In the previous posts, I covered the key issues covered by the new ISO/IEC 27018 Standard; and how an organization would go about complying with it and proving that.
Today I want to look at the issue of privacy and personal information from the point of view of risk.
Business is no stranger to risk and there is no such thing as “zero risk”. Corporate governance involves assessing what, and how much, risk is considered acceptable for the enterprise in pursuit of its objectives; what controls and safeguards are in place to ensure that defined risk boundaries are not crossed; and what remedies are available if things go wrong. There should be no room in boardroom discussions for ostrich-like views that blithely assert that bad things “are just not going to happen” and that preparation is unnecessary timewasting.
Standards can help boards and C-suite executives by providing guidance to help reduce risk and exposure. The areas of personal data protection, information security, and the increased reliance on cloud computing solutions are no exception. The value of standards is that they provide widely accepted guidance on the best ways to tackle problems and reduce risk: to be able to assert that you conform to important standards – and better, to back that assertion with proof – is as good as it gets in terms of exercising mature fiduciary responsibility.
“Cloud computing” as a term is surrounded with a lot of inevitable marketing hype which itself can lead to confusion and lack of clarity at the level of a Board. The US National Institute for Technology and Standards (NIST) has the most succinct and widely adopted definition of cloud computing:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Those configurable resources can range from the complete “solutions-in-a-box” (think of the vast array of directly user-accessible services online today) to bare-bones infrastructure of servers, memory, and storage that a client (such as an enterprise) configures and deploys in line with their existing and future computing requirements).
What this means for an organization’s leadership is that different types of cloud service deployment require very different approaches to risk mitigation and problem resolution. It is not one-size-fits-all. A couple of examples highlight the possible differences:
Company A procures a cloud-based solution to manage its payroll. All the relevant company and personnel data is held by the cloud service provider and accessed by authorized staff in Company A.
Company B procures a cloud-based solution to archive encrypted historical personnel records. All the data is again held by the cloud service provider but as it is encrypted, it can only be accessed by authorized staff in Company A in possession on the appropriate decryption keys.
It would be a common sense judgment that Company A has more to consider and worry about in terms of potential privacy risks than Company B. But this doesn’t means that Company B faces no risk – they are just different risks with different potential impacts on the company. Understanding the different sorts of cloud service that are being or could be used – as well as the types of data involved – are both important in assessing which risks and privacy controls are most relevant.
The combination of different types of cloud computing infrastructure; the sheer scale of computational power and storage; the increasingly complex flows of data; and the greater use of a dizzying range of devices – together they present privacy challenges that simply did not exist even a decade ago.
An example helps illustrate this. ISO 27002 already requires information security awareness, education and training as a necessary control. ISO 27018 extends this to cover the specific privacy issues in cloud services, adding that measures are needed to make staff aware of:
“…the possible consequences on the public cloud PII processor (e.g., legal consequences, loss of business and brand or reputational damage), on the staff member (e.g., disciplinary consequences) and on the PII principal (e.g., physical, material and emotional consequences) of breaching privacy or security rules and procedures…”
A few minutes sober reflection by any fiduciary should be enough to consider the import of such measures – but also the value to the organization of complying with it and promoting such compliance as a business virtue. These are not “IT issues”. They go to the heart of good corporate governance and fiduciary responsibility. If you are on a Board or report to one, this affects you.
Tomorrow, I will look in more detail at what the ISO/IEC 27018 Standard has to offer you and those who rely on you.