Understanding and implementing the 14 Cloud Security Principles – Part 6: personnel security
In our latest blog post covering the 14 Cloud Security Principles and the National Cyber Security Centre’s (NCSC) guidance on how to configure, deploy and use cloud services securely, it’s time to look at principle number 6: personnel security.
What is personnel security?
Personnel security is a combination of policies and procedures that aim to mitigate the risk of individuals exploiting their legitimate access to a business’s assets for unauthorised purposes.
In this specific area, the ‘individuals’ referred to are the personnel employed by your service provider. Some of these personnel will have access to your company’s data and its systems, so you require a high degree of confidence that they are trustworthy. High-level screening and regular security training can reduce the possibility of an accidental or malicious compromise by service provider personnel. As such, all providers should make it very clear how they screen and manage personnel within privileged roles.
In relation to personnel security there are two specific goals. “You should be confident that:
• the level of security screening conducted on service provider staff with access to your information, or with ability to affect your service, is appropriate
• the minimum number of people necessary have access to your information or could affect your service”
The next step, after reading this blog post, is to contact your service provider and ask them how they screen their personnel and what types of security training they provide. If your service provider is unable to answer these questions, or is unwilling to offer you any answers, we recommend reviewing your contract!
If you have any specific queries concerning personnel security or any of the other Cloud Security Principles we have explored so far on our blog, please feel free to contact a member of the team here at etiCloud – we’ll be very happy to help in any way we can.
Next up: Secure development