Build confidence in the cloud Best practice frameworks for cloud security

Similar documents
ISO/IEC Safeguarding Personal Information in the Cloud. Whitepaper

Accelerate Your Enterprise Private Cloud Initiative

New International Health and Safety Standard ISO 45001

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Perfect Balance of Public and Private Cloud

Level Access Information Security Policy

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Best Practices in Securing a Multicloud World

Cloud First: Policy Not Aspiration. A techuk Paper April 2017

Modern Database Architectures Demand Modern Data Security Measures

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

Security and Privacy Governance Program Guidelines

Accelerating Cloud Adoption

Evolution For Enterprises In A Cloud World

Securing Your Digital Transformation

A Global Look at IT Audit Best Practices

NCSF Foundation Certification

ISO/ IEC (ITSM) Certification Roadmap

SOC for cybersecurity

Swedish bank overcomes regulatory hurdles and embraces the cloud to foster innovation

Google Cloud & the General Data Protection Regulation (GDPR)

TEL2813/IS2820 Security Management

Keeping the lid on storage

ProDeploy Suite. Accelerate enterprise technology adoption with expert deployment designed for you

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

BRING EXPERT TRAINING TO YOUR WORKPLACE.

Making hybrid IT simple with Capgemini and Microsoft Azure Stack

Security Management Models And Practices Feb 5, 2008

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Implementing ITIL v3 Service Lifecycle

Why Converged Infrastructure?

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

DIGITAL TRANSFORMATION IN FINANCIAL SERVICES

Introduction to ISO/IEC 27001:2005

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

CESG:10 Steps to Cyber Security WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

EU General Data Protection Regulation (GDPR) Achieving compliance

Cloud Services. Infrastructure-as-a-Service

What is ISO ISMS? Business Beam

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

ISO 9001 Auditing Practices Group Guidance on:

CONNECTING THE CLOUD WITH ON DEMAND INFRASTRUCTURE

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

Services for Smart Solutions: Delivering Innovations & Efficiency Surendran Vangadasalam

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

THALES DATA THREAT REPORT

the steps that IS Services should take to ensure that this document is aligned with the SNH s KIMS and SNH s Change Requirement;

A company built on security

Achieving effective risk management and continuous compliance with Deloitte and SAP

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

An Overview of ISO/IEC family of Information Security Management System Standards

Securing Digital Applications

BHConsulting. Your trusted cybersecurity partner

Cybersecurity. Securely enabling transformation and change

Top Priority for Hybrid IT

Oracle Buys Automated Applications Controls Leader LogicalApps

State of Cloud Survey GERMANY FINDINGS

THALES DATA THREAT REPORT

THE JOURNEY OVERVIEW THREE PHASES TO A SUCCESSFUL MIGRATION ADOPTION ACCENTURE IS 80% IN THE CLOUD

BCI Global Research Summary Key Trends, Influences and Conclusions Affecting the Profession

REALIZE YOUR. DIGITAL VISION with Digital Private Cloud from Atos and VMware

BUSINESS CONTINUITY MANAGEMENT

ICT Mentors e-learning portfolio provides our delegates with materials for study at the comfort of their homes, work place etc.

Securing intelligent networks: a guide for CISO and CIOs

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

Invest in. ISACA-certified professionals, see the. rewards.

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

The Windstream Enterprise Advantage for Banking

ENABLING SECURE CLOUD CONNECTIVITY. Create a Successful Cloud Strategy with Reliable Connectivity Solutions

THE POWER OF TECH-SAVVY BOARDS:

CenturyLink for Microsoft

Angela McKay Director, Government Security Policy and Strategy Microsoft

Symantec Enterprise Support Services Manage IT Risk. Maximize IT Performance.

Building Trust in the Era of Cloud Computing

Professional Services for Cloud Management Solutions

SOFTWARE PLATFORM INFRASTRUCTURE. as a Service. as a Service. as a Service. Empower Users. Develop Apps. Manage Machines

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Global Security Consulting Services, compliancy and risk asessment services

Helping shape your future

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

Improving Data Governance in Your Organization. Faire Co Regional Manger, Information Management Software, ASEAN

Government IT Modernization and the Adoption of Hybrid Cloud

Drive Your Career Forward IIA Certifications and Qualifications

ISO 27001:2013 certification

Cyber Security Strategy

Why Converged Infrastructure?

Drive Your Career Forward IIA Certifications and Qualifications

Move Up to an OpenStack Private Cloud and Lose the Vendor Lock-in

RUAG Cyber Security Understand Cyber. Protect Values.

Clarity on Cyber Security. Media conference 29 May 2018

How Secure is Blockchain? June 6 th, 2017

ISO Professional Services Guide to Implementation and Certification AND

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

ITG. Information Security Management System Manual

INVESTOR UPDATE SSH COMMUNICATIONS SECURITY Kaisa Olkkonen, CEO

Transcription:

Build confidence in the cloud Best practice frameworks for cloud security

Cloud services are rapidly growing and becoming more of a focus for business. It s predicted that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud during the next five years 1. This is no surprise as cloud is one of the main digital technologies developing in today s fast-moving world. It s encouraging that CEO s recognize that it s crucial for them to champion the use of digital technologies 2 to keep up with today s evolving business environment. There are however still concerns over using cloud services and the best approach for adoption. That s where BSI can help. We recognize that responding to emerging technologies can be difficult, especially with an ever-growing variety of products and services. As a business improvement partner we work with clients to understand key drivers and help select the best practice approaches that suit their organization and build greater resilience. This guide is designed to help you understand the different best practice frameworks to build a secure cloud environment that inspires confidence.

What influences cloud adoption? Choosing an approach Business strategy and objectives should help organizations decide the best approach to cloud computing. This may involve using public cloud services, a private cloud or a hybrid cloud solution. It will often be influenced by your resources and priorities. Public cloud Private cloud Hybrid cloud An internet based service where information from a number of different organizations may be stored together A service based on an organization s private network Where a combination of different cloud services is used by an organization Tackling the barriers Security concerns still top the list as a barrier to cloud adoption 1, particularly with public cloud provisions 73% of IT professionals say the biggest obstacle to cloud projects is the security of data 3 91% of organizations are very or moderately concerned about public cloud security 4 This isn t just within IT departments, 61% of IT professionals believe the security of data residing in the cloud is an executive concern 3. This is critical considering the variety of cloud services that support the wider business operations such as CRM systems, HR self-service portals and business complaint systems to name a few. Getting executive buy-in can help align cloud service offerings and improve delivery. Plus it can support instilling a best practice approach to security throughout the business, ensuring all employees are trained on how to recognize information security threats and the action they need to take to support the business. The benefits Cloud services can provide a number of benefits including: Agility: you can respond more quickly and adapt to business changes Scalable: cloud platforms are less restrictive on storage, size, number of users Cost savings: no physical infrastructure costs or charges for extra storage, exceeding quotas etc. Enhanced security: standards and certification can show robust security controls are in place Adaptability: you can easily adjust cloud services to make sure they best suit your business needs Continuity: organizations are using cloud services as a back-up internal solution 1. Gartner July 2016 2. PWC Digital IQ report 2015 3. Cloud Security Alliance: Cloud Adoption Practices and Priorities Survey Report 2015 4. Information Security Community LinkedIn, Cloud-Security-Report-2016

Solutions to help you manage cloud security We have a range of products and services that focus on putting appropriate frameworks and controls in place to manage cloud security. ISO/IEC 27001 The international standard for an Information Security Management System (ISMS). ISO/IEC 27001 is the foundation of all our cloud security solutions. It describes the requirements for a best practice system to manage information security including understanding the context of an organization, the responsibilities of top management, resource requirements, how to approach risk, and how to monitor and improve the system. It also provides a generic set of controls required to manage information and ensures you assess your information risks and control them appropriately. It s relevant to all types of organization regardless of whether they are involved with cloud services or not, to help with managing information security against recognized best practice. BSI provides top quality training to ensure you maximize the benefits of ISO/IEC 27001 and we also provide certification services. ISO/IEC 27002 A code of practice for security controls. It provides more detail on the generic security controls, which organizations might wish to apply when implementing a management system such as ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018. ISO/IEC 27017 An international code of practice for cloud security controls. It outlines cloud specific controls to manage security, building on the generic controls described in ISO/IEC 27002. It s applicable to both Cloud Service Providers (CSPs) and organizations procuring cloud services. It provides support by outlining roles and responsibilities for both parties, ensuring all cloud security concerns are addressed and clearly owned. Having ISO/IEC 27017 controls in place is especially important when you procure cloud services that form part of a service you sell to clients. BSI provides top quality training to ensure you maximize the benefits of ISO/IEC 27017 and we also provide certification* services. Top tip Do you know your responsibilities when providing or procuring cloud services? It is likely all providers using ISO/IEC 27017 will have outlined and communicated responsibilities of both parties. Make sure you are aware of what you have committed to so you can take full accountability.

ISO/IEC 27018 An international code of practice for Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in ISO/IEC 27002 and is appropriate for any organization that processes PII. This is particularly important considering the changing privacy landscape and focus on protecting sensitive personal data. BSI provides top quality training to ensure you maximize the benefits of ISO/IEC 27018 and we also provide certification* services. CSA STAR This is a framework based on a control set owned and created by the Cloud Security Alliance (CSA), a global industry body pioneering research and development in cloud security. It contains a management capability (maturity model) to help organizations drive continual improvement. The controls are mapped to a number of other standards making it a useful tool for organizations to review their compliance against a wide range of cloud-based standards and industry best practices. It s regularly reviewed by the CSA to ensure it remains up-to-date with industry best practice. It s appropriate for organizations using or offering cloud services who want to demonstrate they are up-to-date with emerging best practice and gain the internal benefits of being audited against a maturity model to help steer improvements. It s widely adopted by industry leading cloud providers and other organizations that have a dedicated focus on cloud services, enabling greater agility and resources to regularly adapt. BSI provides top quality training to ensure you maximize the benefits of CSA STAR and we also provide certification* services. What is a maturity model? A benchmark model for managing and analyzing the performance of the cloud services you deliver. This model is regularly updated to reflect changing industry bestpractice. *You will need certification to ISO/IEC 27001 to be able to get certification to this product.

Where should I start with cloud security? This decision tree will help you determine which solution will best meet your organizational needs. Our training courses can help you learn about the standards and obtain the knowledge to implement and audit a system. With certification you can demonstrate your commitment to cloud security and on-going improvements. Are you a cloud service provider (CSP)? YES Do you process personally identifiable information (PII)? Are you looking for, or currently working with, a cloud service provider? YES YES Do you have the focus and resource to maintain a system that regularly adapts to industry best practice? YES ISO/IEC 27001 as your information security foundation framework ISO/IEC 27018 to protect PII CSA STAR to manage cloud security and regularly adapt Do you have the focus and resource to maintain a system that regularly adapts to industry best practice? ISO/IEC 27001 as your information security foundation framework ISO/IEC 27018 to protect PII ISO/IEC 27017 to define your responsibilities and protect security as a CSP Will the services you use with your chosen provider involve personally identifiable information (PII) being given to your CSP? YES ISO/IEC 27001 as your information security foundation framework Consider ISO/IEC 27001 as your information security foundation framework Familiarize yourself with other solutions for the future e.g. to support private cloud set-up the ISO/IEC 27017 controls will still be applicable ISO/IEC 27001 as your information security foundation framework YES ISO/IEC 27001 as your information security foundation framework CSA STAR to manage cloud security and regularly adapt to evolving best-practice ISO/IEC 27001 as your information security foundation framework ISO/IEC 27017 to define your responsibilities and protect security as a CSP Consider: ISO/IEC 27018 to protect PII ISO/IEC 27017 to define your responsibilities as a user of cloud services Make sure your CSP has ISO/IEC 27017 or CSA STAR, as well as ISO/IEC 27018 certification Consider: ISO/IEC 27017 to define your responsibilities as a user of cloud services Make sure your CSP has ISO/IEC 27017 or CSA STAR certification

Whilst our decision tree gives you a good indication into what to consider, we are seeing clients certify to the full suite of standards to embed a culture of best practice that reassures users and builds confidence in their cloud security. Here are some of the great benefits experienced by clients: With CSA STAR Certification, customers can gain confidence that Microsoft Azure is meeting customer needs and relevant regulatory requirements, as well as actively monitoring, measuring and continually improving the effectiveness of our management system. Alice Rison, Trust and Transparency Senior Director of Microsoft ISO/IEC 27001 and CSA STAR certifications enable Cirrity to better compete with the world s largest cloud service providers. You are not going to find companies with a business model like ours that have invested this much in security and compliance, so that is a very big differentiator. Dan Timko, President and Chief Technical Officer, Cirrity We work exclusively with BSI, the undisputed global leader in cloud security certification, on our full suite of security standards, including CSA STAR Certification, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 and Kitemark for Secure Digital Transactions. While BSI s superior reputation already delivers immense confidence to our customers, their true value lies in having the best expert auditors in industry who can push us to the limits, allowing us to discover our own weaknesses and continuously improve our protection of customer data. Ronald Tse, Founder of Ribose the world s only CSA triple-assured cloud service provider

Why BSI? BSI has been at the forefront of information security standards since 1995, having produced the world s first standard standard, BS 7799, now ISO/IEC 27001, the world s most popular information security standard. And we haven t stopped there, addressing the new emerging issues such as cyber and cloud security. That s why we re best placed to help you. At BSI we create excellence by driving the success of our clients through standards. We help organizations to embed resilience, helping them to grow sustainably, adapt to change, and prosper for the long term. We make excellence a habit. For over a century our experts have been challenging mediocrity and complacency to help embed excellence into the way people and products work. With 80,000 clients in 182 countries, BSI is an organization whose standards inspire excellence across the globe. Our products and services We provide a unique combination of complementary products and services, managed through our three business streams; Knowledge, Assurance and Compliance. Knowledge The core of our business centres on the knowledge that we create and impart to our clients. In the standards arena we continue to build our reputation as an expert body, bringing together experts from industry to shape standards at local, regional and international levels. In fact, BSI originally created eight of the world s top ten management system standards. Assurance Independent assessment of the conformity of a process or product to a particular standard ensures that our clients perform to a high level of excellence. We train our clients in world-class implementation and auditing techniques to ensure they maximize the benefits of standards. Compliance To experience real, long-term benefits, our clients need to ensure ongoing compliance to a regulation, market need or standard so that it becomes an embedded habit. We provide a range of services and differentiated management tools which help facilitate this process. To find out more visit: bsigroup.com/en-au bsigroup.com/en-au BSI Group BSI/AU/751/SC/0117/EN/BLD

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback