• ISO 27018: the international certification for personal data protection

    This article explains, from the point of view of both cloud users and cloud service providers,

    what counts as a secure cloud environment, and whether data placed in the cloud is at risk of a privacy leak.

    For these two questions, ISO has published two separate certification standards:

    • ISO 27017: building a secure cloud environment
    • ISO 27018: protection of personal data

    Origins of ISO 27017 and ISO 27018

    Both standards are extensions of ISO 27001, built on the ISO 27002 control set:

    • ISO 27017 mostly modifies existing security controls.
    • ISO 27018 mostly adds new security controls.

    So what are the key points of these two standards, and how do ISO 27017/27018 differ from the existing ISO 27001?

    This article gives a summary.

    What is ISO 27017

    http://www.iso.org/iso/catalogue_detail?csnumber=43757

    ISO 27017 is a standard that extends ISO 27002. Its main purpose is to give cloud service providers a security code of practice for building and operating cloud services.

    (ISO 27001 and ISO 27002 cover the same set of controls. The difference is that ISO 27001 states the auditable ISMS requirements and lists the controls in its Annex A, while ISO 27002 gives the more detailed implementation guidance for each control.)

    The main difference between ISO 27017 and ISO 27002 is that ISO 27017 adds cloud-specific guidance for building and maintaining cloud security.

    ISO 27017 was officially published on 2015-12-15.

    ISO 27017/27018 certification may be audited together with the ISO 27001 certification audit.


    ISO 27017 compared with ISO 27001

    ISO 27001/ISO 27002 clause                                          Extent of additional ISO 27017 guidance
    5  Information security policies
    6  Organization of information security
    7  Human resource security                                          Medium-low
    8  Asset management                                                 Medium-low
    9  Access control
    10 Cryptography
    11 Physical and environmental security                              Medium-low
    12 Operations security                                              Medium-high
    13 Communications security                                          Medium-high
    14 System acquisition, development and maintenance
    15 Supplier relationships                                           Medium-high
    16 Information security incident management
    17 Information security aspects of business continuity management
    18 Compliance                                                       Medium-high

    The most significant differences, however, are in Access Control (clause 9), for example:

    • 9.2.1 User registration and deregistration
    • 9.2.2 User access provisioning
    • 9.2.3 Management of privileged access rights
    • 9.4.1 Information access restriction
    • 9.4.4 Use of privileged utility programs

    Which cloud-service security controls does ISO 27017 add?

    On top of the existing ISO 27001/ISO 27002 controls, ISO 27017 adds seven new cloud-specific controls (the "CLD." clauses), listed below.

    All of them are basic security requirements for cloud services:

    • CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
    • CLD.8.1.5 Removal of cloud service customer assets
    • CLD.9.5.1 Segregation in virtual computing environments
    • CLD.9.5.2 Virtual machine hardening
    • CLD.12.1.5 Administrator's operational security
    • CLD.12.4.5 Monitoring of cloud services
    • CLD.13.1.4 Alignment of security management for virtual and physical networks


    What is ISO 27018?

     http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498

    ISO 27018 was officially published on 2014-08-01.

    ISO 27018 focuses on the protection of personal data: building on ISO 27002, it extends the control set with additional controls for protecting personally identifiable information (PII) processed in the public cloud.

    ISO 27018 compared with ISO 27001/27002

    ISO 27001/ISO 27002 clause                                          New ISO 27018 controls
    5  Information security policies
    6  Organization of information security
    7  Human resource security
    8  Asset management
    9  Access control
    10 Cryptography
    11 Physical and environmental security
    12 Operations security
    13 Communications security
    14 System acquisition, development and maintenance
    15 Supplier relationships
    16 Information security incident management
    17 Information security aspects of business continuity management
    18 Compliance

    ISO 27018's changes are mainly in Operations Security, i.e. the operation of the cloud service:

    • 12.1.4 Separation of development, testing and operational environments (when personal data is used for testing);
    • 12.3.1 Information backup (multiple copies of data; procedures for the backup, recovery and erasure; providing information to the customer);
    • 12.4.1 Event logging (process for reviewing logs; recording changed privacy information; providing information to the customer).

    The modifications ISO 27018 makes to the other clauses are minor.

    Key ISO 27018 controls for personal data in the cloud

    The main points of ISO 27018's security controls for personal data are:

    • Rights of the customer to access and delete the data
    • Processing the data only for the purpose for which the customer has provided this data
    • Not using the data for marketing and advertising
    • Deletion of temporary files
    • Notification to the customer in case of a request for data disclosure
    • Recording all the disclosures of personal data
    • Disclosing the information about all the sub-contractors used for processing the personal data
    • Notification to the customer in case of a data breach
    • Document management for cloud policies and procedures
    • Policy for return, transfer and disposal of personal data
    • Confidentiality agreements for individuals who can access personal data
    • Restriction of printing the personal data
    • Procedure for data restoration
    • Authorization for taking the physical media off-site
    • Restriction of usage of media that does not have encryption capability
    • Encrypting data that is transmitted over public networks
    • Destruction of printed media with personal data
    • Usage of unique IDs for cloud customers
    • Records of user access to the cloud
    • Disabling the usage of expired user IDs
    • Specifying the minimum security controls in contracts with customers and subcontractors
    • Deletion of data in storage assigned to other customers
    • Disclosing to the cloud customer in which countries will the data be stored
    • Ensuring the data reaches the destination

     

     

    ISO 27001 or ISO 27018 or ISO 27017?

    ISO 27001 is the foundational standard, so before pursuing ISO 27018 or ISO 27017 an organization must first obtain the basic ISO 27001 certification.

    On top of an ISO 27001 certification, it can then consider adding:

    • ISO 27017: if the company plans to provide cloud services, the security controls for operating those cloud services.
    • ISO 27018: the handling of personal data in the cloud, covering its creation, storage, management, notification, erasure, encryption and transmission.

    From a marketing point of view, ISO 27001 yields a certificate, so it is easy to gain customer recognition.

    From an information security point of view, ISO 27018 and ISO 27017 focus more on the security control measures themselves; their audit may be carried out as part of the ISO 27001 audit.

    With ISO 27001 as the foundation, an organization can additionally self-assess its cloud security against ISO 27018/27017.

    Cloud vendor security certifications

    AWS vendor security compliance

    Source: Forrester Research, November 2014

     

    Posted by Tony @ 8:43 am
