Google Cloud Security Requirements -part 4

This blog series consists of detailed set of cloud security requirements that can be used for any organization who wants to implement securely cloud services. The requirements expressed below are cloud agnostic and can be applied to any public cloud or even private clouds.

The sub domain and requirement description are mapped to *ISO 27002:2013 controls and standards. The overall theme of this blog series covers all the cloud security controls stated by NIST 800-53 series.

Domain: Vulnerability and Threat Management

Sub-DomainReq. NameReq. Description
Governance and Operating ModelPolicyPolicy that includes responsibilities related to threat and vulnerability management, reporting, rating criteria, remediation timelines, and escalation/exception processes shall be established
Governance and Operating ModelAsset InventoryAsset inventory (to include physical systems, virtual systems, sensitive information) that is to be included in the Vulnerability & Threat management scope shall be maintained. A list of technologies able to monitor for vulnerability impacts shall be maintained
Reporting and AnalysisIntegration with Risk ManagementVulnerabilities for their impact on identified risks shall be analyzed.  Technical vulnerabilities shall be aligned with / inform risks in the risk register and the effectiveness of controls
Reporting and AnalysisPatch ManagementPatch management strategy and process shall be defined that outlines recurring patch management activities, defines acceptable implementation timelines, requires bac-kout procedures, tests patches for operational and security implications before deployment, has an exception process for not implementing patches, has a defined emergency patching process
Vulnerability TestingCloud TestingRegularly scheduled, recurring security testing of the cloud environment shall be conducted. Testing shall follow the cloud provider’s process and guidelines. Client shall require the cloud provider to regularly conduct assessments and remediation and provide attestation of such to client.  Client shall review provider attestation on a regular basis.

Client shall:
a. Periodically monitor third parties’ compliance with security requirements
b. Supervise and monitor outsourced software development
c. Periodically monitor and review the services, reports, and records provided by third parties
Vulnerability TestingCode ScanningCode reviews/scanning to identify potential security issues shall be conducted
Vulnerability TestingPre-deployment testingSecurity testing before deployment of changes to code or environment shall be conducted
Vulnerability TestingDatabase TestingRegularly scheduled reviews of database security shall be conducted
Vulnerability TestingPenetration Testing (Internal)Regularly scheduled penetration testing of it’s perimeter and public-facing environment shall be conducted
Vulnerability TestingApplication TestingApplication reviews/testing to identify potential security issues shall be conducted
Vulnerability TestingTools and TechniquesVulnerability scanning tools and techniques that shall be deployed to:
a. Promote interoperability among tools and accommodate the virtualization technologies used
b. Automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations; formatting and making transparent, checklists and test procedures; measuring vulnerability impact; and readily updating the list of information system vulnerabilities scanned
c. Analyze vulnerability scan reports and results from security control assessments. Remediate legitimate high-risk vulnerabilities mitigated within 30 days and moderate risk vulnerabilities within 90 days, in accordance with an organizational assessment of risk
d. Share information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)
Threat IntelligenceVulnerability Monitoring of AssetsRegularly scheduled reviews of the Vulnerability Management program and results of vulnerabilities shall be conducted
Threat IntelligenceCollection and Dissemination of AlertsReceive information system security alerts, advisories, and directives from designated external organizations from GCP. In addition, the capability shall disseminate security alerts, advisories, and directives to all staff with system administration, monitoring, and/or security responsibilities, and implement security directives in accordance with established time frames. Client shall establish and execute a plan for communicating how, if, and when Client is remediating security issues affecting each customer or with appropriate regulatory entities as needed. Appropriate contacts with special interest groups, relevant authorities, or other specialist security forums and professional associations shall be maintained
Technical RequirementOS SupportUnix/Linux/BSD, CISCO IOS, Junos, and Windows scanning shall be supported
Technical RequirementData ProtectionData shall be stored and transmitted securely 
Technical RequirementData AccessAccess to scanning data shall be restricted to those with a need for it

Are you ready to audit and secure your Google cloud environment? Contact our security specialists, today!