Data Protection for Public Cloud (International Standard ISO 27018)

ITU Workshop on “Cloud Computing Standards – Today and the Future”
(Geneva, Switzerland 14 November 2014)
Stéphane Guilloteau
Engineer Expert, Orange Labs
stephane.guilloteau@orange.com
Geneva, Switzerland, 14 November 2014
Agenda
Introduction
Scope of 27018
Methodology
Context
Requirements
Structure
Principles
Sector-specific examples
Conclusion
ISO/IEC 27018
Published: 2014/08
Title: Code of practice for PII protection in public clouds acting as PII processors
(PII = Personally Identifiable Information)
Developed by: ISO/IEC JTC 1 (Information technology) / SC 27 (Security techniques) / WG 5 (Identity management and privacy technologies)
SC 27 (figure by Jan Schallaböck, Vice-Convenor WG5)
WG5 (figure by Jan Schallaböck, Vice-Convenor WG5)
Scope
Objective: to create a common set of security categories and controls that apply to a public cloud computing service provider, in order to meet the requirements for the protection of PII.
Methodology
Collects together the PII protection requirements of ISO/IEC 29100 and the guidance for implementing controls given in ISO/IEC 27002.
Designed for all types and sizes of organizations.
Context
A public cloud service provider is a “PII processor” when it processes PII for, and according to the instructions of, a cloud service customer (the PII controller).
Guiding considerations:
- “Privacy by Design”
- “PII lifecycle consideration”
- Information security risk environment
Ecosystem (figure by Chris Mitchell, 27018 Editor)
Requirements
Three main sources:
- legal, statutory, regulatory and contractual requirements
- risks
- corporate policies
27002 structure
The 14 control clauses of ISO/IEC 27002, which ISO/IEC 27018 follows:
- Security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
29100 principles
The 11 privacy principles of ISO/IEC 29100:
- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention and disclosure limitation
- Accuracy and quality
- Openness, transparency and notice
- Individual participation and access
- Accountability
- Information security
- Privacy compliance
Sector-specific examples
- clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer
- facilitate the exercise of PII principals’ rights
- ensure the purpose specification and limitation principles
- notify data breaches
- specify the geographical location of PII
Conclusion
- comply with applicable obligations
- be transparent
- enter into a contractual agreement
- demonstrate effective implementation of PII protection
- ISO/IEC 27018 does not replace applicable legislation and regulations, but can assist in meeting them
- it is complemented by standards in progress (29151, 29134…)