Insider threat from the cloud service provider
Questions 64 to 68 — check if the service provider has security controls to prevent unauthorised access to your information by the people working there.
Questions 64 to 68 — insider threat from the cloud service provider
Table 1 lists who is responsible for answering each question.
Context and help for questions 64 to 68
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
- Does the service provider undertake appropriate pre-employment vetting for all staff who have access to customer data?
- Does the service provider perform ongoing checks during the period of employment?
- If the service provider is dependent on a third-party to deliver any part of their service, does the third-party undertake appropriate pre-employment vetting for all staff that have access to customer data?
- Does the service provider have a security information event monitoring (SIEM) service that logs and monitors all logical access to customer data?
- Does the service provider enforce separation of duties to ensure that audit logs are protected against unauthorised modification and deletion?
- Do the terms of service or service level agreement require the service provider to report unauthorised access to customer data by its employees?
- If yes — is the service provider required to provide details about the incident to affected customers to enable them to assess and manage the associated impact?
|Entity||Questions to answer|
|Service provider||64, 64a, 65, 66, 67, 68, 68a|
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need higher assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there are no ways to lessen the risk of this incomplete information.
Independent assurance reports — New Zealand Information Security Manual
Context and help for questions 64 to 68
The following guidance gives you context and help for answering questions about the insider threat from the cloud service provider.
Direct contracts — check for information you can use
Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:
NZ government agreements and contracts — check for certification documents you can use
You can use certification documents to help with your risk assessment of using either:
- an all-of-government agreement
- a Marketplace contract.
To get these, contact the security team at the Department of Internal Affairs at email@example.com.
Unauthorised access to information
A common concern for government organisations planning to use public cloud services is the unauthorised access to information by the service provider’s employees.
The controls required to manage this risk are no different from those used to protect against malicious insiders within your organisation or a traditional outsource provider.
Find out whether the service provider has these controls in place to ensure its people are reliable, trustworthy and do not pose a security risk to its clients.
Service provider’s location
The level of assurance your organisation can get varies depending on the physical location of the provider’s services and employees.
Example — service provider’s location affecting the level of assurance
A New Zealand-based service provider will be able to perform a standard Ministry of Justice criminal history check for all employees.
If a public cloud service is delivered or supported from another country, the NZ-specific check is not possible. Government organisations must consider whether the alternative checks available to the service provider are equivalent levels of assurance.
Limitations of criminal record checks
Criminal record checks are limited because they will not identify job applicants who:
- are untrustworthy but have never been caught or have not been convicted
- were previously trustworthy, but have become untrustworthy because they are unhappy at work or their personal circumstances have changed.
Log and monitor employees’ activities
The service provider can manage the limitations of criminal record checks by also logging and monitoring employees’ activities. The provider needs to enforce separation of duties so that any malicious activity requires collusion — people working together for ill-meaning aims. Separation makes malicious activity less likely.
Logging should cover all relevant activities performed by the service provider’s employees that have logical or physical access to equipment or media that has customer data.
The service provider should monitor and review logs to identify any suspicious activity that requires investigation. Duties should also be separated to ensure that logs are protected from unauthorised modification and deletion.
Example of SIEM best practice
The administrator of a service component should not be granted rights to modify or delete in the SIEM.
Utility links and page information