Identification and Authentication

  • Use a strong authentication method, such as two-factor authentication, if the cloud service offers one. Examples are a combination of any two of these factors: something you are (e.g. fingerprint), something you have (e.g. digital certificate) and something you know (e.g. password).
  • Use strong passwords for each account.
  • Use different passwords for different accounts.
  • Use different accounts for different staff.
  • Change passwords periodically.
  • Delete access accounts or change passwords immediately when there are staff changes.

Data Protection

  • Understand and keep a record of what type of data is stored in the cloud.
  • Protect personal data according to the Personal Data (Privacy) Ordinance [1].
  • Avoid sharing data with unintended parties by
    • ensuring only the intended recipients have the access permissions if you share sensitive data with others through the cloud;
    • ensuring any software running on the cloud service consumer’s device that accesses a cloud service will only synchronize permitted data between the device and the cloud; and
    • defining proper default permissions of files or folders.
  • Understand the location (and thus the jurisdiction) of your data including resilient copies, and assess whether there are impacts on security procedures in light of the differences in legal and regulatory compliance requirements.

Cloud Administration

  • Establish a simple access account policy for using the cloud service.
  • Establish simple usage policies for your staff.
  • Appoint suitable staff (who have a basic understanding of the characteristics of cloud services) as the cloud service administrator.
  • Conduct regular reviews of the access rights of staff who have access to cloud data.
  • Provide basic security awareness training for staff using the cloud service.

Service Continuity

  • Obtain service support contact information from the service provider; in particular, keep a list of telephone numbers for reporting computer security incidents.
  • Evaluate the potential damage to the company when the service is unavailable, data is lost or when data is accessed in an unauthorized manner.
  • Develop a business continuity plan and work out alternatives when the cloud service or data is not available.
  • Prepare an exit strategy and ensure termination procedures permit the transfer of data back to the company.
  • Perform a regular backup of your data stored in the cloud service.
  • Maintain a local backup copy of your important data so that this data can still be available when the service provider is out of service temporarily (e.g. network outage) or permanently.

Interoperability among Systems

  • Conduct thorough testing among the respective interfacing systems to ensure interoperability before and after the migration to the cloud.
  • Stay alert for any updates to the interface specifications of the respective systems.

[1] http://www.pcpd.org.hk/english/data_privacy_law/6_data_protection_principles/principles.html