Section 8: Cloud UsageAnchor: #i1057885
Selecting the appropriate virtual environment for computing resources is the first critical step in procuring secure cloud services. Cloud services includes both the hosting of content on a virtual network and accessing the service through an Internet connection. This section establishes how TxDOT uses these services as part of its Intrusion Prevention Policy and describes the minimum protocols and responsibilities that must be in place. It specifies and defines what considerations to address, aligning the discussions with the “Identify” objective of the Texas CyberSecurity Framework.Anchor: #i1054068
Regardless of the service provider or the type of cloud-based service sought, TxDOT shape service agreements that specify the appropriate levels of service, the standards for the service, and how TxDOT information assets are protected. Customarily, Texas State agencies seek cloud services through the Texas Data Center Services. The Texas Department of Information Resources (DIR) may grant exceptions for alternate cloud service providers (CSP) when business reasons are justified. These services include Software as a Service (SaaS), Infrastructure as a Service (IaaS), or Platform as a Service (PaaS).Anchor: #i1032868
TxDOT employees and contractors seeking a cloud-based solution must carefully define the roles and responsibilities among all the service providers and TxDOT to effectively manage cloud-based services that are of benefit to the Agency. This collaboration with a potential provider must fully:
- integrate all terms of service in the contract.
- define performance with clear terms and definitions; demonstrate how to measure performance; and create enforcement mechanisms that allow for service adjustments when necessary.
- detail the security requirements to maintain the confidentiality, integrity, and availability of cloud-based information assets.
- identify both the use of National Institute of Standards and Technology and TxDOT standards for cloud architecture.
Those who seek a cloud-based solution must also address potential privacy risks, legal discovery, and electronic records management and disposition in keeping with all applicable laws and regulations.
Information custodians must ensure proper administration of cloud services as specified in the agreements between TxDOT and the cloud service provider.
Information owners help to select and manage the information assets residing with a cloud service provider.
Information Security Officer must ensure individuals and cloud service providers comply with the cloud usage mandates issued in the Intrusion Prevention Policy.
Compliance and Standards
See the “Cloud Standards” in the Information Security Standards manual for the minimum standards necessary to comply with this objective of the Intrusion Prevention Policy.