1. PURPOSE
To supply data and tools to employees quickly and economically, businesses are shifting infrastructure and operations to hosted providers. Before EcoXplore-managed infrastructure may be hosted outside its offices, the security posture of the Cloud Service Provider (CSP) must be evaluated to establish that it meets corporate security requirements.
Within the bounds of its authority, EcoXplore Pte Ltd is responsible for and committed to managing the confidentiality, integrity, and availability of EcoXplore networks, systems, and applications. This includes making every reasonable effort to ensure that cloud environments hosting EcoXplore infrastructure adhere to the required security rules and do not weaken the company’s security posture.
This policy also includes recommended best practices and factors to take into account; it is intended to enable the secure adoption of cloud services.
2. SCOPE
All IT systems managed by any company department and hosted in cloud infrastructure must comply with this policy. Wherever possible, EcoXplore shall enforce the security of those cloud environments in accordance with the requirements set out here.
The requirements described in this policy apply to every service inside a cloud environment that falls within this scope.
3. BASE POLICY AND COMPLIANCE REFERENCES
The Company’s policies are founded on industry standards and best practices. With specific modifications to satisfy the business and operational needs of the organisation, this policy is EcoXplore’s authoritative adaptation of those standards.
Policy References: EcoXplore IT Policy
4. POLICY
Enterprises gain from economies of scale when several of them share a single CSP. Using a CSP, however, moves processes and data out of the direct control of the traditionally separate IT and security departments and centralises the management of that data and those applications with the provider. To manage the resulting risks and help assure the security of the business, its operations, and its IT resources when using a shared CSP, security teams must implement the set of CSP and operational controls outlined in this policy.
Wherever possible, EcoXplore’s cloud computing solutions shall be configured, deployed, and managed so that they satisfy the organisation’s security, privacy, and other requirements for access to, or storage of, sensitive data.
4.1 Preliminary Requirements
All cloud providers used by Company systems that have access to Personally Identifiable Information (PII) data must meet the minimum requirements outlined below.
| # | Name | Requirement |
|---|------|-------------|
| A | Compliance with Security Standards | Cloud service providers must be able to adhere to the conditions set out in the IT Policy, of which this document forms part. |
| B | Authorisation | Before the service is purchased, an IT specialist must carry out a security review of the cloud service. |
| C | Classification of Data | The business must anticipate and, to the extent practical, reduce the risks associated with cloud-hosted data and resources, in accordance with the data classification set out in the IT Policy. |
4.2 Secure Usage of Cloud Computing Services
All cloud-based services require approval before they are purchased or deployed. The following steps must be followed to ensure the secure adoption and use of cloud services:
- Specify the priorities and needs of the organisation.
- Identify the internal and external users of the service.
- Choose the type of cloud service to be used, taking into account the physical and functional differences between SaaS, PaaS, and IaaS solutions.
- Specify the types of data that will be stored.
- Identify the configurations and security solutions needed for encryption, monitoring, backups, and similar controls.
- Compile a list of previous security incidents involving this cloud service provider.
- Obtain any security certifications the provider holds.
- Obtain copies of all contracts with the provider, including SLAs.
4.3 Vendor Assessment
A CSP that will have access to Company-managed PII data will be evaluated by EcoXplore to determine whether it can operate in accordance with the conditions listed below:
| # | Name | Requirement |
|---|------|-------------|
| A | Assess Competency of Provider | The provider’s capabilities and security measures must be thoroughly analysed by EcoXplore with due care and diligence, using techniques such as: a detailed questionnaire issued to the CSP; research into the company; external vendor-assessment reports or audit results; previous client testimonials; a materiality assessment. Prior to engagement with a CSP, and based on the anticipated workloads, the Company must determine the CSP’s capacity to adhere to the minimum controls. |
| | | Financial standing. The service provider’s financial standing and resources must be evaluated to confirm that it can fulfil its commitments even in adverse circumstances. |
| | | Corporate governance and entity controls. Sound corporate practices and the control consciousness of the CSP’s staff provide the discipline and structure of internal control; they set the priorities and culture and serve as the basis for all other internal control elements. |
| | | Data centre. The Company must be able to determine and agree which countries are acceptable for the processing and storage of company data. This identifies the type of risk present in the outsourcing arrangement and is a prerequisite to demonstrating that the Company has adequate control over it. |
| | | Where data centres support EcoXplore’s operations, a Threat and Vulnerability Risk Assessment (TVRA) or a comparable independent evaluation should be carried out on those data centres. |
| B | Establish Contractual Obligations | If the CSP, as a third-party entity, undergoes any material change (such as being acquired by another business or declaring bankruptcy), the contracts must be reviewed. |
| | | Contracts should specify monitoring tools and service level agreements. |
| | | The CSP should conduct business in jurisdictions that generally uphold confidentiality agreements and provisions. |
| | | Any outsourcing contract should contain provisions that make the CSP legally responsible for the work product and risk management of its subcontractors. |
| C | Continuous Assessment | Where practicable, EcoXplore should negotiate with CSPs to permit continuous assessment by the Company, to confirm that security measures are adequately implemented and operated. |
| | | The Company shall notify the CSP as soon as practicable after becoming aware of any breach of security measures that jeopardises the security of EcoXplore’s data or resources, so that the CSP can take appropriate action. |
| | | The CSP’s financial stability and available resources should be re-assessed periodically to confirm that it can continue to operate and fulfil its service obligations even in adverse circumstances. |
| | | The CSP should be able to demonstrate sound business practices and maintain staff security awareness on an ongoing basis. |
| | | To manage the risks connected with its subcontracting arrangements, the CSP should maintain risk management frameworks and perform adequate due diligence on its subcontractors. |
| D | Regulatory Compliance | As part of this assessment, CSPs should be able to demonstrate compliance with the relevant legal and industry requirements, such as the PDPA (Singapore), PCI DSS, HIPAA, Cloud Security Alliance (CSA) STAR, SSAE 16/18 (SOC) reports, ISO/IEC 27001, or the MAS Technology Risk Management Guidelines. |
| E | Key Performance Indicators (KPIs) | CSPs must show that they understand and can deliver the agreed KPIs, or essential actions. An SLA should establish accountabilities, inputs, and outputs, and should be reviewed on a regular basis. |
| F | Managed Vendor Lock-in and Concentration Risks | Employ multi-cloud tactics with more than one CSP. When creating data and software interfaces, use open standards and non-proprietary protocols. Confirm that the CSP offers a way to extract data quickly and affordably. Before engaging the CSP, EcoXplore should incorporate an exit strategy into its technology roadmap. |
4.4 Privacy and Security Controls for Cloud Hosting
Where a prospective cloud service provider (CSP) would have access to the Company’s managed personally identifiable information (PII) data, EcoXplore will evaluate that CSP to confirm it has the capabilities and functions described below. Where EcoXplore judges them to be pertinent to the assessment, they may be incorporated into the questionnaire or other CSP assessment procedures.
| # | Name | Requirement |
|---|------|-------------|
| A | Electronic Discovery | Ensure that the cloud provider’s electronic discovery procedures, practices, and policies do not jeopardise the confidentiality and security of the Company’s data stored with the CSP. |
| B | Continuous Monitoring | Where possible, ensure that hosted systems or services allow EcoXplore to monitor them for uptime, availability, and security. |
| C | Architecture | Where there is any integration between the Company’s existing on-premises infrastructure and the underlying technologies the cloud provider uses to host services, the Company must understand that integration. |
| D | Identity and Access Management | Ensure that the necessary security measures are in place to protect identity and access management functions, including authentication and authorisation, in accordance with the IT Policy. EcoXplore shall enforce multi-factor authentication (MFA) for privileged users. |
| | | The access keys that system and application services use to authenticate to the public cloud must be rotated on a defined schedule. Credentials that are no longer in use must be revoked promptly. |
| E | Cybersecurity and Data Protection | The Company must understand its share of the security responsibilities and take the necessary precautions to protect its workloads on the public cloud. Appropriate encryption must be applied to sensitive data and files, including data backups, both in transit and at rest. |
| F | Software and Data Isolation | Where possible, CSPs should guarantee that the architecture or system design of their multi-tenant products isolates hosted data and operations from other tenants. |
| G | Availability | Establish a service level agreement with the CSP that ensures timely reporting of service disruptions and the resumption of essential operations. |
| H | Securing Logs and Backups | Logs must be protected to ensure their availability, confidentiality, and integrity. In accordance with the IT Policy, backups of logs must be made available as needed. Access to EcoXplore’s data must be specified, including access to data used for backups, contingency plans, and disaster recovery, in addition to the data required for regular operations. |
| I | Incident Response | A breach that directly affects Company resources or data must be reported to the Company by the cloud provider within a reasonable time after it has been identified. |
| J | Source Code Review and Vulnerability Assessment (Customised Application) | The application should be evaluated by the CSP against the OWASP Top 10 security risks (https://owasp.org/www-project-top-ten/). Vulnerability assessments should be carried out at least once a year. |
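Row D above requires service access keys to be rotated and unused credentials removed, but gives no thresholds and no procedure. The following is an added example, not part of the original policy or of any EcoXplore tooling, of how an audit of that requirement can be automated. It assumes (as labelled in the code) a 90-day rotation age, a 30-day idle limit and a 7-day grace period for keys that have never been used, and it works on constructed sample records laid out like the output of `aws iam list-access-keys` and `aws iam get-access-key-last-used`; the account names and key IDs are invented.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds are assumptions; the policy says "on a defined schedule" and "promptly" without numbers.
MAX_KEY_AGE_DAYS = 90       # rotate any active key older than this
MAX_IDLE_DAYS = 30          # revoke any key not used for this long
NEVER_USED_GRACE_DAYS = 7   # revoke a key that was never used within a week of creation

# Constructed sample in the shape of `aws iam list-access-keys` output (not real accounts).
LIST_ACCESS_KEYS_JSON = """{"AccessKeyMetadata": [
  {"UserName": "alice",     "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",   "CreateDate": "2024-05-20T09:00:00+00:00"},
  {"UserName": "bob",       "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",   "CreateDate": "2024-01-10T09:00:00+00:00"},
  {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",   "CreateDate": "2024-03-01T09:00:00+00:00"},
  {"UserName": "carol",     "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Active",   "CreateDate": "2024-05-01T09:00:00+00:00"},
  {"UserName": "dave",      "AccessKeyId": "AKIAEXAMPLE000000005", "Status": "Active",   "CreateDate": "2024-05-28T09:00:00+00:00"},
  {"UserName": "eve",       "AccessKeyId": "AKIAEXAMPLE000000006", "Status": "Inactive", "CreateDate": "2023-12-01T09:00:00+00:00"}
]}"""

# Constructed sample in the shape of `aws iam get-access-key-last-used`, keyed by key id.
# A key that has never been used carries no LastUsedDate.
LAST_USED_JSON = """{
  "AKIAEXAMPLE000000001": {"LastUsedDate": "2024-05-31T12:00:00+00:00", "ServiceName": "s3"},
  "AKIAEXAMPLE000000002": {"LastUsedDate": "2024-05-30T12:00:00+00:00", "ServiceName": "ec2"},
  "AKIAEXAMPLE000000003": {"LastUsedDate": "2024-04-01T12:00:00+00:00", "ServiceName": "ecr"},
  "AKIAEXAMPLE000000004": {"ServiceName": "N/A"},
  "AKIAEXAMPLE000000005": {"ServiceName": "N/A"},
  "AKIAEXAMPLE000000006": {"LastUsedDate": "2024-02-01T12:00:00+00:00", "ServiceName": "iam"}
}"""

AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the results are reproducible


@dataclass
class AccessKey:
    principal: str
    key_id: str
    created: datetime
    last_used: Optional[datetime]  # None when the key has never been used
    active: bool


def load_keys(list_json: str, last_used_json: str) -> List[AccessKey]:
    """Join the key inventory with the last-used data into AccessKey records."""
    last_used = json.loads(last_used_json)
    keys = []
    for item in json.loads(list_json)["AccessKeyMetadata"]:
        lu = last_used.get(item["AccessKeyId"], {}).get("LastUsedDate")
        keys.append(AccessKey(
            principal=item["UserName"],
            key_id=item["AccessKeyId"],
            created=datetime.fromisoformat(item["CreateDate"]),
            last_used=datetime.fromisoformat(lu) if lu else None,
            active=item["Status"] == "Active",
        ))
    return keys


def classify_key(key: AccessKey, now: datetime) -> str:
    """Return 'revoke', 'rotate' or 'ok' for one key under the thresholds above."""
    if not key.active:
        return "revoke"  # a deactivated key still exists and can be re-enabled; delete it
    age = now - key.created
    if key.last_used is None:
        # never used: allow a short grace period for a key that was only just issued
        return "revoke" if age > timedelta(days=NEVER_USED_GRACE_DAYS) else "ok"
    if now - key.last_used > timedelta(days=MAX_IDLE_DAYS):
        return "revoke"  # idle keys are removed before their age is even considered
    if age > timedelta(days=MAX_KEY_AGE_DAYS):
        return "rotate"
    return "ok"


def audit_keys(keys: List[AccessKey], now: datetime = AUDIT_TIME) -> Dict[str, str]:
    """Map every key id to its required action."""
    return {k.key_id: classify_key(k, now) for k in keys}


def findings(keys: List[AccessKey], now: datetime = AUDIT_TIME) -> List[str]:
    """Report lines for keys that need action, sorted so that repeated runs diff cleanly."""
    out = [f"{classify_key(k, now).upper():6} {k.principal:10} {k.key_id}"
           for k in keys if classify_key(k, now) != "ok"]
    return sorted(out)


if __name__ == "__main__":
    for line in findings(load_keys(LIST_ACCESS_KEYS_JSON, LAST_USED_JSON)):
        print(line)
```

Idle keys are revoked before age is considered, because a credential that nothing is using has no owner who will notice its rotation; an inactive key is still treated as a finding, since a deactivated key can be re-enabled and should be deleted rather than left in place.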
5. ENFORCEMENT
Any attempt by staff to bypass, circumvent, or otherwise evade this policy or any supporting policy will be treated as a security violation and will be investigated. The investigation’s findings may result in a written reprimand, suspension, or termination, as well as potential criminal or civil penalties.