ISO/IEC 27018 – Redesigning Privacy in the Cloud

John A. DiMaria; CSSBB, HISP, MHISP, AMBCI; Sr. Product Manager, Systems Certification; BSI Americas

Copyright © 2015 BSI. All rights reserved.


Page 1: Title slide

Page 2

• Introduction

• Overview of 27018

• Principles

• Methodology

• Context

• Requirements

• Structure

• Connection between privacy and security

• Q&A

Page 3

ISO/IEC 27018:2014

• Title

• Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

Source: BSI ISO/IEC 27018

Page 4

Scope

• Objective

• To create a common set of security categories and controls that apply to a public cloud computing service provider

• To meet the requirements for the protection of PII

• ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

• In particular, the standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

Source: ISO/IEC 27018

Page 5

The privacy principles of ISO/IEC 29100 – Table 3

ISO/IEC 27018 Annex A (normative) Public cloud PII processor extended control set for PII protection

Page 6

Specific Examples

Source: ISO/IEC 29100

Page 7

Sector Specific Privacy Issues

Financial Services

• Multiple layers of regulation

• Demands for increased transparency by customers and shareholders

• Online banking and trading

• Information security

Healthcare

• HIPAA

• Medical records

• PMI (personal medical information)

• Digitalization of records

• Records management

Technology

• Digitalization impact on the business

• Cloud computing

• XX as a service

• Virtualization

• Data security

• Social networking

• Software releases

• Regulations

Page 8

1. PII (Personally Identifiable Information)

PII principal: Natural person to whom the personally identifiable information (PII) relates.

PII: information that a) can be used to identify a PII principal, or b) is directly or indirectly linked to a PII principal.

Identifiers (ID) establish the link between a PII principal and PII or a set of PII, for example:

• social security number

• passport number

• account number

• precise geographical location

• telephone number

PII controller: Privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing PII, other than natural persons who use data for personal purposes. The PII controller sometimes instructs others to process PII on its behalf, while the responsibility for the processing remains with the PII controller.

PII processor: Privacy stakeholder that processes PII on behalf of and in accordance with the instructions of a PII controller.

Third party: Privacy stakeholder other than the PII principal, the PII controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII controller or the PII processor.

Processing of PII: Operation or set of operations performed upon PII.

Related terms: Sensitive PII; Privacy.

Page 9

Actors and Roles – ISO/IEC 29100:2011 – Table 1

Page 10

Example of attributes that can be used to identify natural persons – ISO/IEC 29100:2011 – Table 2

Page 11

Methodology

• Establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment

• Specifies guidelines based on ISO/IEC 27002

• Takes into consideration regulatory requirements for the protection of PII which might be applicable within the context of a public cloud service provider’s business environment

• Applicable to organizations of all sizes

Source: BSI ISO/IEC 27018

Page 12

Context

ISO/IEC 27018:2014

• 0.1 Cloud service providers (CSP) who process Personally Identifiable Information (PII) under contract to their customers have to operate their services in ways that allow both parties to meet the requirements of applicable legislation and regulations covering the protection of PII.

• A CSP is a PII “processor” when it processes PII according to instructions from, and/or contractual/SLA agreements with, its customers.

• There may be shared responsibility for certain aspects of the cloud service, and in some cases (as in ID management) the customer may actually be responsible for all aspects.

Source: BSI ISO/IEC 27018

Page 13

Requirements

• Three main sources

• Legal, statutory, regulatory and contractual requirements

• Risks

• Corporate policies

Source: BSI ISO/IEC 27018

Page 14

Control Categories

In line with ISO/IEC 27002, each main control category contains:

a) a control objective stating what is to be achieved; and

b) one or more controls that can be applied to achieve the control objective.

Sector-specific implementation guidance is provided, together with a cross-reference to control(s) in Annex A of ISO/IEC 27018.

Page 15

Control Descriptions Structure

Control: Defines the specific control statement to satisfy the control objective.

Public cloud PII protection implementation guidance: Provides more detailed information to support the implementation of the control and meeting the control objectives. May not be applicable or sufficient in all situations, and may not fulfil the organization’s specific control requirements. Alternative or additional controls, or other forms of risk treatment, may therefore be appropriate.

Other information for public cloud PII protection: Provides further information that may need to be considered, such as legal considerations and references to other standards.

Source: BSI ISO/IEC 27018

Page 16

ISO/IEC 27018:2014 + Annex A

Page 17

ISO/IEC 27002 Controls

Page 18

ISO/IEC 27002:2013 (Annex A of ISO/IEC 27001)

14 Information Security Domains

5 Information security policies

6 Organization of information security

7 Human resources security

8 Asset Management

9 Access Control

10 Cryptography

11 Physical and Environmental Security

12 Operations Security

Page 19

ISO/IEC 27001:2013 Annex A

14 Information Security Domains

13 Communications Security

14 System acquisition, development and maintenance

15 Supplier relationships

16 Information security incident management

17 Information security aspects of business continuity management

18 Compliance

Page 20

1. Sector-specific guidance – Table 1


Additional Guidance to enforce ISO/IEC 27002 to protect cloud-based PII

Page 21

7 Human resource security

7.2.2 Information security awareness, education and training

Control 7.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies.

Public cloud PII protection implementation guidance: Measures should be put in place to make relevant staff aware of the possible consequences on the public cloud PII processor (e.g. legal consequences, loss of business and brand or reputational damage), on the staff member (e.g. disciplinary consequences) and on the PII principal (e.g. physical, material and emotional consequences) of breaching privacy or security rules and procedures, especially those addressing the handling of PII.

Other information for public cloud PII protection: In some jurisdictions, the public cloud PII processor may be subject to legal sanctions, including substantial fines directly from the local PII protection authority. In other jurisdictions the use of International Standards such as this in setting up the contract between the public cloud PII processor and the cloud service customer should help establish a basis for contractual sanctions for a breach of security rules and procedures.

Source: BSI ISO/IEC 27018

Page 22

ISO/IEC 27018:2014 Annex A Domains

• A.1 Consent and choice

• A.2 Purpose legitimacy and specification

• A.3 Collection limitation

• A.4 Data minimization

• A.5 Use, retention and disclosure limitation

• A.6 Accuracy and quality

• A.7 Openness, transparency and notice

• A.8 Individual participation and access

• A.9 Accountability

• A.10 Information security

• A.11 Privacy compliance

Source: BSI ISO/IEC 27018

Page 23

ISO/IEC 27018:2014 – Annex A Controls

• A.1 Consent and choice

• A.1.1 Obligation to co-operate regarding PII principals’ rights

• A.2 Purpose legitimacy and specification

• A.2.1 Public cloud PII processor’s purpose

• A.2.2 Public cloud PII processor’s commercial use

• A.3 Collection limitation

• A.4 Data minimization

• A.4.1 Secure erasure of temporary files

• A.5 Use, retention and disclosure limitation

• A.5.1 PII disclosure notification

• A.5.2 Recording of PII disclosures

• A.6 Accuracy and quality

• A.7 Openness, transparency and notice

• A.7.1 Disclosure of sub-contracted PII processing

• A.8 Individual participation and access

• A.9 Accountability

• A.9.1 Notification of a data breach involving PII

• A.9.2 Retention period for administrative security policies and guidelines

• A.9.3 PII return, transfer and disposal

• A.10 Information security

• A.10.1 Confidentiality or non-disclosure agreements

• A.10.2 Restriction of the creation of hardcopy material

• A.10.3 Control and logging of data restoration

• A.10.4 Protecting data on storage media leaving the premises

• A.10.5 Use of unencrypted portable storage media and devices

• A.10.6 Encryption of PII transmitted over public data-transmission networks

• A.10.7 Secure disposal of hardcopy materials

• A.10.8 Unique use of user IDs

• A.10.9 Records of authorized users

• A.10.10 User ID management

• A.10.11 Contract measures

• A.10.12 Sub-contracted PII processing

• A.10.13 Access to data on pre-used data storage space

• A.11 Privacy compliance

• A.11.1 Geographical location of PII

• A.11.2 Intended destination of PII

Source: BSI ISO/IEC 27018

Page 24

Statement of Applicability

ISO/IEC 27018 – Guidance for 27001 (Annex A domains carried into the Statement of Applicability):

• A.1 Consent and choice

• A.2 Purpose legitimacy and specification

• A.3 Collection limitation

• A.4 Data minimization

• A.5 Use, retention and disclosure limitation

• A.6 Accuracy and quality

• A.7 Openness, transparency and notice

• A.8 Individual participation and access

• A.9 Accountability

• A.10 Information security

• A.11 Privacy compliance

Page 25

Audit process (diagram): within the scope of ISO/IEC 27001 and the scope of ISO/IEC 27018, the PII protection environment (legal requirement, contractual requirement, corporate policies, risks) feeds the risk assessment and the provider’s actual role, which together determine the Statement of Applicability; controls are then selected and implemented in a cloud computing environment using ISO/IEC 27018:2014, with additional controls developed where required.

Page 26

Audit process

• Applicable guidance for existing ISO/IEC 27002 controls and additional controls for protection of cloud-based PII in ISO/IEC 27018 are selected and implemented.

• The scope properly reflects the services or activities of the cloud-based PII provider.

• Risk assessment, risk acceptance and risk treatment take into consideration the specific risk environment arising from PII protection requirements.

• Controls in ISO/IEC 27002 should be augmented by the applicable implementation guidance and additional controls in ISO/IEC 27018.

• The selection and implementation of controls is:

• based on the legal/statutory/regulatory/contractual requirements, risks and corporate policies;

• dependent on the public cloud provider’s actual role (IaaS, PaaS, SaaS service, etc.).

• Controls may also be selected from other control sets, or new controls developed, if required.

• SoA: contains the necessary additional controls addressing the specific risks to PII protection, with the justification for their inclusion and exclusion.

Page 27

ISO/IEC 27017:2015

Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

• Additional implementation guidance for relevant controls specified in ISO/IEC 27002;

• Additional controls with implementation guidance that specifically relate to cloud services

Source: BSI ISO/IEC 27017

Page 28

Type 1 is used when there is separate guidance for the cloud service customer and the cloud service provider.

Type 2 is used when the guidance is the same for both the cloud service customer and cloud service provider.

Source: BSI ISO/IEC 27017

Page 29

6.1.1 Information security roles and responsibilities Type 1

Source: BSI ISO/IEC 27017

Page 30

16.1.7 Collection of evidence Type 2

Page 31

ISO/IEC 27017 Annex A Controls

• CLD.6.3 Relationship between cloud service customer and cloud service provider

• CLD.6.3.1 Shared responsibility within a cloud computing environment

• CLD.8.1 Responsibility for assets

• CLD.8.1.5 Removal of cloud service customer assets

• CLD.9.5 Access control of cloud service customer’s data in shared virtual environment

• CLD.9.5.1 Segregation in virtual computing environments

• CLD.9.5.2 Virtual Machine Hardening

• CLD.12.1 Operational procedures and responsibilities

• CLD.12.1.5 Administrator’s operational security

• CLD.12.4 Logging and monitoring

• CLD.12.4.5 Monitoring of Cloud Services

• CLD.13.1 Network security management

• CLD.13.1.4 Consistency between virtual and physical networks

Source: BSI ISO/IEC 27017

Page 32

Example Control Type 1

CLD.6.3.1 Shared responsibility within a cloud computing environment

Control

• Shared responsibility for information security in the use of cloud service should be documented, announced, communicated and implemented by both the cloud service customer and the cloud service provider.

Implementation guidance for cloud services

Source: BSI ISO/IEC 27017

Page 33

Example Control Type 2

CLD.9.5.2 Virtual Machine Hardening

Control

• Virtual machines in a cloud computing environment should be hardened to meet business needs.

Implementation guidance for cloud services

Source: BSI ISO/IEC 27017

Page 34

Page 35

Management Capability / Maturity: Control Areas

Control Areas (CCM v3.0.1)

There are 16 control areas in the CCM v3.0.1, each of which will be awarded a management capability score on a scale of 1-15.

Page 36

Approach to an ISMS Certification

• ISO/IEC 27001:2013: Management System Requirements; Annex A Controls (27002)

• Sector Specific Control Set

• Statement of Applicability (SOA)

• ISO/IEC 27006 Accredited Certification Body

• System assessed for compliance and effectiveness

• Clear any NCRs; receive certification; undergo continuing surveillance audits

Page 37

Conclusion

• Use the holistic approach in order to comply with and manage applicable obligations

• Increase transparency as a CSP

• Live up to your responsibilities as a cloud customer

• Demonstrate effective implementation of PII protection

• ISO/IEC 27018 does not replace applicable legislation and regulations, but can assist

• Use the standards approach as a business improvement tool

Page 38

Contact Us

Address: BSI Group America Inc.

12950 Worldgate Dr. Ste 800

Herndon, VA 20170

Main Office Telephone: 800-862-4977

Fax: 703 437 9001

Email: [email protected]

[email protected]

Links: http://www.bsiamerica.com

Copyright © 2015 BSI. All rights reserved.