T6.3.1 - INFORMATION SECURITY REQUIREMENTS FOR CLOUD ENVIRONMENTS Implementation Guidance
The entity shall define information security requirements covering the retention, processing, and storage of data in cloud environments.
Back to T6.3.1 - P2 - INFORMATION SECURITY REQUIREMENTS FOR CLOUD ENVIRONMENTS
Critical entities shall also take into account any other relevant NESA issuances, guidance, and activities in this regard.
A risk-based approach used to establish data security requirements for cloud environments should consider the following:
- A. Regulatory and other requirements potentially limiting the processing, storage and retention of information in external entities, for example laws or business agreements preventing certain types of information from being stored outside national borders, privacy legislation, and/or regulatory, statutory, contractual, business, and other requirements
- B. The complete life cycle of information across entire networks, including within both cloud and non-cloud elements, as well as the interchange of information between these two elements
- C. Awareness of where sensitive information is stored and transmitted across applications, databases, servers and network infrastructure
- D. Compliance with defined retention periods and end-of-life disposal requirements
- E. Information classification and protection from unauthorized use, access, loss, destruction, and falsification
- F. Balancing the expected benefits of leveraging cloud-based services against the potential risks