
Code of Practice for Protecting PII in Public Clouds

This workshop summary from the ITU workshop on Cloud Computing Standards discusses ISO/IEC 27018, a standard for protecting Personally Identifiable Information (PII) in public cloud environments. The agenda covers the scope, methodology, requirements, and principles of the standard, along with sector-specific examples and conclusions. The objectives include creating a common set of security categories and controls for public cloud service providers and meeting PII protection requirements. The session emphasizes the importance of privacy considerations, information security risk environments, and compliance with legal, statutory, and regulatory obligations.


Presentation Transcript


  1. ITU Workshop on “Cloud Computing Standards – Today and the Future” (Geneva, Switzerland, 14 November 2014) • Data Protection for Public Cloud (International Standard ISO 27018) • Stéphane Guilloteau, Engineer Expert, Orange Labs, stephane.guilloteau@orange.com

  2. Agenda • Introduction • Scope of 27018 • Methodology • Context • Requirements • Structure • Principles • Sector-specific examples • Conclusion

  3. ISO/IEC 27018 published in 2014/08 • Title: Code of practice for PII protection in public clouds acting as PII processors • PII = Personally Identifiable Information • ISO/IEC JTC1 SC27 WG5: Information technology, Security techniques, Identity management and privacy technologies

  4. SC 27 Figure by Jan Schallaböck, Vice-Convenor WG5

  5. WG5 Figure by Jan Schallaböck, Vice-Convenor WG5

  6. Scope • Objective • To create a common set of security categories and controls that apply to a public cloud computing service provider • To meet the requirements for the protection of PII

  7. Methodology • Collecting together PII protection requirements according to ISO/IEC 29100 and the guidance for implementing controls given in ISO/IEC 27002 • Designed for • All types and sizes of organizations

  8. Context • A public cloud service provider is a “PII processor” when it processes PII for and according to the instructions of a cloud service customer (controller) • “Privacy by Design” • “PII lifecycle consideration” • Information security risk environment

  9. Ecosystem Figure by Chris Mitchell, 27018 Editor

  10. Requirements • Three main sources • legal, statutory, regulatory and contractual requirements • risks • corporate policies

  11. 27002 structure • Security policies • Organization of information security • Human resource security • Asset management • Access control • Cryptography • Physical and environmental security • Operations security • Communications security • System acquisition, development and maintenance • Supplier relationships • Information security incident management • Information security aspects of business continuity management • Compliance

  12. 29100 principles • Consent and choice • Purpose legitimacy and specification • Collection limitation • Data minimization • Use, retention and disclosure limitation • Accuracy and quality • Openness, transparency and notice • Individual participation and access • Accountability • Information security • Privacy compliance

  13. Sector-specific examples • clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer • facilitate the exercise of PII principals’ rights • ensure purpose specification and limitation principles • notify data breaches • specify PII geographical location

  14. Conclusion • comply with applicable obligations • be transparent • enter into contractual agreements • demonstrate effective implementation of PII protection • does not replace applicable legislation and regulations, but can assist • to be complemented by standards in progress (29151, 29134…)
