ISO/IEC 27018 - BSI

ISO/IEC 27018: Safeguarding Personal Information in the Cloud
Whitepaper

Summary

The protection of private information has never been a higher priority. Many national and international bodies, including the International Organization for Standardization (ISO), the US government and the European Union, are all taking steps to address this issue. One initiative they share in common is the international standard ISO/IEC 27018.

The scale of data breaches¹: 3,046,456 every day; 126,936 every hour; 2,116 every minute; 35 every second.

ISO/IEC 27018 is a code of practice for protecting personally identifiable information in public cloud services. It’s structured as an extension to the widely used and respected ISO/IEC 27002 code of practice for information security controls. So what specifically does ISO/IEC 27018 offer customers of cloud services and why is it important?

Potential exposure of personal data is at the top of the international agenda. The overwhelming number of high-profile security breaches has focused people’s attention on how their individual details need to be protected. If you look at the list of breaches and the number of people affected, you can see the scale of the problem: the US Office of Personnel Management had data on over 21m government employees stolen and the attack on Carphone Warehouse in the UK affected more than 2m of their customers. These represent just the tip of the iceberg of attacks over a three-month period in 2015. In fact, according to Breach Level Index, 707.5 million data records were breached in 2015¹. Yet companies are spending even more on security. According to figures from IDC, global IT security spending is set to reach 101.6 billion by 2020².

While the image of the socially misfit hacker resonates with many people, most attacks from outsiders are carried out by sophisticated criminal gangs or state-sponsored organizations, making it particularly difficult to take action against them. There’s a more insidious risk, that of the insider who, deliberately or unintentionally, leaves a company open to attack.

Internal threats are often more dangerous as they often go unreported or are covered up. According to research from PricewaterhouseCoopers³, 75% of organizations who suffer from security compromises committed by employees do not involve law enforcement nor bring any legal charges. This means that those organizations’ customers are vulnerable, and any companies who hire those individuals in the future would be unaware of their past, opening themselves up for attack.

With identity theft accounting for 64% of data breaches in the first half of 2016¹, it’s little wonder that there’s so much anxiety about how personal data is protected and, in particular, why there is so much fear about the use of cloud computing and entrusting data to Cloud Service Providers (CSPs).

It’s for these reasons that the European Union, for example, has implemented new regulations on Data Protection (the General Data Protection Regulation or GDPR) in an attempt to harmonize the legal situation across the continent. When it comes to Europe, there are a variety of data protection laws, making it especially difficult for cloud service providers to operate. Cloud computing crosses international borders, while the laws governing data security are primarily country specific.

³ …-security-survey-2015.pdf

Part of the issue has also been the way that organizations hold data – there’s a legal separation when it comes to cloud service providers. They hold data on behalf of their customers, yet the customer has the legal responsibility for what happens to that data.

This is where the fears about CSPs are really centred: all CSPs are happy to talk about their security expertise, the amount they spend on data protection and the physical barriers they put in place to prevent breaches, but there’s an underlying anxiety as to whether the CSPs are going to treat personal and confidential data in the same way their customers would.

While the European Union is introducing some coherence into the data protection arena, the US has to contend with a different situation. In the US, there’s no national law regulating how personal data is handled. The different policies of the individual states can cause a degree of confusion. This is exacerbated by various regulatory demands across different industries. All these factors combine to make formulating a coherent data policy rather difficult. In an effort to start to address this deficiency, in August 2015, the National Institute of Standards and Technology advised Federal agencies to “use relevant international standards for cybersecurity, where effective and appropriate, in their mission and policy making activities.”⁴ As agencies for the US government implement these standards, they will demand their contractors and supply chains also conform.

⁴ …tir-8074/nistir 8074 vol1 draft report.pdf

ISO/IEC 27000

From an international perspective, ISO has developed a family of standards for information security which provides a framework for organizations to develop processes and procedures to address information security concerns. The leading standard in this group is ISO/IEC 27001, which is the most widely-recognized standard for protecting sensitive information against unintentional distribution and unauthorized access. With its 114 controls, ISO/IEC 27001 and the closely related ISO/IEC 27002 can mitigate the risks involved with the collection, storage and dissemination of information by:

• Providing the requirements for effective information security management
• Allowing organizations to comply with increased government regulation and tough industry-specific requirements
• Letting organizations grow knowing that all their confidential information will stay confidential

The ISO/IEC 27018 standard

ISO/IEC 27001 only goes so far. To deal with the additional concerns associated with the processing of personal data using cloud computing, ISO created a new standard, ISO/IEC 27018, in the autumn of 2014. CSPs are adopting this standard to help reassure their customers about the security of their data. An extension of ISO/IEC 27001 and ISO/IEC 27002, ISO/IEC 27018 provides guidance to organizations concerned about how their cloud providers are handling personally identifiable information (PII).

It’s a bit of a legal minefield for organizations and one of the reasons that the EU GDPR took so long to agree; however, some definitions needed to be established first. Key among them is PII itself; this is the definition on which all discussions hang. PII has been defined as any information that (a) can be used to identify the PII principal to whom such information relates, or (b) might be directly or indirectly linked to a PII principal.

That, of course, raises another question: what is meant by a PII principal? This is a little trickier as some countries refer to this entity as the data subject. Likewise, there’s some vagueness about the term PII controller, sometimes called a data controller, but the central point is that the PII controller is the person or organization who determines the purposes for which the personal data is collected and processed.

What does ISO/IEC 27018 contain?

There are several objectives within the standard. According to the ISO text, these are:

• To help the public cloud service provider comply with applicable obligations when acting as a PII processor, whether such obligations fall on the PII processor directly or through contract
• To enable the public cloud PII processor to be transparent in relevant matters so that cloud service customers can select well-governed, cloud-based PII processing services
• To assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement
• To provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multi-party, virtualized server (cloud) environment might be impractical technically and might increase risks to those physical and logical network security controls in place

While these are the bare principles, if we look at the ramifications of what these mean and how they can help customers, then we can see that, for the first time, there’s a real framework for handling personal data in public cloud services.

ISO/IEC 27018 takes the extensive set of security controls described in ISO/IEC 27002 as a base and then extends them in two ways. First, existing security controls are extended in a number of areas to deal with dividing responsibilities between the cloud service customer and the cloud service provider. Second, a new set of security controls is added, to reflect the privacy principles defined in the ISO/IEC 29100 privacy framework standard.

Examples of extended security controls include:

• Requirements for the encryption of PII in motion, when stored and also on any removable physical media
• The deletion of PII within a specified period once the data is no longer required
• That PII is processed only for the purposes expressly stated in the cloud service agreement
• To cooperate in dealing with the rights of PII principals in inspecting and correcting their PII, something that is mandated by many regulations

ISO/IEC 27018 ensures that a cloud service provider has appropriate procedures in place for handling PII. It can also assist in drawing up stronger cloud service agreements. The standard sets out how CSPs can train staff about PII, what documentation procedures are required and provides guidelines to follow.

ISO/IEC 27018 aims to provide real transparency for the cloud service customer so that the customer has a clear understanding of what the cloud service provider is doing with respect to the security and protection of personal data.

There are three areas where an organization needs to pay particular attention when implementing the standard:

• Are there existing legal and statutory requirements that an organization must follow, including any industry-specific rules and regulations?
• Does adherence to ISO/IEC 27018 entail additional risks to the organization?
• Will the adoption of the standard require changes to the organization’s corporate policies and business culture?

Conclusion

There is little doubt that the cloud industry is in need of standardization to provide adequate and effective information security. According to a 2015 survey from TRUSTe, 92% of British online users were worried about their privacy⁶. The biggest concern is users not knowing how the personal information collected about them online is used and the possibility of companies sharing personal information. Increasingly, consumers are demanding companies become more transparent about the collection, use and protection of their online data.

ISO/IEC 27018 helps to concentrate the industry’s focus on providing increased security to protect PII. The standard is already being supported by some major cloud providers: Microsoft Azure, IBM Softlayer, Google Apps for Work, Amazon Web Services and Dropbox have all achieved certification to ISO/IEC 27018. Many more CSPs are expected to follow. Organizations will increasingly move information and processing to cloud services to benefit from the greater flexibility of technology as well as the decreased demand on resources, but there will only be a high level of adoption when security, specifically privacy concerns, are addressed.

The European GDPR ensures that a new approach to privacy will be the order of the day. ISO/IEC 27018 helps to provide a set of guidelines for achieving appropriate protection of PII for customers and cloud service providers alike.

ISO/IEC 27018 isn’t a substitute for national and international regulations, and its wide-scale adoption won’t mean that providers would automatically follow legal demands, but it is an important step along the way.

To find out more about BSI’s solutions to help your business with data protection visit: bsigroup.com

Why BSI?

BSI has been at the forefront of information security standards since 1995, having produced the world’s first standard, BS 7799, now ISO/IEC 27001, the world’s most popular information security standard. And we haven’t stopped there, addressing the new emerging issues such as cyber and cloud security. That’s why we’re best placed to help you.

At BSI we create excellence by driving the success of our clients through standards. We help organizations to embed resilience, helping them to grow sustainably, adapt to change, and prosper for the long term. We make excellence a habit.

For over a century our experts have been challenging mediocrity and complacency to help embed excellence into the way people and products work. With 80,000 clients in 182 countries, BSI is an organization whose standards inspire excellence across the globe.

Our products and services

We provide a unique combination of complementary products and services, managed through our three business streams: Knowledge, Assurance and Compliance.

Knowledge
The core of our business centres on the knowledge that we create and impart to our clients. In the standards arena we continue to build our reputation as an expert body, bringing together experts from industry to shape standards at local, regional and international levels. In fact, BSI originally created eight of the world’s top ten management system standards.

Assurance
Independent assessment of the conformity of a process or product to a particular standard ensures that our clients perform to a high level of excellence. We train our clients in world-class implementation and auditing techniques to ensure they maximize the benefits of our standards.

Compliance
To experience real, long-term benefits, our clients need to ensure ongoing compliance to a regulation, market need or standard so that it becomes an embedded habit. We provide a range of services and differentiated management tools which help facilitate this process.

To find out more visit: bsigroup.com

BSI Group BSI/UK/751/SC/1015/EN/BLD
