Google Cloud Security Requirements - part 1

This blog series consists of a detailed set of cloud security requirements that can be used by any organization that wants to adopt cloud services securely. The requirements expressed below are cloud agnostic and can be applied to any public cloud, or even to private clouds.

The sub-domain and requirement description are mapped to ISO 27002:2013 controls and standards. Taken as a whole, this blog series covers all the cloud security controls stated by the NIST 800-53 series.

Domain: Governance, Risk and Compliance

Requirements are listed below by sub-domain; each entry gives the requirement name followed by the requirement description.

Sub-domain: Governance and Oversight

Management Support: Security through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities shall be actively supported. This includes senior leadership review of the security policy at planned intervals (or when significant change occurs) to coordinate and update changes that keep it aligned with, and relevant to, business, legal, or other requirements.

Architecture: Reference architectures that address the following shall be developed:
*  Cloud architecture
*  Development environment
*  Test environment
*  Support environment (including remote access, administrative workstations)
The reference architectures shall delineate points of demarcation of responsibilities between different groups and identify the security controls in place.

Security Program Audit/Assessment: Audit and assessment plans to validate and track compliance with internal and external requirements at scheduled and required intervals shall be developed. This includes:
a. Develop a security assessment plan that describes the scope of the assessment, including:
    i. Security controls and control enhancements under assessment
    ii. Assessment procedures to be used to determine security control effectiveness
    iii. Assessment environment, assessment team, and assessment roles and responsibilities
b. Assess the security controls in the information system at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
c. Produce a security assessment report that documents the results of the assessment
d. Provide the results of the security control assessment, in writing, to the authorizing official or the authorizing official's designated representative
e. Employ an independent assessor or assessment team to conduct an assessment of the security controls in the information system

Data Retention: Handle and retain both information within, and output from, IT systems in accordance with applicable national and local laws, executive orders, directives, policies, regulations, standards, and operational requirements.

Policies: A set of policies for information security shall be defined, approved by management, published, and communicated to employees and relevant external parties. Policies shall include the following:
*  Encryption
*  User access
*  Privileged access
*  Monitoring
*  Coordination with law enforcement

Policy Enforcement: Information security policies shall be enforced by management.

Standards: Standards shall be developed and implemented for:
*  SDLC
*  Separation of development, test, and operational environments
*  Security testing before and after implementations
*  Secure configuration of systems (hosted, development, administrative)

Sub-domain: Operating Model and Business Alignment

Segregation of Duties: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Roles and Responsibilities: Security roles and responsibilities of employees, contractors, and third-party users shall be clearly defined and documented in accordance with the information security policy.

Sub-domain: Risk Management

Risk and Mitigation Tracking: Track risks, and develop and execute mitigation efforts, so that risks are mitigated to an acceptable level (based on established risk criteria) within reasonable timeframes and with executive approval.

Non-compliance Management: Procedures shall exist to ensure that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Remediation Tracking: Remediate areas of noncompliance and track progress toward their remediation. This includes:
a. Developing a plan of action and milestones for the information system to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls, and to reduce or eliminate known vulnerabilities in the system
b. Updating the existing plan of action and milestones each quarter, based on the findings from security control assessments, security impact analyses, and continuous monitoring activities

Sub-domain: Security Culture

Training and Awareness: A training and awareness program focused on cloud product security shall be in place. The program shall include:
*  Reviewing risks
*  Reviewing actions each group shall take to treat risks
*  Training and testing participants in their responsibilities
*  Requiring participants to pass before being allowed to take part in the development and support of cloud products

Security Policies: Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies shall be authorized by business leadership (or another accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership.

Documented procedures shall be used to facilitate the implementation of the information security policy and associated controls. Documented procedures shall address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, and will cover, at a minimum, the following areas:
a. Access control
b. Security awareness and training
c. Audit and accountability
d. Security assessment and authorization
e. Configuration management
f. Contingency planning
g. Identification and authentication
h. Incident response
i. Information system maintenance
j. Media protection
k. Physical and environmental protection
l. Security planning
m. Personnel security
n. Risk assessment
o. System and services acquisition
p. System and communications protection
q. System and information integrity

Are you ready to audit and secure your Google Cloud environment? Contact our security specialists today!

COVID-19 brings unexpected IT challenges

How do we rapidly enable work from home while protecting corporate resources?

Enabling a remote workforce is no trivial challenge in the best of times, and it can seem especially daunting when rolling out during a global crisis.
Many organizations needed to transition their workforce to remote work overnight.

We face several challenges simultaneously:

  • We must ensure our people can be productive while working remotely – that includes making sure they have the right tools. We may need to get people new devices or enable use of personal devices.
  • We’re all experiencing serious spikes in remote app access, which puts a lot of pressure on VPN scalability for on-premises app access.
  • And, of course, bad actors are looking to take advantage of the crisis – we’re seeing increases in cybersecurity threats attempting to exploit the situation.

Contact us today for a FREE security consultation! Let our security experts audit and propose security fixes to your environment.

Secure remote work – part 3

What remote work symptoms are the customers experiencing?

  • We are worried about our data now that everyone is working remotely.
  • New cybersecurity threats are rapidly increasing due to the remote work situation, especially phishing.
  • Risk of confidential information getting leaked out of the company.
  • Don’t have a handle on all of the cloud app usage, and the potential security risks.

We can help you get a handle on protecting your apps and data as work gets done remotely, while easing the burden of stopping new attacks.

Contact us today for a FREE security consultation!

Secure remote work – part 2

What remote work symptoms are the customers experiencing?

  • All of our workers are remote, which makes managing their devices a challenge.
  • We expect that some people will be using their own devices to get work done.
  • We need to get new devices quickly provisioned and shipped to our remote workers.
  • We’re struggling with managing the device lifecycle remotely.

We have a solution for your problems: We can help you simplify the management of your remote devices, and protect the apps and organizational data that lives on those devices.

Contact us today for a FREE security assessment of your remote work environment!

Secure remote work – part 1

All customers face a dual challenge: they have to keep their organization moving while protecting against the new security threats that have emerged from the rapid and universal move to remote work.

What remote work symptoms are the customers experiencing?

  • Keeping up with the sheer volume of remote workers who need access to apps and info.
  • Remote workers are scattered across the globe.
  • We need to provide access to vendors and third parties to get the work done.
  • Mixed apps that include on-prem and cloud make it hard to provide consistent access.
  • Worried about VPN scalability.

Solution: We can help you quickly provide secure and scalable remote access to your apps, whether they are on-prem or cloud-based.

Contact us today for a FREE security consultation about your remote work environment!

Top 4 questions to ask yourself about security

Is your nonprofit prepared to handle increasing cybersecurity threats?

  • Do you know who is accessing your data?

Go beyond passwords and protect against identity compromise, while automatically identifying potential breaches before they cause damage.

  • Can you manage access to your data and assets based on risk in real time?

Manage organization-owned and employee-owned devices to encrypt data and ensure compliance, automatically detect suspicious activities, and quickly block, quarantine, or wipe compromised devices.

  • Can you quickly find and react to a breach?

Help proactively guard against threats, use advanced analytics to identify breaches, and automate responses organization wide.

  • Can you help protect your data on devices, in the cloud, and in transit?

Safeguard content in creation, transit, and consumption. Use cloud applications without putting organization information at risk, by adding protections ranging from access privileges to data encryption.

Protect your nonprofit from unnecessary security risks.

As a Microsoft partner, we can help you better manage your identity and access controls, secure links and attachments in emails, and stop breaches before they escalate in severity. If your answers to the questions above have raised concerns about managing cybersecurity in your organization, contact us to learn how Microsoft 365 can help protect you against today’s evolving security threats.

Contact us for a free security assessment and to learn more.