Cloud Security Checklist

For each item, tick Yes or No and add remarks where needed.

Cloud Security Compliance

Has the cloud service undergone any third-party cloud security assurance or certification (e.g., ISO/IEC 27001/27002:2013, ISO/IEC 27018, IRAP, SOC 2)? ☐ Yes ☐ No
If yes, please indicate which certification was achieved and provide a copy of the certificate or assurance report.

Does the cloud service provider comply with the standards, policies and regulations applicable in the UAE? ☐ Yes ☐ No
If yes, please indicate which.

Does the cloud service provider meet PII and PHI protection standards? ☐ Yes ☐ No

Is the data hosted inside the UAE rather than outside it? ☐ Yes ☐ No

Application & Interface Security

Do you use industry standards (Build Security In Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build security into your Systems/Software Development Lifecycle (SDLC)? ☐ Yes ☐ No
Do you use an automated source code analysis tool to detect security defects in code prior to production? ☐ Yes ☐ No
(SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? ☐ Yes ☐ No
Are all identified security, contractual and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets and information systems? ☐ Yes ☐ No
Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? ☐ Yes ☐ No
Change Control & Configuration Management

Are policies and procedures established for management authorization of the development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities? ☐ Yes ☐ No
Is documentation available that describes the installation, configuration and use of products/services/features? ☐ Yes ☐ No
Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems? ☐ Yes ☐ No
Restricted (AUH) / Confidential (DXB)
NMC IT/FORM/CSC/v1.0

Datacenter Location

Are your datacenters located, and your backups held, exclusively in the UAE? ☐ Yes ☐ No
If yes, please identify the UAE datacenter locations.
If no, please identify the locations, including the country in which the data will reside.
Data Security & Information Lifecycle Management

Do you have a capability to use system geographic location as an authentication factor? ☐ Yes ☐ No
Can you provide the physical location/geography of storage of a tenant's data upon request and in advance? ☐ Yes ☐ No
Do you inventory, document and maintain data flows for data that is resident (permanently or temporarily) within the service's applications, infrastructure, network and systems? ☐ Yes ☐ No
Can you ensure that data does not migrate beyond a defined geographical residency? ☐ Yes ☐ No
Do you have procedures in place to ensure production data is not replicated or used in non-production environments? ☐ Yes ☐ No
Do you support secure deletion (e.g., degaussing or cryptographic wiping) of archived and backed-up data as determined by the tenant? ☐ Yes ☐ No
Encryption & Key Management

Do you provide encryption for tenant data in transit and at rest? ☐ Yes ☐ No
If yes, please list the encryption algorithms used for:
Data in transit:
Data at rest:
(An algorithm name alone, such as "AES", says little; ask for the protocol version, cipher suite and key length, and for how keys are protected.)

Do you have a capability to allow creation of unique encryption keys per tenant? ☐ Yes ☐ No
Do you have a capability to manage encryption keys on behalf of tenants? ☐ Yes ☐ No
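The data-in-transit answer is only useful if it is checked against the provider's actual TLS settings. The following is an added example, not part of this checklist and not any provider's code: it audits a Python ssl.SSLContext (or any list of cipher suites in the shape SSLContext.get_ciphers() returns) against a simple policy for data in transit: TLS 1.2 or newer only, no legacy cipher suites, and forward secrecy for every suite. The policy, the weak-cipher marker list, the hardened cipher string and the sample cipher list are assumptions made for the example.

```python
import ssl

# Substrings that identify cipher suites with no place in a production build:
# unauthenticated or unencrypted suites, export grades, RC4, (3)DES, MD5, PSK.
# (Assumed policy for this example.)
WEAK_CIPHER_MARKERS = ("NULL", "ADH", "AECDH", "EXPORT", "RC4", "DES", "MD5", "PSK")

# Protocol floors that satisfy "TLS 1.2 or newer only".
ACCEPTABLE_MINIMUMS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def audit_tls_settings(minimum_version, ciphers):
    """Return policy findings for a TLS configuration (empty list = compliant).

    minimum_version: an ssl.TLSVersion member (SSLContext.minimum_version).
    ciphers: dicts as returned by SSLContext.get_ciphers(); only the
             'name' and 'protocol' keys are used.
    """
    findings = []
    if minimum_version not in ACCEPTABLE_MINIMUMS:
        findings.append(f"protocol floor is {minimum_version.name}; require TLSv1_2 or newer")
    for cipher in ciphers:
        name, protocol = cipher["name"], cipher["protocol"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
        elif protocol != "TLSv1.3" and not name.startswith(("ECDHE-", "DHE-")):
            # Static RSA key exchange: a leaked server key decrypts recorded traffic.
            findings.append(f"no forward secrecy: {name}")
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext."""
    return audit_tls_settings(ctx.minimum_version, ctx.get_ciphers())


def hardened_client_context():
    """A client context that should produce no findings."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # AEAD suites with ephemeral key exchange only; TLS 1.3 suites stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!PSK")
    return ctx


# Constructed sample of a weak configuration, in the shape get_ciphers() returns,
# so the checks can be exercised without touching a real socket.
WEAK_SAMPLE_CIPHERS = [
    {"name": "AES128-SHA", "protocol": "TLSv1.2"},               # static RSA, CBC/SHA-1
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "protocol": "TLSv1.2"},   # 3DES
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3"},
]


def audit_weak_sample():
    """Findings for WEAK_SAMPLE_CIPHERS with no protocol floor set."""
    return audit_tls_settings(ssl.TLSVersion.MINIMUM_SUPPORTED, WEAK_SAMPLE_CIPHERS)


if __name__ == "__main__":
    for finding in audit_weak_sample():
        print("weak sample:", finding)
    print("hardened context findings:", audit_context(hardened_client_context()))
```

The same function can be pointed at a server's advertised suites (for example, the output of a scanner) by putting them into the dict shape above; the point of separating the policy check from the context is that the check runs offline and the policy is reviewable in one place.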
Governance and Risk Management

Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers)? ☐ Yes ☐ No
Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines? ☐ Yes ☐ No
Do you allow your clients to provide their own trusted virtual machine image to ensure conformance to their own internal standards? ☐ Yes ☐ No
Do you conduct risk assessments associated with data governance requirements at least once a year? ☐ Yes ☐ No
Do you review your Information Security Management Program (ISMP) at least once a year? ☐ Yes ☐ No
Do your information security and privacy policies align with industry standards (ISO/IEC 27001, ISO 22307, COBIT, etc.)? ☐ Yes ☐ No
Do you have a documented, organization-wide program in place to manage risk? ☐ Yes ☐ No
Identity & Access Management

Do you monitor and log privileged (administrator-level) access to information security management systems? ☐ Yes ☐ No
Do you have controls in place ensuring timely removal of system access that is no longer required for business purposes? ☐ Yes ☐ No
Do you use dedicated secure networks to provide management access to your cloud service infrastructure? ☐ Yes ☐ No
Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access? ☐ Yes ☐ No
Are controls in place to prevent unauthorized access to tenant application, program or object source code, and to ensure it is restricted to authorized personnel only? ☐ Yes ☐ No
Do you provide multi-failure disaster recovery capability? ☐ Yes ☐ No
Do you document how you grant and approve access to tenant data? ☐ Yes ☐ No
Do you support use of, or integration with, existing customer-based Single Sign-On (SSO) solutions to your service? ☐ Yes ☐ No
Do you use open standards to delegate authentication capabilities to your tenants? ☐ Yes ☐ No
Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users? ☐ Yes ☐ No
Do you support password policy (minimum length, age, history, complexity) and account lockout policy (lockout threshold, lockout duration) enforcement? ☐ Yes ☐ No
Do you allow tenants/customers to define password and account lockout policies for their accounts? ☐ Yes ☐ No
Do you support the ability to force password changes upon first logon? ☐ Yes ☐ No
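The three password questions above name the policy elements (length, age, history, complexity, lockout threshold and duration, forced change at first logon) without showing how they interact. As an added example, not taken from this checklist or from any provider, the code below puts them together in one enforcement routine for a single account. Assumptions made for the example: the policy defaults, PBKDF2-SHA256 with 100,000 rounds and one salt per account for the history comparison, timestamps supplied by the caller so the scenario is reproducible, and that a locked account is refused without the password even being checked.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

DAY = 86400
PBKDF2_ROUNDS = 100_000  # assumed; tune to your hardware


@dataclass(frozen=True)
class PasswordPolicy:
    """Tenant-definable password and lockout policy (defaults are assumed values)."""
    min_length: int = 12
    max_age_days: int = 90
    history_depth: int = 5        # most recent passwords (current included) that may not be reused
    required_classes: int = 3     # out of: lower, upper, digit, symbol
    lockout_threshold: int = 5    # consecutive failures before lockout
    lockout_duration_s: int = 900


CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    policy: PasswordPolicy
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    hashes: list = field(default_factory=list)  # oldest first, current password last
    password_set_at: float = 0.0
    must_change: bool = True                    # forced change at first logon
    failures: int = 0
    locked_until: float = 0.0

    def violations(self, candidate: str) -> list:
        """Policy violations for a candidate password (empty list = acceptable)."""
        p = self.policy
        problems = []
        if len(candidate) < p.min_length:
            problems.append(f"length {len(candidate)} < minimum {p.min_length}")
        classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, candidate))
        if classes < p.required_classes:
            problems.append(f"only {classes} of {p.required_classes} required character classes")
        digest = _derive(candidate, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.hashes[-p.history_depth:]):
            problems.append("password was used recently")
        return problems

    def provision(self, temporary_password: str, now: float) -> None:
        """Set an initial password that must be changed at first logon."""
        self.hashes.append(_derive(temporary_password, self.salt))
        self.password_set_at = now
        self.must_change = True

    def set_password(self, new_password: str, now: float) -> list:
        """Change the password (the caller has already authenticated the user)."""
        problems = self.violations(new_password)
        if not problems:
            self.hashes.append(_derive(new_password, self.salt))
            self.password_set_at = now
            self.must_change = False
        return problems

    def authenticate(self, password: str, now: float) -> str:
        """Return 'locked', 'denied', 'change_required' or 'ok'."""
        if now < self.locked_until:
            return "locked"                 # refuse without checking: no oracle while locked
        if self.locked_until:
            self.locked_until = 0.0         # lockout expired; count failures afresh
            self.failures = 0
        current = self.hashes[-1] if self.hashes else None
        if current is None or not hmac.compare_digest(_derive(password, self.salt), current):
            self.failures += 1
            if self.failures >= self.policy.lockout_threshold:
                self.locked_until = now + self.policy.lockout_duration_s
                return "locked"
            return "denied"
        self.failures = 0
        if self.must_change or now - self.password_set_at > self.policy.max_age_days * DAY:
            return "change_required"
        return "ok"


def run_scenario():
    """Walk one account through first logon, reuse checks, lockout and expiry.
    Timestamps are constructed seconds; returns the sequence of observed results."""
    acct = Account(PasswordPolicy(lockout_threshold=3, lockout_duration_s=600))
    results = []
    acct.provision("Temp-Pass-2024!", now=0)
    results.append(acct.authenticate("Temp-Pass-2024!", now=10))         # change_required
    results.append(acct.set_password("short", now=20))                    # two violations
    results.append(acct.set_password("Temp-Pass-2024!", now=20))          # reuse refused
    results.append(acct.set_password("Correct-Horse-Battery-9", now=20))  # accepted
    results.append(acct.authenticate("Correct-Horse-Battery-9", now=30))  # ok
    for _ in range(3):
        results.append(acct.authenticate("wrong", now=40))                # denied, denied, locked
    results.append(acct.authenticate("Correct-Horse-Battery-9", now=50))  # still locked
    results.append(acct.authenticate("Correct-Horse-Battery-9", now=700)) # lockout expired
    results.append(acct.authenticate("Correct-Horse-Battery-9", now=20 + 91 * DAY))  # expired
    return results


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

When a provider answers "Yes" to tenant-defined policies, the thing to verify is that the tenant's values actually reach every login path (API, console, federation fallback), not just the web form.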
Infrastructure & Virtualization Security

Do you have a capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, hyper jumping)? ☐ Yes ☐ No
Are audit logs centrally stored and retained? ☐ Yes ☐ No
Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)? ☐ Yes ☐ No
Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference? ☐ Yes ☐ No
Do your system capacity requirements take into account current, projected and anticipated capacity needs for all systems used to provide services to the tenants? ☐ Yes ☐ No
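The privileged-access logging and dedicated management network questions under Identity & Access Management, and the log review and time synchronization questions just above, are usually answered "Yes" without evidence. As an added example (not from this checklist or any provider), the script below runs three automated checks over a constructed JSON-lines audit log: privileged actions from outside an assumed management network (10.10.0.0/24), bursts of failed logins per user, and per-host timestamps that run backwards, which is what a missing time sync looks like in the logs. The field names, thresholds and sample events are assumptions made for the example.

```python
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed management network: the only source range from which privileged
# (administrator) activity is expected. Anything else is a finding.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
FAILURE_THRESHOLD = 5      # failed logins per user ...
FAILURE_WINDOW_S = 300     # ... within this many seconds
SKEW_TOLERANCE_S = 30      # a host's timestamps may not go backwards by more than this

# Constructed sample, one JSON object per line, in the shape this example assumes.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "host": "api-1", "user": "alice", "privileged": false, "action": "login", "src": "203.0.113.7", "outcome": "success"}
{"ts": "2024-05-01T08:01:10Z", "host": "hv-3", "user": "root", "privileged": true, "action": "login", "src": "10.10.0.5", "outcome": "success"}
{"ts": "2024-05-01T08:02:00Z", "host": "hv-3", "user": "root", "privileged": true, "action": "login", "src": "198.51.100.9", "outcome": "success"}
{"ts": "2024-05-01T08:03:00Z", "host": "api-1", "user": "bob", "privileged": false, "action": "login", "src": "203.0.113.8", "outcome": "failure"}
{"ts": "2024-05-01T08:03:25Z", "host": "api-1", "user": "bob", "privileged": false, "action": "login", "src": "203.0.113.8", "outcome": "failure"}
{"ts": "2024-05-01T08:03:50Z", "host": "api-1", "user": "bob", "privileged": false, "action": "login", "src": "203.0.113.8", "outcome": "failure"}
{"ts": "2024-05-01T08:04:15Z", "host": "api-1", "user": "bob", "privileged": false, "action": "login", "src": "203.0.113.8", "outcome": "failure"}
{"ts": "2024-05-01T08:04:40Z", "host": "api-1", "user": "bob", "privileged": false, "action": "login", "src": "203.0.113.8", "outcome": "failure"}
{"ts": "2024-05-01T08:05:00Z", "host": "api-2", "user": "carol", "privileged": false, "action": "read", "src": "203.0.113.9", "outcome": "success"}
{"ts": "2024-05-01T07:50:00Z", "host": "api-2", "user": "carol", "privileged": false, "action": "read", "src": "203.0.113.9", "outcome": "success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with 'ts' as an aware UTC datetime.
    Events are processed in file order; real logs should be sorted by arrival."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def review(events):
    """Return (check, subject, detail) findings for the three checks."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    latest_ts = {}                        # host -> latest timestamp seen so far
    for event in events:
        ts = event["ts"]
        src = ipaddress.ip_address(event["src"])
        if event["privileged"] and not any(src in net for net in MANAGEMENT_NETS):
            findings.append(("privileged_access_outside_mgmt", event["user"], event["src"]))
        if event["action"] == "login" and event["outcome"] == "failure":
            window = recent_failures[event["user"]]
            window.append(ts)
            while (ts - window[0]).total_seconds() > FAILURE_WINDOW_S:
                window.popleft()
            if len(window) == FAILURE_THRESHOLD:  # fire once, on the attempt that crosses the line
                findings.append(("login_failure_burst", event["user"], len(window)))
        prev = latest_ts.get(event["host"])
        if prev is not None and (prev - ts).total_seconds() > SKEW_TOLERANCE_S:
            findings.append(("clock_skew", event["host"], int((prev - ts).total_seconds())))
        latest_ts[event["host"]] = ts if prev is None else max(prev, ts)
    return findings


def review_sample():
    return review(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

In the sample, root's second login comes from 198.51.100.9 rather than the management range, bob trips the failure threshold on his fifth attempt, and api-2 reports an event fifteen minutes earlier than the one before it; the last of these is the evidence a reviewer should ask for when the NTP question is answered with a bare "Yes".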

Are operating systems hardened to provide only the ports, protocols and services necessary to meet business needs, with technical controls (e.g., antivirus, file integrity monitoring and logging) included in the baseline build standard or template? ☐ Yes ☐ No
For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes? ☐ Yes ☐ No
Do you logically and physically segregate production and non-production environments? ☐ Yes ☐ No
Are system and network environments protected by a firewall or virtual firewall to meet business and customer security requirements as well as legislative, regulatory and contractual requirements? ☐ Yes ☐ No
Threat & Vulnerability Management

Do you have anti-malware programs installed on all systems that support or connect to your cloud service offerings? ☐ Yes ☐ No
Do you ensure that security threat detection systems using signatures, lists or behavioral patterns are updated across all infrastructure components within industry-accepted time frames? ☐ Yes ☐ No
Do you conduct network-layer vulnerability scans regularly, as prescribed by industry best practices? ☐ Yes ☐ No
Do you conduct application-layer vulnerability scans regularly, as prescribed by industry best practices? ☐ Yes ☐ No
Do you conduct local operating-system-layer vulnerability scans regularly, as prescribed by industry best practices? ☐ Yes ☐ No
Do you have a capability to rapidly patch vulnerabilities across all your computing devices, applications and systems? ☐ Yes ☐ No
Business Continuity Management & Operational Resilience

Do you provide tenants with geographically resilient hosting options? ☐ Yes ☐ No
Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)? ☐ Yes ☐ No
Does your cloud solution include software/provider-independent restore and recovery capabilities? ☐ Yes ☐ No
Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions)? ☐ Yes ☐ No
Do you provide tenants/customers with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance? ☐ Yes ☐ No
Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements? ☐ Yes ☐ No