I mentioned in my post yesterday that a 2-page Boardroom Briefing on Privacy in the Cloud has now been released; it looks at the value of the recently published ISO/IEC 27018 Standard. Please take a look and send me any feedback.
In this and the next couple of posts, I want to go into a little more detail on the themes covered in last Friday’s roundtable. Today, I want to explain a little more about the recent ISO/IEC 27018 Standard. But first, a little background:
It is rare for international standards to reach the average boardroom – but when they do, it is often not as part of thoughtful planned governance but in reaction to a major problem or disaster. Think of the fallout after Enron and the desire to beef up financial reporting standards. Many standards had been widely available but not so widely used. So when major disaster struck, government regulation was favoured over voluntary conformance using available standards.
Now consider the growing complexity of handling personal information as businesses make ever greater use of cloud computing services. A similar pattern of interventionist regulation may emerge in the area of protection of personal information in the cloud if business is not able to demonstrate that it can, and will, use the standards available to it; conform with existing legislation where appropriate; and make the effort to follow good business practices.
Do organizations even know what personal information flows through their systems and services? Who is responsible for personal information? How is it managed, stored, backed up, and audited? To what risk is the organization exposed if there are issues with a cloud service provider? Who is liable? For what? To what extent?
We need look no further than today’s further news of the agonies that Sony must be undergoing in response to the latest wave of attacks on their information systems: there’s an interesting short article over at Forbes, “Can You Guess Who Benefits The Most From Sony’s Data Breach?”, that starts to highlight their plight.
Thankfully, there is help at hand.
The ISO/IEC 27018 Standard is the first global standard concerned specifically with privacy issues in cloud computing. It’s relatively new (published at the end of July 2014) and represents the result of work by a leading group of standards professionals specializing in problems related to cloud computing, information security, and privacy questions.
The standards world is no stranger to information security. Since 2005, the ISO 27001 standard has provided a framework for identifying and classifying information security risks and choosing appropriate controls to address them. It was largely geared to the needs – prevalent at the time – of information systems managed within the clearly defined boundaries of an enterprise. This was before cloud computing really took off. The new ISO 27018 Standard recognizes that, as cloud computing services have become more common, organizations are looking to understand how the increased use of such services is affecting their exposure to potential risk, none more so than in the delicate and difficult area of personal information and privacy.
ISO 27018 builds on ISO 27001, itself a comprehensive standard for implementing and maintaining an information security management system; and ISO 27002, which provides a set of policies and controls against which an organization can be certified as compliant. ISO 27001 defines an information security management process and basic requirements which aim to address an organization’s overall business risks by selecting adequate and proportionate security controls.
ISO 27018 enhances existing, more general ISO security standards in two important ways:
- Firstly, it extends the original set of controls to provide implementation guidance for the protection of PII in cloud services; and
- Secondly, it integrates key requirements for data processors under the European Union data protection legislation.
ISO 27018 provides additional guidance and specific criteria for ISO 27001; it also adds controls that reflect PII considerations specifically for cloud services. Customers will be able to verify compliance with the ISO 27018 controls by examining documents from a third-party ISO 27001 audit, or by reviewing a publicly available letter from the certifier stating that all 27018 controls were included in the scope of the 27001 certification. I will return to the issue of certification in my blog tomorrow.
So what exactly are the benefits of using and following this particular Standard?
It provides guidance to cloud service providers about how they should go about the processing of personally identifiable information of their customers. It is based on six main areas:
- Consent: cloud providers must not use the data they receive for purposes of their own advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
- Transparency: Cloud providers must inform customers where their data resides and make clear commitments about how that data is handled.
- Accountability: The standard asserts that any breach of information security should trigger a review by the service provider to determine if there was any loss, disclosure, or alteration of PII.
- Communication: In case of a breach, cloud providers should notify customers and regulators, and keep clear records about the incident and the response to it.
- Independent Audit: A successful third-party audit of a cloud service’s compliance with 27018 documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations.
- Control: Customers have explicit control of how their information is used.
No Standard on its own is a panacea. It has to be part of a comprehensive business strategy led at Board level. As a Director and a Board Chair, I have always seen it as a central part of my function, and that of my peers, to ask questions. So it seems appropriate to leave the last word for today to one of the participants in last Friday’s roundtable:
Common agreed Standards help the conversation by at the very least providing the right questions that should be asked by fiduciaries.