Data security continues to attract the attention of organisations worldwide, at least if the uptake of the Information Security Management System standard ISO27001 is anything to go by. The proper identification of information assets (and the supporting assets such as premises, hardware, software, etc. upon which they rely) is essential if a proper assessment of vulnerabilities and threats is to be undertaken, and appropriate actions taken to manage identified risks.

Whilst ISO27001 provides a framework of 114 controls to help manage, reduce or remove risks, until recently these needed to be carefully implemented to provide specific protection to data in cloud environments. An additional standard, ISO27018:2014, is being widely welcomed by the risk community as it provides an extended control set specifically designed to highlight and address a range of risks and issues associated with personally identifiable information (PII) in the cloud.

Commercial and public sector ICT cloud systems seek to take advantage of the removal of dedicated infrastructure, the reduction in operational costs and the increase in flexibility and scalability, but must also remain focussed on managing data risks. Media-reported issues involving iCloud, Snapchat and Dropbox have not gone unnoticed by the public, and ongoing debates around off-shoring and the relevance of country-specific data protection legislation do little to build their confidence.

So how can ISO27018 help? Responsible cloud providers and application developers should be studying its contents and working out how they can implement the additional controls and provide the associated assurance that consumers seek. Whether it’s understanding the geographic location of PII data, having processes for reporting PII breaches and disclosures, or managing the printing or copying of PII data by a provider, there’s a family of more than 20 focused controls to choose from.

InfoSaaS already provides cloud-based IT risk management software which helps organisations to establish an effective Information Security Management System, from which many proceed to successfully gain formal ISO27001 certification. The next InfoSaaS update in early June will include “PII Data in the Cloud” as a risk assessment type, presenting organisations with a relevant range of cloud security risks and summaries of the ISO27018 controls which may address them.

For those organisations which manage cloud environments or develop cloud applications, being proactive in managing the associated risks not only protects their business from significant issues (data loss, legislative fines, brand damage, etc.) but also builds customer confidence, which in turn will increase the pace of cloud adoption. InfoSaaS can help, providing one of the most effective toolsets for managing today’s ICT risks. Visit www.infosaas.uk for more information.