CLD-01.1: Cloud Infrastructure Onboarding

There is no evidence of a capability to ensure cloud services are designed and configured so Technology Assets, Applications and/or Services (TAAS) are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.

C|P-CMM1 is N/A, since a structured process is required to ensure cloud services are designed and configured so Technology Assets, Applications and/or Services (TAAS) are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.

C|P-CMM2 is N/A, since a well-defined process is required to ensure cloud services are designed and configured so Technology Assets, Applications and/or Services (TAAS) are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.

Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments. o Ensure multi-tenant CSP assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users. o Ensure CSPs use secure protocols for the import, export and management of data in cloud-based services. o Implement a dedicated subnet to host security-specific technologies on all cloud instances, where technically feasible. o Governs changes to cloud-based systems, applications and services to ensure their stability, reliability and predictability. o Reviews processes to identify and prevent use of unapproved CSPs.

• Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
• A Shared Responsibility Matrix (SRM), or similar Customer Responsibility Matrix (CRM), is documented for each Cloud Service Providers (CSPs) instance that takes into account differences between Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) methodologies.
• IT architects, in conjunction with cybersecurity architects:
• A Change Advisory Board (CAB), or similar function:
• A dedicated IT infrastructure team, or similar function, enables the implementation of cloud management controls to ensure cloud instances are both secure and compliant, leveraging industry-recognized secure practices that are CC|P-specific.
• Cybersecurity and data privacy requirements are identified and documented for each CSP instance to address sensitive/regulated data processing, storing and/ or transmitting and provide restrictions on data processing and storage locations.
• A Data Protection Impact Assessment (DPIA) is used to help ensure the protection of sensitive/regulated data processed, stored or transmitted on external systems.
• Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned to qualified individuals.
• IT architects, in conjunction with cybersecurity architects, ensure multi-tenant CSP assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.
• IT architects, in conjunction with cybersecurity architects, ensure CSPs use secure protocols for the import, export and management of data in cloud-based services.
• IT architects, in conjunction with cybersecurity architects, implement a dedicated subnet to host security-specific technologies on all cloud instances, where technically feasible.
• IT infrastructure personnel and Data Protection Officers (DPOs) work with business stakeholders to identify business-critical systems and services, as well as associated sensitive/regulated data, including Personal Data (PD).
• The DPO function oversees the storage, processing and transmission of PD in CSPs.
• An IT Asset Management (ITAM) function, or similar function, governs cloud-based assets leveraging an established Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets to provide oversight of purchasing, updating, repairing and disposing of cloud-based assets.
• Formal Change Management (CM) program governs cloud-based systems, applications and services and ensures that no unauthorized changes are made, that all changes are documented, that services are not unnecessarily disrupted and that resources are used efficiently.
• An IT infrastructure team, or similar function, enables the implementation of a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure cloud services are designed and configured so Technology Assets, Applications and/or Services (TAAS) are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure cloud services are designed and configured so Technology Assets, Applications and/or Services (TAAS) are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.