scope:

The standard applies to all cloud based services and data owned by TfL or operated and supported by third parties for or on behalf of TfL, unless otherwise stated in contracts or covered by business unit specific operational policies or standards.

Any IT or Operational Technology which is built on or hosted using infrastructure, platform or software as a service (see 3.1) offering is defined as being cloud based.

Responsibility for security controls on cloud services is split between the TfL system owner and the service provider, depending on the level of control which has been procured. All contracts with suppliers for cloud services must clearly outline the boundary of responsibilities for security patching and include a security schedule.

Purpose

This standard details the cyber security requirements for all cloud deployment and how they must be implemented in line with TfL's cyber security policies.