Copyright © 2015 BSI. All rights reserved.
ISO/IEC 27018 – Redesigning Privacy in the Cloud
John A. DiMaria; CSSBB, HISP, MHISP, AMBCI; Sr. Product Manager, Systems Certification; BSI Americas
• Introduction
• Overview of 27018
• Principles
• Methodology
• Context
• Requirements
• Structure
• Connection between privacy and security
• Q&A
ISO/IEC 27018:2014
• Title
• Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Source: BSI ISO/IEC 27018
Scope
• Objective
• To create a common set of security categories and controls that apply to a public cloud computing service provider
• To meet the requirements for the protection of PII
• ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
• In particular, the standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
Source: ISO/IEC 27018
The privacy principles of ISO/IEC 29100 – Table 3
ISO/IEC 27018 Annex A (normative) Public cloud PII processor extended control set for PII protection
Specific Examples
Source: ISO/IEC 29100
Sector Specific Privacy Issues
Financial Services • Multiple layers of regulation • Demands for increased transparency by customers and shareholders • Online banking and trading • Information security
Healthcare • HIPAA • Medical records • PMI (personal medical information) • Digitalization of records • Records management
Technology • Digitalization impact on the business • Cloud computing • XX as a service • Virtualization • Data security • Social networking • Software releases • Regulations
1. PII (Personally Identifiable Information)
PII principal: Natural person to whom the personally identifiable information (PII) relates.
PII: information that a) can be used to identify, or b) is directly or indirectly linked to, a PII principal.
ID (establishes the link between a PII principal and PII or a set of PII): • social security number • passport number • account number • precise geographical location • telephone number
PII controller: Privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing PII, other than natural persons who use data for personal purposes. A PII controller sometimes instructs others to process PII on its behalf, while the responsibility for the processing remains with the PII controller.
PII processor: Privacy stakeholder that processes PII on behalf of and in accordance with the instructions of a PII controller.
Third party: Privacy stakeholder other than the PII principal, the PII controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII controller or the PII processor.
Processing of PII: Operation or set of operations performed upon PII.
• Sensitive PII • Privacy
Actors and Roles – ISO/IEC 29100:2011 – Table 1
Example of attributes that can be used to identify natural persons – ISO/IEC 29100:2011 – Table 2
Methodology
• Establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
• Specifies guidelines based on ISO/IEC 27002
• Takes into consideration regulatory requirements for the protection of PII which might be applicable within the context of a public cloud service provider’s business environment
• Applicable to organizations of all sizes
Source: BSI ISO/IEC 27018
Context
ISO/IEC 27018:2014
• 0.1 Cloud service providers (CSP) who process Personally Identifiable Information (PII) under contract to their customers have to operate their services in ways that allow both parties to meet the requirements of applicable legislation and regulations covering the protection of PII.
• A CSP is a PII “Processor” when it processes PII according to instructions from, and/or contractual/SLA agreements with, its customers.
• There may be shared roles of responsibility for certain aspects of the cloud service, and in some cases (as in ID management) the customer may actually be responsible for all aspects.
Source: BSI ISO/IEC 27018
Requirements
• Three main sources
• Legal, statutory, regulatory and contractual requirements
• Risks
• Corporate policies
Source: BSI ISO/IEC 27018
Control Categories
In line with ISO/IEC 27002, each main control category contains: a) a control objective stating what is to be achieved; and b) one or more controls that can be applied to achieve the control objective. Sector-specific implementation guidance is provided, together with a cross-reference to control(s) in Annex A of ISO/IEC 27018.
Control Descriptions Structure
Control: Defines the specific control statement to satisfy the control objective.
Public cloud PII protection implementation guidance: Provides more detailed information to support the implementation of the control and meeting the control objectives. May not be applicable or sufficient in all situations, and may not fulfil the organization’s specific control requirements. Alternative or additional controls, or other forms of risk treatment, may therefore be appropriate.
Other information for public cloud PII protection: Provides further information that may need to be considered, such as legal considerations and references to other standards.
Source: BSI ISO/IEC 27018
ISO/IEC 27018:2014 + Annex A
ISO/IEC 27002 Controls
ISO/IEC 27002:2013 (Annex A of ISO/IEC 27001)
14 Information Security Domains
5 Information security policies
6 Organization of information security
7 Human resources security
8 Asset Management
9 Access Control
10 Cryptography
11 Physical and Environmental Security
12 Operations Security
ISO/IEC 27001:2013 Annex A
14 Information Security Domains
13 Communications Security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
1. Sector-specific guidance – Table 1
Additional Guidance to enforce ISO/IEC 27002 to protect cloud-based PII
7 Human resource security
7.2.2 Information security awareness, education and training
Control 7.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies.
Public cloud PII protection implementation guidance: Measures should be put in place to make relevant staff aware of the possible consequences on the public cloud PII processor (e.g. legal consequences, loss of business and brand or reputational damage), on the staff member (e.g. disciplinary consequences) and on the PII principal (e.g. physical, material and emotional consequences) of breaching privacy or security rules and procedures, especially those addressing the handling of PII.
Other information for public cloud PII protection: In some jurisdictions, the public cloud PII processor may be subject to legal sanctions, including substantial fines directly from the local PII protection authority. In other jurisdictions the use of International Standards such as this in setting up the contract between the public cloud PII processor and the cloud service customer should help establish a basis for contractual sanctions for a breach of security rules and procedures.
Source: BSI ISO/IEC 27018
ISO/IEC 27018:2014 Annex A Domains
• A.1 Consent and choice
• A.2 Purpose legitimacy and specification
• A.3 Collection limitation
• A.4 Data minimization
• A.5 Use, retention and disclosure limitation
• A.6 Accuracy and quality
• A.7 Openness, transparency and notice
• A.8 Individual participation and access
• A.9 Accountability
• A.10 Information security
• A.11 Privacy compliance
Source: BSI ISO/IEC 27018
ISO/IEC 27018:2014 – Annex A Controls
• A.1 Consent and choice
• A.1.1 Obligation to co-operate regarding PII principals’ rights
• A.2 Purpose legitimacy and specification
• A.2.1 Public cloud PII processor’s purpose
• A.2.2 Public cloud PII processor’s commercial use
• A.3 Collection limitation
• A.4 Data minimization
• A.4.1 Secure erasure of temporary files
• A.5 Use, retention and disclosure limitation
• A.5.1 PII disclosure notification
• A.5.2 Recording of PII disclosures
• A.6 Accuracy and quality
• A.7 Openness, transparency and notice
• A.7.1 Disclosure of sub-contracted PII processing
• A.8 Individual participation and access
• A.9 Accountability
• A.9.1 Notification of a data breach involving PII
• A.9.2 Retention period for administrative security policies and guidelines
• A.9.3 PII return, transfer and disposal
• A.10 Information security
• A.10.1 Confidentiality or non-disclosure agreements
• A.10.2 Restriction of the creation of hardcopy material
• A.10.3 Control and logging of data restoration
• A.10.4 Protecting data on storage media leaving the premises
• A.10.5 Use of unencrypted portable storage media and devices
• A.10.6 Encryption of PII transmitted over public data-transmission networks
• A.10.7 Secure disposal of hardcopy materials
• A.10.8 Unique use of user IDs
• A.10.9 Records of authorized users
• A.10.10 User ID management
• A.10.11 Contract measures
• A.10.12 Sub-contracted PII processing
• A.10.13 Access to data on pre-used data storage space
• A.11 Privacy compliance
• A.11.1 Geographical location of PII
• A.11.2 Intended destination of PII
Source: BSI ISO/IEC 27018
Statement of Applicability
ISO/IEC 27018 – Guidance for 27001
• A.1 Consent and choice • A.2 Purpose legitimacy and specification • A.3 Collection limitation • A.4 Data minimization • A.5 Use, retention and disclosure limitation • A.6 Accuracy and quality • A.7 Openness, transparency and notice • A.8 Individual participation and access • A.9 Accountability • A.10 Information security • A.11 Privacy compliance
Audit process (diagram)
Scope of ISO/IEC 27001 / Scope of ISO/IEC 27018
PII protection environment: Legal Requirement • Contractual Requirement • Corporate policies • Risks
Risk Assessment → Provider’s actual role → Statement of Applicability → Selecting and implementing controls in a cloud computing environment (ISO/IEC 27018:2014) → Developing additional controls (Addition)
Audit process
• Applicable guidance for existing ISO/IEC 27002 controls and additional controls for protection of cloud-based PII in ISO/IEC 27018 are selected and implemented.
• Scope properly reflects the services or activities of the cloud-based PII provider.
• Risk assessment, risk acceptance and risk treatment: taking into consideration the specific risk environment arising from PII protection requirements.
• Controls in ISO/IEC 27002 should be augmented by applicable implementation guidance and additional controls in ISO/IEC 27018.
• The selection and implementation of controls is:
• based on the legal/statutory/regulatory/contractual requirements, risks and corporate policies;
• dependent on the public cloud provider’s actual role (IaaS, PaaS, SaaS service, etc.).
• Controls may also be selected from other control sets, or new controls developed, if required.
• SoA: contains the necessary additional controls addressing specific risks to PII protection, with justification for inclusion and exclusion.
ISO/IEC 27017:2015
Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• Additional implementation guidance for relevant controls specified in ISO/IEC 27002;
• Additional controls with implementation guidance that specifically relate to cloud services
Source: BSI ISO/IEC 27017
Type 1 is used when there is separate guidance for the cloud service customer and the cloud service provider.
Type 2 is used when the guidance is the same for both the cloud service customer and cloud service provider.
Source: BSI ISO/IEC 27017
6.1.1 Information security roles and responsibilities Type 1
Source: BSI ISO/IEC 27017
16.1.7 Collection of evidence Type 2
ISO/IEC 27017 Annex A Controls
• CLD.6.3 Relationship between cloud service customer and cloud service provider
• CLD.6.3.1 Shared responsibility within a cloud computing environment
• CLD.8.1 Responsibility for assets
• CLD.8.1.5 Removal of cloud service customer assets
• CLD.9.5 Access control of cloud service customer’s data in shared virtual environment
• CLD.9.5.1 Segregation in virtual computing environments
• CLD.9.5.2 Virtual Machine Hardening
• CLD.12.1 Operational procedures and responsibilities
• CLD.12.1.5 Administrator’s operational security
• CLD.12.4 Logging and monitoring
• CLD.12.4.5 Monitoring of Cloud Services
• CLD.13.1 Network security management
• CLD.13.1.4 Consistency between virtual and physical networks
Source: BSI ISO/IEC 27017
Example Control Type 1
CLD.6.3.1 Shared responsibility within a cloud computing environment
Control: Shared responsibility for information security in the use of cloud service should be documented, announced, communicated and implemented by both the cloud service customer and the cloud service provider.
Implementation guidance for cloud services
Source: BSI ISO/IEC 27017
Example Control Type 2
CLD.9.5.2 Virtual Machine Hardening
Control: Virtual machines in a cloud computing environment should be hardened to meet business needs.
Implementation guidance for cloud services
Source: BSI ISO/IEC 27017
MANAGEMENT CAPABILITY / MATURITY: CONTROL AREAS
CONTROL AREAS 3.0.1
There are 16 control areas in CCM v3.0.1, each of which is awarded a management capability score on a scale of 1-15.
Approach to an ISMS Certification
• ISO/IEC 27001:2013: Management System Requirements; Annex A Controls (27002)
• Sector Specific Control Set
• Statement of Applicability (SOA)
• ISO/IEC 27006 Accredited Certification Body
• System assessed for compliance and effectiveness
• Clear any NCRs • Receive certification • Undergo continuing surveillance audits
Conclusion
• Use the holistic approach in order to comply with and manage applicable obligations
• Increase transparency as a CSP
• Live up to your responsibilities as a cloud customer
• Demonstrate effective implementation of PII protection
• ISO/IEC 27018 does not replace applicable legislation and regulations, but can assist
• Use the standards approach as a business improvement tool
Contact Us
Address: BSI Group America Inc.
12950 Worldgate Dr. Ste 800
Herndon, VA 20170
Main Office Telephone: 800-862-4977
Fax: 703 437 9001
Email: [email protected]
Links: http://www.bsiamerica.com