Privacy in the Cloud- Introduction to ISO 27018
Transcript of Privacy in the Cloud- Introduction to ISO 27018
PRIVACY IN THE CLOUD
An Introduction to ISO/IEC 27018
Agenda
• Introduction
• Framing out the Purpose
• What is ISO 27018
• What is the Approach to ISO 27018
• How can ISO 27018 be Applied to an ISMS
• Market Acceptance of ISO 27018
• Q&A
1. Framing out the Purpose
Purpose – Scenario
• Prospects or customers need assurance
• No access to data, but the data, though encrypted, resides in your cloud
• Concern that there may be a breach, disclosure, or violation of regulation / compliance (HIPAA, GDPR, Privacy Shield)
• Maintain SOC 2 and ISO 27001
Purpose – Solution
• Enter ISO 27018
• Specifically crafted for cloud providers and how they handle PII in the cloud
• Additional control implementation guidance on ISO 27002 controls
• Extended control considerations from ISO 29100 (Privacy Framework)
2. What is ISO 27018?
ISO 27018 Overview
• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
27018 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control implementation guidance
• Not intended to be a unique control set
  • e.g. A6.1.2 – segregation of duties (nothing unique from 27018 to meet this control requirement)
• Recommendations, not Requirements
  • "Should" vs. "Shall"
27018 – The Numbers
• 14 ISO 27001 Annex A controls included with additional implementation guidance applicable to protecting PII in the public cloud
  • A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)
• 25 extended controls (based on the 11 privacy principles of ISO/IEC 29100)
  • Act as additional controls to complement those of Annex A
27018 Control Association
ISO 27001 Annex A control domains with supplemental guidance from ISO 27018
27018 Depth – Supplemental Controls
ISO 27001 Annex A control domains with supplemental guidance from ISO 27018
Domain | Title | Comment
5 | Information Security Policies | Sector-specific implementation guidance and other information provided
7 | Human Resources Security | Sector-specific implementation guidance and other information provided
6 | Organization of Information Security | Sector-specific implementation guidance is provided
10 | Cryptography | Sector-specific implementation guidance is provided
12 | Operations Security | Sector-specific implementation guidance is provided
16 | Information Security Incident Management | Sector-specific implementation guidance is provided
9 | Access Control | Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
11 | Physical and Environmental Security | Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
13 | Communications Security | Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
18 | Compliance | Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
27018 Depth – Supplemental Controls
ISO 27001 Annex A control domains not impacted by ISO 27018
Domain | Title | Comment
8 | Asset Management | No additional sector-specific guidance or other information provided
14 | System Acquisition, Development, and Maintenance | No additional sector-specific guidance or other information provided
15 | Supplier Relationships | No additional sector-specific guidance or other information provided
17 | Information Security Aspects of BCM | No additional sector-specific guidance or other information provided
27018 Depth – Extended Controls
ISO 29100 control domains included as extended controls in ISO 27018
Domain | Title | Comment
1 | Consent and choice | 1 Control – Obligation to cooperate regarding PII principals' rights
2 | Purpose legitimacy and specification | 2 Controls – (1) Public cloud PII processor's purpose; (2) Public cloud PII processor's commercial use
3 | Collection limitation | No extended controls applicable
4 | Data minimization | 1 Control – Secure erasure of temporary files
5 | Use, retention, and disclosure limitation | 2 Controls – (1) PII disclosure notification; (2) Recording of PII disclosures
6 | Accuracy and quality | No extended controls applicable
7 | Openness, transparency, and notice | 1 Control – Disclosure of subcontracted PII processing
8 | Individual participation and access | No extended controls applicable
27018 Depth – Extended Controls
ISO 29100 control domains included as extended controls in ISO 27018
Domain | Title | Comment
9 | Accountability | 3 Controls – (1) Notification of a data breach involving PII; (2) Retention period for administrative security policies and guidelines; (3) PII return, transfer and disposal
10 | Information security | 13 Controls – (1) Confidentiality or non-disclosure agreements; (2) Restriction on the creation of hardcopy material; (3) Control and logging of data restoration; (4) Protecting data on storage media leaving the premises; (5) Use of unencrypted portable storage media and devices; (6) Encryption of PII transmitted over public data-transmission networks; (7) Secure disposal of hardcopy materials; (8) Unique use of user IDs; (9) Records of authorized users; (10) User ID management; (11) Contract measures; (12) Sub-contracted PII processing; (13) Access to data on pre-used data storage space
11 | Privacy compliance | 2 Controls – (1) Geographical location of PII; (2) Intended destination of PII
3. What is the Approach for ISO 27018?
Options
• Inclusion into a certified ISMS
• Unaccredited certificate
• Attestation report
• Benchmark assessment
ISMS Option – Initial Certification
• Initial Certification
  • Stage 2 incorporation of ISO 27018
  • Statement of applicability acts as an audit road map
• Surveillance / Recertification
  • Perform regular maintenance reviews to ensure continued conformance and operating effectiveness of the ISMS
  • Apply heavier focus on inclusion of ISO 27018
ISMS Option – Scope Expansion
• Specifically focus on inclusion of ISO 27018
• Assess relevant elements of the ISMS and supplemental / extended controls
ISMS Option – Certificate
• Included as a part of the scope statement, related to the SOA based on ISO 27018, on the accredited 27001 certificate
• Demonstrates an active management system that supports those controls from 27018 (risk assessment, internal audit, measurement and monitoring, etc.)
• Available on certificate directory
• No unique mark or accredited certificate issued for ISO
Unaccredited Certificate
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable of certificate
• Would not include an accreditation body mark (e.g. ANAB or UKAS)
Attestation Report
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by a CPA firm at any time
• Deliverable of attestation report including opinion letter and assertion letter, system description, and identification
Benchmark Assessment
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable of assessment report including description of audit performed and identification of controls in place
4. How can ISO 27018 be Applied to an ISMS?
Design – Scope (Clause 4)
• Modify the scope statement as applicable
• Ensure appropriate inclusion through identification of:
  • Internal and external issues
  • Needs and expectations of interested parties
  • Interfaces and dependencies performed by the organization and those performed by other organizations
Design – Risk Assessment (Clause 6)
• Identification of supplemental and extended controls through the risk assessment process
• Controls should be necessary to mitigate risk applicable to the scope
• Apply appropriate treatment if necessary
Design – Statement of Applicability (Clause 6)
• Incorporate supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies (for the entire related standard)
• Determine if the supplemental / extended control is in place
Design – Objectives (Clause 6)
• Modify the information security objectives as appropriate
• Ensure to measure any modification to the information security objectives
Monitoring – Measurement (Clause 9.1)
• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper criteria are applied
• Include relevant personnel
Monitoring – Internal Audit (Clause 9.2)
• Incorporation into audit plan / program
• Assessment of results
• Planned remediation
5. Market Acceptance of ISO 27018
Market Driven
• Major cloud providers (AWS, Azure, Salesforce, GE Digital, etc.) were early adopters
• ISMS inclusion and separate certificates
• CSA incorporation into their Cloud Controls Matrix (CCM)
• General Data Protection Regulation (GDPR)
ISO 27018 Growth
• Likely to be proportionate to 27001 growth (relative to cloud providers)
  • 20% globally and 78% in North America from 2014-2015
• Not a market differentiator but a market denominator
STAY UP-TO-DATE
www.schellmanco.com