The Impact Of EU Cyber- Security Act On Cloud

2y ago
6.52 MB
21 Pages
Last View : 2m ago
Last Download : 1y ago
Upload by : Elise Ammons

The impact of EU CyberSecurity Act on CloudDaniele Catteddu, CSA Chief Technology Officer

200990,000 75 INDIVIDUALMEMBERSCHAPTERS300 30 CORPORATEMEMBERSACTIVE WORKINGGROUPSCSA FOUNDEDOUR CommunitySEATTLE/Bellingham, WA //US HEADQUARTERSEDINBURGH //UK HEADQUARTERSStrategic partnerships withgovernments, research institutions,professional associations and industryActive role in the standardizationcommunity: Liaison with ISO SC 27and SC38CSA research is FREE!SINGAPORE //ASIA PACIFICHEADQUARTERS

CSA’s activities in Cloud Assurance andCertification

BackgroundThe EU Cybersecurity Act (EUCA) sets the ground to establish an EUframework for cybersecurity certification of ICT product and servicesOne of the objectives of the EUCA is to increase the level of trust in ICTservices and products by introducing an EU-wide security certificationproviding for common cybersecurity requirements and evaluationcriteria across national markets and sectors.ENISA will play a key role. It has been tasked with developing andmaintaining a cybersecurity certification framework, building onexisting best practices, with a view to increasing the transparency ofthe cybersecurity assurance of ICT products, ICT services and ICT

Certification Scheme: the Process

Proliferation of Schemes

Lack of Clarity

Uneven Landscape

Levels of Assurance – Art. 52 Basic: “a level which aims tominimise the known basicrisks for cyber incidents andcyber attacks.” Substantial: “a level whichaims to minimise knowncyber risks, cyber incidentsand cyber attacks carried outby actors with limited skillsand resources.” High: “level which aims tominimise the risk of state-ofthe-art cyber attacks carriedout by actors with significantskills and resources”BasicSubstantialHigh

CSPCERT WGThe Cloud Service Provider Certifications Workinggroup (CSPCERT WG) was created on December 12th2017 to provide expert recommendations to theEuropean Commission for a scheme on cybersecuritycertification of cloud services.The objective of the CSPCERT WG is to explore thepossibility of developing a European CloudCertification Scheme in the context of theCybersecurity Act and come up with arecommendation that will be presented to theEuropean Commission and ENISA.

Assurance Dimensions

Recommendations: Assurance LevelsThe assurance level shall be commensurate with the level of the riskassociated with the intended use of the cloud service.ENISA should provide a clear guidance on: tailored description of what the basic/substantial/high assurance levelindicate, and examples of which level of assurance should be associated to whichservices.

Recommendations: Evaluation CriteriaThe evaluation criteria (AKA security controls/requirements) should bebased on a taxonomy so to allow the mapping between existinginternational standards and certifications (SecNumCloud, C5, ISO 27017,ISO 27018, CSA CCM, and NIST 800-53).ENISA should create EU taxonomy so as to remain flexible for futureupdates, modifications or additions to new or existing internationalstandards and certifications.

Recommendations: Evaluation CriteriaA baseline certification that could optionally be enhanced with furtherregulatory requirements coming from regulators, supervisors or theindustry such as: GDPR certifications, Outsourcing requirements from the EBA, e-evidence, eIDAS, e-privacy ETC

Recommendations: Conformity AssessmentThe CSPCERT WG proposes 3 suitable conformity assessment approaches: Evidence Based Conformity Assessment ISO-based ISAE-based (assurance-based)The objective is to: reduce the level of auditor bias ensure that the level of trust provided by conformity assessment bodiesand individual auditors is within acceptable ranges everywhere.

Recommendations:Assessment For Assurance levels High andConformitySubstantial an annualaudit is a min.requirement. For High level it is recommended to adopt a continuous auditing approach soto increase the frequency of the evaluations and ensures a level of assurancethat goes beyond “point in time” or “over-a-period-of-time”. Audit must measure operational effectiveness, and not merely controlexistence. ENISA should clarify what would trigger a new out-of-cycle review.

Conclusions The current cloud certification landscape suffers of issues, such us: proliferation of schemes,lack of clarify, difficulties to compare existing schemes, lack of guidance of which scheme issuitable for what level of assurance.The cloud certification framework under the CyberSec Act should: Foster simplification and clarity Guide private and public companies to obtain the right level of assurance Increase user’s trust in cloud services Facilitate free flow of data and support competitivenessLikely the new cloud framework: Wont increase the compliance effort of mature CSP Will force less mature CPS to improve their security posture Increase the level of transparency and accountability across the cloud supply chain


Helpful LinksV I A W W W. C L O U D S E C U R I T YA L L I A N C E . O R GCloud Controls MatrixCSA ps/cloud-controlsmatrix/# downloads overviewOpen Certification FrameworkGDPR Center of g-groups/opencertification/# ource-center/EU-SEC Project 2019 CLOUD SECURITY ALLIANCE

Contactdcatteddu@cloudsecurityalliance.orgSeattle Bellingham Berlin SingaporeVisit us on the web atwww.cloudsecurityalliance.orgFollow and like us @cloudsa 2019 CLOUD SECURITY ALLIANCE

Resources CLOUD CONTROL MATRIX: rolsmatrix/# overview STAR PROGRAM OVERVIEW: overview CSA STAR REGISTRY: registry EU-SEC Project: CSA Code of Conduct for GDPR public-registry/ CSA GDPR Center of Excellence:

risks for cyber incidents and cyber attacks.” Substantial: “a level which aims to minimise known cyber risks, cyber incidents and cyber attacks carried out by actors with limited skills and resources.” High: “level which aims to minimise the risk of state-of-the-art cyber attacks carried out by actors with significant skills and .

Related Documents:

May 02, 2018 · D. Program Evaluation ͟The organization has provided a description of the framework for how each program will be evaluated. The framework should include all the elements below: ͟The evaluation methods are cost-effective for the organization ͟Quantitative and qualitative data is being collected (at Basics tier, data collection must have begun)

̶The leading indicator of employee engagement is based on the quality of the relationship between employee and supervisor Empower your managers! ̶Help them understand the impact on the organization ̶Share important changes, plan options, tasks, and deadlines ̶Provide key messages and talking points ̶Prepare them to answer employee questions

On an exceptional basis, Member States may request UNESCO to provide thé candidates with access to thé platform so they can complète thé form by themselves. Thèse requests must be addressed to esd rize unesco. or by 15 A ril 2021 UNESCO will provide thé nomineewith accessto thé platform via their émail address.

Chính Văn.- Còn đức Thế tôn thì tuệ giác cực kỳ trong sạch 8: hiện hành bất nhị 9, đạt đến vô tướng 10, đứng vào chỗ đứng của các đức Thế tôn 11, thể hiện tính bình đẳng của các Ngài, đến chỗ không còn chướng ngại 12, giáo pháp không thể khuynh đảo, tâm thức không bị cản trở, cái được

Cyber Vigilance Cyber Security Cyber Strategy Foreword Next Three fundamental drivers that drive growth and create cyber risks: Managing cyber risk to grow and protect business value The Deloitte CSF is a business-driven, threat-based approach to conducting cyber assessments based on an organization's specific business, threats, and capabilities.

Food outlets which focused on food quality, Service quality, environment and price factors, are thè valuable factors for food outlets to increase thè satisfaction level of customers and it will create a positive impact through word ofmouth. Keyword : Customer satisfaction, food quality, Service quality, physical environment off ood outlets .

Le genou de Lucy. Odile Jacob. 1999. Coppens Y. Pré-textes. L’homme préhistorique en morceaux. Eds Odile Jacob. 2011. Costentin J., Delaveau P. Café, thé, chocolat, les bons effets sur le cerveau et pour le corps. Editions Odile Jacob. 2010. Crawford M., Marsh D. The driving force : food in human evolution and the future.

Le genou de Lucy. Odile Jacob. 1999. Coppens Y. Pré-textes. L’homme préhistorique en morceaux. Eds Odile Jacob. 2011. Costentin J., Delaveau P. Café, thé, chocolat, les bons effets sur le cerveau et pour le corps. Editions Odile Jacob. 2010. 3 Crawford M., Marsh D. The driving force : food in human evolution and the future.