Presentation is loading. Please wait.

Presentation is loading. Please wait.

Geneva, Switzerland, 14 November 2014 Data Protection for Public Cloud (International Standard ISO 27018) Stéphane Guilloteau Engineer Expert, Orange Labs.

Published byAmelia Stokes Modified over 9 years ago

Similar presentations

Presentation on theme: "Geneva, Switzerland, 14 November 2014 Data Protection for Public Cloud (International Standard ISO 27018) Stéphane Guilloteau Engineer Expert, Orange Labs."— Presentation transcript:

1 Geneva, Switzerland, 14 November 2014 Data Protection for Public Cloud (International Standard ISO 27018) Stéphane Guilloteau Engineer Expert, Orange Labs stephane.guilloteau@orange.com ITU Workshop on “Cloud Computing Standards – Today and the Future” (Geneva, Switzerland 14 November 2014)

2 Geneva, Switzerland, 14 November 2014 2 Agenda Introduction Scope of 27018 Methodology Context Requirements Structure Principles Sector-specific examples Conclusion

3 Geneva, Switzerland, 14 November 2014 3 ISO/IEC 27018 Title Code of practice for PII protection in public clouds acting as PII processors PII=Personally Identifiable Information ISO/IEC JTC1 SC27 WG5 Information technology, Security techniques, Identity management and privacy technologies published in 2014/08

4 Geneva, Switzerland, 14 November 2014 4 SC 27 Figure by Jan Schallaböck, Vice-Convenor WG5

5 Geneva, Switzerland, 14 November 2014 5 WG5 Figure by Jan Schallaböck, Vice-Convenor WG5

6 Geneva, Switzerland, 14 November 2014 6 Scope Objective To create a common set of security categories and controls that apply to a public cloud computing service provider To meet the requirements for the protection of PII

7 Geneva, Switzerland, 14 November 2014 7 Methodology Collecting together PII protection requirements according to ISO/IEC 29100 and the guidance for implementing controls given in ISO/IEC 27002 Designed for All types and sizes of organizations

8 Geneva, Switzerland, 14 November 2014 8 Context A public cloud service provider is a “PII processor” when it processes PII for and according to the instructions of a cloud service customer (controller) “Privacy by Design” “PII lyfecycle consideration” Information security risk environment

9 Geneva, Switzerland, 14 November 2014 9 Ecosystem Figure by Chris Mitchell, 27018 Editor

10 Geneva, Switzerland, 14 November 2014 10 Requirements Three main sources legal, statutory, regulatory and contractual requirements risks corporate policies

11 Geneva, Switzerland, 14 November 2014 11 27002 structure Security policies Organization of information security Human resource security Asset management Access control Cryptography Physical and environmental security Operations security Communications security System acquisition, development and maintenance Supplier relationships Information security incident management Information security aspects of business continuity management Compliance

12 Geneva, Switzerland, 14 November 2014 12 29100 principles Consent and choice Purpose legitimacy and specification Collection limitation Data minimization Use, retention and disclosure limitation Accuracy and quality Openness, transparency and notice Individual participation and access Accountability Information security Privacy compliance

13 Geneva, Switzerland, 14 November 2014 13 sector-specific examples clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer facilitate the exercise of PII principals’ rights ensure purpose specification and limitation principles notify data breach specify PII geographical location

14 Geneva, Switzerland, 14 November 2014 14 Conclusion comply with applicable obligations be transparent enter into contractual agreement demonstrate effective implementation of PII protection do not replace applicable legislation and regulations, but can assist complete with standards in progress (29151, 29134…)

Download ppt "Geneva, Switzerland, 14 November 2014 Data Protection for Public Cloud (International Standard ISO 27018) Stéphane Guilloteau Engineer Expert, Orange Labs."

Similar presentations

Tunis, Tunisia, 18-19 June 2012 Privacy in Cloud Computing Vijay Mauree, Programme Coordinator, TSB, ITU ITU Workshop on Cloud Computing.

Tunis, Tunisia, June 2012 Privacy in Cloud Computing Vijay Mauree, Programme Coordinator, TSB, ITU ITU Workshop on Cloud Computing.
Regulators’ Code July 2014. Regulators’ Code A statutory Code Came into effect in April 2014, replacing the Regulators’ Compliance Code All local authorities.

Regulators’ Code July Regulators’ Code A statutory Code Came into effect in April 2014, replacing the Regulators’ Compliance Code All local authorities.
Geneva, Switzerland, 25-26 September 2012 m-Cloud for Homecare - Policy & Regulatory Challenges - Francesca Fontana, Associate at ICT Legal Consulting.

Geneva, Switzerland, September 2012 m-Cloud for Homecare - Policy & Regulatory Challenges - Francesca Fontana, Associate at ICT Legal Consulting.
Auditing, Assurance and Governance in Local Government

Auditing, Assurance and Governance in Local Government
Cloud computing security related works in ITU-T SG17

Cloud computing security related works in ITU-T SG17
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
What’s Next What We believe Who We Are Cloud Computing Big data Mobility Social Enterprise.

What’s Next What We believe Who We Are Cloud Computing Big data Mobility Social Enterprise.
Dr. Julian Lo Consulting Director ITIL v3 Expert

Dr. Julian Lo Consulting Director ITIL v3 Expert
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Geneva, Switzerland, 14 November 2014 Cloud computing reference architecture Olivier Le Grand, Standardization Senior Manager on Future Networks, Orange.

Geneva, Switzerland, 14 November 2014 Cloud computing reference architecture Olivier Le Grand, Standardization Senior Manager on Future Networks, Orange.
P3P: Platform for Privacy Preferences Charlin Lu Sensitive Information in a Wired World November 11, 2003.

P3P: Platform for Privacy Preferences Charlin Lu Sensitive Information in a Wired World November 11, 2003.
Geneva, Switzerland, 14 November 2014 Cloud Computing - Overview and Vocabulary (Y.3500) Eric A. Hibbard, CISSP, CISA CTO Security & Privacy Hitachi Data.

Geneva, Switzerland, 14 November 2014 Cloud Computing - Overview and Vocabulary (Y.3500) Eric A. Hibbard, CISSP, CISA CTO Security & Privacy Hitachi Data.
Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA 2014. The policy advocacy and regulatory work of the GSMA Mobile Money team.

Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA The policy advocacy and regulatory work of the GSMA Mobile Money team.
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.

INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.
Evolving IT Framework Standards (Compliance and IT)

Evolving IT Framework Standards (Compliance and IT)
Roles and Responsibilities

Roles and Responsibilities
Chapter 8 8-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Similar presentations

Ads by Google