
Network/Cloud

What we mean by “network/cloud” and how to satisfy the related evidence

Written by Cayla Marshall
Updated over 2 years ago

What networks or cloud environments should I include evidence for?

If your company hosts an application or SaaS tool, you should generally focus on your production environment when designing controls and collecting evidence. If your production environment is entirely cloud hosted, then we will treat your “network” as the production cloud environment. Usually, there is no need to include a corporate office environment if your production environment is cloud hosted, but if you feel that your organization may be an exception feel free to contact your CSM with any questions.

If your company does not host a specific platform or application for customers, deciding which networks or cloud environments to include is a little trickier. You should still focus on the infrastructure that directly supports the service you offer. A useful test is whether a given network or cloud environment hosts or transmits customer information or PII on behalf of customers. If you are a services company that does not host a specific platform or application, it is more likely that your corporate or office network belongs in scope.

If you're unsure about which network or cloud environment to provide evidence for, you can always ask your CSM!

What should my network/cloud evidence items look like?

Within your evidence repository, there are a few evidence items related to your network or cloud environment. Below are some examples of what your auditor may be looking for:

Administrator Access to Network/Cloud

  • What your auditor is looking for: A screenshot or a system-generated list of the administrative users of in-scope networks or cloud environments. If you’re using AWS, this could be an export of IAM users and roles together with the policies attached to them. The screenshot or list must include a date/time stamp or other indication of when it was taken.

  • Related Control(s): Administrator Access

Network/Cloud User List

  • What your auditor is looking for: A system generated list (or series of screenshots) of all users with access to the production network or cloud environment. The screenshot or list must include a date/time stamp or other indication of when the screenshot was taken.

  • Related Control(s): Role Based Access, User Access Review, Termination of Access, and Onboarding
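The two evidence items above (administrator list and full user list) can be produced from one export. The script below is an added example written for this article, not tooling from the Help Center or from AWS: it assumes the JSON structure written by `aws iam get-account-authorization-details --output json` (keys such as `UserDetailList`, `GroupDetailList`, `Policies`, `AttachedManagedPolicies`, with policy documents already decoded to JSON as the CLI emits them), flags a user as an administrator if the `AdministratorAccess` managed policy, a managed policy whose default version allows `*` on `*`, an equivalent inline policy, or membership in a group carrying any of those applies, and stamps the result with the generation time. The embedded `SAMPLE` export is constructed for illustration; IAM roles (`RoleDetailList`) are not covered.

```python
"""Build timestamped user and administrator lists from an IAM authorization-details export.

Added example for this article (hypothetical helper, not Help Center or AWS code).
Assumes the JSON shape of `aws iam get-account-authorization-details --output json`.
"""
import json
import sys
from datetime import datetime, timezone

ADMIN_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM allows scalars or lists for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_is_admin(stmt):
    """True when a statement allows every action on every resource (Action "*", Resource "*").
    NotAction / NotResource forms are deliberately not expanded here."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return "*" in actions and "*" in resources


def document_is_admin(doc):
    return any(statement_is_admin(s) for s in _as_list(doc.get("Statement", [])))


def admin_policy_arns(details):
    """ARNs of managed policies whose default version grants full access, plus AdministratorAccess."""
    arns = {ADMIN_MANAGED_POLICY_ARN}
    for pol in details.get("Policies", []):
        for ver in pol.get("PolicyVersionList", []):
            if ver.get("IsDefaultVersion") and document_is_admin(ver.get("Document", {})):
                arns.add(pol["Arn"])
    return arns


def admin_groups(details, admin_arns):
    """Names of groups that carry an admin managed policy or an admin inline policy."""
    groups = set()
    for g in details.get("GroupDetailList", []):
        attached = any(p["PolicyArn"] in admin_arns for p in g.get("AttachedManagedPolicies", []))
        inline = any(document_is_admin(p["PolicyDocument"]) for p in g.get("GroupPolicyList", []))
        if attached or inline:
            groups.add(g["GroupName"])
    return groups


def classify_users(details):
    """Return one record per IAM user with the reasons (if any) it counts as an administrator."""
    admin_arns = admin_policy_arns(details)
    groups = admin_groups(details, admin_arns)
    users = []
    for u in details.get("UserDetailList", []):
        via = []
        for p in u.get("AttachedManagedPolicies", []):
            if p["PolicyArn"] in admin_arns:
                via.append(f"attached:{p['PolicyName']}")
        for p in u.get("UserPolicyList", []):
            if document_is_admin(p["PolicyDocument"]):
                via.append(f"inline:{p['PolicyName']}")
        for g in u.get("GroupList", []):
            if g in groups:
                via.append(f"group:{g}")
        users.append({"UserName": u["UserName"], "Arn": u["Arn"], "AdminVia": via})
    return users


def evidence_report(details, generated_at=None):
    """Both evidence items in one dict: every user, the administrators, and when it was produced."""
    generated_at = generated_at or datetime.now(timezone.utc)
    users = classify_users(details)
    return {
        "generated_at": generated_at.isoformat(timespec="seconds"),
        "all_users": sorted(u["UserName"] for u in users),
        "administrators": {u["UserName"]: u["AdminVia"] for u in users if u["AdminVia"]},
    }


# Constructed sample export (not real account data): alice has AdministratorAccess attached,
# bob is admin through the ops-admins group, dave through a customer-managed full-access policy,
# carol is read-only and eve's inline policy is limited to S3.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SAMPLE = {
    "UserDetailList": [
        {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice", "GroupList": [], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_MANAGED_POLICY_ARN}]},
        {"UserName": "bob", "Arn": "arn:aws:iam::123456789012:user/bob", "GroupList": ["ops-admins"],
         "UserPolicyList": [], "AttachedManagedPolicies": []},
        {"UserName": "carol", "Arn": "arn:aws:iam::123456789012:user/carol", "GroupList": [], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
        {"UserName": "dave", "Arn": "arn:aws:iam::123456789012:user/dave", "GroupList": [], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "LegacyAdmin", "PolicyArn": "arn:aws:iam::123456789012:policy/LegacyAdmin"}]},
        {"UserName": "eve", "Arn": "arn:aws:iam::123456789012:user/eve", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "s3-only", "PolicyDocument": S3_ONLY}]},
    ],
    "GroupDetailList": [
        {"GroupName": "ops-admins", "AttachedManagedPolicies": [],
         "GroupPolicyList": [{"PolicyName": "all", "PolicyDocument": FULL_ACCESS}]},
    ],
    "Policies": [
        {"PolicyName": "LegacyAdmin", "Arn": "arn:aws:iam::123456789012:policy/LegacyAdmin",
         "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": True, "Document": FULL_ACCESS}]},
    ],
}

if __name__ == "__main__":
    # Pass the path of a real export as the first argument; otherwise the constructed sample is used.
    details = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(evidence_report(details), indent=2))
```

Run it against a real export with `aws iam get-account-authorization-details --output json > iam.json && python iam_evidence.py iam.json` and keep the printed JSON (its `generated_at` field supplies the timestamp the auditor asks for) alongside the raw export. Users who are administrators only through a role they can assume are not detected by this check and need to be reviewed separately.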

Password Settings - Network/Cloud

  • What your auditor is looking for: A screenshot of the password settings at the network or cloud layer (for AWS, the IAM account password policy). The screenshot must include a date/time stamp or other indication of when it was taken. The configured values should match the password requirements stated in your relevant security policies.

  • Related Control(s): Password Requirements, Workstation Lockout, Vendor Default Checklist

For more information on where to find evidence depending on your cloud provider, check out the “Where To Find Evidence” collection in our Help Center!
