Policy Development
Overview
Effective policies provide the foundation for ISO 27017 implementation, defining security requirements and expectations for cloud services.
Learning Objectives
- Develop cloud security policies
- Align policies with ISO 27017
- Create supporting procedures
- Communicate policies effectively
- Maintain and update policies
ISO 27017 Policy Requirements
A.5.1.1 - Policies for Information Security
Policy Requirements:
- Documented information security policy
- Management approval
- Published and communicated
- Reviewed at planned intervals
- Updated as appropriate
Cloud-Specific Policy Needs
Cloud Security Policy Framework
┌────────────────────────────────────────────────────────────┐
│                Information Security Policy                 │
│                (High-level, board-approved)                │
└──────────────────────────────┬─────────────────────────────┘
                               │
       ┌───────────────┬───────┴───────┬───────────────┐
       │               │               │               │
┌──────▼─────┐  ┌──────▼─────┐  ┌──────▼─────┐  ┌──────▼─────┐
│   Cloud    │  │    Data    │  │   Access   │  │  Incident  │
│   Usage    │  │ Protection │  │  Control   │  │  Response  │
│   Policy   │  │   Policy   │  │   Policy   │  │   Policy   │
└──────┬─────┘  └──────┬─────┘  └──────┬─────┘  └──────┬─────┘
       │               │               │               │
┌──────▼───────────────▼───────────────▼───────────────▼─────┐
│              Procedures and Work Instructions              │
└────────────────────────────────────────────────────────────┘
Cloud Usage Policy
Template Structure
Cloud Usage Policy
1. Purpose
Define acceptable use of cloud services
2. Scope
All employees, contractors, cloud services
3. Policy Statements
3.1 Approved Services
├─ Only pre-approved cloud services may be used
├─ Shadow IT is prohibited
├─ Approval process defined
└─ Approved service catalog maintained
3.2 Data Protection
├─ Data classification must be considered
├─ Restricted data requires encryption
├─ Data residency requirements must be met
└─ Data sovereignty laws must be followed
3.3 Access Control
├─ MFA required for all cloud access
├─ Least privilege access
├─ Quarterly access reviews
└─ Shared credentials prohibited
3.4 Security Configuration
├─ Security baselines must be applied
├─ Default passwords must be changed
├─ Unnecessary services disabled
└─ Regular security scans required
4. Roles and Responsibilities
├─ Cloud Administrator: Service management
├─ Data Owner: Data classification
├─ Users: Compliance with policy
└─ Security Team: Monitoring and enforcement
5. Compliance
├─ Violations investigated
├─ Disciplinary action may result
└─ Regular audits conducted
6. Review
├─ Annual review required
├─ Updated as needed
└─ Version control maintained
Approved by: [CIO/CISO]
Date: [Date]
Next Review: [Date + 1 year]
Version: 1.0
Data Protection Policy for Cloud
Key Components
Data Protection Policy
1. Data Classification
├─ Public: No restrictions
├─ Internal: Employee access only
├─ Confidential: Authorized personnel
└─ Restricted: Strict need-to-know
2. Data Handling by Classification
Restricted Data:
├─ Storage: Encrypted (AES-256, customer-managed keys)
├─ Transit: TLS 1.3
├─ Access: MFA required, logged
├─ Sharing: Prohibited externally
├─ Retention: Per regulatory requirement
└─ Deletion: Secure deletion, verified
Confidential Data:
├─ Storage: Encrypted (AES-256)
├─ Transit: TLS 1.2+
├─ Access: Authorized users, logged
├─ Sharing: Approved channels only
├─ Retention: 7 years
└─ Deletion: Secure deletion
3. Cloud-Specific Requirements
├─ Data residency: EU data in EU regions
├─ Encryption: Mandatory for confidential+
├─ Backup: Encrypted, tested quarterly
├─ Access logging: Enabled for all data access
└─ DLP: Enabled for restricted data
4. Data Subject Rights (GDPR)
├─ Right to access
├─ Right to rectification
├─ Right to erasure
├─ Right to data portability
└─ Procedures documented
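The Restricted and Confidential rows above call for AES-256 at rest under customer-managed keys and for verified secure deletion, and the Encryption Policy later in this module adds client-side encryption (1.3) and keeping old keys for decryption (2.3). The Go program below is an added example written for this page, not code from the course or from any ISO document. It shows envelope encryption done on the client: each object is sealed under a one-time data key, that data key is wrapped under a versioned key-encryption key that never leaves the customer, a rotation adds a version without breaking objects wrapped under the old one, and destroying a version is what makes "secure deletion" verifiable (crypto-shredding). The object name, the sample record and the "kek-vN" label used as associated data are the example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what gets uploaded: the object sealed under a one-time data key (DEK),
// plus that DEK wrapped under a versioned key-encryption key (KEK) the customer holds.
type Envelope struct {
	KEKVersion uint32
	WrappedDEK []byte // AES-256-GCM, nonce prefixed, AAD = KEK version label
	Ciphertext []byte // AES-256-GCM, nonce prefixed, AAD = object ID
}

// KeyRing holds every KEK version still allowed to decrypt. Only the current version
// wraps new DEKs; retired versions stay for decryption only (policy 2.3). Rotate once before use.
type KeyRing struct {
	current uint32
	keks    map[uint32][]byte
}

// Rotate installs a fresh 256-bit KEK as current; the previous one is retired, not deleted.
func (kr *KeyRing) Rotate() {
	if kr.keks == nil {
		kr.keks = map[uint32][]byte{}
	}
	kr.current++
	kr.keks[kr.current] = randomBytes(32)
}

// Destroy drops a KEK version (compromise, or crypto-shredding); objects wrapped under it become unreadable.
func (kr *KeyRing) Destroy(version uint32) { delete(kr.keks, version) }
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is not something to continue past
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes here, so this cannot fail
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only errors for non-16-byte block sizes; AES is 16
	return g
}

// seal prefixes a random 96-bit nonce to the ciphertext; open expects that layout.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, data, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(data) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// Encrypt runs client-side before upload (policy 1.3); the object ID as AAD stops ciphertext swapping between objects.
func (kr *KeyRing) Encrypt(objectID string, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	return &Envelope{
		KEKVersion: kr.current,
		WrappedDEK: seal(kr.keks[kr.current], dek, []byte(fmt.Sprintf("kek-v%d", kr.current))),
		Ciphertext: seal(dek, plaintext, []byte(objectID)),
	}
}

// Decrypt runs only in the customer's environment (policy 1.3); a destroyed KEK version fails closed.
func (kr *KeyRing) Decrypt(objectID string, env *Envelope) ([]byte, error) {
	kek, ok := kr.keks[env.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is not available", env.KEKVersion)
	}
	dek, err := open(kek, env.WrappedDEK, []byte(fmt.Sprintf("kek-v%d", env.KEKVersion)))
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(objectID))
}

func main() {
	var kr KeyRing
	kr.Rotate()
	env := kr.Encrypt("customer-records.csv", []byte("constructed sample record"))
	kr.Rotate() // scheduled rotation: v1 retired (decrypt-only), v2 wraps new objects
	pt, err := kr.Decrypt("customer-records.csv", env)
	fmt.Printf("%q err=%v (still wrapped under KEK v%d)\n", pt, err, env.KEKVersion)
	kr.Destroy(1) // compromise response: the object above is now unrecoverable
	fmt.Println(kr.Decrypt("customer-records.csv", env))
}
```

The point worth noticing is that rotation and deletion act on the small wrapped keys, not on the stored objects: a rotation never re-encrypts data, and a destroyed KEK version makes every object still wrapped under it unreadable at once, which is why live objects must be re-wrapped to the current version before an old one is destroyed.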
Access Control Policy
Cloud Access Requirements
Access Control Policy for Cloud Services
1. Authentication
1.1 Multi-Factor Authentication
├─ Required for all cloud access
├─ Hardware tokens for privileged access
├─ TOTP acceptable for standard users
└─ SMS not acceptable
1.2 Password Requirements
├─ Minimum 12 characters
├─ Screened against breached- and common-password lists (in place of composition rules)
├─ No password reuse (last 24)
├─ Changed on evidence of compromise; no fixed expiry (per NIST SP 800-63B)
└─ Password manager recommended
2. Authorization
2.1 Least Privilege
├─ Minimum access required
├─ Time-limited where possible
├─ Just-in-Time for privileged access
└─ Regular right-sizing
2.2 Role-Based Access Control
├─ Roles defined by job function
├─ Pre-approved role templates
├─ Manager approval required
└─ Security approval for privileged roles
3. User Lifecycle
3.1 Provisioning
├─ Automated via HR system
├─ Manager approval
├─ Security training before access
└─ Completed within 24 hours of approval
3.2 Changes
├─ Manager approval
├─ Security review for escalation
├─ Logged and audited
└─ Completed within 48 hours of approval
3.3 Deprovisioning
├─ Triggered automatically by the HR termination record
├─ Immediate for involuntary termination
├─ Within 24 hours of the last working day for resignation
└─ Data ownership transferred before the account is removed
4. Access Reviews
├─ Quarterly for all users
├─ Monthly for privileged access
├─ Manager certification
└─ Auto-revoke uncertified access
5. Federation
├─ SSO via corporate identity provider
├─ Automated provisioning (SCIM)
├─ Attribute-based access control
└─ Session timeout: 8 hours
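Sections 1.1 and 4 above are the parts of this policy that an identity-governance export can be checked against mechanically, and the Cloud Usage Policy's "quarterly access reviews" item is the same control seen from the other side. The Go program below is an added example for this page, not code from the course or from any vendor. It evaluates a constructed list of role assignments against the MFA rules (not enrolled, SMS, privileged without a hardware token) and the review windows (30 days for privileged access, 90 days for everyone else), then lists the assignments the policy says to auto-revoke. The record layout, user names and review dates are constructed sample data.

```go
package main

import (
	"fmt"
	"time"
)

// Entitlement is one user-to-role assignment as an identity-governance export
// might present it. The data in SampleEntitlements is constructed for this example.
type Entitlement struct {
	User       string
	Role       string
	Privileged bool
	MFA        string    // "hardware", "totp", "sms", or "" when not enrolled
	LastReview time.Time // when a manager last certified this assignment; zero if never
	Certified  bool      // manager confirmed at LastReview that the access is still needed
}

// Finding names the policy clause violated and the action the policy prescribes.
type Finding struct {
	User, Role, Clause, Action string
}

// reviewWindow is the maximum age of a valid certification under section 4:
// 30 days for privileged assignments (monthly review), 90 days for the rest (quarterly).
func reviewWindow(privileged bool) time.Duration {
	if privileged {
		return 30 * 24 * time.Hour
	}
	return 90 * 24 * time.Hour
}

// Evaluate applies sections 1.1 (MFA) and 4 (access reviews) to every assignment.
// The MFA cases are ordered so the most severe condition is the one reported.
func Evaluate(ents []Entitlement, now time.Time) []Finding {
	var findings []Finding
	for _, e := range ents {
		switch {
		case e.MFA == "":
			findings = append(findings, Finding{e.User, e.Role, "1.1 MFA required for all cloud access", "suspend until enrolled"})
		case e.MFA == "sms":
			findings = append(findings, Finding{e.User, e.Role, "1.1 SMS not acceptable", "re-enrol with TOTP or hardware token"})
		case e.Privileged && e.MFA != "hardware":
			findings = append(findings, Finding{e.User, e.Role, "1.1 Hardware tokens for privileged access", "issue hardware token"})
		}
		// A review that never happened, one older than the window, or one where the
		// manager declined to certify all lead to the same outcome: auto-revoke.
		overdue := e.LastReview.IsZero() || now.Sub(e.LastReview) > reviewWindow(e.Privileged)
		if overdue || !e.Certified {
			findings = append(findings, Finding{e.User, e.Role, "4 Access review overdue or not certified", "auto-revoke"})
		}
	}
	return findings
}

// Revocations lists the users whose assignments the policy says to revoke automatically.
func Revocations(findings []Finding) []string {
	var users []string
	for _, f := range findings {
		if f.Action == "auto-revoke" {
			users = append(users, f.User)
		}
	}
	return users
}

// SampleEntitlements is a constructed export dated relative to now.
func SampleEntitlements(now time.Time) []Entitlement {
	days := func(n int) time.Time { return now.AddDate(0, 0, -n) }
	return []Entitlement{
		{"alice", "cloud-admin", true, "totp", days(10), true},      // privileged without hardware token
		{"bob", "billing-viewer", false, "sms", days(20), true},      // SMS factor
		{"carol", "storage-admin", true, "hardware", days(45), true}, // privileged review older than 30 days
		{"dave", "developer", false, "totp", days(100), true},        // standard review older than 90 days
		{"erin", "developer", false, "", time.Time{}, false},         // never enrolled, never reviewed
		{"frank", "analyst", false, "totp", days(5), false},          // reviewed, but manager did not certify
		{"grace", "security-admin", true, "hardware", days(7), true}, // compliant
	}
}

func main() {
	now := time.Date(2024, 6, 30, 0, 0, 0, 0, time.UTC)
	findings := Evaluate(SampleEntitlements(now), now)
	for _, f := range findings {
		fmt.Printf("%-6s %-15s %-45s -> %s\n", f.User, f.Role, f.Clause, f.Action)
	}
	fmt.Println("auto-revoke:", Revocations(findings))
}
```

Run against a real export, the same logic turns "auto-revoke uncertified access" from a sentence in a policy into a scheduled job whose output is itself the evidence an ISO 27017 auditor asks for; the zero-value handling for LastReview matters because assignments that were never reviewed are exactly the ones such exports tend to leave blank.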
Encryption Policy
Cryptographic Requirements
Encryption Policy
1. Encryption Requirements
1.1 Data at Rest
├─ Algorithm: AES-256
├─ Key Management: Customer-managed (confidential+)
├─ Provider-managed: Acceptable for internal
└─ No unencrypted storage of sensitive data
1.2 Data in Transit
├─ Protocol: TLS 1.2 minimum (1.3 preferred)
├─ Cipher Suites: Strong ciphers only
├─ Certificate Management: Automated renewal
└─ HSTS enforced for web applications
1.3 Client-Side Encryption
├─ Required for restricted data
├─ Customer controls all keys
├─ Encrypt before cloud upload
└─ Decryption only in secure environment
2. Key Management
2.1 Key Generation
├─ Cryptographically secure RNG
├─ Minimum 256-bit symmetric keys (asymmetric minimums per section 3)
├─ HSM-generated for sensitive keys
└─ Documented procedure
2.2 Key Storage
├─ Cloud KMS for cloud-stored data
├─ Hardware HSM for highest sensitivity
├─ On-premises HSM for HYOK
└─ Never in application code
2.3 Key Rotation
├─ Automatic: 365 days
├─ Sensitive: 90 days
├─ Upon compromise: Immediate
└─ Retired key versions kept for decryption only, never for new encryption
2.4 Key Access
├─ Least privilege
├─ MFA required
├─ All access logged
└─ Quarterly access reviews
3. Approved Algorithms
├─ Symmetric: AES-256
├─ Asymmetric: RSA 2048+, ECDSA P-256+
├─ Hashing: SHA-256+
└─ Prohibited: DES, 3DES, MD5, SHA-1
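Data in Transit (1.2) and the prohibited-algorithm list (3) map directly onto a server's TLS settings. The Go program below is an added example written for this page, not the course's code. It puts a weak configuration next to one that satisfies the policy, adds an audit function that names each departure (minimum version not pinned, 3DES or RC4, non-AEAD CBC suites, no forward secrecy) and an HSTS middleware. The cipher-suite order and the one-year HSTS max-age with includeSubDomains are the example's own assumptions; TLS 1.3 suites are not shown because Go does not let callers configure them and all of them are AEAD.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strings"
)

// WeakTLSConfig is a constructed example of an unmanaged default: TLS 1.0 still
// accepted, a 3DES suite (prohibited by section 3) and a CBC suite left enabled.
func WeakTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// PolicyTLSConfig implements 1.2: TLS 1.2 minimum (1.3 is negotiated whenever the
// client supports it) and, for TLS 1.2 clients, only forward-secret AEAD suites.
func PolicyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// AuditTLSConfig reports how a server configuration departs from the policy. An
// unset MinVersion is flagged too: relying on a library default is not a policy control.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion is not pinned to TLS 1.2 or higher")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case strings.Contains(name, "3DES"), strings.Contains(name, "RC4"):
			findings = append(findings, "prohibited algorithm in suite "+name)
		case strings.Contains(name, "_CBC_"):
			findings = append(findings, "non-AEAD suite "+name)
		case !strings.Contains(name, "ECDHE"):
			findings = append(findings, "no forward secrecy in suite "+name)
		}
	}
	return findings
}

// HSTS wraps a handler so every response carries Strict-Transport-Security
// (1.2, "HSTS enforced"). One year and includeSubDomains are assumed values.
func HSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	for name, cfg := range map[string]*tls.Config{"weak": WeakTLSConfig(), "policy": PolicyTLSConfig()} {
		fmt.Printf("%s: %v\n", name, AuditTLSConfig(cfg))
	}
	// Wiring for a real server; ListenAndServeTLS needs a certificate and key, so it is not called here.
	srv := &http.Server{Addr: ":8443", TLSConfig: PolicyTLSConfig(), Handler: HSTS(http.NotFoundHandler())}
	fmt.Println("TLS server configured on", srv.Addr)
}
```

The audit walks the configured suites by name rather than by a hand-kept blocklist, so a newly added CBC or RSA-key-exchange suite is caught without editing the checker; the same function can run in CI against the configuration a deployment is about to ship.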
Incident Response Policy
Cloud Incident Management
Incident Response Policy for Cloud
1. Incident Classification
├─ P1 - Critical: Data breach, service down
├─ P2 - High: Major degradation, security compromise
├─ P3 - Medium: Minor impact, potential threat
└─ P4 - Low: Informational, no impact
2. Response Times
├─ P1: 15 minutes
├─ P2: 1 hour
├─ P3: 4 hours
└─ P4: 24 hours
3. Notification Requirements
3.1 Internal Notification
├─ P1: Immediate (CISO, CIO, CEO)
├─ P2: Within 1 hour (CISO, CIO)
├─ P3: Within 4 hours (Security Manager)
└─ P4: Daily digest
3.2 External Notification
├─ Cloud Provider: Per SLA
├─ Customers: If customer data affected
├─ Regulators: Per legal requirements (e.g., within 72 hours of becoming aware of a GDPR personal data breach, Art. 33)
└─ Public: If required by law
4. Response Procedures
├─ Detection and reporting
├─ Initial assessment
├─ Containment
├─ Eradication
├─ Recovery
└─ Post-incident review
5. Cloud Provider Coordination
├─ Defined communication channels
├─ Escalation procedures
├─ Evidence collection process
├─ Joint investigation approach
└─ Notification timelines
Supporting Procedures
Procedure Development
Procedure: Cloud Service Provisioning
Purpose: Ensure secure and compliant cloud service setup
Scope: All new cloud service implementations
Responsibilities:
├─ Requestor: Business justification
├─ Cloud Admin: Technical implementation
├─ Security: Security review
└─ Compliance: Regulatory review
Procedure Steps:
1. Request Submission
├─ Complete service request form
├─ Business justification
├─ Data classification
├─ Compliance requirements
└─ Submit for approval
2. Security Review
├─ Provider evaluation
├─ Security questionnaire
├─ Certification review
├─ Risk assessment
└─ Security approval or rejection
3. Compliance Review
├─ Regulatory requirements check
├─ Data residency verification
├─ Contract review
└─ Compliance approval
4. Procurement
├─ Vendor selection
├─ Contract negotiation
├─ SLA definition
└─ Purchase order
5. Implementation
├─ Initial setup
├─ Security configuration
├─ Integration (SSO, etc.)
├─ Security testing
└─ Production approval
6. Documentation
├─ Service catalog update
├─ Configuration documentation
├─ User guides
└─ Runbooks
Timeline: 30-60 days
Review: Quarterly
Policy Communication
Communication Strategy
Policy Rollout Plan
1. Stakeholder Engagement
├─ Executive briefing
├─ Manager training
├─ User awareness
└─ Feedback collection
2. Communication Channels
├─ Policy portal (intranet)
├─ Email announcements
├─ Training sessions
├─ Lunch & learns
└─ Posters/infographics
3. Training Program
├─ Role-based training
├─ Online modules
├─ Hands-on workshops
├─ Certification (for critical roles)
└─ Regular refreshers
4. Acknowledgment
├─ Annual policy acknowledgment
├─ New hire onboarding
├─ Change acknowledgment
└─ Tracked and reported
Policy Maintenance
Review and Update Process
Annual Policy Review
Q1: Preparation
├─ Gather feedback
├─ Review incidents
├─ Regulatory changes
└─ Technology changes
Q2: Review and Update
├─ Working group review
├─ Draft updates
├─ Stakeholder review
└─ Incorporate feedback
Q3: Approval
├─ Security committee
├─ Executive approval
├─ Board approval (if required)
└─ Version control
Q4: Communication
├─ Change summary
├─ Training updates
├─ Policy publication
└─ Acknowledgment campaign
Key Takeaways
- Policies provide foundation for ISO 27017 implementation
- Cloud-specific policies address unique requirements
- Procedures translate policies into actions
- Communication ensures policy awareness
- Regular review keeps policies current
Self-Assessment
- What are the key components of a cloud usage policy?
- How should data be protected by classification?
- What are MFA requirements?
- What incident response notification timelines are appropriate?
- How often should policies be reviewed?