CLOUD QUALITY AND CLOUD CERTIFICATION

Transcription

1 CLOUD QUALITY AND CLOUD CERTIFICATION 8th EuroCloud Congress Cloud, Trust & Security 25th October 2017 / Brussels, Belgium Ivana Tepčević Project Manager and Lead Auditor, SGS Belgrade

2 AGENDA SGS in brief EuroCloud Europe SGS Belgrade relationship StarAudit certification scheme Cloud service certification process 2

3 SGS IN BRIEF Established in 1878, in Europe With more than 90,000 employees, we operate a network of more than 2,000 offices and laboratories around the world Our core services can be divided into four categories: Certification Inspection Verification Testing 3

4 CERTIFICATION AND BUSINESS ENGANCEMENT Besides many others certification schemes CBE department provides certification services based on the following criteria: ISO 9001 ISO OHSAS ISO ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO STAR AUDIT 4

5 ECE AND SGS SGS Belgrade signed the Contracts with EuroCloud Europe in June 2015 and became a partner of ECE as Auditing and Training Organization 5

6 WHAT IS COMMON ISSUE RELATED TO SELECTION OF CLOUD SERVICE? Procurement process Technological complexity of cloud service delivery model in conjunction with compliance, security or data privacy Lack of knowledge and experience to select right cloud service provider considering SLA management, contractual clauses or data privacy legislation 6

7 STARAUDIT Mature certification scheme designed to assess cloud services Ensures transparent and reliable certification process. Covers all participants in the specific supply chain of a cloud service Features a modular structure Offers three quality levels Suitable for all types of organisations 7

8 CLOUD CERTIFICATION Based on StarAudit scheme Performed by recognised certification body Provided by qualified auditors Applied uniform audit procedure 8

9 STARAUDIT CRITERIA Defined within StarAudit Catalogue StarAudit requirements are grouped into the six areas: Area 1: CSP Profile Area 2: Contract and Compliance Area 3: Security and Data Privacy Area 4: DC Operations and Infrastructure Area 5: Operations Processes Area 6: Cloud Service assessment 9

10 AUDIT PROCEDURE Designed in accordance with: ISO 19011:2011 standard Framework Conditions for Conducting of StarAudit Certification Processes. Instructions for Accredited StarAudit Organisations StarAudit Catalogue of criteria 3rd party audit types: Certification (initial) Surveillance (visit 2 or visit 3) Recertification 10

11 SURVEILLANCE AUDITS Refresh certification audit StarAudit Certificate is valid for 3 years with obligation of annual surveillance audit resulting in positive reports Extent of surveillance audit is at least 1/3 of the extent of the certification audit depending on changes in cloud service, StarAudit criteria and/or legal environment as well as findings of the previous audit After each successful surveillance a new certificate will be issued 11

12 HOW DOES A CLOUD AUDIT WORK? 1.Self Assessment Report provided by customer 1.Audit process planning designed by SGS and agreed with a customer 1.Review of documented information performed by SGS 1.On site audit a and off site audit performed by SGS 1.Reporting provided by SGS and Certificate issued by ECE 12

13 SELF-ASSESSMENT TOOL USED BY AUDITORS Self-Assessment tool Online service providing checklist Catalogue of StarAudit criteria could be used by both CSPs and auditors. generates assessment report at the end of each 3rd party audit, which shows the maturity and compliance levels of a service. 13

14 SGS RESULTS IN CLOUD CERTIFICATION SERVICE IN THE LAST 12 MONTHS SaaS Certificate level 4 star 1st Government Cloud certified in Europe The Austrian Federal Ministry of Agriculture, Forestry, Environment and Water Management, November 2016 StarAudit Approved DC Certificate level 3 star 1st DC Ready certificate in Croatia Croatian Post Inc., August 2017 StarAudit Approved DC Certificate level 3 star 1st DC Ready certificate in Serbia Orion Telekom d.o.o., October

15 MOST IMPORTANT 1. Certification criteria publicly available. 2. Impartiality and independence of the audit process 3. Strict separation between the work of the certification body and consulting organization 4. ECE authorized for the final review of audit process results, issuing the StarAudit certificate and publication on 15

16 FURTHER STEPS Reflecting to the flexibility, dynamics and on demand nature of cloud services it shall be: designed dynamic (continuous) certification process of cloud services revised and enhanced StarAudit criteria constantly 16

17 REFERENCES Material used for the purpose of making this presentation: Höllwarth, Tobias et al. (2015) Cloud by Default (Draft 5.2) StarAudit Training material given by EuroCloud Europe, November 2015, Belgrade StarAudit Catalogue ver 3.0, rev 16b Website content ISO 27006:2015 and ISO 19011:2011 standards 17

18 Ivana Tepčević Project Manager & ISO Lead Auditor SGS Beograd Ltd Jurija Gagarina 7 b RS Belgrade Serbia phone: mobile: ivana.tepcevic@sgs.com Skype: Tepcevic, Ivana (Beograd) 18