Cloud Computing ISO Security and Privacy Standards: 27017, 27018, Mike Edwards (Chair UK Cloud Standards Committee)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Cloud Computing ISO Security and Privacy Standards: 27017, 27018, 27001 Mike Edwards (Chair UK Cloud Standards Committee)"

Transcription

1 Cloud Computing ISO Security and Privacy Standards: 27017, 27018, Mike Edwards (Chair UK Cloud Standards Committee)

2 Mike Edwards Senior Technical Staff Member, IBM Cloud Computing & SOA Standards, UK Chair UK ISO SC38 mirror committee (BSI IST 38)

3 Abstract and Agenda ISO 27001, ISO & ISO This talk describes the ISO Security & Privacy specifications & certifications which apply to cloud services Security & Privacy concerns of cloud service customers Standards and certifications ISO series of security & privacy standards ISO & ISO the foundations for IT security Cloud Computing impact on security & privacy ISO security for cloud services ISO data protection for cloud services (i.e. privacy)

4 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide customer-lead guidance to multiple cloud standards-defining bodies 2011/2012 Deliverables Practical Guide to Cloud Computing Practical Guide to Cloud SLAs Security for Cloud Computing Impact of Cloud Computing on Healthcare Establishing criteria for open standards based cloud computing 500+ Organizations participating 2013/2014 Deliverables Convergence of SoMoClo Analysis of Public Cloud SLAs Cloud Security Standards Migrating Apps to Public Cloud Social Business in the Cloud Big Data in the Cloud PGCC Version 2 Migrating Apps: Performance Rqmnts Cloud Interoperability/Portability 2015 Projects (partial) Update to Security for Cloud Computing whitepaper Update to Practical Guide to Cloud Service Agreements Practical Guide to Privacy for the Public Sector Practical Guide to PaaS

5 Three Takeaways Security & Privacy are key concerns for Cloud Service Customers many demand proof in relation to cloud services Customers & Providers need a public and open way of declaring the Security & Privacy capabilities of cloud services International standards such as ISO 27001, & provide an open, worldwide and customer-accepted approach 5

6 Top concerns about cloud computing Security & Privacy: number one inhibitor to customers adopting cloud services What, if anything, do you perceive as actual or potential barriers to acquiring public cloud services? Security/privacy of company data 69 % Service quality Doubts about true cost savings Performance / Insufficient responsiveness over network Difficulty integrating with in-house IT Percent rating the factor as a significant barrier (4 or 5) Respondents could select multiple items 47 % 54 % 53 % 52 % Source: IBM Market Insights, Cloud Computing Research, July n=1,090 Source: Oliver Wyman Interviews

7 Security matters

8 Standards making organizations International Regional / national Fora & consortia

9 Other Open technology organizations Customer / User organizations CSCC, ODCA (cloud computing) CSA (cloud computing security) Certification organizations e.g. ISACA Code first specifications HTML5 Open source projects e.g. OpenStack, Cloud Foundry, Docker Open source implementations pressure for availability before ratification of a standard

10 Types of Standards High level Governance & Management Architectures ISO SOA Reference Architecture ISO Cloud Computing Reference Architecture ISO Data Protection for Cloud Services ISO Information Security Controls for Cloud Services ISO Privacy Architecture Framework PCI-DSS Controls for Card Data ISO ID Management Architecture 10 Technology specific GB/T Security capability req of cloud services China GB-T Security guide of cloud computing services GB/T Security Requirements for DBMS RSA AES Kerberos ID and Access Management Triple-DES X.509 Encryption Certificates SHA Hashing Security Assertions ISO Cloud SLAs ISO Biometric Interchange Formats KMIP Key Management

11 Standards: Certification Certification: providing assurance of an organization ( we are following the process correctly ) of an individual ( I understand and I can implement ) Established through Audit or Examination May be directly associated with standard ISO certification May be defined separately from standards CSA Star; ISACA CISM

12 Why use International Standards? Applicable anywhere in the world implement once generally accepted valid according to WTO rules avoid balkanization caused by varying national & regional requirements Well accepted by customers ISO one of the best known plenty of skills & knowledge available well developed ecosystem of auditors & certification authorities 12

13 ISO Cloud Computing standards 17788: Cloud computing Overview and Vocabulary* 17789: Cloud computing Reference Architecture* 19086: Cloud computing SLAs 19941: Cloud computing Interoperability & Portability 19944: Cloud computing Data Flow across devices & cloud services 27001: Information security management systems Requirements 27002: Code of practice for information security controls 27017: Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002* 27018: Code of practice for data protection controls for public cloud computing services 27036: Information security for supplier relationships 29101: Privacy architecture framework * = Joint standard with ITUT Black = Complete, published Red = In preparation, draft

14 Only available as a priced publication

15 ISO specification Code of practice for information security controls Based on ISO requirements for information security management systems control sets for: Security Policy Organization of Information Security Asset Management Human Resources Physical & Environmental Supplier Relationship Management Communications & Operations Management of Application Services Access Control System Acquisition, Development & Maintenance Security Incident Management Business Continuity Management Compliance

16 ISO specification (cont) Code of practice for information security controls Sample controls: All information security responsibilities should be defined and allocated Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization s assets Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities Agreements with suppliers should include requirements to address the information security risks associated with Information and Communications Technology services and product supply chain The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance

17 ISO specification (cont) Code of practice for information security controls Sample controls (cont): Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay A formal user registration and de-registration procedure should be implemented for granting and revoking access for all user types to all systems and services The implementation of changes should be controlled by the use of formal change control procedures Information security incidents should be responded to in accordance with the documented procedures Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual, and business requirements

18 Softlayer Certification 18

19 Security Components Cloud Computing: Impact on Security & Privacy End Users DevOps In-house Applications & Systems Functional interfaces Admin interfaces Cloud Service App code App environment Administrators Business Managers In-house data Business interfaces Derived data Customer data Cloud service customer Cloud service provider Split of Security Responsibilities

20 ISO specification Information security controls for the use of cloud computing services Based on ISO security control specification added information for Cloud Service Customers & Cloud Service Providers extended control sets for cloud computing: extra management control & coordination due to security responsibility split control of risks due to shared facilities when using cloud computing impact on end users of customer organization if they use cloud computing services acceptance testing for provided services & for upgrades / new versions handling of mobile code authentication methods for cloud service use application level controls including input/output data validation, message integrity audit requirement higher impact extended controls audit logs required, with specified data non-disclosure of communications monitoring use of cloud services protection of audit tools

21 Privacy & Data Protection: Roles Data Subject Data Controller Data Processor Person Identified by Personal Data Cloud Service Customer Cloud Service Provider Regulatory focus 21

22 ISO specification Code of practice for data protection controls for public cloud computing services Data protection of PII to meet regulatory requirements e.g. European data protection regulations Based on ISO additional controls for handling of PII separation of test environment no PII in test environment authorization & tracking of removable media containing PII where logs contain PII data, special control of logs required procedures to address corruption / compromise of passwords continuity of data processing within specified documented period confidentiality obligation for people with access to PII disclosure of PII must be logged ensure erasure of temporary files within specified period Each individual with access to PII must have unique ID Record of authorized users required

23 ISO specification Code of practice for data protection controls for public cloud computing services Higher impact additional controls for handling of PII PII only processed in accordance with instructions of PII controller (per contract) monitoring event log with specific details in event log where PII changed recording of security breaches intended destination of target (organization/individual) for transmitted PII PII transmitted over public networks must be encrypted Documented policy about geographical area for PII storage

24 Customers will only use services that they trust 24

25 Questions? 25

26 Read the CSCC whitepapers free downloads Practical Guide to Cloud Service Agreements, V2 Public Cloud Service Agreements: What to Expect & What to Negotiate Practical Guide to Cloud Computing, V2 Security for Cloud Computing: 10 Steps to Ensure Success, V2 Cloud Security Standards: What to Expect & What to Negotiate Interoperability and Portability for Cloud Computing: A Guide Migrating Applications to Public Cloud Services: Roadmap for Success Web Application Hosting Cloud Solution Architecture Convergence of Social, Mobile & Cloud: 7 Steps to Ensure Success Impact of Cloud Computing on Healthcare

27 Call to Action Join the CSCC Now! To have an impact on customer use case based standards requirements To learn about all Cloud Standards within one organization To help define the CSCC s future roadmap Membership is free & easy: Get Involved! Join one or more of the CSCC Working Groups

28 Useful links ISO ITU-T OASIS https://www.oasis-open.org/ https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=id-cloud https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip IETF (OAuth 2.0) DMTF (CADF) BSI

29 More useful links CSCC ODCA CSA https://cloudsecurityalliance.org/ ISACA https://www.isaca.org/pages/default.aspx PCI https://www.pcisecuritystandards.org/security_standards/ (PCI-DSS) Cloud Foundry Docker https://www.docker.com/

Interoperability & Portability for Cloud Computing: A Guide. http://www.cloud-council.org/cscc-cloud-interoperability-and-portability.

Interoperability & Portability for Cloud Computing: A Guide. http://www.cloud-council.org/cscc-cloud-interoperability-and-portability. Interoperability & Portability for Computing: A Guide http://www.cloud-council.org/cscc--interoperability-and-portability.pdf December, 2014 The Standards Customer Council THE Customer s Voice for Standards!

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Cloud Security Standards. Aziza Al Rashdi Director, Cyber Security Professional Services Oman National CERT Information Technology Authority

Cloud Security Standards. Aziza Al Rashdi Director, Cyber Security Professional Services Oman National CERT Information Technology Authority Cloud Security Standards Aziza Al Rashdi Director, Cyber Security Professional Services Oman National CERT Information Technology Authority Introduction Sign Off December 2012 Information Technology Authority

More information

Practical Guide to Platform as a Service. http://cloud-council.org/resource-hub.htm#practical-guide-to-paas

Practical Guide to Platform as a Service. http://cloud-council.org/resource-hub.htm#practical-guide-to-paas Practical Guide to Platform as a Service http://cloud-council.org/resource-hub.htm#practical-guide-to-paas October, 2015 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide

More information

Web Application Hosting Cloud Solution Architecture. http://www.cloud-council.org/web-app-hosting-wp/index.htm

Web Application Hosting Cloud Solution Architecture. http://www.cloud-council.org/web-app-hosting-wp/index.htm Web Application Hosting Cloud Solution Architecture http://www.cloud-council.org/web-app-hosting-wp/index.htm February, 2015 Presenters Heather Kreger CTO International Standards, IBM US kreger@us.ibm.com

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Practical Overview on responsibilities of Data Protection Officers. Security measures

Practical Overview on responsibilities of Data Protection Officers. Security measures Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures

More information

IT Audit in the Cloud

IT Audit in the Cloud IT Audit in the Cloud Pavlina Ivanova, CISM ISACA-Sofia Chapter Content: o 1. Introduction o 2. Cloud Computing o 3. IT Audit in the Cloud o 4. Residual Risks o Used Resources o Questions 1. ISACA Trust

More information

Working Group on. First Working Group Meeting 29.5.2012

Working Group on. First Working Group Meeting 29.5.2012 Working Group on Cloud Security and Privacy (WGCSP) First Working Group Meeting 29.5.2012 1 Review of fexisting i Standards d and Best Practices on Cloud Security Security Standards and Status List of

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Cloud Security Alliance and Standards. Jim Reavis Executive Director March 2012

Cloud Security Alliance and Standards. Jim Reavis Executive Director March 2012 Cloud Security Alliance and Standards Jim Reavis Executive Director March 2012 About the CSA Global, not for profit, 501(c)6 organization Over 32,000 individual members, 120 corporate members, 60 chapters

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

Cloud up to business processes

Cloud up to business processes Chris Francis IBM Technical Relations and Regulatory Affairs Cloud up to business processes Chris Francis Existing state of play Conventional solutions Software as a Service Platform as a Service Infrastructure

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Public Cloud Service Agreements: What to Expect & What to Negotiate. April 2013

Public Cloud Service Agreements: What to Expect & What to Negotiate. April 2013 Public Cloud Service Agreements: What to Expect & What to Negotiate April 2013 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide customer-led guidance to the multiple

More information

Global Efforts to Secure Cloud Computing

Global Efforts to Secure Cloud Computing April 2012 Global Efforts to Secure Cloud Computing Jim Reavis Executive Director Cloud: ushering in IT Spring Technology consumerization and its offspring Cloud: Compute as a utility Smart Mobility: Compute

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Customer Cloud Architecture for Mobile. http://cloud-council.org/resource-hub.htm#customer-cloud-architecture-for-mobile

Customer Cloud Architecture for Mobile. http://cloud-council.org/resource-hub.htm#customer-cloud-architecture-for-mobile Customer Cloud Architecture for Mobile http://cloud-council.org/resource-hub.htm#customer-cloud-architecture-for-mobile June, 2015 1 Presenters Heather Kreger CTO International Standards, IBM US SC38 mirror

More information

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data Global Alliance for Genomics and Health SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data VERSION 1.1 March 12,

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version November 3, 2015 1. Scope and order of precedence This agreement (the Data Processing Agreement ) applies to Oracle s Processing of Personal

More information

ISO 27002:2013 Version Change Summary

ISO 27002:2013 Version Change Summary Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects Cloud Computing An insight in the Governance & Security aspects AGENDA Introduction Security Governance Risks Compliance Recommendations References 1 Cloud Computing Peter Hinssen, The New Normal, 2010

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter Cloud Security considerations for business adoption Ricci IEONG CSA-HK&M Chapter What is Cloud Computing? Slide 2 What is Cloud Computing? My Cloud @ Internet Pogoplug What is Cloud Computing? Compute

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Customer Cloud Architecture for Big Data Analytics. http://cloud-council.org/resource-hub.htm#customer-cloud-architecture-for-big-data-analytics

Customer Cloud Architecture for Big Data Analytics. http://cloud-council.org/resource-hub.htm#customer-cloud-architecture-for-big-data-analytics Customer Cloud Architecture for Big Data Analytics http://cloud-council.org/resource-hub.htm#customer-cloud-architecture-for-big-data-analytics July, 2015 1 Presenters Technical Architect, IBM Business

More information

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 2 Certification... 3 2.1 Certification frequency... 3 2.1.1 Initial certification...

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Standards for Big Data in the Cloud

Standards for Big Data in the Cloud Standards for Big Data in the Cloud James Kobielus Chair, CSCC Big Data Working Group Big Data Evangelist, Senior Program Director, Product Marketing, Big Data Analytics, IBM jgkobiel@us.ibm.com 15 October

More information

About the Presenter About the Cloud Security Alliance Guidance 1.0 Getting Involved Call to Action

About the Presenter About the Cloud Security Alliance Guidance 1.0 Getting Involved Call to Action Governance, Risk Management, Compliance, & Audit An Overview of Cloud Security Alliance s Security Guidance for Critical Areas of Focus in Cloud Computing July 23, 2009 Agenda About the Presenter About

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49. Safeguards Frameworks and Controls Theory of Secure Information Systems Features: Safeguards and Controls Richard Baskerville T 1 F 1 O 1 T 2 F 2 O 2 T 3 F 3 O 3 T 4... T n...... F l O m T F O Security

More information

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA

More information

Security for Cloud Computing 10 Steps to Ensure Success

Security for Cloud Computing 10 Steps to Ensure Success Security for Cloud Computing 10 Steps to Ensure Success August, 2012 Contents Acknowledgements....4 Workgroup Leaders....4 Key Contributors...4 Reviewers....4 Introduction...5 Cloud Security Landscape...5

More information

Information Security Policy. Chapter 13. Information Systems Acquisition Development and Maintenance Policy

Information Security Policy. Chapter 13. Information Systems Acquisition Development and Maintenance Policy Information Security Policy Chapter 13 Information Systems Acquisition Development and Maintenance Policy Author: Policy & Strategy Team Version: 0.3 Date: June 2008 Document Control Information Document

More information

Ensuring Cloud Security Using Cloud Control Matrix

Ensuring Cloud Security Using Cloud Control Matrix International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring

More information

Why Cloud Standards Matter

Why Cloud Standards Matter Storm in the Cloud - the OASIS weather report Why Cloud Standards Matter You Fang, Huawei, OASIS Board of Directors 1 5000 多 名 专 家 参 与, 来 自 600 家 公 司, 政 府 和 个 人 OASIS Open is a global standards organization

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Cloud Security: The Grand Challenge

Cloud Security: The Grand Challenge Dr. Paul Ashley IBM Software Group pashley@au1.ibm.com Cloud Security: The Grand Challenge Outline Cloud computing: the pros, the cons, the blind spots Security in the cloud - what are the risks now and

More information

Latest in Cloud Computing Standards. Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA CTO Security & Privacy Hitachi Data systems

Latest in Cloud Computing Standards. Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA CTO Security & Privacy Hitachi Data systems Latest in Cloud Computing Standards Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA CTO Security & Privacy Hitachi Data systems 1 Short Introduction CTO Security & Privacy, Hitachi Data Systems Involved

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Attacking the roadblocks preventing aggressive adoption of Cloud Standards:

Attacking the roadblocks preventing aggressive adoption of Cloud Standards: Attacking the roadblocks preventing aggressive adoption of Cloud Standards: How SNIA and other standards orgs are developing standards that benefit high priority use cases. John Eastman, CTO, Presented

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

Adopting Cloud Computing with a RISK Mitigation Strategy

Adopting Cloud Computing with a RISK Mitigation Strategy Adopting Cloud Computing with a RISK Mitigation Strategy TS Yu, OGCIO 21 March 2013 1. Introduction 2. Security Challenges Agenda 3. Risk Mitigation Strategy Before start using When using 4. Policy & Guidelines

More information

The role of standards in driving cloud computing adoption

The role of standards in driving cloud computing adoption The role of standards in driving cloud computing adoption The emerging era of cloud computing The world of computing is undergoing a radical shift, from a product focus to a service orientation, as companies

More information

Memeo C1 Secure File Transfer and Compliance

Memeo C1 Secure File Transfer and Compliance Overview and analysis of Memeo C1 and SSAE16 & SOX Compliance Requirements Memeo C1 Secure File Transfer and Compliance Comply360, Inc Contents Executive Summary... 2 Overview... 2 Scope of Evaluation...

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Information Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza

Information Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza Information Security Management System (ISMS) Overview Arhnel Klyde S. Terroza May 12, 2015 1 Arhnel Klyde S. Terroza CPA, CISA, CISM, CRISC, ISO 27001 Provisional Auditor Internal Auditor at Clarien Bank

More information

Cloud Standardization, Compliance and Certification. Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak

Cloud Standardization, Compliance and Certification. Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak Cloud Standardization, Compliance and Certification Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak Todays Agenda IT Resourcing with Cloud Computing and related challenges Landscape

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

New Risks in the New World of Emerging Technologies

New Risks in the New World of Emerging Technologies New Risks in the New World of Emerging Technologies Victor Chu Client Technical Professional Identity, Security, and Compliance Management Software Group IBM Malaysia Risk it s NOT a four simple letter

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from

More information

Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Standardising privacy and security for the cloud

Standardising privacy and security for the cloud Standardising privacy and security for the cloud Chris Mitchell Royal Holloway, University of London www.chrismitchell.net 1 Acknowledgements Like to thank organisers of event for inviting me to contribute.

More information

Wellesley College Written Information Security Program

Wellesley College Written Information Security Program Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as

More information

Security and Cloud Computing

Security and Cloud Computing Security and Cloud Computing Martin Borrett, Lead Security Architect NE Europe, WW Service Management Tiger Team IBM Software Optimising the World s Infrastructure 27th May - London Agenda Brief Introduction

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

Auditing Cloud Computing and Outsourced Operations

Auditing Cloud Computing and Outsourced Operations Session 136 Auditing Cloud Computing and Outsourced Operations Monday, May 7, 2012 3:30 PM 5:00 PM Mike Schiller Director of Sales & Marketing IT, Texas Instruments Co Author, IT Auditing: Using Controls

More information

Cyber-Ark Software and the PCI Data Security Standard

Cyber-Ark Software and the PCI Data Security Standard Cyber-Ark Software and the PCI Data Security Standard INTER-BUSINESS VAULT (IBV) The PCI DSS Cyber-Ark s View The Payment Card Industry Data Security Standard (PCI DSS) defines security measures to protect

More information

Cloud Security Alliance: Industry Efforts to Secure Cloud Computing

Cloud Security Alliance: Industry Efforts to Secure Cloud Computing Cloud Security Alliance: Industry Efforts to Secure Cloud Computing Jim Reavis, Executive Director September, 2010 Cloud: Dawn of a New Age Art Coviello - the most overhyped, underestimated phenomenon

More information

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Introduction... 3 1.1 Spillemyndigheden s certification programme... 3 1.2 Objectives of the... 3 1.3 Scope of this document... 4 1.4 Definitions...

More information

Maintaining Herd Communication - Standards Used In IT And Cyber Security. Laura Kuiper

Maintaining Herd Communication - Standards Used In IT And Cyber Security. Laura Kuiper Maintaining Herd Communication - Standards Used In IT And Cyber Security Laura Kuiper So what is Cyber Security? According to ITU-T X.1205 Cybersecurity is the collection of tools, policies, security concepts,

More information

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union Privacy Level Agreement Working Group Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union February 2013 The PLA Outline has been developed within CSA by an expert working

More information

Securely Outsourcing to the Cloud: Five Key Questions to Ask

Securely Outsourcing to the Cloud: Five Key Questions to Ask WHITE PAPER JULY 2014 Securely Outsourcing to the Cloud: Five Key Questions to Ask Russell Miller Tyson Whitten CA Technologies, Security Management 2 WHITE PAPER: SECURELY OUTSOURCING TO THE CLOUD: FIVE

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015 Identity & Management The Cloud Perspective Andrea Themistou 08 October 2015 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

Welcome & Introductions

Welcome & Introductions Addressing Data Privacy and Security Compliance in Cloud Computing Benjamin Hayes, Director of Legal Services, Data Privacy Compliance North America Accenture Copyright 2011 Accenture All Rights Reserved.

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Assessing, Evaluating and Managing Cloud Computing Security

Assessing, Evaluating and Managing Cloud Computing Security Assessing, Evaluating and Managing Cloud Computing Security S.SENTHIL KUMAR 1, R.KANAKARAJ 2 1,2 ASSISTANT PROESSOR, DEPARTMENT OF COMMERCE WITH COMPUTER APPLICATIONS Dr.SNS RAJALAKSHMI COLLEGE OF ARTS

More information

Anatomy of a Cloud Computing Data Breach

Anatomy of a Cloud Computing Data Breach Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

Using AWS in the context of Australian Privacy Considerations October 2015

Using AWS in the context of Australian Privacy Considerations October 2015 Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

CLOUD SECURITY: THE GRAND CHALLENGE

CLOUD SECURITY: THE GRAND CHALLENGE Government Ware: GovWare Singapore September 29, 2010 CLOUD SECURITY: THE GRAND CHALLENGE Glen Gooding Asia Pacific Security Leader IBM Corporation ggooding@au1.ibm.com Rest safe: Google saves the day

More information

NIST Cloud Computing Reference Architecture

NIST Cloud Computing Reference Architecture NIST Cloud Computing Reference Architecture Version 1 March 30, 2011 2 Acknowledgements This reference architecture was developed and prepared by Dr. Fang Liu, Jin Tong, Dr. Jian Mao, Knowcean Consulting

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

ISO/IEC 27018 Safeguarding Personal Information in the Cloud. Whitepaper

ISO/IEC 27018 Safeguarding Personal Information in the Cloud. Whitepaper ISO/IEC 27018 Safeguarding Personal Information in the Cloud Whitepaper Summary The protection of private information has never been a higher priority. Many national and international bodies, including

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Cloud Services and Business Process Outsourcing

Cloud Services and Business Process Outsourcing Cloud Services and Business Process Outsourcing What security concerns surround Cloud Services and Outsourcing? Prepared for the Western NY ISACA Conference April 28 2015 Presenter Kevin Wilkins, CISSP

More information

ISSeG Integrated Site Security for Grids

ISSeG Integrated Site Security for Grids Project No: 06745 ISSeG Integrated Site Security for Grids Specific Support Action Information Society and Media METHODOLOGY FOR SECURITY AUDITING OF NEW SITES EU DELIVERABLE: D3. Document identifier:

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information