The Federal Office for Information Security (BSI) has published a new minimum standard pursuant to § 8 of the BSI Act (BSIG) on the use of external cloud services such as data rooms. In addition to data categorization and risk analysis, the minimum standard covers the entire lifecycle of cloud use, from procurement to the end of the deployment phase, and sets out security requirements for each of these phases. Particular emphasis is placed on linking to the basic requirements of the BSI's previously published Cloud Computing requirements catalog.
Basic requirements for information security
The catalog is aimed primarily at data room providers and/or cloud providers. Its basic requirements already define a level of information security for data room services which, from the BSI's perspective, should not be undercut. When using external cloud services, federal agencies have to take into account that the data room provider meets at least the basic requirements and that this is demonstrated to them in a suitable form, e.g. by submitting a test report. On the basis of this report, federal agencies can then match the offers of cloud providers against their own requirements.
More transparency for providers
Arne Schönbohm, President of the Federal Office for Information Security (BSI), said: "After publishing the catalog, we are once again setting a clear signal to the cloud market with this minimum standard. Cloud services are based on a high degree of trust in the cloud provider, because the details of the cloud are mostly hidden from the customers. The new minimum standard provides for greater transparency as a whole and enables the providers to talk to each other about the defined minimum level of information security."
A cloud computing guide for government agencies as well
The minimum standard issued by the BSI, the national cyber security authority, defines a minimum security level for the use of external cloud services by federal agencies. At the same time, authorities of the Länder and municipalities, as well as companies, can use the described procedure as a guide for their own cloud use. The minimum standard for the use of external cloud services is available on the BSI website.