Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.
Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.
Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.
Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.
Review and validate SSRM documentation for all cloud services offerings the organization uses.
Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
Develop and maintain an inventory of all supply chain relationships.
CSPs periodically review risk factors associated with all organizations within their supply chain.
Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually agreed upon provisions and/or terms:
Scope, characteristics and location of business relationship and services offered
Information security requirements (including SSRM)
Change management process
Logging and monitoring capability
Incident management and communication procedures
Right to audit and third party assessment
Service termination
Interoperability…
Review supply chain agreements between CSPs and CSCs at least annually.
Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
Periodically review the organization's supply chain partners' IT governance policies and procedures.
Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.