Avyay Solutions Information Technology Standards (ITS) are the official publications on the IT standards adopted across the organization. These publications support the responsibilities of the organization for coordinating standardization of Information & Information Technology (I&IT). In particular, ITS describe where the application of a standard is mandatory and specify any qualifications governing the implementation of standards. This standard describes principles and security requirements for business areas (or other organizations) that are selecting, procuring, adopting, operating, and/or managing Cloud Services on behalf of Avyay Solutions. This document draws some of its organization and controls from ISO/IEC 27002:2013, ISO/IEC 27018:2014, ISO/IEC FDIS 27017:2015, and NIST SP 800-53.

Cloud First

Cloud computing is fundamentally changing how I&IT services are delivered and used to build user-centered digital services. Adoption of cloud computing helps to ensure timely access to modern technologies, improve efficiencies, and increase value of I&IT services.

Cloud computing benefits include:

Cost reduction

Improved collaboration

Improved security integration

Increased workforce mobility

Greater agility

Greater resiliency

When procuring new or upgrading existing services, the organization and its customers should consider and fully evaluate potential cloud solutions before considering traditional I&IT systems. Cloud computing can provide fast and competitive options for Avyay Solutions customers. Cloud Services are a mainstream technology choice for Avyay Solutions, which is digitally transforming itself through the Simpler, Faster, Better Services Act.

The key principle that promotes a cloud first approach is Cloud-by-Default. The cloud market offers a broad range of services, and use of Cloud Services should be considered the default option for Avyay Solutions, provided that appropriate risk management, assessments, and consultations for identifying and addressing privacy and security concerns are aligned with the criticality of the services and the sensitivity of the information to be stored, transferred, or processed.

This standard provides guidance on technical and security requirements for the adoption and use of Avyay Services. Avyay Solutions is currently working towards a more comprehensive suite of strategic policy tools that will further promote and accelerate adoption of Cloud Services.

Cloud First Principles
Use client-provided Cloud Services as the default
Adopt a risk-based approach for client cloud adoption and cloud security
Design and architect for the cloud, and avoid customization of cloud components
Take full advantage of Cloud Service functionality, automation practices, cloud-based security, and other features
Monitor the health and usage of Cloud Services in near-real time
Understand and comply with applicable legal and regulatory requirements
Each organization needs to evaluate potential cloud adoption options for their specific services, systems, and information based on the security requirements laid out below in this standard.

Background and rationale

Cloud computing refers to the rise and widespread use of metered, on-demand, elastic, pooled, and networked resources that enable I&IT infrastructure and services. The US National Institute of Standards and Technology (NIST) defines cloud computing as follows:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. (NIST SP 800-145)

Cloud computing presents opportunities for Avyay Solutions – including self-service, flexibility, elasticity, reduced capital costs, and value for I&IT spend. The purpose of this standard is to help ensure that the selection and use of Cloud Services does not result in undue levels of risk, and that Cloud Services are adopted within a risk-based model where security requirements, and requirements for evidence of controls, are geared to clear and appropriate criteria.

Avyay Solutions has obligations to protect the security of certain information both in use and upon destruction. While this document describes minimum requirements for Cloud Service selection, adoption, and ongoing use, it does not preclude Avyay Solutions business areas from applying a stronger standard to protect information, or from selecting enhanced controls for services they seek to acquire or have previously procured.

This document acknowledges several industry-standard cloud audit and reporting frameworks for the purpose of evaluating, selecting, and adopting Cloud Services. This approach enhances Avyay Solutions' ability to access the cloud marketplace by embracing existing models for security and controls within Cloud Services. This document leverages those industry frameworks for selection and procurement, and it does not explicitly apply every security requirement to broadly-defined Cloud Services and adoptions in all cases; however, individual instances, workloads, components, etc. operated by Avyay Solutions within cloud environments must comply with those requirements where they are relevant. Examples include, but are not limited to:

Operating system instances that may require security hardening, ongoing maintenance, and backup
The need for malware controls within Avyay-managed instances, components, etc.
Access control requirements
Specifications for cryptography used by Avyay Solutions

In situations where potential gaps in controls are determined to exist regarding Cloud Service adoption or ongoing operation, the relevant ITS requirements should also be consulted.

Target audience

This standard applies to all Avyay client cloud service providers and to all application development and integration initiatives that intend to acquire, procure, deploy, and/or operate or manage Cloud Services on behalf of Avyay Solutions.