This section of the ISM provides guidance on information technology and cloud services.

Information technology services

Information technology services encompass business process services, application processes and infrastructure services. The range of information technology services that can be outsourced is extensive.

Cloud services

The terminology and definitions used in this section for cloud services are consistent with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145, The NIST Definition of Cloud Computing. This section also applies to cloud services that have a payment model which differs from the NIST pay-per-use measured service characteristic.

Cyber supply chain risk management

Outsourcing can be a cost-effective option for providing information technology and cloud services, as well as potentially delivering a superior service; however, it can also affect an organisation’s security risk profile.

As part of cyber supply chain risk management activities, organisations should consider the security risks that may arise as systems, software and hardware are being designed, built, stored, delivered, installed, operated, maintained or decommissioned. This includes identifying and managing jurisdictional, governance, privacy and security risks associated with the use of suppliers and service providers. For example, outsourced information technology or cloud services may be located offshore and subject to lawful and covert collection, without an organisation’s knowledge. Additionally, use of offshore services introduces jurisdictional risks, as foreign countries’ laws could change with little warning. Finally, foreign-owned service providers operating in Australia may be subject to a foreign government’s lawful access.

Furthermore, organisations should consider the security risks that a particular service provider may introduce as part of any outsourced services. In doing so, it is important that organisations give preference to service providers that have demonstrated a commitment to secure practices and have a strong track record of maintaining the security of their systems and services. In some cases, a shared responsibility model which clearly defines the responsibilities of service providers and organisations could be highly beneficial.

Ultimately, organisations will still need to decide whether a particular outsourced information technology or cloud service represents an acceptable risk and, if appropriate to do so, authorise it for their own use.

Security Control: 1452; Revision: 2; Updated: Jul-20; Applicability: O, P, S, TS
A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile.

Security Control: 1567; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
High risk suppliers and service providers are not used.

Security Control: 1568; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services.

Security Control: 1395; Revision: 4; Updated: Jul-20; Applicability: O, P, S, TS
Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services.

Security Control: 1569; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party.

Outsourced gateway services

Commercial and government gateway services selected by the Australian Cyber Security Centre (ACSC) will need to undergo regular security assessments to determine their security posture and security risks associated with their use.

Security Control: 0100; Revision: 10; Updated: Jul-20; Applicability: O, P
Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months.

Outsourced cloud services

Outsourcing can be a cost-effective option for providing cloud services, as well as potentially delivering a superior service; however, it can also affect an organisation’s security risk profile. Ultimately, organisations will still need to decide whether a particular outsourced cloud service represents an acceptable risk and, if appropriate to do so, authorise it for their own use.

Cloud service providers and their cloud services will need to undergo regular security assessments to determine their security posture and security risks associated with their use. Following an initial security assessment, subsequent security assessments should focus on any new cloud services that are being offered as well as any security-related changes that have occurred since the previous security assessment.

Security Control: 1570; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months.

Security Control: 1529; Revision: 1; Updated: Jul-20; Applicability: S, TS
Only community or private clouds are used for outsourced cloud services.

Contractual security requirements

Obligations for protecting the confidentiality, integrity and availability of information are no different when using an outsourced information technology or cloud service than using an in-house service. As such, contractual arrangements between an organisation and a service provider should address how security risks will be managed. However, in some cases an organisation may require information technology or cloud services to be used before all security requirements have been implemented by the service provider. In such cases, contractual arrangements should include appropriate timeframes for the implementation of security requirements and break clauses if these are not achieved.

In addition, although information ownership resides with an organisation, this can become less clear in some circumstances, such as when legal action is taken and a service provider is asked to provide access to, or information from, their assets. To mitigate the likelihood of information being unavailable or compromised, organisations can document the types of information and its ownership through contractual arrangements.

Furthermore, organisations may make the decision to move from their current service provider for strategic, operational or governance reasons. This may include scenarios such as changing to another service provider, moving to a different service with the same service provider or moving back to an on-premises solution. In many cases, transferring information and functionality between old and new services or systems will be desired. Service providers can assist organisations by ensuring information is as portable as possible and that as much information can be exported as possible. As such, information should be stored in a documented format, preferably an open standard, noting that undocumented or proprietary formats may make it more difficult for organisations to perform backup, service migration or service decommissioning activities.

Finally, to ensure that organisations are given sufficient time to download their information or move to another service provider should a service provider cease offering a particular service, a one month notification period should be documented in contractual arrangements.

Security Control: 0072; Revision: 6; Updated: Jul-20; Applicability: O, P, S, TS
Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements.

Security Control: 1571; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
The right to audit security controls associated with the protection of information and services is specified in contractual arrangements.

Security Control: 1451; Revision: 2; Updated: Jul-20; Applicability: O, P, S, TS
Types of information and their ownership are documented in contractual arrangements.

Security Control: 1572; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
The regions or availability zones where information will be processed, stored and communicated are documented in contractual arrangements.

Security Control: 1573; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
Access to all logs relating to an organisation’s information and services is specified in contractual arrangements.

Security Control: 1574; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information.

Security Control: 1575; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements.

Access to systems and information by service providers

To perform their contracted duties, service providers may need to access an organisation’s systems and information. However, without proper security controls in place, this access could leave organisations’ systems vulnerable – especially when such access occurs from outside of Australian borders. As such, organisations should ensure that their systems and information are not accessed or administered by service providers unless such requirements, and associated measures to control such requirements, are documented in contractual arrangements. In doing so, it is important that sufficient measures are also in place to detect and record any unauthorised access, such as customer support representatives or platform engineers accessing an organisation’s encryption keys. In such cases, the service provider should immediately report the cyber security incident to organisations and make available all logs pertaining to the unauthorised access.

Security Control: 1073; Revision: 4; Updated: Jul-20; Applicability: O, P, S, TS
An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.

Security Control: 1576; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified.

Further information

Further information on the definition of cloud computing can be found in NIST SP 800-145, The NIST Definition of Cloud Computing, at https://csrc.nist.gov/publications/detail/sp/800-145/final.

The ACSC’s list of certified gateways is available at https://www.cyber.gov.au/acsc/view-all-content/programs/irap/asd-certified-gateways.

The ACSC’s guidance on conducting security assessments for cloud service providers and their cloud services is available at https://www.cyber.gov.au/acsc/government/cloud-security-guidance.

The whole-of-government policy on secure cloud computing can be found in the Digital Transformation Agency’s Secure Cloud Strategy publication at https://www.dta.gov.au/our-projects/secure-cloud-strategy.

Further information on outsourced information technology and cloud services can be found in the Attorney-General’s Department’s Protective Security Policy Framework, Security governance for contracted goods and service providers policy, at https://www.protectivesecurity.gov.au/governance/security-governance-for-contracted-service-providers/Pages/default.aspx.

Further information on the ACSC’s Managed Service Provider Partner Program can be found at https://www.cyber.gov.au/acsc/view-all-content/programs/msp-partner-program-msp3.

Further information on cyber supply chain risk management can be found in the ACSC’s Cyber Supply Chain Risk Management publication at https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-supply-chain-risk-management.

Further information on supply chain integrity can be found in NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, at https://csrc.nist.gov/publications/detail/sp/800-161/final.