Could the Outsourcing of Incident Response Management provide a Blueprint for Managing Other Cloud Security Requirements?

Bob Duncan¹, Mark Whittington², Martin Gilje Jaatun³, and Alfredo Ramiro Reyes Zúñiga⁴

¹ Computing Science, University of Aberdeen, UK
² Business School, University of Aberdeen, UK
³ Department of Software Engineering, Safety and Security, SINTEF ICT, Trondheim, Norway
⁴ Department of Telematics, NTNU, Trondheim, Norway

Abstract. In this chapter, we consider whether the outsourcing of incident management is a viable technological approach that may be transferable to other cloud security management requirements. We review a viable approach to outsourcing incident response management and consider whether this can be applied to other cloud security approaches, starting with the concept of using proper measurement for a cloud security assurance model. We demonstrate how this approach can be applied, not only to the approach under review, but how it may be applied to address other cloud security requirements.

Keywords: Cloud; Requirements; Measurement; Assurance; Outsourcing; Incident Response; Security

1 Introduction

The cloud has been referred to as “outsourcing on steroids” (Jaatun et al., 2011), and in the following we review a proposed approach to outsourcing incident response management (Reyes and Jaatun, 2015), and consider whether this approach might be transferable to other cloud security requirements, starting in this case with a particular approach to cloud security addressing the importance of proper measurement for a cloud security assurance model (Duncan and Whittington, 2015e). Reyes and Jaatun (2015) indicate that outsourcing of incident management is a viable security approach for many organizations, but that transitioning between providers frequently is a challenge.
Duncan and Whittington (2015e) suggest that defining proper measures for evaluating the effectiveness of an assurance model, which they have developed to ensure cloud security, is vital to ensure the successful implementation and continued running of the model. The authors recognise that responsibility must lie with the board. However, in this work, we consider the viability of outsourcing these requirements to deliver an independent assurance of delivered security.