Antonius Yosiko
125130397
Stefanus Kurniawan
125130286
Sugim Winata
125130397
Managing Cloud Computing Risk (cloud subscriber)
Resiliency and Availability
Security Operations
Application Development
Enterprise Resource Planning (ERP)
Risk management principles: Mitigate, Transfer, Bear

Managing Cloud Computing Risk (cloud provider)
Resiliency and Availability
Security Operations
Application Development
Enterprise Resource Planning (ERP)
Risk management principles: Mitigate, Transfer, Bear
Establish code review at the application level, tighten the SDLC process, and provide notifications for change management and releases.
Offer an independent change acceptance process.
Risk-Based Approach
Understanding the various cloud models and their associated threats and weaknesses will help manage risk.
Service Delivery Risk: evaluate virtualization risk; evaluate SaaS risk; evaluate PaaS risk; evaluate IaaS risk.
Deployment Risk: understand public cloud risk; understand private cloud risk; understand hybrid cloud risk.
Business Model Risk: evaluate cloud consumer risk; evaluate cloud provider risk.
Security Risk: analyze security risks.
---
Other Risks

Control baseline excerpt (FedRAMP-style; source columns: Control Number and Name, Control Specification, Additional Requirements and Guidance, Control Area, ISO Ref Num, Control ID, Control Notes)

1.1. Access Control (AC)

AC-1 Access Control Policy and Procedures
Control specification: [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

AC-2 Account Management (enhancements listed: AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7))
AC-2j. [Assignment: organization-defined frequency] Parameter: [at least annually]
AC-2 (2): [Assignment: organization-defined time period for each type of account (temporary and emergency account types)] Parameter: [no more than (value illegible in the source) for temporary and emergency account types]
AC-2 (3): [Assignment: organization-defined time period] Parameter: [ninety days for user accounts]
Additional requirements and guidance for AC-2 (3): The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB.

Questions to be Answered
Questionnaire Instructions: For each question choose either Yes, No or N/A from the drop down menu provided. If N/A is chosen, then an explanation is mandatory. Use the "Additional Information" field to the right of the question. Click on the instruction pop-up box and drag if necessary.
Questionnaire columns: Req Num, Question/Request, Additional Information, Service Model, ISO Ref Num, Control ID, Control Notes

V.1 Are Cloud Services provided? If so, what service model is provided (select all that apply):
V.1.1 Software as a Service (SaaS)?
V.1.2, V.1.3 (question text not legible in the source)
V.1.4.1 to V.1.4.4: Private cloud? Public cloud? Hybrid cloud? (one item's text not legible in the source)
V.1.5.1 to V.1.5.8 (question text not legible in the source)
V.1.6 What legal jurisdiction does data reside in (select all that apply):
V.1.6.1 USA?
V.1.6.2 Canada?
V.1.6.3 Asia?
ISO Ref Num values appearing in the source: 4.1, 4.2, 15.1.1, N/A (assignment to individual rows not recoverable)

Cloud Controls Matrix excerpt (architectural relevance columns: Phys, Network, Compute, Storage, App, Data)

Control Area: Compliance - Audit Planning, Control ID CO-01 (control specification not legible in the source)
Control specification fragment (control ID not legible in the source): ... applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing)
Control Area: Compliance - Third Party Audits, Control ID CO-03
Control specification: ... information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.
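The AC-2 (3) parameter above (inactive user accounts disabled after ninety days, with the period for non-user accounts defined by the service provider) and the AC-2 (2) time limit for temporary and emergency accounts describe checks that can be run against an account inventory. The following is an added example, not code from the page, FedRAMP or the CSA; the account list is constructed, the non-user period is an assumed placeholder, and the expiry date on a temporary account is assumed to be recorded at creation time.

```python
from datetime import datetime, timedelta, timezone

# Policy periods. Ninety days for user accounts is the AC-2 (3) parameter on the
# page; the period for non-user accounts is organization-defined (the page says
# the service provider defines it, subject to JAB acceptance), so the value
# below is an assumed placeholder, not a FedRAMP figure.
USER_INACTIVITY_DAYS = 90
NON_USER_INACTIVITY_DAYS = 90  # assumption: replace with the approved period

# Constructed sample inventory (not real accounts). 'last_activity' is the last
# authentication; None means the account has never been used, in which case the
# creation date is the reference point. 'expires' is only set for temporary
# and emergency accounts (AC-2 (2)) and is assumed to be recorded at creation.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"name": "alice", "kind": "user", "enabled": True,
     "created": datetime(2023, 1, 10, tzinfo=timezone.utc),
     "last_activity": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"name": "bob", "kind": "user", "enabled": True,
     "created": datetime(2023, 1, 10, tzinfo=timezone.utc),
     "last_activity": datetime(2024, 2, 1, tzinfo=timezone.utc)},   # idle > 90 days
    {"name": "carol", "kind": "user", "enabled": True,
     "created": datetime(2024, 1, 5, tzinfo=timezone.utc),
     "last_activity": None},                                         # never used
    {"name": "dave", "kind": "user", "enabled": False,
     "created": datetime(2022, 5, 5, tzinfo=timezone.utc),
     "last_activity": datetime(2023, 1, 1, tzinfo=timezone.utc)},   # already disabled
    {"name": "svc-backup", "kind": "non-user", "enabled": True,
     "created": datetime(2023, 3, 1, tzinfo=timezone.utc),
     "last_activity": datetime(2024, 6, 29, tzinfo=timezone.utc)},  # device/service account
    {"name": "tmp-contractor", "kind": "user", "enabled": True,
     "created": datetime(2024, 6, 1, tzinfo=timezone.utc),
     "last_activity": datetime(2024, 6, 28, tzinfo=timezone.utc),
     "expires": datetime(2024, 6, 15, tzinfo=timezone.utc)},        # temporary, past expiry
]


def inactive_accounts(accounts, now, user_days=USER_INACTIVITY_DAYS,
                      non_user_days=NON_USER_INACTIVITY_DAYS):
    """AC-2 (3): names of enabled accounts idle longer than the policy period.

    User and non-user accounts are measured against different periods; an
    account that has never authenticated is measured from its creation date so
    that dormant provisioned accounts are not missed.
    """
    flagged = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        period = timedelta(days=user_days if acct["kind"] == "user" else non_user_days)
        reference = acct["last_activity"] or acct["created"]
        if now - reference > period:
            flagged.append(acct["name"])
    return sorted(flagged)


def expired_temporary_accounts(accounts, now):
    """AC-2 (2): enabled temporary/emergency accounts whose expiry has passed.

    Recent activity does not extend the life of such an account; only the
    expiry recorded when it was created counts.
    """
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and a.get("expires") is not None and a["expires"] <= now)


if __name__ == "__main__":
    print("disable (inactive):", inactive_accounts(SAMPLE_ACCOUNTS, NOW))
    print("remove (expired temporary/emergency):",
          expired_temporary_accounts(SAMPLE_ACCOUNTS, NOW))
```

Run on the constructed inventory, the inactive check flags bob (idle since February) and carol (provisioned in January and never used), while the expiry check flags tmp-contractor even though it was used two days ago. Feeding the real period for non-user accounts into non_user_days is the only change needed once that period has been approved.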
Cloud Advantages
Capacity Planning: the Cloud Provider guarantees the availability of the resources the user needs.
Variable Load Planning: the service level for variable load handling can be made part of an agreement with the Cloud Computing Provider to handle excess load on hardware and the network.
Pay as you go: using cloud computing can lower hardware, software, infrastructure, power and network costs.
Response time: response time and availability can be better because the Cloud Provider's infrastructure is larger.
Time to market: system improvements and development can be implemented in minimal time.
Cloud Disadvantages
Confidentiality and Security: data is exposed to the Cloud Computing Provider.
Mission-critical Applications: when an application is critical, organizations tend to be unwilling to outsource responsibility for it.
Availability and Contingency Planning: some organizations may be reluctant to accept Cloud Providers' guarantees without the ability to independently audit their effectiveness and test the systems.
Service Level Agreement Monitoring: monitoring can become a problem when Service Providers have a large client base and no direct control over the workload intensity across clients.
Cost Control: controlling the costs incurred so that only what can be paid for is used.