ISLAMABAD: The government has formulated accreditation criteria for cloud service providers (CSPs) which will help to ensure that CSPs have the necessary security and compliance control to protect government data.
A Cloud Office has been established under the Ministry of Information Technology and Telecommunication (MoIT&T) to facilitate and supervise the matters related to Pakistan Cloud First Policy (PCFP).
Besides other implementation measures, Cloud Office has formulated accreditation criteria for CSPs which will help to ensure that CSPs have the necessary security and compliance control to protect government data.
The criteria are formulated for CSPs opting to provide services to public sector entities (PSE). The criteria are based on international benchmarks such as security, reliability, cost, interoperability, availability, and any other established parameters.
The PFCP was approved by the Government of Pakistan in February 2022 which envisions the digital transformation of Pakistan by optimised ICT spending and efficient utilisation of the latest cloud-based technologies. The policy mainly applies to all the PSE intended to procure Cloud-based services from CSPs.
This provides the general and certification requirements along with the list of artifacts required from CSPs. The accreditation procedure, audit process and suspension/termination clauses are also included in this document. CSPs will be required to meet the requirements to get the accreditation from Cloud Office.
PSE will be required to provision services from the accredited list of the CSP only. The Cloud Office will maintain an accredited list of CSP for PSE and will have the authority to revoke the accreditation of CSP in case of non-compliance.
The general requirements include; (1) CSP shall be any public sector or private sector organization; (2) CSP shall abide by all relevant policies and legal requirements issued by Government of Pakistan as may be amended or revised from time to time; (3) CSP must fulfil contractual requirements as mentioned in Section 10.2 of PCFP that is Service Level Agreements (SLA), Interoperability Require-ment, Migration between CSPs and Data Ownership; (4) CSP shall offer Cloud Services by choosing a model from the Cloud Deployment Models (Public Cloud, Government Cloud, Private Cloud, and Hybrid Cloud) [As specified in Section 7 of PCFP]; (5) CSP shall adhere to the shared responsibility matrix referred in Annex C of PCFP or as agreed in SLA between CSP and PSE; (6) There should be sufficient capacity offered by CSP at an overall level in the compute, network and storage etc. to swiftly provision new resources in response to unanticipated additional/reduced requirement from PSE (as per the SLA between CSP and PSE); (7) The PSE shall be provided by CSPs with access rights (including the underlying secure connection) to the user administration/portal of cloud services (availed by PSE) to have visibility into the dashboard, SLAs, management reports, etc.
The certifications include, (1) A CSP seeking to get accredited shall have the certifications listed under this section; (2) The certificates should have been issued in the name of the CSP for the relevant facility; (3) A CSP shall renew all applicable certifications 30 days prior to the date of expiry and submit a copy of the renewed certification of compliance (with applicable ISO Standards issued by a certification body accredited by Assurance Services International) to Cloud Office; (4) A CSP shall maintain a list of certified staff as required in relevant certification.
Privacy includes, (1) for Baseline Level - ISO/IEC 27018:2019 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; (2) for Intermediate, Enhanced and Highest levels - Sector specific HIPAA (Health Insurance Portability and Accountability Act) - Requirement for cloud services handling healthcarerelated information to maintain confidentiality, integrity, and availability of electronic protected health information (ePHI), with stringent controls on data access and transfer.
For service and quality management include; (1)ISO/IEC20000-1:2018Information technology — Service management — Part 1: Service management system requirements; (2)ISO 9000 Family – Quality Management Note: for Intermediate, Enhanced and Highest level only.
All the accredited CSP are subject to comply to ICT audits requirements mandated by PCFP. Audits can either be carried out at regular intervals or on as the need be.
The Cloud Office will publish a list of designated auditing bodies on its website. CSP to ensure that their audit is done by an auditor registered with the Cloud Office.
If Cloud Office finds the CSP in violation of any requirement, it may: a. Issue warnings and impose financial penalties; b. Suspend some of the services being provided by the CSP; c. Suspend all the services being provided by the CSP; and, d. Terminate the accreditation of the CSP.
Copyright Business Recorder, 2024