5th January 2017

6 information security considerations for G Cloud 9

Even though G Cloud 8 has only just been launched, GDS are soon to begin the Discovery phase of G Cloud 9. In this blog, we look at how GDS should approach security requirements and recommend appropriate information security considerations for G Cloud 9.

G Cloud 9 is expected to encompass some significant changes and support more fundamental changes to the user journey. A recent Digital Marketplace blog confirmed that the team will be assisted by CESG (the information security arm of GCHQ). The aim will be to help buyers evaluate suppliers’ security credentials as well as enable suppliers to better describe and communicate their approach to security.

Ultimately, digital transformation means that more interaction occurs online. In WTG’s experience there are a number of things to consider when addressing information security.

Clarify terminology
Buyers need to be sure they understand what they are buying. This isn’t always helped by suppliers and technology vendors. Some talk about Private Cloud, whilst others refer to Virtual Private Cloud. Phrases like this can obscure subtle, but important, distinctions. In this case, Virtual Private Cloud is likely to be a platform that is shared with other clients – so somewhat less private. This might not be an issue but buyers must be aware of what services they are purchasing. They need to know what to ask and drill into the detail. We would recommend being pedantic and asking for formal confirmation of the service you are buying.

Look for ISO/IEC 27017 – 27001 for Cloud
The key point is that all organisations need to drive out which party is responsible for what operational, security or service management activity. 27017 is a very good structure for going through the various areas that cover all systems. This is very important for things like incident management, security incidents, investigations, disaster recovery. Buyers cannot assume the Cloud Provider will deliver the service for you, so document your understanding and get it confirmed.

Commit to risk assessments
We believe strongly that creating a documented risk assessment is a key part of the information security process. By following a process in this way, you ensure that the risks presented by the use of Cloud Supplier are identified and assessed.

Retain the right level of operational control
Ensure you retain the level of operational control you need to meet your organisational, legal and regulatory requirements. It will be a very rare organisation that doesn’t need to maintain some level of ICT management of the solution.

Understand where data will be stored
Is your data going to be stored/hosted in the EU, the Far East, Antartica, the USA or where? You need to know and you need to be sure that the answer is acceptable from a regulatory and legal standpoint. If within the EU you will need to consider General Data Protection Requirements (GDPR) which will come into effect in 2018.

Ask what the COO thinks
Once you have agreed what each party is responsible for, run it all past your Chief Operations Officer. He or she will need to ensure it meets the business requirements and is within the risk appetite of the organisation.