Alvin Integrated Services – www.alvinintegrated.com | info@alvinintegrated.com | +91 8802 505619, +91 8287509289
Event date: 27th February 2021 (Saturday), 09:00 - 17:30 IST
ISO 27017 - WHAT ARE THE BUSINESS ADVANTAGES OF CLOUD SECURITY?
27th February 2021 (Saturday), 09:30 am - 09:55 am IST
ISO 27017:2015, by Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India
SPEAKER INTRODUCTION
Ramkumar Ramachandran
Principal Consultant, Ascentant Corporation, Chennai, India
• Expertise – ISMS / Data Privacy / CMMI / Agile / GDPR
• IIMC Alumni - SMP
• US / UK / France / China / Singapore / Taiwan / Thailand / Malaysia / Indonesia / Bahrain / Kuwait / Qatar / Saudi Arabia / Sri Lanka / New Zealand
• Aeronautical Engineer / IIMC Alumni / MIT Sloan Systems Thinking
• CSQA, CISA, PMP, CDPSE
• Systems Thinking – MIT Sloan School of Management
• LA QMS/ISMS/SMS/BCMS, SAFe Agilist
• ram@ascentantcorp.biz
ISO 27017 OVERVIEW – SESSION CONTENT
• History of ISO 27001
• Cloud Infrastructure Evolution
• Need for Cloud Security
• ISO 27017 – Additional guidance for Cloud Security to ISO 27002 controls
• ISO 27017 – Additional Controls
• Implementing ISO 27017
EVOLUTION OF ISMS
• 1995: Initiative from Department of Trade and Industry; BS 7799 Part 1
• 1998: BS 7799 Part 2
• 1999: New issue of BS 7799 Part 1 & 2
• 2000: ISO/IEC 17799:2000
• 2001: BS 7799-2:2002 (drafted)
• Sep 2002: BS 7799-2:2002 passed and accepted
• Jun 2005: ISO 17799:2005
• Oct 2005: ISO/IEC 27001:2005
• Sep 2013: ISO/IEC 27001:2013
ISO 27001 STRUCTURE
Clauses:
• Context of the Organization
• Leadership
• Planning
• Support
• Operations
• Performance Evaluation
• Improvement
Annex A – Controls:
• Information Security Policies
• Organization of Information Security
• Human Resource Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• Software Acquisition, Development and Maintenance
• Supplier Management
• Incident Management
• Security in BCM
• Compliance
ISO 27002 – CODE OF PRACTICE – CONTROLS HIERARCHY
• Groups: 14 of them
• Control Objectives: 35 of them
• Controls: 114 of them
ISO 27017 - STRUCTURE
• ISO 27001 Requirements
• ISO 27002 Code of Practice
• Additional Controls for ISO 27017
CLOUD – DEFINITION BY NIST
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (from NIST).
CLOUD INFRASTRUCTURE EVOLUTION
Mainframe → Desktop / Laptop → Client Server → Thin Client → Cloud Infrastructure
VISUAL CLOUD INFRASTRUCTURE DEPICTION
(Figure: SaaS / PaaS / IaaS)
CLOUD SECURITY – BASIC SECURITY RISK CONSIDERATIONS
• Organizational Security Risks: Resource Planning / Change Management / Malicious Insiders
• Physical Security Risks: Data Location / Server, Storage & Network
• Technological Security Risks: Application Development / Portability / Lack of Interoperability Standards
• Compliance and Audit Risks: Legal Challenges / Compliance & Audit / Business Continuity & Disaster Recovery
• Data Security Risks: Identity & Access Management / Multi-tenancy Risks / Backup / Data Privacy
CLOUD SECURITY – DATA SECURITY CONSIDERATIONS
• Privacy: safeguarding personal data as per privacy commitments
• Confidentiality: ensuring data is accessed only on a need-to-know basis
• Integrity: confidence that the data stored in the cloud is not altered in any way by unauthorized parties
• Availability: this property ensures that the CSC has access to its data and is not denied access
CLOUD SECURITY – DATA STAGES
• Data-in-transit: this is when data is in the process of being transmitted either to the cloud infrastructure or to the computing device used by the CSC. Here, data is most at risk of being intercepted, hence violating confidentiality.
• Data-at-rest: this is when data has been stored in the cloud infrastructure. The main issue with this stage for the CSC is its loss of control over the data. The onus of defending against attacks at this stage hence falls on the CSP.
• Data-in-use: this is when data is being processed into information. Here, the issues might lie with the corruption of data while it is being processed.
ISO 27017 HIGHLIGHTS
• Guidelines for information security controls applicable to the provision and use of cloud services
• Additional implementation guidance for relevant controls specified in ISO/IEC 27002
• Provides controls and implementation guidance for both cloud service providers and cloud service customers
• Structured similar to ISO/IEC 27002
• Includes clauses 5 to 18 of ISO/IEC 27002 by stating the applicability of its texts at each clause and paragraph
• When controls are needed in addition to ISO/IEC 27002, they are given in Annex A: Cloud Service Extended Control Set
NEW CONTROLS FOR CLOUD SECURITY IN ISO 27017
Seven new controls (control ref. and title):
• 6.3.1 Shared roles and responsibilities within a cloud computing environment
• 8.1.5 Removal of cloud service customer assets
• 9.5.1 Segregation in virtual computing environments
• 9.5.2 Virtual machine hardening
• 12.1.5 Administrator’s operational security
• 12.4.5 Monitoring of cloud services
• 13.1.4 Alignment of security management for virtual and physical networks
ISO 27017 APPROACH
• Cloud service customer: guideline for the cloud service subscriber / customer
• Cloud service provider: guideline for the cloud service hosting company
4 CLOUD SECTOR-SPECIFIC CONCEPTS (as per A.15 Supplier Management)
• CSC should meet its ISMS goals
• CSP should provide services to enable the CSC to meet its ISMS goals
• Where the CSP cannot meet CSC ISMS requirements, the CSC should implement additional controls
• Both CSC and CSP should have strong risk management practices in place
6 ORGANISATION OF INFORMATION SECURITY – ROLES & RESPONSIBILITIES
Responsibility matrix (columns: Activity, Cloud Service Customer, Cloud Service Provider):
• Request to create User Ids: Primary IT Lead
• Creation of User Ids: Primary Lead
• Access Provisioning for Users: Primary IT Lead
• Access Control Review: Primary Department Heads
• Backup Plan Creation: Primary IT Lead
• Backup Execution: Primary Backup Executive
• End Point Security: Primary Security Team
• Data Encryption: Primary Security Team
8 ASSET MANAGEMENT – INVENTORY OF ASSETS
Data and its storage location:
• Customer Master Details: Cloud
• Employee Salary: On-Prem
• Helpdesk Tickets: Cloud
(Figure: Internal Data, Client A, Client B, Client C)
8 ASSET MANAGEMENT – ASSET LABELLING
Label format: <Location / Type of Asset / Criticality / Serial Number>
Example: CLD/S/I/001 (CLD = Cloud, S = Soft Copy, I = Internal, 001 = Serial Number)
The label code can be a Bar Code, QR Code etc. as well.
9 ACCESS CONTROL – USER REGISTRATION / DE-REGISTRATION / ACCESS
(Figure: Registration: Provisioning Details; De-Registration: Details; Access Provisioning: Details, Confirmation)
9 ACCESS CONTROL – AUTHENTICATION TECHNIQUES
• Standard User: Validation → Access Enabling
• Admin User: Validation 1 → Validation 2 → Access Enabling
9 ACCESS CONTROL – INFORMATION ACCESS RESTRICTION
Permission matrix; columns: Cloud Service (Read / Write / Delete), Cloud Service Function (Read / Write / Delete), Cloud Customer Data (Read / Write / Delete)
Developer: X X X
Tester: X X X
Lead: X X X X
PM: X X X X X X
Admin: X X X X X X X X X
10 CRYPTOGRAPHY – ENCRYPTION CYCLE
Generation → Storage → Activation → Distribution → Rotation → Expiration → Revocation → Destruction
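The eight stages above form a state machine, and a key-management routine should refuse any step taken out of order. The Python below is an added example (not from the deck or from the standard) that encodes those stages and their allowed transitions; the stage names, the 90-day validity period, the 32-byte key size and the `KeyManager` API are assumptions for illustration.

```python
"""Key lifecycle state machine for the clause 10 encryption cycle (added example)."""
from __future__ import annotations
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum, auto

class Stage(Enum):
    GENERATED = auto()    # material created, not yet protected in the key store
    STORED = auto()       # held in the key store, not yet usable
    ACTIVE = auto()       # may be used for protection operations
    DISTRIBUTED = auto()  # copies handed to consumers; still active
    EXPIRED = auto()      # validity period over; never comes back into use
    REVOKED = auto()      # withdrawn early, e.g. on suspected compromise
    DESTROYED = auto()    # material zeroised; metadata kept for audit

# Every transition not listed here is refused. Rotation is not a stage of its own:
# it activates a successor key and then moves the old key to EXPIRED.
TRANSITIONS = {
    Stage.GENERATED: {Stage.STORED, Stage.DESTROYED},
    Stage.STORED: {Stage.ACTIVE, Stage.DESTROYED},
    Stage.ACTIVE: {Stage.DISTRIBUTED, Stage.EXPIRED, Stage.REVOKED},
    Stage.DISTRIBUTED: {Stage.EXPIRED, Stage.REVOKED},
    Stage.EXPIRED: {Stage.DESTROYED},
    Stage.REVOKED: {Stage.DESTROYED},
    Stage.DESTROYED: set(),
}

class LifecycleError(Exception):
    """The requested operation does not fit the key's current stage."""

@dataclass
class ManagedKey:
    key_id: str
    material: bytes | None          # None once destroyed
    expires: datetime
    stage: Stage = Stage.GENERATED
    successor: str | None = None    # set by rotation

    def transition(self, new: Stage) -> None:
        if new not in TRANSITIONS[self.stage]:
            raise LifecycleError(f"{self.key_id}: {self.stage.name} -> {new.name} not allowed")
        self.stage = new
        if new is Stage.DESTROYED:
            self.material = None  # DESTRUCTION drops the material; the record stays for audit

    def usable(self, now: datetime) -> bool:
        """Only active or distributed keys inside their validity window may protect data."""
        return self.stage in (Stage.ACTIVE, Stage.DISTRIBUTED) and now < self.expires

class KeyManager:
    def __init__(self, validity: timedelta = timedelta(days=90), key_bytes: int = 32):
        self.validity = validity    # assumed 90-day validity period
        self.key_bytes = key_bytes  # assumed 256-bit key
        self.keys: dict[str, ManagedKey] = {}

    def generate(self, now: datetime) -> ManagedKey:
        """GENERATION: fresh CSPRNG material with a fixed validity period."""
        key = ManagedKey(f"key-{len(self.keys) + 1:04d}",
                         secrets.token_bytes(self.key_bytes), expires=now + self.validity)
        self.keys[key.key_id] = key
        return key

    def rotate(self, old: ManagedKey, now: datetime) -> ManagedKey:
        """ROTATION: bring a successor into service, then retire the old key."""
        if not old.usable(now):
            raise LifecycleError(f"{old.key_id}: only a key in use can be rotated")
        new = self.generate(now)
        new.transition(Stage.STORED)
        new.transition(Stage.ACTIVE)
        old.successor = new.key_id
        old.transition(Stage.EXPIRED)
        return new

def try_transition(key: ManagedKey, new: Stage) -> bool:
    """Attempt a transition and report whether the state machine accepted it."""
    try:
        key.transition(new)
        return True
    except LifecycleError:
        return False

def demo(now: datetime | None = None) -> dict:
    """Walk two keys through the cycle, including two steps the machine must refuse."""
    now = now or datetime(2021, 2, 27, tzinfo=timezone.utc)
    km, refused = KeyManager(), []
    k1 = km.generate(now)
    if not try_transition(k1, Stage.DISTRIBUTED):  # skips STORAGE and ACTIVATION
        refused.append("distribute-before-activate")
    for stage in (Stage.STORED, Stage.ACTIVE, Stage.DISTRIBUTED):
        k1.transition(stage)
    k2 = km.rotate(k1, now + timedelta(days=30))   # k1 -> EXPIRED, k2 -> ACTIVE
    k1.transition(Stage.DESTROYED)
    k2.transition(Stage.REVOKED)                   # REVOCATION on suspected compromise
    if not try_transition(k2, Stage.ACTIVE):       # a revoked key never returns to use
        refused.append("reactivate-revoked")
    return {"stages": {k.key_id: k.stage.name for k in km.keys.values()},
            "refused": refused, "k1_successor": k1.successor,
            "k1_material_wiped": k1.material is None}
```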
12 OPERATIONS SECURITY – CHANGE MANAGEMENT
• Cloud Service Customer: change management of the CSC should consider changes done by the CSP
• Cloud Service Provider: any change done by the CSP should be communicated to the CSC
12 OPERATIONS SECURITY – CAPACITY MANAGEMENT
12 OPERATIONS SECURITY – TECHNICAL VULNERABILITY MANAGEMENT
13 COMMUNICATIONS SECURITY – SEGREGATION OF NETWORK
(Figure: Tenant 1 / Tenant 2 / Tenant 3)
15 SUPPLIER RELATIONSHIPS – SECURITY IN CONTRACTS
The roles and responsibilities in the agreement should address the following, but are not limited to it:
• Malware protection
• Backup
• Cryptographic controls
• Vulnerability management
• Incident management
• Technical compliance checking
• Security testing
• Auditing
• Collection, maintenance and protection of evidence, including logs and audit trails
• Protection of information upon termination of the service agreement
• Authentication and access control
• Identity and access management
15 SUPPLIER RELATIONSHIPS – TECHNOLOGY SUPPLY CHAIN
Contract terms apply to the entire technology supply chain.
16 INFORMATION SECURITY INCIDENT MANAGEMENT
(Figure: Incidents Reported → CSP → Incidents / Incident Status)
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.6.3 Relationship between cloud service customer and cloud service provider
CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider.
Cloud service customer: The cloud service customer should define or extend its existing policies and procedures in accordance with its use of cloud services and make cloud service users aware of their roles and responsibilities in the use of the cloud service.
Cloud service provider: The cloud service provider should document and communicate its information security capabilities, roles, and responsibilities for the use of its cloud service, along with the information security roles and responsibilities which the cloud service customer would need to implement and manage as part of its use of the cloud service.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.8.1 Responsibility for assets
CLD.8.1.5 Removal of cloud service customer assets
Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement.
Cloud service customer: The cloud service customer should request a documented description of the termination of service process. This process should cover the return and removal of the cloud service customer's assets followed by the deletion of all copies of those assets from the cloud service provider's systems.
Cloud service provider: The cloud service provider should provide information about the arrangements for the return and removal of any cloud service customer's assets upon termination of the agreement for the use of a cloud service.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.9.5 Access control of cloud service customer data in shared virtual environment
Objective: To mitigate information security risks when using the shared virtual environment of cloud computing
CLD.9.5.1 Segregation in virtual computing environments
A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.
Cloud service customer: (no additional implementation guidance)
Cloud service provider: The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for:
• The separation of resources used by cloud service customers in multi-tenant environments;
• The separation of the cloud service provider's internal administration from resources used by cloud service customers.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.9.5 Access control of cloud service customer data in shared virtual environment
Objective: To mitigate information security risks when using the shared virtual environment of cloud computing
CLD.9.5.2 Virtual machine hardening
Virtual machines in a cloud computing environment should be hardened to meet business needs.
Cloud service customer and cloud service provider: When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed), and that the appropriate technical measures are in place (e.g., anti-malware, logging) for each virtual machine used.
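Turning the guidance above into a repeatable check, as an added example (not from the deck or from the standard): the Python below compares each VM's recorded exposure against a per-role baseline of the ports, protocols and services it needs, and reports missing anti-malware or logging; the roles, baselines, service names and VM records are constructed sample data.

```python
"""Hardening check for CLD.9.5.2: needed ports/services only, plus anti-malware and logging."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    port: int
    proto: str      # "tcp" or "udp"
    service: str    # what is bound to the socket

@dataclass
class VMConfig:
    name: str
    role: str
    listeners: set[Listener]
    services: set[str]        # enabled system services
    anti_malware: bool
    logging: bool             # local logging enabled
    log_forwarding: bool      # logs shipped off the VM to central monitoring

@dataclass
class Baseline:
    """What a VM of this role is allowed and required to run; anything else is a finding."""
    allowed_listeners: set[tuple[int, str]]
    required_services: set[str]
    allowed_services: set[str]

# Constructed baselines (assumption): one per role, listing only what that role needs.
BASELINES = {
    "web": Baseline(
        allowed_listeners={(443, "tcp"), (22, "tcp")},
        required_services={"sshd", "nginx", "auditd"},
        allowed_services={"sshd", "nginx", "auditd", "chronyd"},
    ),
    "db": Baseline(
        allowed_listeners={(5432, "tcp"), (22, "tcp")},
        required_services={"sshd", "postgresql", "auditd"},
        allowed_services={"sshd", "postgresql", "auditd", "chronyd"},
    ),
}

def check_vm(vm: VMConfig, baselines: dict[str, Baseline] = BASELINES) -> list[str]:
    """Return hardening deviations for one VM; an empty list means compliant."""
    baseline = baselines.get(vm.role)
    if baseline is None:
        # A VM with no written baseline cannot be called hardened to business needs.
        return [f"no hardening baseline defined for role '{vm.role}'"]
    findings = []
    for lst in sorted(vm.listeners, key=lambda l: (l.port, l.proto)):
        if (lst.port, lst.proto) not in baseline.allowed_listeners:
            findings.append(f"unneeded listener {lst.port}/{lst.proto} ({lst.service})")
    for svc in sorted(vm.services - baseline.allowed_services):
        findings.append(f"unneeded service enabled: {svc}")
    for svc in sorted(baseline.required_services - vm.services):
        findings.append(f"required service missing: {svc}")
    if not vm.anti_malware:
        findings.append("anti-malware absent or disabled")
    if not vm.logging:
        findings.append("logging disabled")
    elif not vm.log_forwarding:
        findings.append("logs kept only on the VM (no forwarding)")
    return findings

def assess(inventory: list[VMConfig]) -> dict[str, list[str]]:
    """Run the check over an inventory; keys are VM names."""
    return {vm.name: check_vm(vm) for vm in inventory}

# Constructed inventory: one compliant VM, one with several deviations, one unknown role.
SAMPLE_INVENTORY = [
    VMConfig("web-01", "web",
             {Listener(443, "tcp", "nginx"), Listener(22, "tcp", "sshd")},
             {"sshd", "nginx", "auditd", "chronyd"},
             anti_malware=True, logging=True, log_forwarding=True),
    VMConfig("db-01", "db",
             {Listener(5432, "tcp", "postgresql"), Listener(22, "tcp", "sshd"),
              Listener(23, "tcp", "telnetd"), Listener(161, "udp", "snmpd")},
             {"sshd", "postgresql", "telnetd", "snmpd", "chronyd"},
             anti_malware=False, logging=True, log_forwarding=False),
    VMConfig("batch-07", "batch", set(), set(),
             anti_malware=True, logging=True, log_forwarding=True),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_INVENTORY).items():
        print(name, "compliant" if not findings else f"{len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```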
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.12.1 Operational procedures and responsibilities
CLD.12.1.5 Administrator's operational security
Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.
Cloud service customer: The cloud service customer should document procedures for critical operations where a failure can cause unrecoverable damage to assets in the cloud computing environment. Examples of the critical operations are:
• Installation, changes, and deletion of virtualized devices such as servers, networks and storage;
• Termination procedures for cloud service usage;
• Backup and restoration.
Cloud service provider: The cloud service provider should provide documentation about the critical operations and procedures to cloud service customers who require it.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.12.4 Logging and monitoring
CLD.12.4.5 Monitoring of cloud services
The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses.
Cloud service customer: The cloud service customer should request information from the cloud service provider on the service monitoring capabilities available for each cloud service.
Cloud service provider: The cloud service provider should provide capabilities that enable the cloud service customer to monitor specified aspects, relevant to the cloud service customer, of the operation of the cloud services. For example, to monitor and detect if the cloud service is being used as a platform to attack others, or if sensitive data is being leaked from the cloud service. Appropriate access controls should secure the use of the monitoring capabilities.
ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.13.1 Network security management
CLD.13.1.4 Alignment of security management for virtual and physical networks
Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy.
Cloud service customer: (no additional implementation guidance)
Cloud service provider: The cloud service provider should define and document an information security policy for the configuration of the virtual network consistent with the information security policy for the physical network. The cloud service provider should ensure that the virtual network configuration matches the information security policy regardless of the means used to create the configuration.
Questions are Welcome!
Please give your feedback in the chat box about the session!

 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 

Recently uploaded (20)

18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 

ISO 27017 – What are the Business Advantages of Cloud Security?

  • 1. Contact us: info@alvinintegrated.com | +91 8802 505619, +91 8287509289 | www.alvinintegrated.com
    OUR SPONSORS & PARTNERS: Platinum Sponsor; Event Partner; Knowledge Partners (www.alvinintegrated.com)
    27th FEB 2021 (SATURDAY), 09:00 - 17:30 IST
  • 2. ISO 27017 - WHAT ARE THE BUSINESS ADVANTAGES OF CLOUD SECURITY?
    27th February 2021 (Saturday), Time: 09:30 am - 09:55 am IST
    ISO 27017:2015, by Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India
  • 3. SPEAKER INTRODUCTION: Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India
    • Expertise – ISMS / Data Privacy / CMMI / Agile / GDPR
    • IIMC Alumni - SMP
    • US / UK / France / China / Singapore / Taiwan / Thailand / Malaysia / Indonesia / Bahrain / Kuwait / Qatar / Saudi Arabia / Sri Lanka / New Zealand
    • Aeronautical Engineer / IIMC Alumni / MIT Sloan Systems Thinking
    • CSQA, CISA, PMP, CDPSE
    • Systems Thinking – MIT Sloan School of Management
    • LA QMS/ISMS/SMS/BCMS, SAFe Agilist
    • ram@ascentantcorp.biz
    Ramkumar Ramachandran (c)
  • 5. CONTENT
    • History of ISO 27001
    • Cloud Infrastructure Evolution
    • Need for Cloud Security
    • ISO 27017 – Additional guidance for Cloud Security to ISO 27002 controls
    • ISO 27017 – Additional Controls
    • Implementing ISO 27017
  • 6. EVOLUTION OF ISMS
    1995: Initiative from Department of Trade and Industry; BS 7799 Part 1
    1998: BS 7799 Part 2
    1999: New issue of BS 7799 Part 1 & 2
    2000: ISO/IEC 17799:2000
    2001: BS 7799-2:2002 (drafted)
    Sep 2002: BS 7799-2:2002 passed and accepted
    Jun 2005: ISO 17799:2005
    Oct 2005: ISO/IEC 27001:2005
    Sep 2013: ISO/IEC 27001:2013
  • 7. ISO 27001 STRUCTURE
    CLAUSES: Context of the Organization; Leadership; Planning; Support; Operations; Performance Evaluation; Improvement
    ANNEX A - CONTROLS: Information Security Policies; Organization of Information Security; Human Resource Security; Asset Management; Access Control; Cryptography; Physical and Environmental Security; Operations Security; Communications Security; Software Acquisition, Development and Maintenance; Supplier Management; Incident Management; Security in BCM; Compliance
  • 8. ISO 27002 – CODE OF PRACTICE – CONTROLS HIERARCHY
    Group (14 of them) → Control Objective (35 of them) → Controls (114 of them)
    Copyright © 2018
  • 9. ISO 27017 - STRUCTURE: ISO 27001 Requirements → ISO 27002 Code of Practice → Additional Controls for ISO 27017
  • 10. CLOUD – DEFINITION BY NIST: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (from NIST)
  • 11. CLOUD INFRASTRUCTURE EVOLUTION: Mainframe → Desktop / Laptop → Client Server → Thin Client → Cloud Infrastructure
  • 12. VISUAL CLOUD INFRASTRUCTURE DEPICTION: SaaS / PaaS / IaaS
  • 13. CLOUD SECURITY – BASIC SECURITY RISK CONSIDERATIONS
    • Organizational Security Risks: Resource Planning / Change Management / Malicious Insiders
    • Physical Security Risks: Data Location / Server, Storage & Network
    • Technological Security Risks: Application Development / Portability / Lack of Interoperability standards
    • Compliance and Audit Risks: Legal Challenges / Compliance & Audit / Business Continuity & Disaster Recovery
    • Data Security Risks: Identity & Access Management / Multi-tenancy risks / Backup / Data Privacy
  • 14. CLOUD SECURITY – DATA SECURITY CONSIDERATIONS
    • Privacy: Safeguarding personal data as per privacy commitments
    • Confidentiality: Ensuring data is accessed only on a need-to-know basis
    • Integrity: Confidence that the data stored in the cloud is not altered in any way by unauthorized parties
    • Availability: This property ensures that the CSC has access to their data and is not denied access
  • 15. CLOUD SECURITY – DATA STAGES
    • Data-in-transit: This is when data is in the process of being transmitted, either to the cloud infrastructure or to the computing device used by the CSC. Here, data is most at risk of being intercepted, hence violating confidentiality.
    • Data-at-rest: This is when data has been stored in the cloud infrastructure. The main issue with this stage for the CSC is their loss of control over the data. The onus of defending against attacks at this stage hence falls on the CSP.
    • Data-in-use: This is when data is being processed into information. Here, the issues might lie with the corruption of data while it is being processed.
  • 16. ISO 27017 HIGHLIGHTS
    • Guidelines for information security controls applicable to the provision and use of cloud services
    • Additional implementation guidance for relevant controls specified in ISO/IEC 27002
    • Provides controls and implementation guidance for both cloud service providers and cloud service customers
    • Structured similarly to ISO/IEC 27002
    • Includes clauses 5 to 18 of ISO/IEC 27002 by stating the applicability of its text at each clause and paragraph
    • When controls are needed in addition to ISO/IEC 27002, they are given in Annex A: Cloud Service Extended Control Set
  • 17. NEW CONTROLS FOR CLOUD SECURITY IN ISO 27017 (Control Ref: Seven New Controls)
    6.3.1 Shared roles and responsibilities within a cloud computing environment
    8.1.5 Removal of cloud service customer assets
    9.5.1 Segregation in virtual computing environments
    9.5.2 Virtual machine hardening
    12.1.5 Administrator's operational security
    12.4.5 Monitoring of cloud services
    13.1.4 Alignment of security management for virtual and physical networks
  • 18. ISO 27017 APPROACH
    Cloud service customer: Guideline for the Cloud Service Subscriber / Customer
    Cloud service provider: Guideline for the Cloud service hosting company
  • 19. 4 CLOUD SECTOR SPECIFIC CONCEPTS (as per A.15 Supplier Management)
    • CSC should meet its ISMS goals
    • CSP should provide services to enable CSC to meet their ISMS goals
    • Where CSP cannot meet CSC ISMS requirements, CSC should implement additional controls
    • Both CSC and CSP should have strong risk management practices in place
  • 20. 6 ORGANISATION OF INFORMATION SECURITY – ROLES & RESPONSIBILITIES
    Activity | Cloud Service Customer | Cloud Service Provider
    Request to create User IDs: Primary; IT Lead
    Creation of User IDs: Primary; Lead
    Access Provisioning for Users: Primary; IT Lead
    Access Control Review: Primary; Department Heads
    Backup Plan Creation: Primary; IT Lead
    Backup Execution: Primary; Backup Executive
    End Point Security: Primary; Security Team
    Data Encryption: Primary; Security Team
  • 21. 8 ASSET MANAGEMENT – INVENTORY OF ASSETS
    Data | Storage Location
    Customer Master Details: Cloud
    Employee Salary: On-Prem
    Helpdesk Tickets: Cloud
    Data categories: Internal Data; Client A; Client B; Client C
  • 22. 8 ASSET MANAGEMENT – ASSET LABELLING
    Label format: <Location / Type of Asset / Criticality / Serial Number>
    Example: CLD/S/I/001 = Cloud / Soft Copy / Internal / Serial Number 001
    Label Code can be a Bar Code, QR Code etc. as well
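As an added worked example (not part of the presentation), the label scheme on this slide as a small parser and asset register in Python. Only the codes CLD, S and I come from the slide's example; the other codes (ONP for On-Prem, H for Hard Copy, P and C for Public and Confidential) and the criticality assigned to the slide-21 data stores are assumptions. Listing the cloud-located items is the inventory query that the Annex A control on removal of customer assets (CLD.8.1.5) depends on at termination.

```python
"""Parser and register for asset labels of the form
<Location / Type of Asset / Criticality / Serial Number>, e.g. CLD/S/I/001
(Cloud / Soft Copy / Internal / 001, the slide's own example).
Added example; only CLD, S and I are codes shown on the slide, the rest are assumed."""
import re
from dataclasses import dataclass

LOCATIONS = {"CLD": "Cloud", "ONP": "On-Prem"}                       # ONP: assumed code
ASSET_TYPES = {"S": "Soft Copy", "H": "Hard Copy"}                   # H: assumed code
CRITICALITY = {"P": "Public", "I": "Internal", "C": "Confidential"}  # P, C: assumed codes

LABEL_RE = re.compile(
    r"^(?P<loc>[A-Z]{3})/(?P<type>[A-Z])/(?P<crit>[A-Z])/(?P<serial>\d{3,})$"
)


@dataclass(frozen=True)
class AssetLabel:
    location: str
    asset_type: str
    criticality: str
    serial: int

    def code(self) -> str:
        """Render back to the slide's label format (serial zero-padded to 3 digits)."""
        return f"{self.location}/{self.asset_type}/{self.criticality}/{self.serial:03d}"

    def describe(self) -> str:
        return (f"{LOCATIONS[self.location]} / {ASSET_TYPES[self.asset_type]} / "
                f"{CRITICALITY[self.criticality]} / {self.serial:03d}")


def parse_label(code: str) -> AssetLabel:
    """Parse and validate a label; rejects a bad layout and unknown codes."""
    m = LABEL_RE.match(code.strip())
    if not m:
        raise ValueError(f"malformed label: {code!r}")
    loc, typ, crit, serial = m.group("loc", "type", "crit", "serial")
    for value, table, field in ((loc, LOCATIONS, "location"),
                                (typ, ASSET_TYPES, "asset type"),
                                (crit, CRITICALITY, "criticality")):
        if value not in table:
            raise ValueError(f"unknown {field} code {value!r} in {code!r}")
    return AssetLabel(loc, typ, crit, int(serial))


def is_valid_label(code: str) -> bool:
    try:
        parse_label(code)
        return True
    except ValueError:
        return False


class AssetRegister:
    """Issues labels with a running serial per (location, type, criticality) prefix."""

    def __init__(self):
        self._next_serial = {}
        self.items = {}  # label code -> asset name

    def register(self, name: str, location: str, asset_type: str, criticality: str) -> AssetLabel:
        prefix = (location, asset_type, criticality)
        label = AssetLabel(location, asset_type, criticality, self._next_serial.get(prefix, 1))
        parse_label(label.code())  # reject unknown codes before issuing the label
        self._next_serial[prefix] = label.serial + 1
        self.items[label.code()] = name
        return label


def slide_21_inventory() -> AssetRegister:
    """The three data stores from the 'Inventory of Assets' slide; criticality codes are assumed."""
    reg = AssetRegister()
    reg.register("Customer Master Details", "CLD", "S", "C")
    reg.register("Employee Salary", "ONP", "S", "C")
    reg.register("Helpdesk Tickets", "CLD", "S", "I")
    return reg


def cloud_assets(reg: AssetRegister):
    """Assets held on the provider's side, i.e. what CLD.8.1.5 requires to be
    returned and removed when the cloud service agreement ends."""
    return [name for code, name in reg.items.items() if parse_label(code).location == "CLD"]
```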
  • 23. 9 ACCESS CONTROL – USER REGISTRATION / DE-REGISTRATION / ACCESS
    Registration: Provisioning Details
    De-Registration: Details
    Access Provisioning: Details
    Confirmation
  • 24. 9 ACCESS CONTROL – AUTHENTICATION TECHNIQUES
    Standard User: Validation → Access Enabling
    Admin User: Validation 1 → Validation 2 → Access Enabling
  • 25. 9 ACCESS CONTROL – INFORMATION ACCESS RESTRICTION
    Columns: Cloud Service (Read / Write / Delete), Cloud Service Function (Read / Write / Delete), Cloud Customer Data (Read / Write / Delete)
    Developer: X X X
    Tester: X X X
    Lead: X X X X
    PM: X X X X X X
    Admin: X X X X X X X X X
  • 26. 10 CRYPTOGRAPHY – ENCRYPTION CYCLE: GENERATION → STORAGE → ACTIVATION → DISTRIBUTION → ROTATION → EXPIRATION → REVOCATION → DESTRUCTION
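As an added example (not from the presentation), a key lifecycle state machine that enforces the eight stages in the order shown on this slide. The rules that a key may be revoked early while it is still live, that a rotated key is kept for decryption only, and that destruction follows revocation are assumptions made here, not guidance from the deck.

```python
"""Key lifecycle state machine for the eight stages on the 'Encryption Cycle' slide:
GENERATION -> STORAGE -> ACTIVATION -> DISTRIBUTION -> ROTATION -> EXPIRATION -> REVOCATION -> DESTRUCTION.
Added example; the early-revocation, decrypt-only-after-rotation and destroy-after-revocation
rules are assumptions, not text from the presentation."""
import secrets
from enum import Enum


class Stage(Enum):
    GENERATED = "generation"
    STORED = "storage"
    ACTIVE = "activation"
    DISTRIBUTED = "distribution"
    ROTATED = "rotation"
    EXPIRED = "expiration"
    REVOKED = "revocation"
    DESTROYED = "destruction"


# Normal progression, one stage at a time, in the order shown on the slide.
_NEXT = {
    Stage.GENERATED: Stage.STORED,
    Stage.STORED: Stage.ACTIVE,
    Stage.ACTIVE: Stage.DISTRIBUTED,
    Stage.DISTRIBUTED: Stage.ROTATED,
    Stage.ROTATED: Stage.EXPIRED,
    Stage.EXPIRED: Stage.REVOKED,
    Stage.REVOKED: Stage.DESTROYED,
}
# Assumption: a key that still exists in the system may be revoked early
# (e.g. on suspected compromise) from any of these stages.
_LIVE = {Stage.STORED, Stage.ACTIVE, Stage.DISTRIBUTED, Stage.ROTATED}


class KeyStateError(RuntimeError):
    """Raised when a transition or a use of the key is not permitted in its stage."""


class ManagedKey:
    def __init__(self, key_id: str, length: int = 32):
        self.key_id = key_id
        self._material = secrets.token_bytes(length)  # generation
        self.stage = Stage.GENERATED
        self.history = [Stage.GENERATED]              # audit trail of stages

    def advance(self, to: Stage) -> "ManagedKey":
        allowed = {_NEXT.get(self.stage)}
        if self.stage in _LIVE:
            allowed.add(Stage.REVOKED)
        if to not in allowed:
            raise KeyStateError(f"{self.key_id}: {self.stage.value} -> {to.value} is not allowed")
        self.stage = to
        self.history.append(to)
        if to is Stage.DESTROYED:
            self._material = None  # destruction: material is discarded
        return self

    # Assumption: after rotation the old key may still decrypt existing data
    # (until it expires) but must not encrypt anything new.
    def can_encrypt(self) -> bool:
        return self.stage in (Stage.ACTIVE, Stage.DISTRIBUTED)

    def can_decrypt(self) -> bool:
        return self.stage in (Stage.ACTIVE, Stage.DISTRIBUTED, Stage.ROTATED)

    def material(self) -> bytes:
        if self._material is None or not self.can_decrypt():
            raise KeyStateError(f"{self.key_id}: key is not usable in stage {self.stage.value}")
        return self._material


def try_advance(key: ManagedKey, to: Stage) -> bool:
    """Attempt a transition; report whether the state machine permitted it."""
    try:
        key.advance(to)
        return True
    except KeyStateError:
        return False


def full_cycle(key_id: str) -> ManagedKey:
    """Walk one key through every stage in the slide's order."""
    key = ManagedKey(key_id)
    while key.stage in _NEXT:
        key.advance(_NEXT[key.stage])
    return key
```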
  • 27. 12 OPERATIONS SECURITY – CHANGE MANAGEMENT
    Cloud Service Customer: Change Management of CSC should consider changes done by CSP
    Cloud Service Provider: Any change done by CSP should be communicated to CSC
  • 28. 12 OPERATIONS SECURITY – CAPACITY MANAGEMENT
  • 29. 12 OPERATIONS SECURITY – TECHNICAL VULNERABILITY MANAGEMENT
  • 30. 13 COMMUNICATIONS SECURITY – SEGREGATION OF NETWORK: Tenant 1 / Tenant 2 / Tenant 3
  • 31. 15 SUPPLIER RELATIONSHIPS – SECURITY IN CONTRACTS
    The roles and responsibilities in the agreement should address the following, but not be limited to it:
    • Malware protection
    • Backup
    • Cryptographic controls
    • Vulnerability management
    • Incident management
    • Technical compliance checking
    • Security testing
    • Auditing
    • Collection, maintenance and protection of evidence, including logs and audit trails
    • Protection of information upon termination of the service agreement
    • Authentication and access control
    • Identity and access management
  • 32. 15 SUPPLIER RELATIONSHIPS – TECHNOLOGY SUPPLY CHAIN: Contract terms apply to the entire technology supply chain
  • 33. 16 INFORMATION SECURITY INCIDENT MANAGEMENT: Incidents → Reported Incidents / Incident Status → CSP
  • 34. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
    CLD.6.3 Relationship between cloud service customer and cloud service provider
    CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment: Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider.
    Cloud service customer: The cloud service customer should define or extend its existing policies and procedures in accordance with its use of cloud services and make cloud service users aware of their roles and responsibilities in the use of the cloud service.
    Cloud service provider: The cloud service provider should document and communicate its information security capabilities, roles, and responsibilities for the use of its cloud service, along with the information security roles and responsibilities that the cloud service customer would need to implement and manage as part of its use of the cloud service.
  • 35. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
    CLD.8.1 Responsibility for assets
    CLD.8.1.5 Removal of cloud service customer assets: Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement.
    Cloud service customer: The cloud service customer should request a documented description of the termination of service process. This process should cover the return and removal of the cloud service customer's assets followed by the deletion of all copies of those assets from the cloud service provider's systems.
    Cloud service provider: The cloud service provider should provide information about the arrangements for the return and removal of any cloud service customer's assets upon termination of the agreement for the use of a cloud service.
  • 36. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
    CLD.9.5 Access control of cloud service customer data in shared virtual environment
    Objective: To mitigate information security risks when using the shared virtual environment of cloud computing
    CLD.9.5.1 Segregation in virtual computing environments: A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.
    Cloud service customer: (no additional implementation guidance)
    Cloud service provider: The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for:
    • The separation of resources used by cloud service customers in multi-tenant environments;
    • The separation of the cloud service provider's internal administration from resources used by cloud service customers.
  • 37. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
    CLD.9.5 Access control of cloud service customer data in shared virtual environment
    Objective: To mitigate information security risks when using the shared virtual environment of cloud computing
    CLD.9.5.2 Virtual machine hardening: Virtual machines in a cloud computing environment should be hardened to meet business needs.
    Cloud service customer and cloud service provider: When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed), and that the appropriate technical measures are in place (e.g., anti-malware, logging) for each virtual machine used.
  • 38. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
    CLD.12.1 Operational procedures and responsibilities
    CLD.12.1.5 Administrator's operational security: Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.
    Cloud service customer: The cloud service customer should document procedures for critical operations where a failure can cause unrecoverable damage to assets in the cloud computing environment. Examples of the critical operations are:
    • Installation, changes, and deletion of virtualized devices such as servers, networks and storage;
    • Termination procedures for cloud service usage;
    • Backup and restoration.
    Cloud service provider: The cloud service provider should provide documentation about the critical operations and procedures to cloud service customers who require it.
  • 39. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
    CLD.12.4 Logging and monitoring
    CLD.12.4.5 Monitoring of cloud services: The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses.
    Cloud service customer: The cloud service customer should request information from the cloud service provider about the service monitoring capabilities available for each cloud service.
    Cloud service provider: The cloud service provider should provide capabilities that enable the cloud service customer to monitor specified aspects, relevant to the cloud service customer, of the operation of the cloud services; for example, to monitor and detect if the cloud service is being used as a platform to attack others, or if sensitive data is being leaked from the cloud service. Appropriate access controls should secure the use of the monitoring capabilities.
  • 40. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
    CLD.13.1 Network security management
    CLD.13.1.4 Alignment of security management for virtual and physical networks: Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy.
    Cloud service customer: (no additional implementation guidance)
    Cloud service provider: The cloud service provider should define and document an information security policy for the configuration of the virtual network consistent with the information security policy for the physical network. The cloud service provider should ensure that the virtual network configuration matches the information security policy regardless of the means used to create the configuration.
  • 42. Please give your feedback in the chat box about the session!!