Cloud Security and Compliance Standards

Cloud processing of information affects existing information processing flows, controls and compliance standards. Cloud service providers show the level to which they support diverse compliance standards that are specific to verticals such as payments, health, finance and enterprise. For reference, see https://aws.amazon.com/compliance/.

CSA-CCM Cloud Security Alliance Cloud Controls Matrix. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP. It is part of the Governance, Risk Management and Compliance (GRC) stack – CloudAudit, CCM, CAIQ, CTP.

PCI-DSS Payment Card Industry Data Security Standard. Guidelines have been released for storing credit card data in the cloud. See https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

SSAE16 Statement on Standards for Attestation Engagements (SSAE) 16. SSAE 16 reporting can help service organizations comply with Sarbanes-Oxley's requirement. It is not limited to financial reporting; it can also be applied to other sectors, and is useful for datacentres. SSAE 16 is one of the most widely known tools for providing assurances to data center customers. See the discussion at http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/ and the related SOC1 and SOC2 reports.

ISO27001 Specification for an information security management system, released 2013.

FedRAMP U.S. federal agencies have been directed to use a process called FedRAMP (Federal Risk and Authorization Management Program) to assess and authorize federal cloud computing products and services. See https://aws.amazon.com/compliance/fedramp/

UK G-Cloud Framework for faster procurement of IT services over the cloud. See also CESG (Communications-Electronics Security Group).

IRAP Information Security Registered Assessors Program is an Australian Signals Directorate initiative to provide high-quality information and communications technology services to government in support of Australia’s security. A list of certified clouds – http://www.asd.gov.au/infosec/irap/certified_clouds.htm

HIPAA Health Insurance Portability and Accountability Act. The privacy rule ensures patients' access to their health information and Protected Health Information (PHI), and de-identification of such data before health information is shared publicly. The security rule covers physical and technical safeguards such as control and monitoring of information against intrusions, encryption over networks, etc.

DIACAP DoD Information Assurance Certification and Accreditation Process. A United States Department of Defense (DoD) process to ensure that companies and organizations apply risk management to information systems. Aligns with the NIST Risk Management Framework (RMF).

GLBA Financial Services Modernization Act of 1999. Removed barriers in the market among banking companies, securities companies and insurance companies, allowing them to act as one and consolidate. GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity.

NIST-SP800 30 NIST Risk Management Guide for Information Technology Systems

FISMA Federal Information Security Management Act of 2002. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

UK Data Protection Act Governs the protection of personal data in the UK

EU Data Privacy Directive Officially Directive 95/46/EC. A European Union directive adopted in 1995 which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. On 25 January 2012, the European Commission unveiled a draft European General Data Protection Regulation that will supersede the Data Protection Directive.

FIPS 140-2 Federal Information Processing Standard Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules.
