Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security

Similar documents
Hans Bos Microsoft Nederland.

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Orchestrating the New Paradigm Cloud Assurance

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Information Technology: This Year s Hot Issue - Cloud Computing

Service Organization Control Reports

Cloud Security Trust Cisco to Protect Your Data

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

Whitepaper. Canopy Security. Simplicity, Agility, Transparency. An Atos company. Powered by EMC 2 and VMware

Cloud Computing An Auditor s Perspective

3 rd Party Vendor Risk Management

Protecting Data and Privacy in the Cloud

Third party assurance services

Contracting with a Cloud Service Provider DATA PROTECTION WORKSHOP NJERI OLWENY, MICROSOFT

Goodbye, SAS 70! Hello, SSAE 16!

Securing the Microsoft Cloud

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS

With Eversync s cloud data tiering, the customer can tier data protection as follows:

Licensing Guide for Partners. Leveraging Data Center Providers and Software Services Resellers

Microsoft s Compliance Framework for Online Services

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD

Privacy in the Cloud A Microsoft Perspective

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

White Paper How Noah Mobile uses Microsoft Azure Core Services

Information Security Management System for Microsoft s Cloud Infrastructure

(a) the kind of data and the harm that could result if any of those things should occur;

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

Isaac Willett April 5, 2011

CSA Position Paper on AICPA Service Organization Control Reports

10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Managing data security and privacy risk of third-party vendors

FAQs New Service Organization Standards and Implementation Guidance

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

SOC 3 for Security and Availability

Security Considerations

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

{Moving to the cloud}

Managing Cloud Computing Risk

Securing the Microsoft Cloud

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Microsoft Azure. White Paper Security, Privacy, and Compliance in

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

Contracting for Cloud Computing

Service Organization Control (SOC) Reports

Cloud Computing in a Regulated Environment

Qualification Guideline

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Open Certification Framework. Vision Statement

Securing Oracle E-Business Suite in the Cloud

Assessing Risks in the Cloud

Speakers. Michael R. Overly, Partner, Yusuf Cassim, Senior Corporate Counsel & VP,Charles Schwab & Co., Inc. Foley & Lardner LLP

Cloud Security and Managing Use Risks

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015

Securing the Microsoft Cloud Infrastructure. Reto Häni Chief Security Officer Microsoft Western Europe MEET SWISS INFOSEC!

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

SAS No. 70, Service Organizations

Appendix D-1 to Aproove Saas Contract : Security and solution hosting provider specs.

Transcription:

Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security Presented by Microsoft and Foley Hoag LLP s Privacy and Data Security Practice Group May 14, 2015 Proposal or event name (optional) 2015 Foley Hoag LLP. All Rights Reserved. 1

Speakers Sharon Gillett, Principal Networking Policy Strategist, Microsoft Research Deborah Hurley, Founder and Principal, Hurley, and Fellow, Institute for Quantitative Social Science, Harvard University Colin Zick, Partner, Co-Chair and Co-Founder, Privacy & Data Security Practice, Foley Hoag LLP 2015 Foley Hoag LLP. All Rights Reserved. 2

Overview What are the key data privacy and data protection issues companies should consider before moving to cloud computing technologies? What are the key substantive requirements of ISO 27018 for handling customer data? How does ISO 27018 adoption benefit customers in regulated industries such as healthcare and financial services? How do the ISO 27018 requirements map against existing sectorbased data privacy and security standards (e.g., HIPAA, SOC 2)? What value is provided by third party verification (through accreditation) of ISO 27018 and other data privacy and security practices in cloud computing? 2015 Foley Hoag LLP. All Rights Reserved. 3

What is ISO 27018? On July 30 2014, the International Organization for Standardization (ISO) adopted ISO 27018 as a voluntary international standard. - ISO 27018 governs the processing of personal information by public Cloud Service Providers (CSPs). Even though this standard is voluntary, it is widely expected to become the benchmark for CSPs going forward. As the first and only international privacy standard for the cloud, ISO 27018 incorporates controls for personally identifiable information (PII). ISO 27018 establishes control objectives, controls and guidelines for implementing measures to protect PII. 2015 Foley Hoag LLP. All Rights Reserved. 4

Meet the ISO 27000 Family The ISO 27000 family of standards addresses privacy, confidentiality and technical security issues and have: "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." The standards outline hundreds of potential controls and control mechanisms. ISO 27001: - one of the most widely recognized certifications for a cloud service - defines how to implement, monitor, maintain, and continually improve the information security management system (ISMS). An organization may obtain an ISO 27001 certification on its ISMS, which is typically based on the ISO 27002 Information Security Standards. 2015 Foley Hoag LLP. All Rights Reserved. 5

What are the key data privacy and data protection issues companies should Cover option 2 consider before moving to Subtitle or Company Name cloud computing Month Day, Year technologies? Proposal or event name (optional) 2015 Foley Hoag LLP. All Rights Reserved. 6

What privacy and data protection issues should be considered before moving to the cloud? Are we dealing with PII, or data that we or our customers would consider sensitive even if not formally classified as PII? Does my organization have the resources and know-how to comply on its own? Even if it does, is cloud compliance the highest and best use of my organization s resources? Will a cloud provider follow best practices to ensure the security of our data, both in terms of physical security and information access? Will the data need to cross borders? Many jurisdictions have stronger data protection laws than the U.S. can moving our data to the cloud help us with compliance? How much transparency and control will we get over what the cloud provider does with our data? Will we be able to verify the data protection assurances and contractual commitments we receive from a cloud provider? 2015 Foley Hoag LLP. All Rights Reserved. 7

Is it statutorily protected data of any type? - Financial - Consumer - Health care - Defense IP/Trade Secrets Contractually protected: What kind of data is it? - Are the contractual limitations on where data can go or how it is to be protected? 2015 Foley Hoag LLP. All Rights Reserved. 8

Where is the data? It is easy to wind up with data all around the world. The rules protecting that data are different: - United States - EU - The rest of the world. If dealing with PII or PHI, there may be a need to avoid having data crossing borders. 2015 Foley Hoag LLP. All Rights Reserved. 9

What kind of expertise is necessary? Evaluate your security procedures against your needs. Does my organization have the resources and knowhow to comply on its own? Is compliance the highest and best use of my organization s resources? 2015 Foley Hoag LLP. All Rights Reserved. 10

What type of cloud service categories: are you considering? Public Cloud Customers access cloud services and store documents in large datacenters equipped with hundreds of virtualized servers that house data from multiple organizations. Private Cloud A single organization uses a dedicated cloud infrastructure. Community Cloud A private cloud is shared by a group of organizations with common missions, interests, or concerns. For example, a cloud provider may offer an instance of their services in a cloud dedicated for only government customers. Hybrid Cloud A private cloud is extended to the public cloud to extend an organization s datacenter; or two or more cloud types are linked to enable data and applications to flow between them in a controlled way. 2015 Foley Hoag LLP. All Rights Reserved. 11

What type of cloud infrastructure are you considering? Cloud Service Categories: Software as a Service (SaaS) The cloud provider hosts a single application, or a suite of programs which includes a mix of products. Platform as a Service (PaaS) Users create and run their own software applications while relying on the cloud provider for software development tools as well as the underlying infrastructure and operating system. Infrastructure as a Service (IaaS) Users rent computing power either actual hardware or virtual machines to deploy and run their own operating systems and software applications. 2015 Foley Hoag LLP. All Rights Reserved. 12

What are the key substantive requirements of ISO 27018 for handling customer data? Cover option 2 Subtitle or Company Name Month Day, Year Proposal or event name (optional) 2015 Foley Hoag LLP. All Rights Reserved. 13

Key Elements of ISO 27018 What does it cover? What is the concerns? What are the key elements of ISO 27018? All elements of PII/PHI are covered by ISO 27018 All types of industries fall within the scope of ISO 27018 ISO 27018 applies to any size company 2015 Foley Hoag LLP. All Rights Reserved. 14

Key Elements of ISO 27018 (cont.) What does it cover? What is the concerns? What are the key elements of ISO 27018? Need for clarity and simplicity Extensive time and expense of complying with different standards Lack of uniformity across industries, jurisdictions Worldwide recognition of security standards Standards that hold up against audits, customer inquiries and government reviews 2015 Foley Hoag LLP. All Rights Reserved. 15

Key Elements of ISO 27018 What does it cover? What is the concerns? What are the key elements of ISO 27018? Specifies guidelines for the protection of PII. - These protections are based on ISO 27002, taking into consideration the regulatory requirements that might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. Commonly accepted control objectives, controls and guidelines. - This includes guidelines for implementing measures to protect public cloud computing in accordance with the privacy principles in ISO 29100. Under ISO 27018, compliant CSPs will not use customer data for their own independent purposes (such as advertising and marketing) without the customer s express consent, and not tie the agreement to use the services to the CSP s use of personal data for advertising and marketing. 2015 Foley Hoag LLP. All Rights Reserved. 16

Key Elements of ISO 27018 What does it cover? What is the concerns? What are the key elements of ISO 27018? Establishes clear and transparent parameters for the return, transfer and secure disposal of personal information. Requires CSPs to disclose the identities of any sub-processor they engage to help with data processing before customers enter into a contract. - And if any of the CSP changes subprocessors, the CSP is required to inform customers promptly to give them an opportunity to object or terminate their agreement. 2015 Foley Hoag LLP. All Rights Reserved. 17

How does ISO 27018 adoption benefit customers in regulated industries such as healthcare Cover and option financial 2 Subtitle or Company services? Name Month Day, Year Proposal or event name (optional) 2015 Foley Hoag LLP. All Rights Reserved. 18

Benefits of ISO 27018 Adoption The standard covers a wide range of subjects. It removes needs for negotiations over privacy and security standards. Demonstrated adherence to ISO 27018 allows a CSP to show that its cloud privacy policies and practices are consistent with the industry s best practices. Regulators like it, because they see it as assurance of compliance with their own country s data protection rules. 2015 Foley Hoag LLP. All Rights Reserved. 19

How do the ISO 27018 requirements map against existing sector-based data privacy and security Cover standards option 2 (e.g., HIPAA, Subtitle SSAE/SOC or Company Name 2)? Month Day, Year Proposal or event name (optional) 2015 Foley Hoag LLP. All Rights Reserved. 20

ISO 27018 is applicable to all types and sizes of organizations This includes: public and private companies, government entities, not-for-profit organizations, If they provide information processing services as PII processors via cloud computing under contract to other organizations. 2015 Foley Hoag LLP. All Rights Reserved. 21

ISO v. SSAE SSAE 16 (Statement on Standards for Attestation Engagements No. 16), the successor to SAS 70, and ISAE 3402 (International Standards for Attestation Engagement No. 3402), are audit standards established by the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board of the International Federation of Accountants. SSAE 16 and ISAE 3402 are geared towards service organizations (entities that provide outsourcing services that impact the control environment of their customers, e.g., insurance and medical claims processors, hosted data centers, application service providers and managed security providers). 2015 Foley Hoag LLP. All Rights Reserved. 22

ISO v. SSAE (cont.) SSAE 16 and ISAE 3402 audits are independent verifications of compliance with security controls and effectiveness of security controls. At the conclusion of an SSAE 16/ISAE 3402 service auditor's examination, the service auditor renders an opinion on the following information: 1. Whether or not the service organization's description of controls is presented fairly. 2. Whether or not the service organization's controls are designed effectively. 3. Whether or not the service organization's controls are placed in operation as of a specified date. 4. Whether or not the service organization's controls are operating effectively over a specified period of time. (SSAE 16 (SOC 1) Type II and (SOC2) Type II only). 2015 Foley Hoag LLP. All Rights Reserved. 23

ISO v. SSAE (cont.) SSAE 16 has been predominantly used in the United States to provide a standard for audits of the design and effectiveness of controls. ISO 27001 is an international standard geared towards security practices of an organization. ISO 27001 is common in Europe, Japan and some other Asian countries, but is gaining popularity in the United States. 2015 Foley Hoag LLP. All Rights Reserved. 24

ISO v. SSAE (cont.) ISO 27001 stipulates a set of security controls and certifies against those controls; it is more comprehensive in coverage than SSAE 16. Organizations may be certified as compliant with ISO 27001 by a number of Accredited Registrars worldwide. 2015 Foley Hoag LLP. All Rights Reserved. 25

ISO v. HIPAA ISO 27018 mirrors some of HIPAA while also providing a third-party review mechanism. ISO 27018 focuses on PII, but can serve as a guide for a technology service provider handling PHI. ISO 27018 and HIPAA overlap significantly. It bridges the gap HIPAA leaves for those entities that touch health information, but are not HIPAA covered entities or HIPAA business associates. Technology service providers that have successfully undergone a successful audit for the controls under ISO 27018 demonstrates a commitment to using security and privacy controls that is applicable under HIPAA. However, ISO 27018 does not eliminate the need for HIPAA business associate agreements. See Commentary: Healthcare must embrace new ISO cloud privacy standard, April 27, 2015, Julie Anderson, SafeGov, http://www.govhealthit.com/news/commentaryhealthcare-must-embrace-new-iso-cloud-privacy-standard 2015 Foley Hoag LLP. All Rights Reserved. 26

What value is provided by third party verification (through accreditation) of ISO 27018 and other data privacy Cover and option security 2 practices Subtitle in cloud or Company computing? Name Month Day, Year Proposal or event name (optional) 2015 Foley Hoag LLP. All Rights Reserved. 27

The Value of ISO 27018 Compliance: Look to work with CSPs that are verified as ISO 27018 compliant. Accreditation: In order to be so certified, a CSP must go through a rigorous process, under the auspices of an accredited and independent certification body. Regular Reviews: And to remain compliant, a CSP must subject itself to regular third-party reviews of its adherence to ISO 27018. 2015 Foley Hoag LLP. All Rights Reserved. 28

Next Steps Review your company s existing CSP agreements, to see what they say about compliance with existing cloud standards, including ISO 27018. Cloud users should ask their current CSPs if they are now (or are planning to be) ISO 27018 compliant. Consider amendments to CSP agreements to add ISO 27018 compliance. 2015 Foley Hoag LLP. All Rights Reserved. 29

For follow-up, please contact: Colin J. Zick, Esq. Thank you! Partner and Co-Chair, Privacy and Data Security Practice Group Foley Hoag LLP czick@foleyhoag.com (617) 832-1275 2015 Foley Hoag LLP. All Rights Reserved. 30 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information