Germany’s Federal Office for Information Security ('Bundesamt für Sicherheit in der Informationstechnik', BSI) has published a list of security requirements for cloud services. The catalogue is aimed at providers of cloud services and their clients. Use of the list is not mandatory.
“Particular attention is paid to the transparency of cloud service provision”, the BSI said in a statement. The list helps users understand the location of data, jurisdiction and place of litigation and legal requirements for disclosure to authorities.
The list should give providers of cloud services the chance to test compliance and assist in case of audits. BSI’s list links to ISAE 3000, an assurance standard on compliance with laws and regulations.
“Cloud computing represents a radical change for the ICT industry and its customers, promising cost advantages and increased flexibility”, the BSI writes in its introduction. “Cloud service providers already tout the use of safety recommendations, standards and certificates, but to date there is no accepted baseline for security in cloud computing. That makes it difficult for users to assess the security of cloud services.”
To help introduce the list, BSI has made available some basic questions and answers. Here the institute’s IT security experts explain how to make use of the list, detail the validation process and provide references to other standards.