Service Overview
Organizations are increasingly moving infrastructure, services, applications, and other critical data stores from on-premises networks to public or private cloud environments. Cloud platforms can offer an increase in scalability, flexibility, and availability with more predictable costs by converting capital expenditures (CapEx) to operating expenditures (OpEx). The differences that produce these benefits also make some of the models and approaches used for traditional cybersecurity less applicable, and it is crucial not to assume that a cloud platform is automatically secure in its default configuration. Organizations should also consider that not all legacy cybersecurity tools can transition seamlessly into virtualized cloud environments.
The Cloud Security Assessment examines cloud and cloud-related elements to confirm that organizations are not relying on default or typical security settings to protect critical data, and are instead aligning with best practice and striking the best possible balance between operation and security.
This Statement of Work identifies the objectives, scope, methodology, deliverables, client requirements, and assumptions for all work to be completed by DeepSeas.
Objectives
The objectives of this initiative are as follows:
- Examine the cloud environment for technical and administrative security gaps.
- Identify improvements to cloud environment security based on recognized best practice standards.
- Support the protection of critical assets.
- Support compliance with regulatory requirements.
Methodology
The methodology consists of the following activities:
- INITIALIZATION MEETING – DeepSeas will host an initialization meeting to review the objectives, methodology, scope, and deliverables in the Statement of Work.
- PLANNING – Preparation necessary to conduct an effective assessment, including:
  - Scope Validation – Validating that all parties agree on the scope.
  - Schedule Development – Scheduling, project plan creation, and resource identification.
- ASSESSMENT – Perform an evaluation of cybersecurity controls by conducting the following:
  - Technical and administrative control assessment – Direct inspection by Subject Matter Experts of security controls applied within the cloud environment, compared against industry-accepted best practice standards from organizations such as the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).
- FINDINGS – Actions required to formalize the findings, including:
  - Documentation – Documentation of the findings summary and detailed assessment findings.
  - Presentation – Presentation of findings to Client.
Deliverables
DeepSeas will produce the following deliverables:
- SUMMARY FINDINGS – DeepSeas will deliver a report summarizing the findings of the initiative and associated recommendations.
- DETAILED FINDINGS – DeepSeas will deliver a report clearly identifying all gaps for in-scope controls.
- FINDINGS PRESENTATION – DeepSeas will conduct a meeting, onsite or virtual, to review the results of the initiative.
Client Responsibilities
The client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan:
- Provisioning and providing cloud environment accounts with the appropriate levels of privilege and access to enable assessment. Accounts typically require full administrative permissions; read-only accounts often do not have access to all relevant features and settings information.
- Providing feedback on the findings report and presentation material, and scheduling the meeting with internal client resources.
