)
  Audit Tools Access
  Credential Lifecycle / Provision Management
  Diagnostic / Configuration Ports Access
  Policies and Procedures
  Segregation of Duties
  Source Code Access Restriction
  Third Party Access
  Trusted Sources
  User Access Authorization
  User Access Reviews
  User Access Revocation
  User ID Credentials
  Utility Programs Access

Infrastructure & Virtualization Security (12)
  Audit Logging / Intrusion Detection
  Change Detection
  Clock Synchronization
  Information System Documentation
  Management - Vulnerability Management
  Network Security
  OS Hardening and Base Controls
  Production / Non-Production Environments
  Segmentation
  VM Security - vMotion Data Protection
  VMM Security - Hypervisor Hardening
  Wireless Security

Interoperability & Portability (5)
  APIs
  Data Request
  Policy & Legal
  Standardized Network Protocols
  Virtualization

Mobile Security (20)
  Anti-Malware
  Application Stores
  Approved Applications
  Approved Software for BYOD
  Awareness and Training
  Cloud Based Services
  Compatibility
  Device Eligibility
  Device Inventory
  Device Management
  Encryption
  Jailbreaking and Rooting
  Legal
  Lockout Screen
  Operating Systems
  Passwords
  Policy
  Remote Wipe
  Security Patches
  Users

Security Incident Management, E-Discovery & Cloud Forensics (5)
  Contact / Authority Maintenance
  Incident Management
  Incident Reporting
  Incident Response Legal Preparation
  Incident Response Metrics

Threat and Vulnerability Management (3)
  Anti-Virus / Malicious Software
  Vulnerability / Patch Management
  Mobile Code

Application & Interface Security (4)
  Application Security
  Customer Access Requirements
  Data Integrity
  Data Security / Integrity

Business Continuity Management & Operational Resilience (12)
  Business Continuity Planning
  Business Continuity Testing
  Datacenter Utilities / Environmental Conditions
  Documentation
  Environmental Risks
  Equipment Location
  Equipment Maintenance
  Equipment Power Failures
  Impact Analysis
  Management Program
  Policy
  Retention Policy

Change Control & Configuration Management (5)
  New Development / Acquisition
  Outsourced Development
  Quality Testing
  Unauthorized Software Installations
  Production Changes

Data Security & Information Lifecycle Management (8)
  Classification
  Data Inventory / Flows
  eCommerce Transactions
  Handling / Labeling / Security Policy
  Information Leakage
  Non-Production Data
  Ownership / Stewardship
  Secure Disposal

Datacenter Security (9)
  Asset Management
  Controlled Access Points
  Equipment Identification
  Off-Site Authorization
  Off-Site Equipment
  Policy
  Secure Area Authorization
  Unauthorized Persons Entry
  User Access

Encryption & Key Management (4)
  Entitlement
  Key Generation
  Sensitive Data Protection
  Storage and Access

Audit Assurance and Compliance (3)
  Audit Planning
  Independent Audits
  Information System Regulatory Mapping

Supply Chain Management, Transparency and Accountability (9)
  Data Quality and Integrity
  Incident Reporting
  Network / Infrastructure Services
  Provider Internal Assessments
  Supply Chain Agreements
  Supply Chain Governance Reviews
  Supply Chain Metrics
  Third Party Assessment
  Third Party Audits

Allen Zhang, HMSA, 2014 V1
