Article 8
(Control and management of information security of cloud services)
When using cloud services, an organization shall, in accordance with a risk-based approach, implement appropriate control and management measures, such as exposing only necessary ports, protocols and services, virus protection, a security breach evaluation system, and monitoring of file integrity.
- Encryption and key management
  - For transmission of client data to, and storage at, a cloud service provider, effective protection measures such as encryption or encoding of client data shall be in place, and an adequate encryption key management mechanism shall be established.
- Identification and access control
  - Access authority to cloud services shall be managed on the minimization (least-privilege) principle, with appropriate security control and management measures such as multi-factor authentication, audit trails, IP filtering, firewalls, and Transport Layer Security (TLS) for communications.
  - Where cloud services are accessed directly via the Internet, access control measures such as verification of user identity, device and source IP address shall be strengthened.
  - Privileged accounts, e.g. accounts with authority to change the configuration of cloud services, shall be subject to multi-factor authentication.
- Audit trails and monitoring
  - Audit trail and monitoring information on the operation of the cloud service platform shall be retained.
  - There shall be a threat and vulnerability detection and management procedure that continuously watches for threats and vulnerabilities relating to cloud services, and regularly evaluates their impact on the use of cloud services and the effectiveness of network security defense measures.
  - It is advisable to create rules that link the monitoring and analysis of cloud security event scenarios, to enable early detection of potential information security risks.
  - It is advisable to implement central management of audit trails and monitoring information.
  - Cloud platform audit trails shall not contain unencrypted operational data or important client data.
  - Where an organization's cloud services also interface with its on-premise information environment, it is advisable to consider boundary protection between cloud and on-premise services and to establish methods such as logging, monitoring and control analysis.
- Security of infrastructure
  - Ensure images are obtained from reliable sources, manage the integrity of images, and retain records of changes to images.
  - Ensure proper measures are in place for the management of virtual machines and containers in use.
  - Ensure the cloud service provider supplies information about the isolation of virtual machines as needed, and immediately notifies the organization when isolation fails.
  - Implement advanced threat defense strategies, such as protection against data breaches and cross-service attacks, and continuous protection against threats to access to the cloud environment.
- Configuration security
  - Implement a cloud service configuration management mechanism to properly control records of changes to cloud service configuration.
- Data security
  - Where the registration, processing, export or storage of organization data (including client data) is involved, an organization shall ensure the cloud service provider has mechanisms in place to ensure the security and integrity of data migration upon maintenance and replacement of equipment (e.g. disk replacement); all organization data on the obsolete equipment shall be deleted or destroyed, and records of these deletions or destructions shall be retained.
  - For cloud services involving cross-border transmission of personal data, an organization shall have an encrypted transmission system in place and shall ensure that the cloud service provider's collection, processing, use, international transmission, and control and management of personal data comply with the Personal Data Protection Act of the Republic of China. The data subject's authorization should be obtained prior to transmission, no transmission may violate the competent authority's restrictions on international transmission, and full audit records should be kept.
  - Client data processed by a contracted cloud service provider, and the place of its storage, shall be subject to the following requirements:
    - An organization shall have the authority to designate the place where data is processed and stored.
    - The requirements of local data protection law in an offshore location shall not be less than those in the R.O.C.
    - As a principle, client data of a natural person's business information system involving materiality shall be stored within the territory of the R.O.C. Where such data is stored outside the R.O.C., unless otherwise approved by the competent authority, copies of important client data shall be retained in the R.O.C.
  - It is advisable to control and manage access to cloud services based on the purpose for which the cloud services are used.
  - For outsourced cloud operations involving materiality, an organization is advised to take the following information security control and management measures:
    - Adopt standardized Internet protocols. For transmission of sensitive information, it is advisable to adopt encrypted protocols such as Hypertext Transfer Protocol Secure (HTTPS) and SSH File Transfer Protocol (SFTP).
    - Regularly evaluate the infrastructure security management mechanism for cloud services to ensure that use of cloud services complies with the organization's information security policies and other related requirements.
    - Use encryption keys managed by the organization for enhanced control over keys.
    - Store encryption tools and keys in a separate, secure online environment, with access subject to restriction.
    - Avoid the use of operational data in tests and validation of cloud services.
    - Monitor and regularly review use of data stored in the cloud to prevent breaches of customer privacy and operational secrets.