What are the standards?
Cloud computing, like any other service, is subject to compliance with market standards.
ISO/IEC 27001:2013 is a widely adopted global security standard that sets out the requirements for an information security management system (ISMS) and provides a systematic approach to managing company and customer information based on periodic risk assessments. The 2013 edition was published on 25 September 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through their joint technical subcommittee (ISO/IEC JTC 1/SC 27); it has since been superseded by ISO/IEC 27001:2022, so check which edition a provider's certificate was issued against.
ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfill agreed service requirements.
ISO 22301:2012 (business continuity management) specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents when they arise.
ISO 9001:2015 specifies requirements for a quality management system when an organization: a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002;
- additional controls with implementation guidance that specifically relate to cloud services.
CSA STAR Certification is an international certification program developed jointly by the British Standards Institution (BSI) and the Cloud Security Alliance (CSA) to address security problems specific to cloud services. It combines an ISO/IEC 27001 audit with an assessment of the provider against the CSA Cloud Controls Matrix (CCM). CSA STAR Certified cloud vendors document their service capabilities transparently, helping customers make more informed decisions when buying and using services.
Service Organization Control (SOC) reports are independent auditor reports on the internal controls of a service organization; they give customers the information they need to assess and address the risks of an outsourced service. Two report types are relevant to cloud providers:
- SOC 1 Report: controls at the service organization relevant to its customers' internal control over financial reporting.
- SOC 2 Report: controls relevant to the confidentiality, security and availability of customer data (together with processing integrity and privacy, these make up the AICPA Trust Services Criteria; security is always in scope, the others are included as agreed with the auditor).
C5 (the Cloud Computing Compliance Controls Catalogue published by the German Federal Office for Information Security, BSI, not to be confused with the British Standards Institution above) is intended primarily for professional cloud service providers, their auditors and the providers' customers. Its requirements are grouped into 17 control domains, each of which the provider either has to comply with fully or meet defined minimum standards for. A C5 attestation is required for working with the public sector in Germany and is increasingly adopted by the private sector. The philosophy behind C5 is to unify the currently fragmented landscape of cloud certifications.
The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS584) is the world’s first cloud security standard that covers multiple tiers of cloud security. Cloud Service Providers (CSPs) can apply MTCS to meet a variety of cloud user requirements, ensuring the security of sensitive data and continuity of critical business functions. MTCS has three levels of security, Level 1 being the base and Level 3 being the most stringent.
The provider must have its Object Storage Service ("OSS") assessed for its ability to comply with the broker-dealer electronic record-keeping requirements of Securities and Exchange Commission (SEC) Rule 17a-4(f) and Financial Industry Regulatory Authority (FINRA) Rule 4511.
Through this assessment the provider can serve more customers in the global financial industry, since regulators in many countries outside the US have adopted equivalent requirements and customers use them as a yardstick when evaluating a product's functions and features.
Under Rule 17a-4(f), broker-dealers may keep records on "electronic storage media", defined as any digital storage medium or system, provided the records are preserved exclusively in a non-rewriteable and non-erasable format: the storage system must prevent alteration or erasure of a record for the whole of its required retention period. WORM (write once, read many) media, or an equivalent retention lock enforced by the storage service, is the usual means of compliance. For an object store this only holds when the lock is enforced by the service itself and cannot be shortened or removed by the tenant's own administrators; a retention setting that a privileged user can override does not meet the requirement. (The SEC's 2022 amendments to Rule 17a-4 added an audit-trail alternative to the WORM requirement, so check which option a provider's assessment covers.)
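The following model shows what a storage layer has to enforce to honour the non-rewriteable, non-erasable semantics described above: a key can be written exactly once, a record cannot be deleted until its retention period has expired, and the bytes are re-hashed on demand to verify the recording. This is an added example written for this page; it is not the provider's OSS code or API. The `WormStore` and `StoredRecord` names, the injectable clock and the six-year retention period used in `demo()` are assumptions chosen for illustration, and the sample record is constructed, not real trade data.

```python
"""Minimal model of Rule 17a-4(f)-style WORM retention for an object store (illustrative)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


class WormViolation(PermissionError):
    """Raised when a write or delete would alter a record inside its retention period."""


@dataclass(frozen=True)
class StoredRecord:
    data: bytes
    sha256: str             # digest taken at write time, used to verify the recording later
    written_at: datetime
    retain_until: datetime  # write time + retention period; the record is locked until then


class WormStore:
    """Object store whose records cannot be overwritten or erased before retain_until.

    `clock` is injectable (assumed helper) so retention expiry can be exercised deterministically.
    """

    def __init__(self, retention: timedelta,
                 clock: Optional[Callable[[], datetime]] = None) -> None:
        self._retention = retention
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._objects: Dict[str, StoredRecord] = {}

    def put(self, key: str, data: bytes) -> StoredRecord:
        # Non-rewriteable: a key may be written exactly once, ever. Refusing the
        # write (rather than versioning it) leaves the original bytes untouched.
        if key in self._objects:
            raise WormViolation(f"{key!r} already exists and is non-rewriteable")
        now = self._clock()
        rec = StoredRecord(data=bytes(data), sha256=hashlib.sha256(data).hexdigest(),
                           written_at=now, retain_until=now + self._retention)
        self._objects[key] = rec
        return rec

    def get(self, key: str) -> bytes:
        return self._objects[key].data

    def exists(self, key: str) -> bool:
        return key in self._objects

    def is_locked(self, key: str) -> bool:
        return self._clock() < self._objects[key].retain_until

    def verify(self, key: str) -> bool:
        """Re-hash the stored bytes and compare with the digest recorded at write time."""
        rec = self._objects[key]
        return hashlib.sha256(rec.data).hexdigest() == rec.sha256

    def delete(self, key: str) -> None:
        # Non-erasable: deletion is refused until the retention period has run out.
        rec = self._objects[key]
        now = self._clock()
        if now < rec.retain_until:
            raise WormViolation(f"{key!r} is locked until {rec.retain_until.isoformat()} "
                                f"({rec.retain_until - now} remaining)")
        del self._objects[key]


def demo() -> dict:
    """Walk one record through its lifecycle with a fake clock and a six-year
    retention period (assumed for illustration). Returns the observed outcomes."""
    current = [datetime(2024, 1, 2, tzinfo=timezone.utc)]
    store = WormStore(retention=timedelta(days=6 * 365), clock=lambda: current[0])

    key = "trades/2024-01-02/order-0001.json"   # constructed sample record
    store.put(key, b'{"order_id": "0001", "symbol": "XYZ", "qty": 100, "side": "buy"}')
    results = {"locked_at_write": store.is_locked(key), "integrity_ok": store.verify(key)}

    try:                                   # attempted overwrite must be refused
        store.put(key, b'{"order_id": "0001", "qty": 1}')
        results["overwrite_refused"] = False
    except WormViolation:
        results["overwrite_refused"] = True

    try:                                   # attempted early delete must be refused
        store.delete(key)
        results["early_delete_refused"] = False
    except WormViolation:
        results["early_delete_refused"] = True

    current[0] += timedelta(days=6 * 365 + 1)   # advance the clock past retention
    results["locked_after_retention"] = store.is_locked(key)
    store.delete(key)                           # now permitted
    results["deleted_after_retention"] = not store.exists(key)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the order of the checks: the overwrite is refused regardless of time, while delete is gated only on the clock, so an attacker who can move the service's clock, or an administrator who can edit `retain_until`, defeats the control. In a real deployment both must sit outside the tenant's reach, which is what the provider's assessment is meant to demonstrate.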
ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
The EU GDPR is a consolidated legal framework intended to ensure the protection of "fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data". It is directly applicable law throughout the European Union that every business using personal data must comply with, including businesses outside the EU that offer goods or services to, or monitor, people in the EU. It replaced the patchwork of national regulations built on the Data Protection Directive (95/46/EC) and has applied since 25 May 2018.
The Personal Data Protection Commission (PDPC) regulates personal data protection in Singapore. It administers and enforces the Personal Data Protection Act 2012 (PDPA), a data protection law comprising rules governing the collection, use, disclosure and care of personal data.