Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda Introduction ISO family of standards

Published byGrace Rich Modified over 9 years ago

Similar presentations

Presentation on theme: "Agenda Introduction ISO family of standards"— Presentation transcript:

0 Information Security ISO 27000 and Cloud Certification Standards October 27, 2015
Glen Bruce Director, Enterprise Risk Security & Privacy

1 Agenda Introduction ISO 27000 family of standards
Information security risks and requirements Information Security Management System ISO Directives for management system standards ISO family of standards Structure of the standards ISO standards available and under development ISO certification Certification approach and audit process Benefits of ISMS certification ISO standards involving service providers NIST Cyber Security Framework Cloud security service provider certifications Cloud security requirements Cloud service provider security certifications Questions

2 A formal system is required to meet the information security risks
Information Security has generally evolved into a collection of measures to counter identified threats but not into a cohesive system that can be easily managed. Why is it a problem? Information Security has traditionally grown up as a multiple technology responses to different threats leading to large and varied array of technology and vendors. Many times the technical response is reactive and not planned. Overall effectiveness of the security measures can be difficult to determine. The focus is increasingly on people as the weak point not the technology. Good security tends to be an opinion rather than a supportable fact Implications Increased cost due to multiple technical controls and/or duplication. Increased complexity to manage an ever increasing technology base. Susceptible to new threats Security can get in the way of the business Maintenance is challenging. It is easy to loose sight of the big picture. Click to edit Master text styles Second level Third level Fourth level

3 What does an organization need to effectively manage information security risk?
Corporate decisions on how risk must be managed (strategy, principles, policies, standards etc.); Knowing how much risk the organization is willing to accept (risk tolerance/appetite); An understanding of who accepts risk on behalf of the organization (understanding and adherence); A method or process to understand the risk and how to deal with it (risk assessments, risk treatment); Knowing what needs to be protected (inventory, information classification); A method to effectively communicate responsibilities and obligations (escalate risks and decisions); A comprehensive and balanced set of requirements; A method and process for managing everyone’s expectations (sign off); and A common framework to put it all together. Information security needs to be a continuously operating management system 3

4 Consolidated Supplement
The ISO/IEC Directives - define the basic procedures to be followed in the development of International Standards and other publications. ISO/IEC Directives Part 1 - Procedures Consolidated Supplement ISO 1400 ISO 1400 Annex SL ISO 1400 ISO 9000 ISO 27001 Appendix 3 Part 2 - Rules Management System - set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives MSS - Management System Standard - Standard that provides requirements or guidelines for organizations to develop and systematically manage their policies, processes and procedures in order to achieve specific objectives. The ISO Directives provide guidance for the development of all ISO management system standards including; ISO 30301:2011, Information and documentation – Management systems for records ISO 22301:2012, Societal security – Business continuity ISO 20121:2012, Event sustainability management systems ISO 39001, Road-traffic safety (RTS) management systems ISO/IEC 27001– Information security management systems ISO 55001, Asset management ISO 16125, Fraud countermeasures and controls – Security management system 4

5 The “Plan-Do-Check-Act’ model guides all ISO Management System Standards
Implement the identified Improvements in ISMS Continuous feedback and improvement Communication with interested parties Ensure improvements achieve intended results Check Execute monitoring procedures and controls Undertake regular reviews of ISMS Review residual risk and acceptable risk Interested Parties Established ISMS Qualitative ROI Regulatory / Legislative Compliance Interested Parties Enterprise Security Architecture Requirements Business Strategy ISO Directives Do Formulate Risk Treatment Plan Implement Risk Treatment Plan Implement controls Implement training and awareness Manage Operations Manage Resources Implement detective and reactive controls for security incidents Plan Define Scope of ISMS Define ISMS Policy Define Systematic approach to risk assessment Identify and assess Risk Identify and evaluate risk treatment options Select controls for risk treatment Prepare Statement of Applicability 5

6 Elements of a management system according to ISO
Scope Normative References Terms and Definitions Context Understanding the organization and its context Understanding the needs and expectations of interested parties Determining the scope of the management system Security management system Leadership Leadership and commitment Policy Organization roles, responsibilities and authorities Planning Actions to address risks and opportunities Objectives and planning to achieve them Support Resources Competence Awareness Communication Documented information General Creating and Updating Control of documented information Operation Operational planning and control Performance Evaluation Monitoring, measurement, analysis and evaluation Internal audit Management review Improvement Nonconformity and corrective action Continual improvement 6

7 ISO/IEC 27000 Family Standards Process
International Organization for Standardization (ISO) International Electrotechnical Commission (IEC) Joint Technical Committee 1 (JTC1) Development and maintenance of the ISO/IEC ISMS standards family Identification of requirements for future ISMS standards and guidelines On-going maintenance of WG1 standing document SD WG1/1 (WG1 Roadmap) Collaboration with other working Groups in SC 27, in particular WG4 – Security Controls and Services Subcommittee 27 (SC 27) Security Techniques Working Group 1 (WG1) Information Security Management Systems ISO ISMS Family 7

8 Structure of ISO 27000 standards
27000 Overview & Vocabulary 27005 ISM Risk Management 27001:ISMS 27002 Code of Practice for ISM 27003 Implementation Guidance 27004 ISM Measurement 27006 Requirements for bodies providing certification 27007 Guidelines for ISMS auditing 27008 Guidance for auditors on ISM controls (TR) 27014 Governance of Information Security 8

9 The ISO 27000 Standards Available Today (34)
ISO 27000:2014 – ISM - Overview and vocabulary ISO 27001:2013 – ISMS - Requirements ISO 27002:2013 – Code of practice for information security controls ISO 27003:2010 – ISMS - Implementation guidance ISO 27004:2009 – Information security management - Measurement ISO 27005:2011 – Information security risk management ISO 27006:2011 – Requirements for bodies providing audit and certification of the ISMS ISO 27007:2011 – Guidelines for ISMS auditing ISO TR 27008:2011 – Guidelines for auditors on information security controls ISO 27010:2012 – ISM for inter-sector and inter-organisational communications ISO 27011:2008 – ISM Guidelines for telecommunications organizations based on ISO/IEC ISO 27013:2012 – Guidance on integrated implementation of ISO/IEC and ISO/IEC ISO 27014:2013 – Governance of information security ISO TR 27015:2012 – Information security management guidelines for financial services ISO TR 27016:2014 – ISM - Organizational economics ISO 27018:2014 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors ISO TR 27019:2013 – ISM Guidelines based on ISO/IEC for process control systems for the energy industry ISO 27031:2011 – Guidelines for ICT readiness for business continuity ISO 27032:2012 – Guidelines for cybersecurity

10 The ISO 27000 Standards Available Today
ISO :2015 – Network security – Part 1: Overview and concepts ISO :2012 – Network security – Part 2: Guidelines for the design and implementation of network security ISO :2010 – Network security – Part 3: Referencing network scenarios - threats, design techniques and control issues ISO :2014 – Network security – Part 4: Securing communication between networks using security gateways ISO :2013 – Network security – Part 5: Securing communication across networks using Virtual Private Networks (VPNs) ISO :2011 - Application security - Overview and concepts ISO :2015 - Application security – Organization normative framework ISO 27035:2011 – Information security incident management ISO :2014 – Information security for suppler relationships – Part 1: Overview and concepts ISO :2014 – Information security for suppler relationships – Part 2: Requirements ISO :2013 – Information security for suppler relationships – Part 3: Guidelines for ICT supply chain security ISO 27037:2012 – Guidelines for identification, collection, acquisition and preservation of digital evidence ISO 27038:2014 – Specification of digital redaction ISO 27039:2015 – Selection, deployment and operations of IPS ISO 27040:2015 – Storage security ISO 27043:2015 – Incident investigation principles and processes ISO 27799:2008 – Security management in health using ISO/IEC 27002

11 The Remaining ISO 27000 ISMS Family (in development)
ISO – Application of ISO/IEC Requirements ISO Security in cloud computing ISO TR – Competence requirements for information security management professionals ISO TR – Mapping the revised editions of ISO and ISO 27002 ISO Network Security – Part 6: Security wireless IP network access ISO (Parts 2-8) – Application Security ISO (Parts 1-3) – Information security incident management ISO – Information security for supplier relationships – Part 4: Guidelines for security of cloud services ISO – Specification for Digital Redaction ISO Selection, deployment and operations of Intrusion Detection [and Prevention] Systems (IDPS) ISO Guidance on assuring suitability and adequacy of incident investigative methods ISO Guidelines for the analysis and interpretation of digital evidence ISO – Guidelines for security incident and event management (SIEM) ISO (Parts 1-4) - Electronic discovery

12 Definitions Security Certification A statement by a recognized authority that a security evaluation has been undertaken competently and in accordance with appropriate regulations. The comprehensive assessment of the technical and non-technical security features and other safeguards of a system to establish the extent to which a particular system meets a set of specified security requirements for its use and environment. Security Accreditation Formal declaration by a Designated Approval Authority (DAA) that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Attestation The act of showing or evidence showing that something is true. Involves having a third party organization review the practices of the service provider and make a statement about the security posture of the organization.

13 Certification vs Attestation
Assessed against an externally governed framework and control standard. Assessed by a registrar from an accredited organization using a formal auditing standard Common framework and collection of controls Certification can be compared with other organizations Attestation Assessed against a framework and controls specific to the organization Could be self-assessed or by an independent/qualified third party From a service provider perspective, formal attestation reports such as a SOC 2 report may only be shared with existing customers. The assessment process is governed by standards but the object of the assessment is not. Attestations cannot be compared to other organizations. 13

14 ISO 27001:2013 ISMS Requirements
Standard High-Level Overview High-Level Limitations ISO 27001:2013 Built on the same premise of any quality management ISO standard -continually improving performance. Specifies the requirements for establishing, implementing and documenting an ISMS. Specifies requirements for security controls to be implemented according to the business requirements, risk, and legal and contractual obligations. Two Main Components of ISO: Clauses 4-10 and Annex A (Controls) Compliance with, or certification against ISO :2013 does not, itself, guarantee that an organization is secure. ISO 27001:2013 (clauses 4-10) 4. Context of the organization 5. Leadership 6. Planning 7. Support 8. Operation 9. Performance evaluation 10. Improvement ISO 27001:2013 (Annex A Controls) 5. Information security policies 6. Organisation of information security 7. Human resources security 8. Asset management 9. Access control 10. Cryptography 11. Physical and environmental security 12. Operations security 13. Communications security 14. Systems acquisition development & maintenance 15. Supplier relationships 16. Information security incident management 17. Information security aspects of business continuity management 18. Compliance

15 ISO 27001:2013 contents (aligned to ISO Directives)
15

16 ISO 27002:2013 – Code of practice for information security controls
Definition of control objectives, controls and implementation guidance under 14 security domains Included as Annex A in ISO 27001:2013 16

17 Example ISO 27001 Certification Implementation Approach
ISO 27001:2013 Certification Roadmap Phase Phase I Scoping & Planning Phase II Gap Assessment & Roadmap Phase III ISMS Implementation Phase IV Internal & External Audit Aim Determine scope, organisational objectives, interested parties, stakeholders Assess scope against current state compliance to ISO27001:2013 Clauses and Annex A Controls Develop and implement requirements in compliance to ISO27001:2013 Monitoring, Internal and External Audit of the ISMS for compliance to ISO27001:2013 mandatory requirements Activities Hi-level project plan ISMS Scoping workshop Approved ISMS Scope statement ISO27001: 2013 Clause 4 to 10 Conformance assessment ISO27001:2013 Annex A Gap assessment Develop ISMS Implementation Roadmap Review and update Information Security Policy Definition of role, responsibilities and authorities Risk Assessment Risk Treatment Plans Statement of Applicability Documentation Controls KPI’s, KRI’s and RACI Management Review Internal Audit Op. Readiness Assessment Stage 1 Certification Audit Stage 2 Certification Audit Risk Treatment Ongoing Streams Project Management Knowledge Transfer

18 Mandatory documented information required for certification
ISMS scope (as per clause 4.3) Information security policy (clause 5.2) Information security risk assessment process (clause 6.1.2) Information security risk treatment process (clause 6.1.3) Information security objectives (clause 6.2) Evidence of the competence of the people working in information security (clause 7.2) Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b) Operational planning and control documents (clause 8.1) The results of the risk assessments (clause 8.2) The decisions regarding risk treatment (clause 8.3) Evidence of the monitoring and measurement of information security (clause 9.1) The ISMS internal audit program and the results of audits conducted (clause 9.2) Evidence of top management reviews of the ISMS (clause 9.3) Evidence of nonconformities identified and corrective actions arising (clause 10.1) Various others subject to specific control in Annex A. 

19 ISO27001 Certification Audit Process
Onsite pre-assessment that covers both Stage 1 and Stage 2 audits Results of pre-assessment are not "official" but are akin to gap analysis OPTIONAL: Readiness Assessment Desktop review of documentation (can be offsite) Objective: To provide focus for planning the audit by gaining and understanding the ISMS in the context of the organizations security policy, policy and preparedness for the audit Scope of ISMS Risk assessment report and risk treatment plan Documented procedures Records Statement of Applicability Stage 1: ISMS Documentation Review Determine that the ISMS is functioning effectively Interviews conducted with staff within the ISMS Stage 2: Complete On-site Audit Ongoing: Surveillance Audits Conducted on an ongoing (e.g. six months – one year) basis rotating through all ISMS and Annex A controls during a 2-year period Reassessed at year 3

20 Non-conformity examples
Non-conformities Condition adverse to the requirements of ISO 27001 Non-fulfilment of a specified requirement: Relating directly to the security policy Against the ISMS Against legal or regulatory requirements Definition Possible Causes Documented system (defined process) does not conform with the ISMS standard (intent) Practice is not in line with intent (implementation) Action is not achieving planned results (effectiveness) Observed non-compliance with clear desk policy Visitors not signed out of the building on one occasion Training record not available Observed non-compliance to policies Non-conformity examples

21 ISO 27001: ISMS Certificates (2014)
Information technology 4,933 Other Services 867 Construction 454 Transport, storage and communication 327 Electrical and optical equipment 287 Japan – 7,170 UK – 2,259 India – 2,170 China – 2,002 USA – 664 Canada – 77 Certificates – 23,972 in 109 countries

22 Benefits of certification
Requirements of the standard hold management accountable for committing (time, effort, funding, resources, etc.) to information security Management is accountable to select controls based on risk acceptance and enforce those controls within the organisation Management Commitment to Information Security Information Security Effectiveness Increase awareness of information security within the organisation Appropriate protection of organisational assets Effectiveness of controls are measured and reported Compliance and Legal Requirements Demonstrates pro-active compliance with regulators Can be used as the common framework for other standards, regulatory requirements Reduced liability risk Building and Maintaining Trust Used to validate security practices and provide confidence in the use of third parties Operational efficiencies gained through repeatable processes for compliance monitoring Continual Improvement Enables the development of an introspective, agile and resilient organization

23 ISO Standards Involving Suppliers and Service Providers
ISO/IEC 17788: Information technology -- Cloud computing -- Overview and vocabulary ISO/IEC 17789: Information technology -- Cloud computing -- Reference architecture ISO/IEC – Security in cloud computing (in development) ISO/IEC – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors ISO/IEC – Information security for supplier relationships Part 1 – Overview and concepts (published) Part 2 – Requirements (published) Part 3 – Guidelines for ICT supply chain security (published) Part 4 – Guidelines for security of cloud services (in development) ISO/PAS Specification for security management systems for the supply chain ISO /IEC 37500:2014 – Guidance on outsourcing Click to edit Master text styles Second level Third level Fourth level

24 NIST Cyber Security Framework (CSF) for Critical Infrastructure Protection
The framework is a response to the U.S. President’s executive order Improving Critical Infrastructure Protection from 2013 Intended for U.S. companies that are considered part of critical infrastructure Voluntary framework Focuses on planning and implementation of a program to improve an organization’s cybersecurity posture. Consists of three primary framework components Framework Core – the set of activities to achieve specific cybersecurity outcomes and references guidance to achieve those outcomes Framework Profile – An alignment of the functions, categories and subcategories with the business requirements, risk tolerance and resources Framework Implementation Tiers – provides context on how the organization views cybersecurity risk and the processes in place to manage risk Click to edit Master text styles Second level Third level Fourth level

25 NIST CSF Framework Components
Functions Category Subcategory IDENTIFY (ID) Asset Management (ID.AM): ID.AM-1: ID.AM-2: Risk Management Strategy (ID.RM): ID.RM-1: ID.RM-3: PROTECT (PR) Access Control (PR.AC): PR.AC-1: PR.AC-3: DETECT (DE) Anomalies and Events (DE.AE): DE.AE-1: DE.AE-2: RESPOND (RS) Response Planning (RS.RP): RS.RP-1: Communications (RS.CO): RS.CO-1: RS.CO-2: RECOVER (RC) Recovery Planning (RC.RP): RC.RP-1: Improvements (RC.IM): RC.IM-1: RC.IM-2: Functions Definition IDENTIFY (ID) An understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities PROTECT (PR) The controls and safeguards necessary to protect or deter cybersecurity threats DETECT (DE) Continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events RESP{OND (RE) Incident-response activities RECOVER (RC) Business continuity plans to maintain resilience and recover capabilities after a cyber breach Framework Profile Framework Core Framework Implementation Tiers Tier 1 Partial Risk management is ad hoc, with limited awareness of risks and no collaboration with others Tier 2 Risk Informed Risk-management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but organization lacks formal capabilities Tier 3 Repeatable Formal policies for risk-management processes and programs are in place enterprise-wide, with partial external collaboration Tier 4 Adaptive Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration

26 NIST CSF Framework Core
5 Functions 22 Related Categories 98 Subcategories Function Category ID  Category Subcategories References Identify (ID) ID.AM Asset Management ID.BE Business Environment ID.GV Governance ID.RA Risk Assessment ID.RM Risk Management Strategy Protect (PR) PR.AC Access Control PR.AT Awareness and Training PR.DS Data Security PR.IP Information Protection Processes and Procedures PR.MA Maintenance PR.PT Protective Technology Detect (DE) DE.AE Anomalies and Events DE.CM Security Continuous Monitoring DE.DP Detection Processes Respond (RS) RS.RP Response Planning RS.CO Communications RS.AN Analysis RS.MI Mitigation RS.IM Improvements Recover (RC) RC.RP Recovery Planning RC.IM RC.CO What assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities?

27 NIST CSF Framework Core Categories
Function Category Description IDENTIFY (ID) Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. Risk Assessment (ID.RA):. The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. PROTECT (PR) Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures. Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. DETECT (DE) Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood. Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. RESPOND (RS) Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities. Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. RECOVER (RC) Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. 27

28 NIST Cyber Security Framework VS ISO 27001
The NIST CSF provides a common taxonomy and mechanisms for organizations to:   Describe their current cybersecurity posture; Describe their target state for cybersecurity;  Identify and prioritize opportunities for improvement with the context of a continuous and repeatable process; Assess progress toward the target state; and Communicate among internal and external stakeholders about cybersecurity risk The NIST CSF does not fully address the requirements for a “security management system” – it does a fairly good job of organizing and identifying the controls that are needed but not the management system to support it. The cross-reference to ISO contained in the NIST CSF mainly identifies the controls in Annex A of ISO but not the actual clauses (4-10) that make up the management system standard. There are also a few clauses in ISO that are not in the NIST CSF.   NIST is in place to provide standards and guidance for US federal agencies – it is not intended to be a global or industry standard although it is generally accepted as such. The title of the NIST Cyber Security Framework is Framework for Improving Critical Infrastructure Cybersecurity. The title indicates the scope. The NIST CSF is the response to the US Government policy issued by presidential executive order on Feb 13, 2013 – “is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”  Having a clear definition of cyber security is key. NIST defines cyber security ONLY in the scope of critical infrastructure protection. The NIST definition is not extended to an entire corporate security program.

29 Cloud security is a shared responsibility
Shared between the enterprise and the cloud provider, with varying responsibilities depending on the nature of the (X)aaS type Private Cloud IaaS PaaS SaaS Governance, Risk & Compliance Data Security Application Security Platform Security Infrastructure Security Physical Security Enterprise Responsibility Shared Responsibility Cloud Provider Responsibility 29

30 Cloud Service Provider (CSP) Risk Exposure
The nature of the CSP relationship determines the risk exposure Risk Attributes Financial stability Geography Capability / capacity / service-levels Corporate strategy and leadership Product / Service Profile Type of service / implementation Nature / extent of customer interaction Access to intellectual property Sensitivity to regulatory requirements Level of Integration Integration into end products Emerging technologies, and alignment of technology and processes Service Model affecting CSP Oversight Staff augmentation Managed service Potential Risk Exposures Strategic / CSP Selection Information Security Reputation Transaction / Operational Financial Legal / Compliance Credit Contractual Geopolitical Business Continuity Depending on the nature of the relationship with the CSP, the potential risk exposure can go well beyond direct financial loss and includes reputational damage, regulatory scrutiny and customer attrition. 30

31 Cloud Service Provider Certifications
Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR) Leading cloud security certifications based on the Open Certification Framework US FedRAMP - Secure Cloud Computing for Federal Government Cloud certification using a baseline of security controls to support low and moderate impact systems based NIST V4 UK GCloud Assertion-based using implementation guidance in support of 14 cloud security principles TRUSTed Cloud Privacy Certification Review of data privacy management practices. If practices are consistent with the TRUSTe Privacy Program Requirements will be granted the TRUSTe Certified Privacy Seal Service Organizational Control (SOC) 2 compliance. SOC 2 certification is designed for a technology and cloud computing organizations. It provides the assurance that a service provider delivers secure, reliable and effective systems for information storage, com 31

32 Cloud Service Provider Certifications – continued
ISO Certification Certification of the ISMS supporting the Cloud Services ISO/IEC : Application of ISO/IEC to the cloud. Currently being developed. To provide guidance on application of ISO/IEC Part 1 to the cloud. Hybrid Certification (externally certified and audited) Service Organization Controls 1 (SOC 1) Type II report Service Organization Controls 2 (SOC 2) Type II report ISO certification PCI DSS Level 1 US Federal Risk and Authorization Management Program (FedRamp) Audits including; ITAR, FIPS 140-2, FISMA/DIACAP, HIPAA … This approach is used by Amazon AWS, Rackspace and Microsoft Azure. CUMULUS - Certification infrastrUcture for MUlti-Layer cloUd Services EU-based project for development of certification models, processes and tools Geography Specific Hong Kong/Guangdong cloud security assessment and certification scheme Multi-Tier Cloud Security Standard for Singapore (MTCS SS 584:2013) Trusted Cloud Service Certification – China Cloud Computing Promotion and Policy Forum (CCCPPF) 32

33 CSA - Open Certification Framework
The STAR approach offers 3 different levels of certification that would align with different levels of required assurance. The 1st level, CSA STAR Self-Assessment level, is obtained by registering the results of the Consensus Assessments Initiative Questionnaire (CAIQ) completed by the Cloud Service Provider. The 2nd level can be CSA STAR Certification, obtained from an independent assessment from an accredited 3rd party or CSA STAR Attestation, obtained from a conducted SOC 2 report using the AICPA Trust Service Criteria and the CSA CCM. The 3rd level, CSA STAR Continuous Monitoring is under development. Certification is built upon the globally accepted standard for information security management systems (ISO 27001). 33

34 CSA - Open Certification Framework
Cloud Security Alliance (CSA) objective is to: Promote “best practices for providing security assurance within Cloud Computing” Inform consumers and providers on security issues Plays a role in addressing and implementing viable solutions for security challenges CSA will increase size and relevance as interest in implementing cloud solutions proliferate The Benefits of CSA Certification include: Broad acceptance of the controls used for security; A juried certification process using globally accepted criteria (ISO 27001); Alignment with a broad selection of frameworks and criteria; Transparent and available information to support certifications; and Certification levels that are appropriate for the assurance required by the cloud service requirements.

35 CSA STAR Certification
A STAR certification certificate cannot be issued unless the organization has passed their ISO assessment. The CSA maintains a registry of organizations that have completed one or more of the certification levels of the STAR certification framework. The STAR registry contains the information used for the CSA Open Certification Framework certifications. The self-assessment level will include the CSAQ self-assessment results The certification level includes the STAR certification registry entry and may include the STAR certificate. The attestation level includes the attestation from the 3rd party assessment organization.

36 Requirements for Bodies providing CSA STAR Certification
A certification body conducting a CCM assessment must comply with ISO Accreditation is governed by ISO 27006:2011 Requirements for bodies providing audit and certification for information security management systems (the same standard for accrediting bodies for ISO certification). Assessors need to pass an accredited Lead Auditor Course for ISO or be a qualified and experienced ISO assessor for an International Accreditation Forum (IAF) member accredited ISO certification body. All assessors must have complete a BSI/CSA CCM exam. The scope of the ISO certification must not be less than the scope of the STAR certification. The assessment cycle is the same as ISO – initial assessment followed by surveillance audits over a 3-year period.

37 Questions? 37

Download ppt "Agenda Introduction ISO family of standards"

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
EMS Checklist (ISO model)

EMS Checklist (ISO model)
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Environmental Management System Implementation

Environmental Management System Implementation
[Organisation’s Title] Environmental Management System

[Organisation’s Title] Environmental Management System
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Environmental Management System (EMS)

Environmental Management System (EMS)
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.

Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.
Contractor Management and ISO 14001:2004

Contractor Management and ISO 14001:2004
Security Controls – What Works

Security Controls – What Works
ISO Current status of development

ISO Current status of development
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
ISO General Awareness Training

ISO General Awareness Training
IS Audit Function Knowledge

IS Audit Function Knowledge
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
The NIST Framework for Cybersecurity

The NIST Framework for Cybersecurity
Quality Management Systems

Quality Management Systems

Similar presentations

Ads by Google