Procurement of cloud computing services is an increasingly important task for governments and businesses across the EU — and information security is a key pain-point. To help solve this problem, the EU's cyber security agency, ENISA, issued this new, practical guide for IT procurement teams, focusing on continuous security monitoring throughout the life-cycle of a cloud contract.
This publication builds on groundwork done by ENISA in 2009, when the Agency produced an assurance framework and tool for IT teams to assess the security of service providers before making a decision to move to the cloud. ENISA now goes one step further, with a follow-up guide detailing how to monitor the security of cloud services throughout the project life-cycle. The new guide focuses on public procurement.
This guide includes a checklist for procurement teams, as well as an in-depth description of each security parameter: what to measure and how. The security parameters covered are: service availability; incident response; service elasticity and load tolerance; data life cycle management; technical compliance and vulnerability management; change management; data isolation; and log management and forensics.