Event contact: info@alvinintegrated.com | +91 8802 505619, +91 8287509289 | www.alvinintegrated.com
Event date: 27 February 2021 (Saturday), 09:00 - 17:30 IST
ISO 27017 - WHAT ARE THE BUSINESS ADVANTAGES OF CLOUD SECURITY?
Session: 27th February 2021 (Saturday), 09:30 am - 09:55 am IST
ISO 27017:2015, by Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India
SPEAKER INTRODUCTION
Ramkumar Ramachandran
Principal Consultant, Ascentant Corporation, Chennai, India
• Expertise – ISMS / Data Privacy / CMMI / Agile / GDPR
• Aeronautical Engineer; IIMC Alumni (SMP); Systems Thinking – MIT Sloan School of Management
• US / UK / France / China / Singapore / Taiwan / Thailand / Malaysia / Indonesia / Bahrain / Kuwait / Qatar / Saudi Arabia / Sri Lanka / New Zealand
• CSQA, CISA, PMP, CDPSE
• LA (Lead Auditor) QMS/ISMS/SMS/BCMS, SAFe Agilist
• ram@ascentantcorp.biz
ISO 27017 OVERVIEW – SESSION CONTENT
• History of ISO 27001
• Cloud Infrastructure Evolution
• Need for Cloud Security
• ISO 27017 – Additional guidance for Cloud Security to ISO 27002 controls
• ISO 27017 – Additional Controls
• Implementing ISO 27017
EVOLUTION OF ISMS
• 1995: BS 7799 Part 1 (initiative from the UK Department of Trade and Industry)
• 1998: BS 7799 Part 2
• 1999: New issue of BS 7799 Parts 1 & 2
• 2000: ISO/IEC 17799:2000
• 2001: BS 7799-2:2002 drafted
• Sep 2002: BS 7799-2:2002 passed and accepted
• Jun 2005: ISO/IEC 17799:2005
• Oct 2005: ISO/IEC 27001:2005
• Sep 2013: ISO/IEC 27001:2013
ISO 27001 STRUCTURE (2013 edition)
Clauses 4-10 (management system requirements):
• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement
Annex A control domains (A.5-A.18):
• Information Security Policies
• Organization of Information Security
• Human Resource Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• System Acquisition, Development and Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security Aspects of Business Continuity Management
• Compliance
ISO 27002 – CODE OF PRACTICE – CONTROLS HIERARCHY
Group (clause) → Control Objective → Control
In ISO/IEC 27002:2013 there are 14 groups (clauses 5 to 18), 35 control objectives and 114 controls.
ISO 27017 - STRUCTURE
• ISO 27001 – Requirements (the certifiable management system)
• ISO 27002 – Code of Practice (ISO 27017 adds cloud-specific implementation guidance to these controls)
• Additional controls for ISO 27017 (Annex A, numbered CLD.x.y.z)
Note: ISO/IEC 27017:2015 follows the clause and control numbering of ISO/IEC 27002:2013, which is the numbering used throughout this deck.
CLOUD – DEFINITION BY NIST
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (NIST SP 800-145).
CLOUD INFRASTRUCTURE EVOLUTION
Mainframe → Desktop / Laptop → Client Server → Thin Client → Cloud Infrastructure
VISUAL CLOUD INFRASTRUCTURE DEPICTION
(diagram of the three service models: SaaS, PaaS, IaaS)
CLOUD SECURITY – BASIC SECURITY RISK CONSIDERATIONS
• Organizational Security Risks: Resource Planning / Change Management / Malicious Insiders
• Physical Security Risks: Data Location / Server, Storage & Network
• Technological Security Risks: Application Development / Portability / Lack of Interoperability Standards
• Compliance and Audit Risks: Legal Challenges / Compliance & Audit / Business Continuity & Disaster Recovery
• Data Security Risks: Identity & Access Management / Multi-tenancy Risks / Backup / Data Privacy
CLOUD SECURITY – DATA SECURITY CONSIDERATIONS
(CSC = cloud service customer, CSP = cloud service provider, the terms used in ISO/IEC 27017)
• Privacy: safeguarding personal data as per privacy commitments
• Confidentiality: ensuring data is accessed only on a need-to-know basis
• Integrity: confidence that the data stored in the cloud is not altered in any way by unauthorized parties
• Availability: the CSC has access to their data and is not denied access
CLOUD SECURITY – DATA STAGES
• Data-in-transit: data being transmitted either to the cloud infrastructure or to the computing device used by the CSC. Here data is most at risk of being intercepted, violating confidentiality; transport encryption (e.g. TLS) is the usual control.
• Data-at-rest: data stored in the cloud infrastructure. The main issue for the CSC is loss of direct control over the data, so the onus of defending the storage layer falls on the CSP. The CSC still owns classification, access policy and, where the service supports it, encryption key management (the shared-responsibility point made in CLD.6.3.1 below).
• Data-in-use: data being processed into information. The issues here are corruption or exposure of data while it is in memory being processed.
ISO 27017 HIGHLIGHTS
• Guidelines for information security controls applicable to the provision and use of cloud services
• Additional implementation guidance for relevant controls specified in ISO/IEC 27002
• Provides controls and implementation guidance for both cloud service providers and cloud service customers
• Structured similar to ISO/IEC 27002
• Includes clauses 5 to 18 of ISO/IEC 27002 by stating the applicability of its text at each clause and paragraph
• When controls are needed in addition to ISO/IEC 27002, they are given in Annex A: Cloud Service Extended Control Set
NEW CONTROLS FOR CLOUD SECURITY IN ISO 27017
Seven new controls (Annex A, Cloud Service Extended Control Set):
• CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
• CLD.8.1.5 Removal of cloud service customer assets
• CLD.9.5.1 Segregation in virtual computing environments
• CLD.9.5.2 Virtual machine hardening
• CLD.12.1.5 Administrator's operational security
• CLD.12.4.5 Monitoring of cloud services
• CLD.13.1.4 Alignment of security management for virtual and physical networks
ISO 27017 APPROACH
Each control carries two columns of guidance:
• Cloud service customer – guideline for the cloud service subscriber / customer
• Cloud service provider – guideline for the cloud service hosting company
4 CLOUD SECTOR-SPECIFIC CONCEPTS
Aligned with Annex A.15 (Supplier relationships), the CSP is treated as a supplier of the CSC:
• The CSC should meet its ISMS goals
• The CSP should provide services that enable the CSC to meet its ISMS goals
• Where the CSP cannot meet the CSC's ISMS requirements, the CSC should implement additional controls
• Both CSC and CSP should have strong risk management practices in place
6 ORGANISATION OF INFORMATION SECURITY – ROLES & RESPONSIBILITIES
Example allocation of shared activities between Cloud Service Customer and Cloud Service Provider, naming the primary owner of each:
Activity | Primary owner
Request to create user IDs | IT Lead
Creation of user IDs | Lead
Access provisioning for users | IT Lead
Access control review | Department Heads
Backup plan creation | IT Lead
Backup execution | Backup Executive
End point security | Security Team
Data encryption | Security Team
8 ASSET MANAGEMENT – INVENTORY OF ASSETS
Data | Storage Location
Customer Master Details | Cloud
Employee Salary | On-Prem
Helpdesk Tickets | Cloud
(diagram: Internal Data alongside Client A, Client B and Client C data sets)
8 ASSET MANAGEMENT – ASSET LABELLING
Format: <Location / Type of Asset / Criticality / Serial Number>
Example: CLD/S/I/001 = Cloud / Soft copy / Internal / serial number 001
The label code can be a bar code, QR code etc. as well.
9 ACCESS CONTROL – USER REGISTRATION / DE-REGISTRATION / ACCESS
(flow diagram: Registration, Access Provisioning and De-registration, each with its details recorded and a Confirmation step)
9 ACCESS CONTROL – AUTHENTICATION TECHNIQUES
• Standard user: Validation → Access enabled
• Admin user: Validation 1 → Validation 2 → Access enabled (a second, independent validation before privileged access is granted)
9 ACCESS CONTROL – INFORMATION ACCESS RESTRICTION
Example matrix of Read / Write / Delete rights for each role over three object classes: Cloud Service, Cloud Service Function and Cloud Customer Data. Admin holds all nine rights; PM holds six; Lead holds four; Developer and Tester hold three each, so rights narrow with each step down from the administrative role.
10 CRYPTOGRAPHY – ENCRYPTION CYCLE (key management lifecycle)
GENERATION → STORAGE → ACTIVATION → DISTRIBUTION → ROTATION → EXPIRATION → REVOCATION → DESTRUCTION
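The eight stages above are easiest to reason about as a state machine in which only certain transitions are legal and each state decides what the key may still do. The following is an added illustration, not code from the presentation or from ISO/IEC 27017. Its assumptions: HMAC-SHA256 stands in for "using" a key (a real service would sit on a KMS or HSM), keys live 90 days by default, the key name "customer-db" is made up, and the clock is injectable so expiry can be exercised without waiting.

```python
"""Key-management lifecycle as a state machine (added example, see lead-in)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class KeyState(Enum):
    GENERATED = "generated"      # material exists, not yet allowed to protect data
    ACTIVE = "active"            # may protect new data (after ACTIVATION)
    DEACTIVATED = "deactivated"  # rotated out or expired: verify old data only
    REVOKED = "revoked"          # suspected compromise: no use at all
    DESTROYED = "destroyed"      # material wiped


# Permitted transitions; anything else is a lifecycle violation.
TRANSITIONS = {
    KeyState.GENERATED: {KeyState.ACTIVE, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.DEACTIVATED, KeyState.REVOKED},
    KeyState.DEACTIVATED: {KeyState.REVOKED, KeyState.DESTROYED},
    KeyState.REVOKED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}


@dataclass
class ManagedKey:
    key_id: str            # handle given to consumers (DISTRIBUTION), never the material
    name: str              # logical key name, e.g. "customer-db" (assumed)
    material: bytes | None
    state: KeyState
    expires_at: float      # epoch seconds, enforced when the key is used


class KeyStore:
    def __init__(self, now: Callable[[], float] = time.time, lifetime_s: float = 90 * 86400):
        self._now = now
        self._lifetime = lifetime_s
        self._keys: dict[str, ManagedKey] = {}   # STORAGE (in memory for the example)
        self._versions: dict[str, int] = {}

    def get(self, key_id: str) -> ManagedKey:
        return self._keys[key_id]

    def generate(self, name: str) -> ManagedKey:
        """GENERATION: 256-bit material from the OS CSPRNG, stored but not yet active."""
        version = self._versions.get(name, 0) + 1
        self._versions[name] = version
        key = ManagedKey(f"{name}/v{version}", name, secrets.token_bytes(32),
                         KeyState.GENERATED, self._now() + self._lifetime)
        self._keys[key.key_id] = key
        return key

    def _transition(self, key_id: str, target: KeyState) -> ManagedKey:
        key = self._keys[key_id]
        if target not in TRANSITIONS[key.state]:
            raise ValueError(f"{key_id}: {key.state.value} -> {target.value} is not permitted")
        key.state = target
        return key

    def activate(self, key_id: str) -> None:   # ACTIVATION
        self._transition(key_id, KeyState.ACTIVE)

    def revoke(self, key_id: str) -> None:     # REVOCATION
        self._transition(key_id, KeyState.REVOKED)

    def destroy(self, key_id: str) -> None:    # DESTRUCTION: wipe material, keep the record
        self._transition(key_id, KeyState.DESTROYED).material = None

    def rotate(self, name: str) -> ManagedKey:
        """ROTATION: a new version becomes active; the old one may only verify."""
        for key in list(self._keys.values()):
            if key.name == name and key.state is KeyState.ACTIVE:
                self._transition(key.key_id, KeyState.DEACTIVATED)
        new = self.generate(name)
        self.activate(new.key_id)
        return new

    def active_key(self, name: str) -> ManagedKey:
        """Return the usable key for `name`, applying EXPIRATION lazily."""
        for key in list(self._keys.values()):
            if key.name == name and key.state is KeyState.ACTIVE:
                if self._now() >= key.expires_at:
                    self._transition(key.key_id, KeyState.DEACTIVATED)
                    continue
                return key
        raise LookupError(f"no active, unexpired key for {name}")

    def mac(self, name: str, data: bytes) -> tuple[str, str]:
        """Protect data with the current key; callers keep the key_id, not the key."""
        key = self.active_key(name)
        return key.key_id, hmac.new(key.material, data, hashlib.sha256).hexdigest()

    def verify(self, key_id: str, data: bytes, tag: str) -> bool:
        """Verification is allowed for ACTIVE and DEACTIVATED keys only."""
        key = self._keys[key_id]
        if key.state not in (KeyState.ACTIVE, KeyState.DEACTIVATED):
            raise PermissionError(f"{key_id} is {key.state.value}; verification refused")
        expected = hmac.new(key.material, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)
```

The point of the transition table is that a rotated-out or expired key can still verify data protected earlier but can never be re-activated, while a revoked key cannot even do that; destruction removes the material but keeps the record so old key identifiers remain auditable.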
12 OPERATIONS SECURITY – CHANGE MANAGEMENT
• Cloud Service Customer: change management of the CSC should consider changes made by the CSP
• Cloud Service Provider: any change made by the CSP should be communicated to the CSC
12 OPERATIONS SECURITY – CAPACITY MANAGEMENT
12 OPERATIONS SECURITY – TECHNICAL VULNERABILITY MANAGEMENT
13 COMMUNICATIONS SECURITY – SEGREGATION OF NETWORK
(diagram: Tenant 1, Tenant 2 and Tenant 3 on segregated networks)
15 SUPPLIER RELATIONSHIPS – SECURITY IN CONTRACTS
The roles and responsibilities in the agreement should address at least the following:
• Malware protection
• Backup
• Cryptographic controls
• Vulnerability management
• Incident management
• Technical compliance checking
• Security testing
• Auditing
• Collection, maintenance and protection of evidence, including logs and audit trails
• Protection of information upon termination of the service agreement
• Authentication and access control
• Identity and access management
15 SUPPLIER RELATIONSHIPS – TECHNOLOGY SUPPLY CHAIN
Contract terms apply to the entire technology supply chain, including the CSP's own suppliers.
16 INFORMATION SECURITY INCIDENT MANAGEMENT
(diagram: incidents reported between CSC and CSP, with incidents and incident status tracked and shared)
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.6.3 Relationship between cloud service customer and cloud service provider
CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
Control: Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider.
Cloud service customer: The cloud service customer should define or extend its existing policies and procedures in accordance with its use of cloud services and make cloud service users aware of their roles and responsibilities in the use of the cloud service.
Cloud service provider: The cloud service provider should document and communicate its information security capabilities, roles, and responsibilities for the use of its cloud service, along with the information security roles and responsibilities that the cloud service customer would need to implement and manage as part of its use of the cloud service.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.8.1 Responsibility for assets
CLD.8.1.5 Removal of cloud service customer assets
Control: Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement.
Cloud service customer: The cloud service customer should request a documented description of the termination-of-service process. This process should cover the return and removal of the cloud service customer's assets, followed by the deletion of all copies of those assets from the cloud service provider's systems.
Cloud service provider: The cloud service provider should provide information about the arrangements for the return and removal of any cloud service customer's assets upon termination of the agreement for the use of a cloud service.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.9.5 Access control of cloud service customer data in shared virtual environment
Objective: To mitigate information security risks when using the shared virtual environment of cloud computing.
CLD.9.5.1 Segregation in virtual computing environments
Control: A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.
Cloud service customer: (no additional implementation guidance)
Cloud service provider: The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for:
• the separation of resources used by cloud service customers in multi-tenant environments;
• the separation of the cloud service provider's internal administration from resources used by cloud service customers.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.9.5 Access control of cloud service customer data in shared virtual environment
Objective: To mitigate information security risks when using the shared virtual environment of cloud computing.
CLD.9.5.2 Virtual machine hardening
Control: Virtual machines in a cloud computing environment should be hardened to meet business needs.
Cloud service customer and cloud service provider (shared guidance): When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed are enabled), and that the appropriate technical measures are in place (e.g., anti-malware, logging) for each virtual machine used.
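"Only the ports, protocols and services that are needed" is checkable, and the check is worth automating so that it runs on every VM rather than once at build time. The following audit is an added example, not code from the presentation or from ISO/IEC 27017. The `ss -tlnp` output, the running-service list, the allowed ports and the agent names (`rsyslog.service`, `clamav-daemon.service`) are all constructed for illustration; a real baseline would come from the business need the control refers to.

```python
"""Audit a VM's listening sockets and services against a hardening baseline (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` (listening TCP sockets with owning process)
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       50      0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1444,fd=3))
LISTEN  0       128     [::]:9200            [::]:*             users:(("java",pid=1502,fd=88))
"""

# Constructed sample of running units (`systemctl list-units --type=service --state=running`)
SAMPLE_SERVICES = ["sshd.service", "nginx.service", "postgresql.service",
                   "telnet.service", "elasticsearch.service", "rsyslog.service"]


@dataclass(frozen=True)
class Baseline:
    """Per-VM hardening baseline; every value here is an assumption for the example."""
    allowed_public_ports: frozenset = frozenset({22, 443})          # needed by the business
    loopback_only_ports: frozenset = frozenset({5432})               # must never face the network
    required_services: frozenset = frozenset({"rsyslog.service", "clamav-daemon.service"})  # logging, anti-malware
    forbidden_services: frozenset = frozenset({"telnet.service", "rsh.service"})            # cleartext legacy


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# Matches a LISTEN row and captures local address, port and process name.
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(output: str) -> list:
    listeners = []
    for line in output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def is_public(address: str) -> bool:
    """Wildcard binds reach every interface; anything else is treated as local."""
    return address in ("0.0.0.0", "[::]", "*")


def audit(listeners, running_services, baseline: Baseline = Baseline()) -> list:
    findings = []
    for l in listeners:
        if l.port in baseline.loopback_only_ports and is_public(l.address):
            findings.append(f"loopback-only service exposed: {l.process} on {l.address}:{l.port}")
        elif is_public(l.address) and l.port not in baseline.allowed_public_ports:
            findings.append(f"unexpected public listener: {l.process} on {l.address}:{l.port}")
    running = set(running_services)
    for svc in sorted(baseline.required_services - running):
        findings.append(f"required agent not running: {svc}")
    for svc in sorted(baseline.forbidden_services & running):
        findings.append(f"forbidden service running: {svc}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS), SAMPLE_SERVICES):
        print(finding)
```

Against the sample the audit reports the telnet and Elasticsearch listeners bound to every interface, the missing anti-malware agent and the running telnet unit, while the loopback-bound database passes. Deny-by-default (an explicit allowlist of public ports) is what makes the check useful: a new service appearing on a VM becomes a finding without anyone having to anticipate it.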
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.12.1 Operational procedures and responsibilities
CLD.12.1.5 Administrator's operational security
Control: Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.
Cloud service customer: The cloud service customer should document procedures for critical operations where a failure can cause unrecoverable damage to assets in the cloud computing environment. Examples of critical operations are:
• installation, changes, and deletion of virtualized devices such as servers, networks and storage;
• termination procedures for cloud service usage;
• backup and restoration.
Cloud service provider: The cloud service provider should provide documentation about the critical operations and procedures to cloud service customers who require it.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.12.4 Logging and monitoring
CLD.12.4.5 Monitoring of cloud services
Control: The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses.
Cloud service customer: The cloud service customer should request information from the cloud service provider about the service monitoring capabilities available for each cloud service.
Cloud service provider: The cloud service provider should provide capabilities that enable the cloud service customer to monitor specified aspects, relevant to the cloud service customer, of the operation of the cloud services; for example, to monitor and detect if the cloud service is being used as a platform to attack others, or if sensitive data is being leaked from the cloud service. Appropriate access controls should secure the use of the monitoring capabilities.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.13.1 Network security management
CLD.13.1.4 Alignment of security management for virtual and physical networks
Control: Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy.
Cloud service customer: (no additional implementation guidance)
Cloud service provider: The cloud service provider should define and document an information security policy for the configuration of the virtual network consistent with the information security policy for the physical network. The cloud service provider should ensure that the virtual network configuration matches the information security policy regardless of the means used to create the configuration.
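"Regardless of the means used to create the configuration" is the operative phrase: virtual network rules get created by consoles, APIs and automation, so consistency with the physical policy has to be verified by reading the rules back rather than trusting the process that wrote them. The check below is an added example, not from the presentation or from ISO/IEC 27017, and it serves the network segregation slide and CLD.9.5.1 as well: a physical policy that allows only intra-tenant traffic, HTTPS from outside and administration from a management network expresses tenant and admin-plane separation, and every virtual rule is tested against it. The zones, the physical policy and the virtual rules are constructed assumptions.

```python
"""Check virtual-network rules against the physical network security policy (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Network = ipaddress.IPv4Network

# Physical zoning (assumption): two tenants, a management network, everything else "internet".
ZONES = {
    "tenant-a": IPv4Network("10.1.0.0/16"),
    "tenant-b": IPv4Network("10.2.0.0/16"),
    "mgmt": IPv4Network("10.250.0.0/24"),
    "internet": IPv4Network("0.0.0.0/0"),
}

# Physical network policy (assumption): (src zone, dst zone or "*", allowed ports or None = any).
# Anything not listed is denied, which is what keeps tenants apart from each other and from mgmt.
PHYSICAL_POLICY = [
    ("internet", "tenant-a", frozenset({443})),
    ("internet", "tenant-b", frozenset({443})),
    ("tenant-a", "tenant-a", None),
    ("tenant-b", "tenant-b", None),
    ("mgmt", "*", frozenset({22, 3389})),
]


@dataclass(frozen=True)
class VirtualRule:
    """One allow-rule as read back from the virtual network (security-group style)."""
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None = any port


def zone_of(net: IPv4Network, zones=ZONES) -> str:
    """Most specific zone that contains the whole prefix; 'unknown' if none does."""
    for name, zone in sorted(zones.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if net.subnet_of(zone):
            return name
    return "unknown"


def permits(entry, src_zone: str, dst_zone: str, port: Optional[int]) -> bool:
    e_src, e_dst, ports = entry
    if e_src != src_zone or e_dst not in ("*", dst_zone):
        return False
    return ports is None or (port is not None and port in ports)


def inconsistent_rules(rules, physical_policy=PHYSICAL_POLICY, zones=ZONES) -> list:
    """Return a finding for every virtual allow-rule the physical policy would deny."""
    findings = []
    for r in rules:
        sz, dz = zone_of(r.src, zones), zone_of(r.dst, zones)
        if not any(permits(e, sz, dz, r.port) for e in physical_policy):
            findings.append(f"{r.src} -> {r.dst} port {r.port or 'any'} ({sz} -> {dz}) has no physical allow")
    return findings


# Constructed virtual rules as an operator might have created them by hand or via automation.
VIRTUAL_RULES = [
    VirtualRule(IPv4Network("0.0.0.0/0"), IPv4Network("10.1.0.0/16"), 443),    # consistent
    VirtualRule(IPv4Network("10.1.0.0/16"), IPv4Network("10.1.0.0/16"), None), # consistent
    VirtualRule(IPv4Network("10.2.0.0/16"), IPv4Network("10.1.5.0/24"), 5432), # cross-tenant
    VirtualRule(IPv4Network("0.0.0.0/0"), IPv4Network("10.1.0.0/16"), 22),     # ssh from internet
    VirtualRule(IPv4Network("10.1.0.0/16"), IPv4Network("10.250.0.0/24"), 22), # tenant into mgmt
]

if __name__ == "__main__":
    for finding in inconsistent_rules(VIRTUAL_RULES):
        print(finding)
```

On the sample the last three rules are reported: a tenant-B range reaching a tenant-A database subnet, SSH open to the internet where the physical policy only admits it from the management network, and a tenant range reaching into the management network. Mapping prefixes to zones with a most-specific match is what lets the catch-all "internet" zone coexist with the tenant prefixes it contains.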
Questions are welcome!
Please give your feedback about the session in the chat box!

 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 

Recently uploaded (20)

INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 

ISO 27017 – What are the Business Advantages of Cloud Security?

  • 1. Contact us: info@alvinintegrated.com | +91 8802 505619, +91 8287509289 | www.alvinintegrated.com Platinum Sponsor OUR SPONSORS & PARTNERS Event Partner www.alvinintegrated.com Knowledge Partners 27th FEB 2021 (SATURDAY) 09:00 AM - 17:30 PM IST
  • 2. ISO 27017 - WHAT ARE THE BUSINESS ADVANTAGES OF CLOUD SECURITY? 27th February 2021 (Saturday) Time: 09:30 am - 09:55 am IST ISO 27017:2015 By Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India
  • 3. SPEAKER INTRODUCTION: Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India • Expertise – ISMS / Data Privacy / CMMI / Agile / GDPR • IIMC Alumni - SMP • US / UK / France / China / Singapore / Taiwan / Thailand / Malaysia / Indonesia / Bahrain / Kuwait / Qatar / Saudi Arabia / Sri Lanka / New Zealand • Aeronautical Engineer / IIMC Alumni / MIT Sloan Systems Thinking • CSQA, CISA, PMP, CDPSE • Systems Thinking – MIT Sloan School of Management • LA QMS/ISMS/SMS/BCMS, SAFe Agilist • ram@ascentantcorp.biz • Ramkumar Ramachandran (c)
  • 5. CONTENT • History of ISO 27001 • Cloud Infrastructure Evolution • Need for Cloud Security • ISO 27017 – Additional guidance for Cloud Security to ISO 27002 controls • ISO 27017 – Additional Controls • Implementing ISO 27017
  • 6. EVOLUTION OF ISMS • 1995: Initiative from Department of Trade and Industry; BS 7799 Part 1 • 1998: BS 7799 Part 2 • 1999: New issue of BS 7799 Part 1 & 2 • 2000: ISO/IEC 17799:2000 • 2001: BS 7799-2:2002 (drafted) • Sep 2002: BS 7799-2:2002 passed and accepted • Jun 2005: ISO 17799:2005 • Oct 2005: ISO/IEC 27001:2005 • Sep 2013: ISO/IEC 27001:2013
  • 7. ISO 27001 STRUCTURE • Clauses: Context of the Organization; Leadership; Planning; Support; Operations; Performance Evaluation; Improvement • Annex A - Controls: Information Security Policies; Organization of Information Security; Human Resource Security; Asset Management; Access Control; Cryptography; Physical and Environmental Security; Operations Security; Communications Security; Software Acquisition, Development and Maintenance; Supplier Management; Incident Management; Security in BCM; Compliance
  • 8. ISO 27002 – CODE OF PRACTICE – CONTROLS HIERARCHY: Group (14 of them) contains Control Objectives (35 of them), each of which contains Controls (114 of them). Copyright © 2018
  • 9. ISO 27017 - STRUCTURE: ISO 27001 Requirements; ISO 27002 Code of Practice; Additional Controls for ISO 27017
  • 10. CLOUD – DEFINITION BY NIST: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (from NIST)
  • 11. CLOUD INFRASTRUCTURE EVOLUTION: Mainframe; Desktop / Laptop; Client Server; Thin Client; Cloud Infrastructure
  • 12. VISUAL CLOUD INFRASTRUCTURE DEPICTION: SaaS; PaaS; IaaS
  • 13. CLOUD SECURITY – BASIC SECURITY RISK CONSIDERATIONS • Organizational Security Risks: Resource Planning / Change Management / Malicious Insiders • Physical Security Risks: Data Location / Server, Storage & Network • Technological Security Risks: Application Development / Portability / Lack of Interoperability Standards • Compliance and Audit Risks: Legal Challenges / Compliance & Audit / Business Continuity & Disaster Recovery • Data Security Risks: Identity & Access Management / Multi-tenancy Risks / Backup / Data Privacy
  • 14. CLOUD SECURITY – DATA SECURITY CONSIDERATIONS • Privacy: Safeguarding personal data as per privacy commitments • Confidentiality: Ensuring data is accessed only on a need-to-know basis • Integrity: Confidence that the data stored in the cloud is not altered in any way by unauthorized parties • Availability: This property ensures that the CSC has access to their data and is not denied access
  • 15. CLOUD SECURITY – DATA STAGES • Data-in-transit: This is when data is in the process of being transmitted either to the cloud infrastructure or to the computing device used by the CSC. Here, data is most at risk of being intercepted, hence violating confidentiality. • Data-at-rest: This is when data has been stored in the cloud infrastructure. The main issue with this stage for the CSC is their loss of control over the data. The onus of defending against attacks at this stage hence falls on the CSP. • Data-in-use: This is when data is being processed into information. Here, the issues might lie with the corruption of data while it is being processed.
  • 16. ISO 27017 HIGHLIGHTS • Guidelines for information security controls applicable to the provision and use of cloud services • Additional implementation guidance for relevant controls specified in ISO/IEC 27002 • Provides controls and implementation guidance for both cloud service providers and cloud service customers • Structured similarly to ISO/IEC 27002 • Includes clauses 5 to 18 of ISO/IEC 27002 by stating the applicability of its texts at each clause and paragraph • When controls are needed in addition to ISO/IEC 27002, they are given in Annex A: Cloud Service Extended Control Set
  • 17. NEW CONTROLS FOR CLOUD SECURITY IN ISO 27017 (seven new controls, by control reference) • 6.3.1 Shared roles and responsibilities within a cloud computing environment • 8.1.5 Removal of cloud service customer assets • 9.5.1 Segregation in virtual computing environments • 9.5.2 Virtual machine hardening • 12.1.5 Administrator's operational security • 12.4.5 Monitoring of cloud services • 13.1.4 Alignment of security management for virtual and physical networks
  • 18. ISO 27017 APPROACH • Cloud service customer: guideline for the cloud service subscriber / customer • Cloud service provider: guideline for the cloud service hosting company
  • 19. 4 CLOUD SECTOR SPECIFIC CONCEPTS (as per A.15 Supplier Management) • CSC should meet its ISMS goals • CSP should provide services to enable CSC to meet their ISMS goals • Where CSP cannot meet CSC ISMS requirements, CSC should implement additional controls • Both CSC and CSP should have strong risk management practices in place
  • 20. 6 ORGANISATION OF INFORMATION SECURITY – ROLES & RESPONSIBILITIES (table columns: Activity, Cloud Service Customer, Cloud Service Provider) • Request to create User IDs: Primary, IT Lead • Creation of User IDs: Primary, Lead • Access Provisioning for Users: Primary, IT Lead • Access Control Review: Primary, Department Heads • Backup Plan Creation: Primary, IT Lead • Backup Execution: Primary, Backup Executive • End Point Security: Primary, Security Team • Data Encryption: Primary, Security Team
  • 21. 8 ASSET MANAGEMENT – INVENTORY OF ASSETS (table columns: Data, Storage Location) • Customer Master Details: Cloud • Employee Salary: On-Prem • Helpdesk Tickets: Cloud • Internal Data; Client A; Client B; Client C
  • 22. 8 ASSET MANAGEMENT – ASSET LABELLING • Label format: <Location / Type of Asset / Criticality / Serial Number> • Example: CLD/S/I/001 (Cloud / Soft Copy / Internal / Serial Number 001) • The label code can be a bar code, QR code etc. as well
  • 23. 9 ACCESS CONTROL – USER REGISTRATION / DE-REGISTRATION / ACCESS: Registration Provisioning Details; Access Provisioning Details; Confirmation; De-Registration Details
  • 24. 9 ACCESS CONTROL – AUTHENTICATION TECHNIQUES • Standard User: Validation, then Access Enabling • Admin User: Validation 1, Validation 2, then Access Enabling
  • 25. 9 ACCESS CONTROL – INFORMATION ACCESS RESTRICTION: a permission matrix with Read / Write / Delete columns for each of Cloud Service, Cloud Service Function and Cloud Customer Data, and rows for Developer, Tester, Lead, PM and Admin (the slide marks granted cells with X: Developer and Tester three each, Lead four, PM six, Admin all nine)
  • 26. 10 CRYPTOGRAPHY – ENCRYPTION CYCLE: Generation; Storage; Activation; Distribution; Rotation; Expiration; Revocation; Destruction
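The eight stages on this slide form an ordered key lifecycle, and the ordering can be enforced rather than just documented. The Python key manager below is an added example, not part of the presentation; the transition rules, the HMAC use of the key, and the `KeyStore` / `ManagedKey` names are assumptions made for illustration.

```python
# Added example (not from the slides): a key-lifecycle state machine that
# enforces the stages listed on the slide. Key material, the allowed
# transitions and the HMAC use are assumptions made for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Which stage may follow which. Revocation is allowed from any live stage
# because a compromise can be discovered at any time; destruction is terminal.
TRANSITIONS = {
    "generation":   {"storage", "revocation"},
    "storage":      {"activation", "revocation"},
    "activation":   {"distribution", "expiration", "revocation"},
    "distribution": {"rotation", "expiration", "revocation"},
    "rotation":     {"expiration", "revocation"},
    "expiration":   {"destruction"},
    "revocation":   {"destruction"},
    "destruction":  set(),
}
# Stages in which the key may still be used to protect data.
USABLE = {"activation", "distribution"}


class LifecycleError(RuntimeError):
    pass


@dataclass
class ManagedKey:
    key_id: str
    material: Optional[bytes]
    stage: str = "generation"
    history: list = field(default_factory=list)  # audit trail of transitions

    def can_advance(self, stage: str) -> bool:
        return stage in TRANSITIONS[self.stage]

    def advance(self, stage: str) -> None:
        if not self.can_advance(stage):
            raise LifecycleError(f"{self.key_id}: {self.stage} -> {stage} not allowed")
        self.history.append((self.stage, stage))
        self.stage = stage
        if stage == "destruction":
            self.material = None  # nothing recoverable once destroyed

    @property
    def usable(self) -> bool:
        return self.stage in USABLE

    def mac(self, data: bytes) -> str:
        # Using the key outside its active window is a lifecycle violation.
        if not self.usable:
            raise LifecycleError(f"{self.key_id} is in stage {self.stage}, not usable")
        return hmac.new(self.material, data, hashlib.sha256).hexdigest()


class KeyStore:
    """Minimal key manager: rotation brings up a successor before retiring the old key."""

    def __init__(self) -> None:
        self.keys = {}

    def generate(self, key_id: str) -> ManagedKey:
        k = ManagedKey(key_id, secrets.token_bytes(32))  # stage: generation
        k.advance("storage")                             # persisted in the store
        self.keys[key_id] = k
        return k

    def activate(self, key_id: str) -> None:
        self.keys[key_id].advance("activation")
        self.keys[key_id].advance("distribution")        # handed to consumers

    def rotate(self, old_id: str, new_id: str) -> ManagedKey:
        new = self.generate(new_id)
        self.activate(new_id)                            # successor usable first
        self.keys[old_id].advance("rotation")
        self.keys[old_id].advance("expiration")          # old key leaves service
        return new

    def revoke(self, key_id: str) -> None:
        self.keys[key_id].advance("revocation")
        self.keys[key_id].advance("destruction")

    def usable_keys(self) -> list:
        return sorted(k for k, v in self.keys.items() if v.usable)
```

A real deployment would back `material` with an HSM or cloud KMS and make `history` an append-only log, but the stage checks are the part the standard's lifecycle asks for.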
  • 27. 12 OPERATIONS SECURITY – CHANGE MANAGEMENT • Cloud Service Customer: change management of the CSC should consider changes done by the CSP • Cloud Service Provider: any change done by the CSP should be communicated to the CSC
  • 28. 12 OPERATIONS SECURITY – CAPACITY MANAGEMENT
  • 29. 12 OPERATIONS SECURITY – TECHNICAL VULNERABILITY MANAGEMENT
  • 30. 13 COMMUNICATIONS SECURITY – SEGREGATION OF NETWORK: Tenant 1; Tenant 2; Tenant 3
  • 31. 15 SUPPLIER RELATIONSHIPS – SECURITY IN CONTRACTS: The roles and responsibilities in the agreement should address the following, but are not limited to: • Malware protection • Backup • Cryptographic controls • Vulnerability management • Incident management • Technical compliance checking • Security testing • Auditing • Collection, maintenance and protection of evidence, including logs and audit trails • Protection of information upon termination of the service agreement • Authentication and access control • Identity and access management
  • 32. 15 SUPPLIER RELATIONSHIPS – TECHNOLOGY SUPPLY CHAIN: Contract terms apply to the entire technology supply chain
  • 33. 16 INFORMATION SECURITY INCIDENT MANAGEMENT: Incidents Reported; Incidents / Incident Status; CSP
  • 34. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET • CLD.6.3 Relationship between cloud service customer and cloud service provider • CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment: Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider. • Cloud service customer: The cloud service customer should define or extend its existing policies and procedures in accordance with its use of cloud services and make cloud service users aware of their roles and responsibilities in the use of the cloud service. • Cloud service provider: The cloud service provider should document and communicate its information security capabilities, roles, and responsibilities for the use of its cloud service, along with the information security roles and responsibilities that the cloud service customer would need to implement and manage as part of its use of the cloud service.
  • 35. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET • CLD.8.1 Responsibility for assets • CLD.8.1.5 Removal of cloud service customer assets: Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement. • Cloud service customer: The cloud service customer should request a documented description of the termination of service process. This process should cover the return and removal of the cloud service customer's assets followed by the deletion of all copies of those assets from the cloud service provider's systems. • Cloud service provider: The cloud service provider should provide information about the arrangements for the return and removal of any cloud service customer's assets upon termination of the agreement for the use of a cloud service.
  • 36. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET • CLD.9.5 Access control of cloud service customer data in shared virtual environment (Objective: To mitigate information security risks when using the shared virtual environment of cloud computing) • CLD.9.5.1 Segregation in virtual computing environments: A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons. • Cloud service customer: (no additional implementation guidance) • Cloud service provider: The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for: the separation of resources used by cloud service customers in multi-tenant environments; the separation of the cloud service provider's internal administration from resources used by cloud service customers.
  • 37. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET • CLD.9.5 Access control of cloud service customer data in shared virtual environment (Objective: To mitigate information security risks when using the shared virtual environment of cloud computing) • CLD.9.5.2 Virtual machine hardening: Virtual machines in a cloud computing environment should be hardened to meet business needs. • Cloud service customer and cloud service provider: When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed), and that the appropriate technical measures are in place (e.g., anti-malware, logging) for each virtual machine used.
  • 38. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET • CLD.12.1 Operational procedures and responsibilities • CLD.12.1.5 Administrator's operational security: Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored. • Cloud service customer: The cloud service customer should document procedures for critical operations where a failure can cause unrecoverable damage to assets in the cloud computing environment. Examples of the critical operations are: installation, changes, and deletion of virtualized devices such as servers, networks and storage; termination procedures for cloud service usage; backup and restoration. • Cloud service provider: The cloud service provider should provide documentation about the critical operations and procedures to cloud service customers who require it.
  • 39. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET • CLD.12.4 Logging and monitoring • CLD.12.4.5 Monitoring of cloud services: The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses. • Cloud service customer: The cloud service customer should request information from the cloud service provider on the service monitoring capabilities available for each cloud service. • Cloud service provider: The cloud service provider should provide capabilities that enable the cloud service customer to monitor specified aspects, relevant to the cloud service customer, of the operation of the cloud services; for example, to monitor and detect if the cloud service is being used as a platform to attack others, or if sensitive data is being leaked from the cloud service. Appropriate access controls should secure the use of the monitoring capabilities.
  • 40. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET • CLD.13.1 Network security management • CLD.13.1.4 Alignment of security management for virtual and physical networks: Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy. • Cloud service customer: (no additional implementation guidance) • Cloud service provider: The cloud service provider should define and document an information security policy for the configuration of the virtual network consistent with the information security policy for the physical network. The cloud service provider should ensure that the virtual network configuration matches the information security policy regardless of the means used to create the configuration.
  • 42. Please give your feedback in the chat box about the session!