Co-author of the article is Mgr. Jakub Klodwig ↗.
Have you successfully entered the cloud computing provider directory ↗? This was only the first step towards providing cloud computing services to public administrations.
Here is how to proceed. The next step towards providing cloud computing services to a public authority is to register your services as a cloud computing offer. Organizationally, this part is more complicated than the first step.
The first step is to complete a form issued by the Ministry of the Interior, including documents that demonstrate the required level of protection of confidentiality, integrity and availability of information (for simplicity, we will use the term "information security assurance" in the text) in accordance with Annex 2 of the Decree ↗ on Certain Requirements for Registration in the Cloud Computing Catalogue (hereinafter referred to as the "Decree on Entry Criteria").
Because of the number of documents that have to accompany the form, a brief methodology ↗ has been issued, including a template for completing the required documents, which describes how the documents attached to the application for registration of an offer are to be submitted, matched and identified.
Any public administration information system that uses cloud computing must be classified in an appropriate security level. To this end, a decree ↗ on security levels for the use of cloud computing by public authorities has been issued.
The decree establishes four security levels for the use of cloud computing: low, medium, high and critical.
An information system classified at the critical security level may only use cloud computing that is listed at the critical security level of the catalogue, and only a state cloud computing provider may provide such cloud computing.
The Security Levels Decree also sets out nine impact areas and, for each of them, four categories of scenarios that may result from a potential cyber security incident. The security level is determined by the highest impact value identified for the incident under consideration, i.e. the worst-case area decides.
The impact areas assessed are:
The classification of the information system is carried out by the public administration authority after it has assessed the impact of a possible cyber security incident in each of the identified areas. A written record of the determination of the security level of the requested cloud computing, with justification of the relevant conclusions, must be kept in accordance with the template published on the website of the National Office for Cyber and Information Security.
Why keep this mechanism in mind, even though it is a procedure for public authorities? Because it helps private cloud computing providers serving the public sector to determine which security level they want, and need, to register their cloud computing offer at.
For certain public administration information systems, the security level is fixed regardless of the worst-case impact assessment. For example, a public administration information system designated as a significant information system will always correspond at least to the 'high' security level, or to 'critical'. An information system that is part of the critical information infrastructure will always be classified at the highest, 'critical', security level.
The requirements for entry into each security level are set out in Annex 2 of the Entry Criteria Decree. Although the table may appear intimidating, this is due to the formatting rather than the complexity of the facts to be documented.
In addition, you will already have experience with most of the required documents from your track record of providing cloud computing to your customers. As the security level increases, so does the volume of verified facts that validate the security of the cloud computing you provide.
The following documents must be obtained at the lowest security level:
Specifically, this means that in order to register an offer at the lowest level, you need to provide a written description of the service offered. This description then states the national territories in which the data of the cloud computing you provide may be stored, as well as where it is managed from.
If the provision of the service depends on several cloud computing providers (for example, a SaaS built on another provider's IaaS), each of these providers must also be listed in the cloud computing directory, and this dependency must be stated in the application.
The documentation must also include a report or other evidence of an assessment of the natural and man-made sources of risk to the data centre. You also need to document a business continuity and disaster recovery strategy, i.e. a business continuity and disaster recovery plan.
In addition, the Ministry is interested in your contractual model and terms of service. These must ensure that, in the event of a legally binding request for access to data held in the cloud computing you provide, you do not automatically comply with the request but refer the requestor to the customer to whom the data belongs.
You also declare that you will have such a request legally reviewed and assess its validity before acting on it.
These documents must also demonstrate your ability to ensure adequate operational availability of the cloud computing provided, at a minimum of 96.16 % (SLA ↗). You must further provide information on sufficient capacity to operate the backup data centre and to secure it, on the tools or services provided to increase resilience against DoS/DDoS attacks, and on the cryptographic measures applied to data in transit and at rest.
In the contract or terms of service, you must also address measures relating to security incidents: keeping records of access to unencrypted data by internal and external personnel, deploying a tool for monitoring and evaluating cyber security events, and, in the event of a breach of the security of customer data, informing the customer without undue delay and no later than 72 hours after the breach is detected.
Other mandatory documents that you must provide for registration include:
A similar set of documents, supplemented by ISO/IEC 27001 certification and, in some cases, a SOC 2 Type 2 report, is required for entry into the higher security levels. Registration at a higher level differs primarily in the scope of the verified facts that the documents must cover.
We can help you with every part of the registration. If you still need to enter the directory itself, see our next article ↗. If you are already in the directory and need to list an offer, we can help with: