3.54 Institutions should establish change management processes to ensure any changes in the Cloud Computing arrangement by the Institution or the Outsourcing Service Provider are appropriately governed and implemented.
3.55 Institutions should ensure that they define the conditions and scenarios in which automated testing and releases can take place for changes to their Cloud Computing arrangements, and that there is a full audit trail, record of the changes and evidence of pre-approval.
3.56 Institutions should develop a mechanism by which they are notified of material changes to the Cloud Computing arrangement in a timely manner.
3.57 Institutions should develop a configuration management process which includes regular monitoring to detect unauthorised changes to the cloud environment and ensure such changes can be appropriately remediated.
3.58 Institutions should ensure that the Cloud Computing arrangement has the capacity to run the Institution’s workloads. Institutions should regularly monitor utilisation and proactively plan for upgrades or enhancements based on anticipated spikes in workloads or resulting from strategic business initiatives.
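Paragraphs 3.55 and 3.57 together describe one control: every difference between the approved baseline configuration and what is actually running in the cloud environment must either be traceable to a pre-approved change record or be treated as an unauthorised change and remediated. The Python below is an added illustration of that reconciliation and is not part of the guideline text; the resource names, ticket identifiers, timestamps and configuration values are constructed sample data, and the snapshot dictionaries stand in for whatever inventory export the Institution's tooling produces. It also shows the caveat a practitioner cares about: a change record approved after the observation is not evidence of pre-approval, so the change is still flagged.

```python
"""Configuration drift check: reconcile baseline vs. observed cloud config
against change records carrying evidence of pre-approval (added example).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str            # hypothetical change-ticket identifier
    resource: str          # configuration item the change applies to
    expected: Any          # end state the change was approved to produce
    approved_by: str
    approved_at: datetime  # pre-approval time; must precede the observation


@dataclass(frozen=True)
class Drift:
    resource: str
    baseline: Any          # None if the resource did not exist in the baseline
    current: Any           # None if the resource has been deleted
    ticket: str | None     # approving ticket, or None when unauthorised


def diff_config(baseline: dict, current: dict) -> dict[str, tuple[Any, Any]]:
    """Return {resource: (baseline_value, current_value)} for each difference,
    including resources that appear only on one side."""
    out = {}
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            out[key] = (old, new)
    return out


def find_approval(resource: str, current_value: Any,
                  approved: list[ChangeRecord], observed_at: datetime) -> str | None:
    """Ticket that pre-approved exactly this end state, or None.
    A record approved after the observation is retroactive, not pre-approval."""
    for rec in approved:
        if (rec.resource == resource and rec.expected == current_value
                and rec.approved_at <= observed_at):
            return rec.ticket
    return None


def detect_drift(baseline: dict, current: dict,
                 approved: list[ChangeRecord], observed_at: datetime) -> list[Drift]:
    """Every difference, annotated with its approving ticket (if any)."""
    return [Drift(res, old, new, find_approval(res, new, approved, observed_at))
            for res, (old, new) in diff_config(baseline, current).items()]


def unauthorised(drifts: list[Drift]) -> list[Drift]:
    return [d for d in drifts if d.ticket is None]


def remediation_plan(drifts: list[Drift]) -> dict[str, tuple[str, Any]]:
    """Action per unauthorised drift: delete a resource absent from the
    baseline, otherwise restore the baseline value."""
    return {d.resource: (("delete", None) if d.baseline is None
                         else ("restore", d.baseline))
            for d in unauthorised(drifts)}


# Constructed sample data (not real infrastructure).
BASELINE = {
    "sg-web/ingress": frozenset({"0.0.0.0/0:443"}),
    "sg-db/ingress": frozenset({"10.0.1.0/24:5432"}),
    "iam-role-app/policies": frozenset({"ReadLogs"}),
    "bucket-backup/versioning": "enabled",
}
CURRENT_SNAPSHOT = {
    "sg-web/ingress": frozenset({"0.0.0.0/0:443", "0.0.0.0/0:80"}),   # pre-approved
    "sg-db/ingress": frozenset({"10.0.1.0/24:5432", "0.0.0.0/0:5432"}),  # approved too late
    "iam-role-app/policies": frozenset({"ReadLogs", "AdminAccess"}),   # not what was approved
    "sg-debug/ingress": frozenset({"0.0.0.0/0:22"}),                   # no record at all
    # bucket-backup/versioning deleted: no record at all
}
OBSERVED_AT = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
APPROVED = [
    ChangeRecord("CHG-1042", "sg-web/ingress", CURRENT_SNAPSHOT["sg-web/ingress"],
                 "change-board", datetime(2024, 5, 30, 15, 0, tzinfo=timezone.utc)),
    ChangeRecord("CHG-1050", "iam-role-app/policies",
                 frozenset({"ReadLogs", "WriteMetrics"}),
                 "change-board", datetime(2024, 5, 31, 10, 0, tzinfo=timezone.utc)),
    ChangeRecord("CHG-1061", "sg-db/ingress", CURRENT_SNAPSHOT["sg-db/ingress"],
                 "change-board", datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    drifts = detect_drift(BASELINE, CURRENT_SNAPSHOT, APPROVED, OBSERVED_AT)
    for d in drifts:
        print(f"{d.resource}: {'approved by ' + d.ticket if d.ticket else 'UNAUTHORISED'}")
    for res, (action, value) in remediation_plan(drifts).items():
        print(f"remediate {res}: {action} {value if value is not None else ''}")
```

Matching on the exact approved end state, rather than merely on the resource name, is deliberate: a ticket approving one policy attachment must not legitimise a different one on the same role, which is the kind of gap an audit of the change record would otherwise miss.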
3.59 Institutions should establish a monitoring framework to define, monitor, report and remediate key infrastructure, technology and security related incidents and events in the cloud environment in a timely and effective manner to minimise detriment. The framework should:
a. Cover incidents and events that may impact the stability or availability of the Institution’s applications, networks and systems or the confidentiality or integrity of cloud environments;
b. Be centralised to promote clarity of process and enable consolidation and analysis of threat intelligence, incident and event related Data;
c. Manage incidents and events according to their frequency, criticality and assigned ownership;
d. Identify, monitor and manage systemic issues;
e. Monitor and identify vulnerabilities, incidents, and events on an on-going basis by:
i. Defining a standard set of health and performance metrics;
ii. Utilising analytics and Data from previous security incidents and events to enable retrospective detection;
f. Categorise and record Data associated with incidents and events;
g. Report and escalate incidents and events to relevant stakeholders for notification or action; and
h. Ensure that incidents and events are properly reviewed and identified gaps are remediated to prevent a recurrence.
3.60 Institutions should be able to swiftly and safely:
a. Detect vulnerabilities in the software used in the cloud environment; and
b. Deploy security and operating system patches.
3.61 After implementation of the Cloud Computing arrangement, Institutions should re-assess the risks associated with the Cloud Computing arrangement when there is a material change to existing arrangements and on a regular basis through ongoing:
a. Outsourcing risk assessments to assess adequacy of controls in managing the risks arising from the Outsourcing arrangement; and
b. Security and risk assessments to assess the adequacy of the security and risk controls in managing the risks arising from Cloud Computing. These should include conducting vulnerability assessments and penetration tests specific to the Cloud Computing arrangement on at least an annual basis.
3.62 Institutions should establish risk mitigation controls to address any shortcomings of the Cloud Computing arrangement. The degree of risk should inform the stringency of controls and mitigation procedures implemented.