ACSC オーストラリア政府がクラウドセキュリティのガイダンスを公表していますね。。。
こんにちは、丸山満彦です。
Australia Cyber Security Centreがクラウドセキュリティのガイダンスを公表していますね。。。
次のマニュアル等と合わせて利用する感じなんですね。。。
- Australian Government Information Security Manual (ISM)
- the Attorney-General’s Protective Security Policy Framework (PSPF)
- the DTA’s Secure Cloud Strategy
Australian Cyber Security Centre (ACSC) guidance is also available and supports the new guidance:
- Cloud Computing Security Considerations
- Cloud Computing Security Considerations for Cloud Service Providers
- Cloud Computing Security Considerations for Tenants.
ーーーーー
● Australia Cyber Security Centre
2020.07.27に新たに発行したのは3つのガイダンスとFAQです。
・Anatomy of a cloud assessment and authorisation
The Anatomy of a Cloud Assessment and Authorisation document assists and guides Information Security Registered Assessors Program (IRAP) assessors, cloud consumers, cyber security practitioners, cloud architects and business representatives on how to perform an assessment of a cloud service provider (CSP) and its cloud services. This allows a risk-informed decision to be made about its suitability to handle an organisation’s data.
The Cloud Security Assessment Report Template is used to assess a cloud service provider (CSP) and its cloud services, improving the consistency of the Cloud Security Assessment Reports.
The Cloud Security Assessment Report Template is to be used to document the Phase 1 assessment of the CSP and its cloud services. It details the assessment findings that should be included and how it should be presented in the report. This improves the consistency of the Cloud Security Assessment Reports, allowing cloud consumers to more easily compare CSP's against one another, and determine which CSP is best suited to their security and business needs.
The Cloud Security Assessment Report Template can be customised as needed to best document the findings from the assessment of a CSP and its cloud services. Information Security Registered Assessors Program (IRAP) assessors should, however, limit the changes to the report to only what is necessary, maintaining its structure and headings to ensure reports are consistent.
The Cloud Security Controls Matrix (CSCM) provides additional context to the Australian Government Information Security Manual (ISM) security controls for cloud computing to assist assessments.
The Cloud Security Controls Matrix (CSCM) template is a tool intended to be used by Information Security Registered Assessors Program (IRAP) assessors to capture the implementation of security controls from the Australian Government's Information Security Manual (ISM) by cloud service providers (CSP's) for their systems and services.
The CSCM provides indicative guidance on the scoping of cloud assessments, and inheritance for systems under a shared responsibility model, though it should be noted that guidance is not definitive, and should be interpreted by the security assessor in the context of the assessed system. Further, these comments have generally been developed with reference to OFFICIAL: Sensitive and PROTECTED public clouds. This does not preclude their use for other types of cloud systems, though additional scrutiny should be applied to their reference in this case.
Importantly, the CSCM also captures the ability for cloud consumers to implement security controls for systems built on the CSP's services, identifying where they are responsible for configuring the service in accordance with the ISM.
・[XLSX]
・Cloud assessment and authorisation - frequently asked questions
- What happens to the Cloud Services Certification Program (CSCP) and the Certified Cloud Services List (CCSL)?
- Who was involved in designing the new cloud security guidance?
- What support will there be for the new cloud security guidance?
- Will Government entities have the ability to undertake Cloud Security Assessments themselves?
- When should I expect the new cloud security guidance to be used?
- How should previous Cloud Security Assessment Reports be handled?
- How frequently will a cloud service provider and its services be assessed under the new guidance?
- What are addendums to the Cloud Security Assessment Report?
- What are Supplementary, New and Updated Cloud Services Assessment Reports?
- How will CSP Security Assessment Reports be shared?
- What is the difference between a full cloud security assessment and supplementary, new and updated cloud serviceassessment?
- How will controls inherited from other CSPs be validated in the assessment?
- What is the applicability of international standards?
- How can CSPs state nothing has changed since the previous assessment?
- Will Cloud Security Assessment Reports be invalidated after 24 months?
- Will the ACSC maintain a register of CSPs currently undergoing a Security Assessment?
- Will there now be one ISM for CSPs and one ISM for Government?
- Will the information and training sessions for CSPs, Government entities, and IRAP Assessors be conducted in each Stateand Territory?
- Given the frequent ISM updates, who will be responsible for updating and maintaining the Cloud Security Control Matrix?
- Where can I find the new cloud security guidance?
- What is the ACSC’s role and responsibility in relation to the new process?
- Can I provide feedback on the new cloud security guidance?
« 台湾のQNAP社のNASに感染したQSnatchに関する警告 by CISA & NCSC | Main | 経済産業省 パブコメ 「DX企業のプライバシーガバナンスガイドブックver1.0(案)」 »
Comments