The Cloudcontrols project has released the first draft of its list of Risks, which will provide the base for future releases. The release consists of 118 risks divided into 5 groups: Technical, Security and Legal risks, plus Outsourcing-specific and Co-tenancy-specific risks. The list is available on http://www.cloudcontrols.org/cloudcontrols/risks/. We welcome interested parties to leave their comments. The next steps are creating further versions of the risks and adding controls to manage the identified risks. After that, measures to implement the controls will be specified.
ISACA, the organisation behind COBIT, released a document called “IT Control Objectives for Cloud Computing” (E-paper, $50). This document adds comments to the existing COBIT control objectives but relies heavily on the earlier texts written by NIST. It is also notable that the current COBIT 4.1 framework was used rather than the COBIT 5.0 draft framework. A useful addition to the existing pool of documents is chapter 5, which provides an overview of assurance frameworks and their applicability.
The document is available at ISACA.org
NIST has released a draft of Appendix J of the upcoming revision 4 of its security standard, addressing privacy by specifying measurable controls.
Appendix J consists of 23 controls divided into 8 categories, addressing the privacy risks across the lifecycle of “Personally Identifiable Information” (PII).
The PCI Security Standards Council has released a document outlining additional guidelines to the existing PCI DSS requirements. The 12 PCI DSS Requirements have been supplemented with Virtualization Considerations that help manage the additional risks introduced by virtualization technologies.
NIST, the National Institute of Standards and Technology, has released new guidance on cloud computing that briefly touches on many different subjects. This document is a must-read for both managers and system/network operators.
Read more on NIST SP 800-146 (Draft)
KPMG NL has published a positioning paper informing its customers and partners of the current state of the cloud. The document is a useful read for CIOs, CEOs and other decision-makers.
New standard proposal by FedRamp – Proposed Security Assessment & Authorization for U.S. Government Cloud Computing (v0.96)
The US CIO Council has released a new proposal regarding the FedRamp program. This proposal is currently being adopted throughout US Agencies.
The document has close ties to the NIST SP800-53 release, enhancing it with cloud-specific controls.