Geneva, Switzerland, 14 November 2014 Data Protection for Public Cloud (International Standard ISO 27018) Stéphane Guilloteau Engineer Expert, Orange Labs.
ITU Workshop on “Cloud Computing Standards – Today and the Future” (Geneva, Switzerland, 14 November 2014)

Agenda
- Introduction
- Scope
- Methodology
- Context
- Requirements
- Structure
- Principles
- Sector-specific examples
- Conclusion

ISO/IEC
- Title: Code of practice for PII protection in public clouds acting as PII processors (PII = Personally Identifiable Information)
- Developed by ISO/IEC JTC1 SC27 WG5: Information technology, Security techniques, Identity management and privacy technologies
- Published in 2014/08

SC 27 (figure by Jan Schallaböck, Vice-Convenor WG5)

WG5 (figure by Jan Schallaböck, Vice-Convenor WG5)

Scope
- Objective: to create a common set of security categories and controls that apply to a public cloud computing service provider
- To meet the requirements for the protection of PII

Methodology
- Collecting together PII protection requirements according to ISO/IEC and the guidance for implementing controls given in ISO/IEC
- Designed for all types and sizes of organizations

Context
- A public cloud service provider is a “PII processor” when it processes PII for, and according to the instructions of, a cloud service customer (the controller)
- “Privacy by Design”
- “PII lifecycle consideration”
- Information security risk environment

Ecosystem (figure by Chris Mitchell, Editor)

Requirements
Three main sources:
- legal, statutory, regulatory and contractual requirements
- risks
- corporate policies

Structure
- Security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance

Principles
- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention and disclosure limitation
- Accuracy and quality
- Openness, transparency and notice
- Individual participation and access
- Accountability
- Information security
- Privacy compliance

Sector-specific examples
- Clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer
- Facilitate the exercise of PII principals’ rights
- Ensure purpose specification and limitation principles
- Notify data breaches
- Specify PII geographical location

Conclusion
- Comply with applicable obligations
- Be transparent
- Enter into contractual agreements
- Demonstrate effective implementation of PII protection
- Does not replace applicable legislation and regulations, but can assist
- Complemented by standards in progress (29151, 29134…)