The Cloud Industry Forum Cloud Service Provider Code of Practice: Guidance for Cloud Service Providers www.cloudindustryforum.org


Table of Contents

Purpose of this Document 3

Process Stages Covered Within this Document 3

“Prepare” Guidance 4

  Preparation Checklist 4

  Project Charter Template (MS Word Document) 4

  Project Plan Template (MS Excel Spreadsheet) 4

“Assess”, “Improve” and “Declare” Guidance 5

  Assessment Spreadsheet (MS Excel Spreadsheet) 5

  Guidance for Presentation of Information for sections A and B of the Code 5

    Format for Public Disclosure Requirements (Section A.1) 7

    Format and Naming Conventions for Supporting Documentation 8

    Documentation Requirements for All Applications 8

    Demonstrating Capability (Section B) 9

  Signing Documents Electronically 11

    Creating a digital signature 12

    Digitally signing a document 15

    Creating the FDF document 17

  Guidance for Other Information Required for Application 20

    Professional Reference Guidance and Template 20

    Management Declaration Guidance and Template 20

“Publish” Guidance 21

  Updating Public Disclosure Information 21

  Using the CIF Certified Logo 21

Further information 21

  Governance of The Code Of Practice 21

  About the Cloud Industry Forum (CIF) 21

  The CIF and The APM Group Limited (APMG) 22

  Code Governance Board 22

  Development and Maintenance of the Code 22

  Audit and Appeal 23

  Collaboration with Standards organizations and related Bodies 23

  Contact Us 23

The Cloud Industry Forum Cloud Service Provider Code of Practice: 04/2013 V1.0

The CLOUD INDUSTRY FORUM and CIF words and associated logos are trade marks. © Cloud Forum IP Limited 2013. All rights reserved

NOTICE: This document is intended to provide general information in relation to the Cloud Industry Forum’s Code of Practice journey for Certification. It is not intended to be comprehensive and should not be acted or relied upon as being so. Professional advice appropriate to specific circumstances should always be obtained.


Purpose of this Document

This document (Document 3) is aimed at organizations undertaking the Cloud Industry Forum (CIF) Cloud Service Provider (CSP) Code of Practice (Code) Self-Certification process. It is also relevant to any organization that may be considering Self-Certification against the Code.

This document provides instructional and informational guidance for organizations going through the Self-Certification process, and includes templates and resources which will need to be referenced during various stages of the process, from initial preparation through to publishing certified status.

Organizations should also download and refer to the following information provided by the CIF, downloadable from the CIF website www.cloudindustryforum.org:

■ Document 1: An Executive Briefing

■ Document 2: Conducting the Self-Certification

■ Terms and Conditions for Self-Certification

■ Cloud Service Provider Code of Practice

Further information or guidance can also be sought directly from the CIF ([email protected]) or APM Group, CIF’s Independent Certification Partner ([email protected]).

Process Stages Covered Within this Document

This document covers the following stages of the Self-Certification process:

■ Prepare

■ Assess

■ Improve

■ Declare

■ Publish

The following additional documents can be downloaded from www.selfcert.cloudindustryforum.org by organizations once they are registered for Self-Certification:

■ Project Charter (MS Word)

■ Assessment Spreadsheet (MS Excel)

■ Project Plan Template (MS Excel)

■ Professional Reference template (MS Word)

■ Management Declaration (pdf)

For information on earlier stages of the process, refer to the following documents:

■ Document 1: An Executive Briefing

■ Document 2: Conducting the Self-Certification

[Figure: the Self-Certification process. Stage descriptions recovered from the diagram; other steps labelled in it are Register, Determine Requirements, Recognize Need, Validate and Authorize.]

■ PREPARE: To achieve optimum results, a formal project should be established to perform the self-assessment and achieve Certification.

■ ASSESS: The organisation must conduct an Assessment of its compliance with Code requirements.

■ IMPROVE: If any non-conformances are noted in the Assessment step, then improvement actions are undertaken.

■ DECLARE: The organization completes the Application and required declarations, which are submitted to CIF via the online system.

■ PUBLISH: The organization displays the Code Certification Mark on its website, together with hyperlinks to the CIF website.


“Prepare” Guidance

Preparation Checklist

The following Preparation Checklist has been created to aid Self-Certification registrants in the initial ‘set-up’ activities involved in the Self-Certification process.

A version of this table can also be found in the Assessment Spreadsheet (see “Assess and Improve” section). Preparation tasks do not have to be done in this precise sequence, but all should be done.

The checklist table has the columns Task, Done?, When complete?, Who? and Guidance. Its tasks, with the guidance given for them, are:

1 Download: Doc.1: Executive Briefing; Doc.2: Conducting the Self-Certification; Doc.3: Guidance for Self-Certification; Cloud Service Provider Code of Practice. Guidance: all information can be sourced from http://www.cloudindustryforum.org/code-of-practice/cloud-service-provider-info-pack or, only once registered, via https://selfcert.cloudindustryforum.org for specific templates.

2 Read: Doc.1: Executive Briefing; Doc.2: Conducting the Self-Certification; Doc.3: Guidance for Self-Certification; Cloud Service Provider Code of Practice; Terms and Conditions (available on-line).

3 Register at https://selfcert.cloudindustryforum.org

4 Identify Team Leader/Project Manager

5 Identify the Executive Sponsor

6 Download / Review Additional Templates

7 Establish detailed plan with assigned responsibilities, estimated timeline and estimated costs

8 Review plan with APMG and clarify what additional help/guidance may be available. Guidance: contact APMG via [email protected]

Project Charter Template (MS Word Document)

The Project Charter will serve as an internal document that captures high level planning information (scope, deliverables, assumptions etc.) about the Code of Practice Project.

The Project Manager or Team Leader creates the Project Charter in the Initiation Phase of the Project, in consultation with the Executive Sponsor. Its purpose is to recognize the existence of the project and to begin the planning process required to accomplish the Project goals. It does not need to be shared with external parties as a formal contract or legal document.

The completed Project Charter does not need to be shared with the CIF or submitted with the final application.

To access and download the Project Charter Template, log into the Self-Certification website.

Project Plan Template (MS Excel Spreadsheet)

The Project Plan Template is provided in Excel format to facilitate practical use in conducting a Self-Certification.

The Excel file includes the following tabs/worksheets:

■ Example Diagram (Gantt Chart)

■ Example task table

■ Example resource table

■ Example assignment table

To access and download the Project Plan Template, log into the Self-Certification website.


“Assess”, “Improve” and “Declare” Guidance

Assessment Spreadsheet (MS Excel Spreadsheet)

The Assessment Spreadsheet is provided in Excel format and is for preparatory work during an assessment. It is particularly suited for use as a control tool to track corrective actions needed to achieve conformance with the Code, but can also be used to collect information.

The final results demonstrating full conformance, as entered into or tracked via the Assessment Spreadsheet, must be transferred into the required presentation formats (webpage, documentation, and entered or uploaded via the online system) prior to submitting an application for validation of Self-Certification.

The Excel file includes the following tabs/worksheets:

■ Overview

■ Preparation Checklist

■ Registration (ID and Scope)

■ Transparency

■ Capability

■ Other Information

■ Notes

■ FAQs

■ Feedback

To access and download the Assessment Spreadsheet, log into the Self-Certification website.

Guidance for Presentation of Information for sections A and B of the Code

Format for Public Disclosure Requirements (Section A.1)

To meet the requirements of section A.1 of the Code, applicant organizations must disclose information publicly by means of a published, online webpage.

In addition to including all relevant information and evidence required by section A.1 of the Code, the online Public Disclosure content should conform to certain requirements in terms of format and, in some cases, content, to facilitate comparison by end users between different organizations.

Requirements for Online Presentation of Information

To comply with section A.1, information must be presented in the following way:

■ The information must be available on a free-standing web page, or on free-standing web pages where more than one website is used to support provision of services covered by the Code.

■ The link to the free-standing web page must be called ‘CIF Code of Practice Disclosures’.

■ The link must be hyperlinked at a minimum from the home page of the organization’s website and should be situated on the home page in a similar location to legal-type notices, disclaimers or site terms and conditions (usually found in menus which appear at the very bottom or top of standard web page designs).

■ POST CERTIFICATION ONLY: The link must be displayed alongside the Certification Mark after the Mark has been granted.

Organization of Page Content

All information shall be presented sequentially on the web page and should be identifiable by the relevant Code sub-section, e.g. A.1.1, A.1.2 etc.

Information can be presented on the webpage in free text or table format.


Mandatory Content for Section A.1.1.

Post Registration Content (Pre-application)

The following text must be included against section A.1.1 on the disclosure web page (where ‘Xxx’ is the organization’s name) at the time that an application has been submitted but prior to award of certification:

NOTICE: While Xxx has made the commitment to the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

Post Self-Certification Content

(NOTE: this section is repeated in the “Publish” guidance within this document)

Once the organization has had its Self-Certification recognized by the CIF, i.e. once the organization has received formal notification that it is authorized to display the Code Certification Mark, the following text shall be added to the web page in place of the text above (Post Registration text):

Xxx has completed the Self-Certification against the ‘Code of Practice for Cloud Service Providers’ (the ‘Code’) of the Cloud Industry Forum (‘CIF’, at www.cloudindustryforum.org), which the mark above demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available.

Xxx is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.

NOTICE: While Xxx has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

The Certification Mark may also be shown in other places, as specified in the Logo Pack supplied when the organization is formally informed that it is authorized to display it.


Example Public Disclosure Content

The following is an example public disclosure for a self-certified organization, ‘Cloud Service Provider Example Limited’, using the required structure.

A.1.1. Compliance with Code

Cloud Service Provider Example Limited is committed to the principles of Transparency, Capability and Accountability which are embodied in the Cloud Industry Forum’s Code of Practice, because these help create a more trustworthy business environment for cloud-based processing.

Cloud Service Provider Example Limited is committed to complying with the specific requirements of the Cloud Industry Forum’s Code of Practice for the period of Certification, for the scope defined below in A.1.3.

Cloud Service Provider Example Limited has completed the Self-Certification against the ‘Code of Practice for Cloud Service Providers’ (the ‘Code’) of the Cloud Industry Forum (‘CIF’, at www.cloudindustryforum.org), which the Self-Certification mark demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available.

Cloud Service Provider Example Limited is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.

NOTICE: While Cloud Service Provider Example Limited has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

Cloud Service Provider Example Limited’s website page where publicly disclosed information is available is at www.CloudServiceProviderExampleLimited.com/CIF-Code-of-Practice-Disclosures

A.1.2. Corporate Identity and Responsibilities

Corporate name: Cloud Service Provider Example Limited
Legal status: Private Limited Company
Date of formation: 01 January 2012
Location of registration: England
Registration number: 1234567
Ownership (major shareholders): Cloud Service Provider Venture Capital Investments; John Henry Adams; Luke Howard
Members of board of directors: John Henry Adams; Luke Howard; Charles Thomson Wilson
Executive management: Luke Howard (CEO); Charles Thomson Wilson (CFO)
Corporate fixed address: 123 High Street, Anycity, Anycounty, UK XX1 2YY

A.1.3. Scope Covered by the Code

Scope of services: web archiving services
Geographical scope: Countries with local sales and/or support: UK
Countries where customer data may be held or processed: UK
Customer data will only be held in the UK. No other options are available.

A.1.4. Public Branding

Alternative trading name(s): Storage Rainbows Unlimited
Website address(es): www.CloudServiceProviderExampleLimited.com; www.StorageRainbowsUnlimitedLimited.com

A.1.5. Third-Party Coverage Transparency

Cloud Service Provider Example Limited does not accept any indirect responsibility for our suppliers.

Cloud Service Provider Example Limited’s suppliers do not accept indirect responsibility to Cloud Service Provider Example Limited’s customers.

Cloud Service Provider Example Limited does not accept indirect responsibility to customers of customers.


A.1.6. Security Control Transparency with the Cloud Security Alliance

Cloud Service Provider Example Limited has not completed the Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance.

A.1.7. Other Extended Commitments to Code of Practice Principles

Cloud Service Provider Example Limited does not commit to any additional transparency, capability, or accountability requirements in addition to those contained directly in this Code of Practice.

A.1.8. Technological Commitments*

Cloud Service Provider Example Limited does not publicly commit to supporting any specific technologies, standards, or inter-operabilities. Any such support must be separately negotiated.

A.1.9. Existing Certifications*

Cloud Service Provider Example Limited does not have any other certifications.

A.1.10. Industry Association Memberships (Optional)**

Cloud Service Provider Example Limited is a member of the Cloud Industry Forum, in addition to being self-certified under its Code of Practice.

* In this example, the disclosure of information relating to sections A.1.8 and A.1.9 has been included on the public web page. If an organization chooses instead to disclose this information under section A.2, this information does not need to appear on the web page.

** Information has been disclosed against section A.1.10, which is fully optional, i.e. it does not need to be disclosed.

Format and Naming Conventions for Supporting Documentation

CSPs are required to provide documented evidence that they meet the specific requirements of the Code.

CIF require documentation to be submitted in specific formats and according to specific filename conventions in order to:

■ Be assured that requirements are being met by applicant CSPs specifically and not broadly; and

■ Enable information to be sourced easily for the purposes of audit or complaint resolution.

Documentation uploaded to the online system as part of a CSP’s application is likely to include the following (Code of Practice Requirement: Documentation):

■ SECTION A: A.1. Information for public disclosure (a print screen of the online web page); A.2. Information for contracting disclosure.

■ SECTION B: Management system documentation for required capability areas, OR evidence of existing certification including a document outlining the scope of the certification.

■ OTHER INFORMATION: Professional Reference.

In addition to the files uploaded as part of the application, a self-certified organization shall maintain auditable records of its disclosure information as specified in the ‘Accountability’ section of the Code. Such records shall be accessible both chronologically, and also by potential customer, when provided to potential customers on an individual basis.

Documentation Requirements for All Applications

General:

■ The documentation shall be created exclusively using PDFs.

■ The documentation shall be supplied to CIF via the online application system.

■ The documentation shall be electronically signed using Adobe Acrobat.

■ For information and instructions on electronically signing documentation, see the “Signing Documents Electronically” section of this document.


File Naming Conventions

All files shall include the prefix reference issued by the CIF at the time of registration. This prefix can be found on confirmation of registration or payment details issued by the CIF and is a combination of alpha-numeric characters, e.g. CFW100000.

Document References (when entered into the online system)

When entered into the online system, all references to supporting documentation shall include a filename and an explicit reference within the file to a page or paragraph number, or a clause reference, where the information can be found. A file name alone is not acceptable.

If the amount of information to be put into an online reference field exceeds the character limit, which may be the case if multiple files are used in support of one Code requirement or area, it is acceptable for an applicant to do either of the following:

■ Remove the prefix reference from the filename when entering the name into the online form field for a particular requirement; or,

■ Create and submit an additional supporting document or page which contains all references mapping Code areas to submitted documentation. In this case, the online field can be completed with a reference to this new document/page instead.

Demonstrating Capability (Section B)

There are two ways of demonstrating capability at the time of application for Self-Certification:

■ Using Existing Certifications: Providing evidence of appropriate existing certifications against relevant standards covering the same capability requirements; or,

■ Using Primary Documentation: Providing primary documentation of required capabilities, including key policy and procedure-type documentation.

Using Existing Certifications

There are two types of certifications upon which reliance may be placed for demonstrating capability:

■ International and national standards with prefixes like ISO, ISO/IEC, BS, ANSI, etc.

■ The CIF Code of Practice Self-Certification, relevant if a CSP is relying in its application on another CSP which is already self-certified, e.g. for the provision of infrastructure services.

An existing certification must also meet the following criteria:

■ Scope. The organizational scope and scope of services of the existing certification must be directly relevant to the scope covered by the intended CIF Code of Practice Self-Certification. In order to use an existing certification to meet 100% of the requirements of any specific Code of Practice capability area, the scope of the existing certification must include 100% of the scope being self-certified under the CIF Code of Practice. If this is not the case, then there are two other alternatives that may be considered:

o Alternative one is to use the certificate for the part of the scope which is relevant, and provide primary documentation for the rest of the scope. In this case the application needs to clearly differentiate between the two sub-scopes. For applicants relying on the Self-Certification of another CSP, this would typically be the case, as there will almost always be some internal capability requirement which cannot be outsourced or subcontracted.

o Alternative two is to use supporting materials for the existing certification as part of the primary documentation, but not cite the certification itself.

Examples of Acceptable Document Filenames

■ PROFESSIONAL REFERENCE: CFW0000_ProfRef.pdf

■ STANDARD TERMS AND CONDITIONS: CFW0000CloudOrgT&Cs2012.pdf

■ ORGANIZATION CHART: CFW0000_CloudOrg_OrgChart_2012.pdf

Examples of Acceptable Online References

■ CFW0000DocFile p17

■ CFW0000DocFile 17-19,36

■ DocFile p17 para 5

■ DocFile1 pp17-19; TsAndCs clause 14
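A pre-submission checker for the filename and online-reference conventions above, added here as an example (it is not a CIF tool). It assumes the CIF prefix is “CFW” followed by digits, which the guidance only illustrates, and takes the online form's character limit as a caller-supplied number because the guidance does not state it.

```python
"""Pre-submission checks for CIF Code of Practice supporting documentation.

Encodes two rules from the guidance: uploaded files must carry the CIF
registration prefix and be PDFs, and an online reference field must name
a file AND a page, paragraph or clause (a filename alone is not
acceptable; the prefix may be dropped from the filename inside a field).
"""
from __future__ import annotations

import re

# ASSUMPTION: the guidance only says the prefix is alphanumeric, e.g.
# CFW100000, so "CFW" followed by digits is assumed here.
PREFIX_RE = re.compile(r"^CFW\d+$")

# Location markers accepted inside a reference, taken from the examples in
# the guidance: p17, pp17-19, 17-19,36, para 5, clause 14.
LOCATION_RE = re.compile(
    r"\b(?:pp?\s*\d+|para(?:graph)?\s*\d+|clause\s*\d+(?:\.\d+)*|\d+)",
    re.IGNORECASE,
)


def check_prefix(prefix: str) -> list[str]:
    """Problems with the registration prefix itself (empty list = ok)."""
    if PREFIX_RE.match(prefix):
        return []
    return [f"prefix {prefix!r} does not look like a CIF prefix (e.g. CFW100000)"]


def check_filename(name: str, prefix: str) -> list[str]:
    """Problems with one uploaded filename (empty list = ok)."""
    problems = []
    if not name.startswith(prefix):
        problems.append(f"{name!r} does not start with the CIF prefix {prefix}")
    if not name.lower().endswith(".pdf"):
        problems.append(f"{name!r} is not a PDF; all documentation must be PDF")
    return problems


def check_reference(field: str, max_len: int | None = None) -> list[str]:
    """Problems with one online reference field (empty list = ok).

    A field may cite several files separated by ';'. Each part is a
    filename (prefix optional) followed by at least one location marker.
    max_len is the online form's character limit; the guidance does not
    give the number, so the caller supplies it (an assumed value).
    """
    problems = []
    if max_len is not None and len(field) > max_len:
        problems.append(
            f"field is {len(field)} chars, over the {max_len} limit: drop the "
            "prefix from filenames or submit a separate mapping document"
        )
    for part in (p.strip() for p in field.split(";")):
        tokens = part.split(None, 1)          # filename, then everything else
        if not tokens:
            problems.append("empty reference part")
            continue
        filename = tokens[0]
        location = tokens[1] if len(tokens) > 1 else ""
        if not LOCATION_RE.search(location):
            problems.append(
                f"{filename!r}: no page/paragraph/clause given; "
                "a filename alone is not acceptable"
            )
    return problems


def check_submission(prefix: str, filenames: list[str],
                     references: list[str]) -> dict[str, list[str]]:
    """Run every check; returns {item: problems} for the items that failed."""
    report: dict[str, list[str]] = {}
    if (p := check_prefix(prefix)):
        report[prefix] = p
    for name in filenames:
        if (p := check_filename(name, prefix)):
            report[name] = p
    for ref in references:
        if (p := check_reference(ref)):
            report[ref] = p
    return report


if __name__ == "__main__":
    # Sample input constructed for this example; the accepted filenames and
    # references are the ones listed in the guidance, plus two bad items.
    report = check_submission(
        "CFW0000",
        ["CFW0000_ProfRef.pdf", "CFW0000CloudOrgT&Cs2012.pdf",
         "CFW0000_CloudOrg_OrgChart_2012.pdf",
         "OrgChart.docx"],                      # no prefix and not a PDF
        ["CFW0000DocFile p17", "CFW0000DocFile 17-19,36",
         "DocFile p17 para 5", "DocFile1 pp17-19; TsAndCs clause 14",
         "CFW0000DocFile"],                     # filename alone: rejected
    )
    for item, problems in report.items():
        print(item, "->", "; ".join(problems))
```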


■ Period of Validity. The certification must be valid on the date of the application. In the event that the period of validity for the certification does not include the entire period, i.e. in the event that the certification will end during the Code of Practice Self-Certification period, no further supporting documentation is required during the period of the CIF Code of Practice Self-Certification. Nonetheless, the self-certified CSP is committed to complying with the Code of Practice’s capability requirements for the entire period, regardless of what supporting documentation was supplied at the time of application.

■ Internationally Recognized Certification. For certifications other than the CIF Code of Practice Self-Certification, the certification must have been performed by an organization which is accredited for that standard by an accreditation body which is a signatory to the Multilateral Recognition Arrangement (MLA) of the International Accreditation Forum. This includes most of the major certification companies in the world, but may not include smaller companies, or companies whose primary business is not certifications.

The following should be submitted to the CIF as supporting documentation for any capabilities to be demonstrated through such certifications:

■ For certifications against international and national standards: a scanned copy of the certification certificate including scope and validity dates, and clarification of the accreditation body if it is not shown on the certificate.

■ For reliance on other CIF Self-Certifications: a letter from the self-certified CSP which states the scope of their Self-Certification, the validity dates, and an acknowledgement that they know the applicant CSP is placing reliance on their capabilities and that a contract is in place between them to justify this reliance.

■ A statement from the applicant CSP affirming that all criteria required for the acceptance of the certification are met.

Furthermore, if a reseller CSP seeking Self-Certification is relying on a supplier CSP’s Code of Practice Self-Certification (e.g. if a reseller is relying on an infrastructure provider CSP, such as for IT security management capability), then the reseller’s Self-Certification scope statement must clearly state that it is for services provided by the named supplier CSP.

If the reseller changes its supplier for these services to another supplier, then the reseller cannot continue to claim to be certified itself. It may therefore be more practical for the reseller simply to market the fact that it is reselling services from a Code of Practice self-certified CSP, rather than to have its own Self-Certification under these circumstances. However, this is a business decision and not one driven by the Code of Practice itself. See also ‘Leveraging Considerations for Subcontracted Cloud Service Providers’.

The following are examples of international and national standards for which certifications could provide all necessary support for the CIF Code of Practice capability requirements, assuming that the scopes cover the relevant CIF capabilities:

Using Primary Documentation In principle it should be relatively straightforward to demonstrate

capability as required by section B of the Code by using primary

documentation, except for the first capability area, which is

Information Security Management.

Primary documentation must be documentation actually in use

within the CSP, and not something that exists solely for the Code

of Practice Self-Certification application. One of the benefits

cited by CSPs that have been self-certified to the Code is that

it has helped them to identify gaps in their existing policies and

procedures and to fill them, strengthening the business in the

process. It is therefore expected, especially in smaller or younger

organizations which may not have any existing certifications, that

it will be necessary to improve or at least document some existing

informal practices. Copies of this documentation, reflecting

actual implemented practices, should then be included as primary

supporting documentation for the Self-Certification application.

Primary documentation does not need to be extensive, but it

must exist even if limited in detail. For example, the complaint

handling capability for a very small CSP could be supported with

two documents; one could be a half-page long, consisting of a

policy statement (e.g. a requirement to respond to all complaints

within x time, and to track and analyze for underlying root

causes) and a procedure with assigned responsibilities (e.g. all

complaints are handled initially by x, with appeals to be handled

by y). The second document could be evidence of a course

attended – external or internal – which includes this area to

demonstrate the provision for competence/training.

The general requirements for primary documentation are as

follows, which may be covered in multiple ways, in individual or

combined documents:

■ Policy

■ Procedures (or work instructions)

■ Assignment of responsibilities

■ Competence (or training)

Capability Standard

Information Security Management (Including Data Protection)

ISO/IEC 27001

Service Continuity Management BS 25999

Service Level Management ISO/IEC 20000-1

Supplier Management ISO/IEC 20000-1; ISO 9001

Software License Compliance ISO/IEC 19770-1

Complaint Handling ISO 9001

Environmental Impact Management ISO 14001

10

The Cloud Industry Forum Cloud Service Provider Code of Practice: 04/2013 V1.0

Signing Documents ElectronicallyAlthough the CIF Code of Practice scheme is based on Self-Certification, it needs to be enforceable, and therefore the supporting documentation on which it is based needs to be verifiable.

The CIF has chosen, as its preferred method of achieving this, to use features of Adobe Standard/Professional (version 8 or later), which provide strong authentication capabilities. The screenshots in this HowTo guide have been produced using Adobe Professional v8.

All materials should be saved as Adobe PDF documents, including the Professional Reference, and the full Documentation File of supporting documentation.

The documents should be signed and certified with no fields being left as modifiable.

The signature used should be for the person officially signing.

Additionally, the CIF reserves the right to require the following, which are not shown in this “HowTo” guide:

■ The signature used should be certified by a major publicly recognized certification authority.

■ ‘Long-Term Validation’ (LTV) should be used, which ensures the ability to validate a document’s authenticity in the future in spite of whether the certificate has expired or has been revoked, or even if the issuing authority has gone out of business.

■ A secure time stamp should be added to the digital signature, to confirm the time of the original signing.

■ Fonts should be embedded and the RGB color scheme used when the documents are created, to avoid possible incompatibilities between originator and recipient systems. (The PDF/A option does this.)

The remainder of this document is a ‘how-to’ for digitally signing documents as required for the CIF Code of Practice scheme.

In order to digitally sign a document using Adobe®, a digital signature must already exist. There are various desktop applications that can be used to create a digital signature, including Adobe Professional. Irrespective of the application used to create a digital signature, for the purpose of this HowTo guide, the format of the resulting signature must be compatible with Adobe applications.

Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, Distiller and Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

There is also a requirement for ‘Awareness’ for people besides those directly responsible for task execution, e.g. for awareness about security issues. In a CSP with a small number of employees (5 or less) it may not be realistic to expect documentation for awareness building, but for larger CSPs it is considered realistic.

Awareness building can be accomplished in many ways, but one of the easiest to document is via an internal annual training session to ensure that everyone is aware of overall policies, procedures, and assigned responsibilities. It can also provide an excellent opportunity for feedback and self-improvement.

As indicated above, additional guidance is appropriate for the capability area of ‘Information Security Management (Including Data Protection)’. It is recommended that primary documentation be provided to demonstrate that the CSP is competently addressing the following areas:

■ Security policy/data protection policy

■ Responsibility for security management within the organization

■ How security is built into the personnel processes (joining checks in terms of experience/qualifications/right to work, leaving procedures including revoking permissions/access)

■ Guidance provided to staff on security best practice including training and awareness

■ Examples of security methods in use in relation to premises, equipment, network and backups

■ Approach to information classification to reduce risk of information slipping into the wrong hands

■ How the above are monitored and reported on (could be internal audits, spot checks, monthly reports and analysis etc)

■ Data Protection Act Registration (or the equivalent requirement in different jurisdictions) and/or processes implemented to ensure compliance.

Leveraging Considerations for Subcontracted CSPs

The guidance above addresses one way that CSPs working together can leverage the benefits of a self-certified supplier CSP helping a reseller CSP become self-certified.

There are two further ways for a reseller CSP to obtain significant benefits from working together with a self-certified supplier CSP.

Mentoring Partnership

If the reseller CSP wants to obtain its own Code of Practice Self-Certification, it may be possible for the reseller CSP to be mentored by the supplier CSP, including through the sharing of policy and procedure documentation which the reseller CSP can adopt with suitable modifications. This will expedite the process of the reseller developing its own internal capabilities, which can then be self-certified on a freestanding basis without reference to the supplier CSP’s Self-Certification.

Marketing Partnership

Instead of obtaining its own Code of Practice Self-Certification, the reseller CSP can simply market the fact that it is reselling services from a self-certified supplier CSP. This should already provide a significant level of reassurance to the reseller CSP’s potential customers.

Note, however, that the supplier CSP must formally accept responsibility towards the customers of its own customers (i.e. towards the customers of the reseller CSP) for there to be any clear basis on which the ultimate customers can place reliance. This type of responsibility information should be available in the supplier CSP’s public disclosures in the third sub-point of section A.1.5 of the Code.



The CLOUD INDUSTRY FORUM and CIF words and associated logos are trade marks. © Cloud Forum IP Limited 2010. All rights reservedNOTICE: This document is intended to provide general information in relation to the Cloud Industry Forum’s Code of Practice journey for Certification. It is not intended to be comprehensive and should not be acted or relied upon as being so. Professional advice appropriate to specific circumstances should always be obtained.

2AP11-v6.1


Creating a digital signature

A digital signature is used to approve a document much like a hand-written signature does. A digital signature can, optionally, include an image of your hand-written signature (and computer text setting out your contact details). This HowTo guide includes details about encapsulating an image of your hand-written signature. For the purpose of this HowTo guide, a fictitious signature has been created for ‘TestSample’.

Hand-written signature

This section assumes that you have the technical knowledge to scan, crop, tidy up and publish an image of your signature in the format of either a .JPG or .TIFF file.

If you wish to include an image of your handwritten signature in the digital signature, then please do so by:

■ Sign on a blank sheet of paper

■ Scan the paper

■ Save the resulting image as a .JPG or .TIFF image file

■ Crop and tidy the image as necessary

The image that you have created will need to be converted into a .PDF format. There are several ways to do this.

As this HowTo guide makes use of Adobe Professional, it is logical to use the same application to perform the conversion.

Converting a .JPEG or .TIFF image to a .PDF file

With Adobe Professional open in the foreground, open Windows Explorer.


With Windows Explorer open in the foreground and Adobe Professional immediately behind, navigate to the location where your image file is stored. With the relevant file name highlighted, simply click and drag the image file into the (currently empty) work area of the Adobe application.

When the left mouse button is released, the image file will appear in Adobe, and Adobe Professional will become the foreground application.

With the Adobe application in the foreground, select the following from the pull down menu: File/Save As… Shift+Ctrl+S, and save the file in .PDF format.

Adding Time/Date stamp and other attributes

In order to make your digital signature fit for purpose, it will need to be capable of capturing adequate metadata for the purpose of future validation. Adobe Professional can be used to add additional functionality to your digital signature file as described below:

With the .PDF signature image file open, open the Preferences window by choosing Edit/Preferences… Ctrl+K from the pull down menu.

Once the Preferences window has opened, using the left pane, scroll down and highlight [Security]. Next, click the [New…] button.


Configure Graphic section

[1] Click the radio button [Imported graphic]

[2] Click the [File…] button and navigate to the .PDF image file with your signature in it.

Configure Text section

[3] Leaving the ‘Name’ and ‘Date’ options, remove all of the other checkmarks.

[4] Click [OK] to finish.

Click [OK] to commit your selection.

Click [OK] to finish.

Digitally signing a document

Open the .PDF file that you want to digitally sign.

From the pull down options, select: Sign/Certify with Visible Signature

Click [OK] to continue.


Please read the notes in this dialogue box, and then click [OK] to continue.

Once you have clicked [OK] above, the mouse pointer will change to a crosshair.

Click and drag out an area on the page to indicate where the image of your signature will appear.

Once you release the left mouse button, another dialogue box, ‘Certify Document’, will appear.

If the area that you indicate is quite small, then an alternative dialogue will appear, inviting you to start over. In either case, please follow the onscreen prompt.

In the Certify Document dialogue box, you will see many of the details that you selected in the ‘Configure Signature Appearance’ section.

In the Appearance pull down menu, select the file name that features a scanned copy of your signature and Time/Date stamp details, as selected in the ‘Configure Signature Appearance’ section.

When selected, you will note that a copy of your scanned hand-written signature will appear. Next, click on [Sign].

You will be prompted to save the resulting file. Enter the new file name as required.


When the digitally signed file is saved, notice the additional security marks.


Creating the FDF document

In order for the recipient to authenticate the digitally signed document, you will need to export and send (via email) the signing certificate (Adobe FDF data exchange file) associated with the document that you have created. To export and email the Adobe FDF file, please follow the steps below:

With the relevant document open, click on the Signature Properties button.

When the Signature Properties dialogue box appears, select (from the Summary or Signer tab) ‘Show Certificate’.

When the Certificate Viewer dialogue box appears, select [Export...]

In the Data Exchange File dialogue box, note the ‘Destination’ section. Change the selection to ‘Email the exported data’, and click [Next >]

Click [Next >] again in the next window.

Next, click [Sign...] to sign the outgoing message, and select [Sign...] again in the dialogue box that follows.


Clicking [Next >] will prompt you to enter the email address of the intended recipient.

In the next dialogue box, please enter the following email address into the [To:] field:

[email protected]


Click [Next >] to proceed.

Click [Finish] to accept and continue.

Adobe will now automatically send the FDF file associated with your digital signature to the Cloud Industry Forum email address that you have entered.

When the Finish button is clicked, the first of the ‘Certificate Viewer’ dialogue boxes will re-appear. Click [OK], and then [Close] on the screen that follows to conclude this process.

NOTE: this is just a test sample email address.


Guidance for Other Information Required for Application

Professional Reference Guidance and Template

The following is the letter template to be provided on professional advisor letterhead to accompany all Self-Certification applications, which must be reproduced as presented below.

The signed Professional Reference must come from your registered accountant, solicitor, certification body auditor, or similar individual from an organization which provides professional services to you on an on-going basis.

(On the professional services organization’s letter-headed paper)

I hereby:

1. acknowledge that this Declaration will be submitted together with our client’s application for the Cloud Industry Forum’s Self-Certification, and in so doing,

2. declare:

a. My organization’s details are as follows:

i. Name, address and contact of firm/practice

ii. These details may be found in public at [URL].

b. My professional qualifications may be validated as follows:

i. Name of accrediting organization

ii. These details may be found in public at [URL].

c. The capacity of the professional relationship is [state].

d. We have advised the organization for [state time] in this firm’s professional capacity as stated above.

Signed by:

duly authorized for and on behalf of:

Date:

The Professional Reference should also be electronically signed and provided in pdf, electronically signed with all other documentation.

To access and download a Word version of the Professional Reference, log into the Self-Certification website.

Management Declaration Guidance and Template

The Management Declaration is made on-line, as part of the application process.

Because it is not realistic to expect a senior executive to physically perform part of an on-line application process, reliance is placed on the organization’s internal procedures and communications to ensure that the relevant member of management has properly approved the Management Declaration.

When the on-line application is formally submitted, an email will be sent to the named senior executive to confirm the Management Declaration which has been recorded in his/her name, and a confirming response is required to complete the application. The confirming response should include sufficient information to identify the individual, including name and position.

The Management Declaration will be available on the CIF website together with other publicly available information about the certified organization, showing the executive’s name and position, but not the email.

The on-line Management Declaration contains the following wording:

I declare that:

a. [Organization Name] is committed to the principles of Transparency, Capability and Accountability which are embodied in the Cloud Industry Forum’s Code of Practice, because these help create a more trustworthy business environment for cloud-based processing.

b. [Organization Name] is committed to complying with the specific requirements of the Cloud Industry Forum’s Code of Practice for the period of Certification, for the scope defined in the application.

c. [Organization Name] is willing to submit any customer disputes to formal external dispute resolution.

d. The information provided in this application for Self-Certification is a true and accurate reflection of the business and practices of [Organization Name].

e. I am authorized to commit [Organization Name] to the contents of this Management Declaration.

I also acknowledge that:

a. This Management Declaration is a part of the full application for Self-Certification

b. The Cloud Industry Forum’s Terms and Conditions (IP14) apply to this application for Self-Certification

c. An audit may be conducted by the CIF to ensure compliance with the Code of Practice

d. Any non-conformance with the Code of Practice, at the sole determination of the CIF, as confirmed after the conclusion of appeal procedures, will result in the withdrawal of the Code of Practice certification in accordance with the General Cloud Industry Forum Terms and Conditions.

e. Any withdrawal of the Code of Practice certification may be publicized, including on the CIF web site and in other ways in the press.

To access and download a pdf copy of the Management Declaration to circulate to the named senior executive, log into the Self-Certification website.


“Publish” Guidance

Updating Public Disclosure Information

Once APMG has validated and authorized the Self-Certification, an organization will be issued with a Certificate stating the date of award, and will be required to add the following text to their website, to replace the Post Registration (Pre-Certification) text.

Post Self-Certification Text

Xxx has completed the Self-Certification against the ‘Code of Practice for Cloud Service Providers’ (the ‘Code’) of the Cloud Industry Forum (‘CIF’, at www.cloudindustryforum.org), which the mark above demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available.

Xxx is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code.

NOTICE: While Xxx has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained.

Using the CIF Certified Logo

Once a Self-Certification has been recognized, an organization will be supplied with the CIF logo pack, which includes:

■ LP01 Guidelines for Self-Certification Mark Use

■ CIF Self-Certified Logo / Mark (in a number of formats and colours)

The LP01 document issued upon certification authorization provides guidance on the use of the mark, as well as the expectations for its use, which include instructions on inclusion of the mark on Public Disclosures web pages.

Further information

About the Cloud Industry Forum (CIF)

The CIF was established in direct response to the evolving supply models for the delivery of software and IT services. Our aim is to provide much needed clarity for end users when assessing and selecting Cloud Service Providers based upon the clear, consistent and relevant provision of key information about the organization, its capabilities and its operational commitments.

We achieve this through a process of Self-Certification of vendors to a Cloud Service Provider Code of Practice requiring executive commitment and operational actions to ensure the provision of critical information through the contracting process. This Code of Practice, and the use of the related Certification Mark on participants’ websites, is intended to promote trust to businesses and individuals wishing to leverage the commercial, financial and agile operations capabilities that Cloud-based and hosted solutions can provide.

For further information about the Cloud Industry Forum, please refer to www.cloudindustryforum.org.

Governance of The Code Of Practice

The Cloud Industry Forum has set up a governance board to be responsible for the stewardship of the Code of Practice, and full details of the board composition and committees can be found on the CIF website.

This operates independently of the CIF Management Board of the not-for-profit member body, and includes representatives from outside CIF membership, including end user representatives, industry advisors and IT legal practices to ensure a balanced and transparent approach to governance.


Code of Practice Governance Board The Code Governance of Practice Board is chaired by an elected representative from the governance board members, and is responsible for the following:

■ Approving the CIF Code of Practice’s goals, objectives and strategies in relation to the Code of Practice

■ Reviewing the requirements of the Code of Practice on an annual basis and approving any changes

■ Identifying the principal risks of the CIF Code of Practice operations and scope, and overseeing the implementation of appropriate risk assessment systems to manage these risks.

■ Reviewing the CIF Code of Practice's financial performance and approving changes to ensure it operates viably.

■ Monitoring participant appeals, third party complaints, and the operational standards and consistency associated with the operation of the CIF Code of Practice

■ Assessing its own effectiveness in fulfilling its responsibilities, including monitoring the effectiveness of individual representatives

■ Ensuring the integrity of the CIF Code of Practice’s internal control system and management information systems.

The Board can set up committees to delegate specific responsibilities from time to time as required and the composition of such committees will be set out on the CIF website.

Audit and Appeal

In order for the Code Self-Certification process to be credible and trusted it needs to have an appropriate enforcement model to challenge any false submissions.

These validations will be based upon either a random audit, an external complaint or a whistle-blower alert. As such, the CIF will manage an audit process (directly or through accredited third parties) and will have the capability and authority to enforce removal of the Certification Mark from organizations deemed not to have complied with the Code. Independent Certification will only be enabled through bodies approved and accredited by the CIF, and as such the process of carrying out an Independent Certification will automatically confer on the participant a higher degree of trust than is achieved through Self-Certification.

If an external complaint or whistle-blower statement is made about a self-certified participant that questions the validity of their declaration, the participant will be allowed to know the nature of the complaint and to provide any evidence to uphold their position as self-certified to the Code. The CIF will operate a Compliance Committee to oversee complaints and decide on their validity. In the event that the Compliance Committee upholds the complaint, the self-certified participant shall have the ability to challenge the findings by appeal to the Code Governance Board. The opinion of the Code Governance Board is final and no further route of appeal is available.

The CIF Compliance Committee will acknowledge all complaints and reserves the right to publish opinions publicly. Only the Code Governance Board or its nominated representative/s will approve any public comment on complaints.

Collaboration with Standards organizations and related Bodies

By nature of the industry, the CIF will need to operate on an international stage as the Cloud has no geographic boundary (though our legal remit will focus initially on the UK). The CIF will collaborate with and endorse appropriate security and technical interoperability standards that are outside of, but complement, the Code.

The CIF participates in the activities of ISO/IEC JTC1 SC38 (whose scope includes cloud computing) through the corresponding committee of the British Standards Institution.


Contact Us

Mail: The Cloud Industry Forum, Sword House, Totteridge Road, High Wycombe, HP13 6DG

www.cloudindustryforum.org

https://selfcert.cloudindustryforum.org

Email: [email protected] / [email protected]

Telephone: +44 (0)844 583 2521 / +44 (0)1494 459 559

The Role of The APM Group Limited (APMG) in Supporting Certification

APMG was established in 1993 and is a global business providing accreditation and certification services. APMG has a worldwide presence, with offices in Australia, China, Denmark, Germany, India, Italy, Malaysia, the Netherlands, the UK and the US. APMG has been working with the CIF to provide the administration behind the Code of Practice scheme.

APMG has been appointed as the CIF’s independent certification partner. APMG will use its independence to ensure those organizations which sign up to the Code of Practice are confident of an impartial, reasonable, consistent and professional approach to the processing of their information and assessments.

APMG will also attend the Code Governance Board to provide a direct route for feedback from applicants working through the scheme into this monitoring body.

APMG does not provide any commercial services within the Cloud and so is able to complete the assessments of organizations without any conflict of interest, protecting the integrity and confidentiality of the information provided as part of the application process.

For further information about the APM Group Limited, please refer to www.apmgroupltd.com
