Which of the following frameworks helps an organisation to assess cloud service providers?

Security Frameworks

NIST

First published by the National Institute of Standards and Technology in 2014, the NIST Cybersecurity Framework (CSF) provides voluntary guidance for managing and reducing overall cybersecurity risk. Version 1.x is organised around five core functions: identify, protect, detect, respond, recover. CSF 2.0, released in 2024, adds a sixth function, govern, covering risk-management strategy, roles and oversight. The CSF is not cloud-specific, but its functions are a common way to organise and report on cloud controls.

ISO/IEC 27001 and 27017

These standards are published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and are widely treated as the baseline for cloud security assurance. ISO/IEC 27001 specifies the requirements for an information security management system (ISMS). It was first published in 2005, before cloud adoption was widespread, so it does not address cloud-specific concerns on its own. ISO/IEC 27017 supplements it with cloud-specific guidance, including how responsibilities are shared between a cloud service provider and its customers and how one customer's virtual environment is separated from another's, which makes it useful for defining the obligations of both parties. An organisation can be certified against ISO/IEC 27001. ISO/IEC 27017 is a code of practice rather than a certifiable standard, so there is no stand-alone certification for it; certification bodies commonly audit its controls as an extension of an ISO/IEC 27001 certification instead.

Compliance Frameworks

CSA Cloud Controls Matrix (CCM)

The CSA Cloud Controls Matrix (CCM) is a catalogue of cloud-specific control objectives published by the Cloud Security Alliance (CSA), a non-profit dedicated to defining and promoting best practices for secure cloud computing. CCM v4 organises its controls into 17 domains (for example identity and access management, cryptography and key management, and logging and monitoring) and maps them to other standards such as ISO/IEC 27001, which is what lets it serve as a common vocabulary for assessing a provider against several frameworks at once.

The framework is meant to be used both by cloud service providers, to structure and evidence their own security programme, and by cloud customers, to check that they are selecting a secure vendor. The CSA's Consensus Assessments Initiative Questionnaire (CAIQ) turns each CCM control into questions a provider answers, and completed questionnaires are published in the CSA STAR registry, so a customer can compare providers' answers control by control before signing.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS applies to any organisation that stores, processes or transmits payment-card data, so retailers in particular will want to pay attention to it. It is a contractual standard imposed by the card brands rather than a law. The standard is organised into 12 requirements, each of which has detailed sub-requirements and testing procedures. In summary:

  1. Install and maintain network security controls (firewalls) to protect cardholder data
  2. Apply secure configurations to all system components and do not use vendor-supplied defaults
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems and networks from malicious software and keep the protection up to date
  6. Develop and maintain secure systems and software, including regular patching
  7. Restrict access to cardholder data to business need to know
  8. Identify users and authenticate access, with a unique ID for each person with computer access
  9. Restrict physical access to cardholder data and the systems that hold it
  10. Log and monitor all access to system components and cardholder data
  11. Test the security of systems and networks regularly (vulnerability scans and penetration tests)
  12. Support information security with organisational policies, documentation and risk assessments

General Data Protection Regulation (GDPR)

GDPR concerns you if you process personal data of individuals in the European Union (or the wider EEA), whether or not your organisation is established there. Several U.S. states, starting with California's CCPA and its CPRA amendments, have enacted privacy laws with similar rights, so even if you do not currently do business in the EU it pays to track the growing set of state laws and make sure you can comply with them. These laws give individuals the right to access and erase their data on request, which means you must know exactly where specific personal data resides, including copies in backups, logs and analytics stores. That is hard to do without a comprehensive cloud data governance policy and an up-to-date data inventory.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) is a 2002 U.S. law meant to protect investors from fraudulent financial disclosure by publicly traded corporations. It is primarily a financial-reporting requirement, but it reaches IT because the systems that store and process financial data are part of the internal controls it regulates. Security teams should pay particular attention to Section 404, which requires management to assess, and external auditors to attest to, the effectiveness of internal controls over financial reporting. SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee those auditors; the SEC enforces the act itself. If financial data sits in a system whose integrity and access cannot be demonstrated, auditors will not treat the data as reliable because of the potential for tampering. Controls such as access management, change management, audit logging and encryption of financial data are therefore treated as evidence supporting the financial statements.

Architecture Frameworks

You will also see vendor-specific well-architected frameworks, written for cloud architects by the providers themselves: the AWS Well-Architected Framework, the Microsoft Azure Well-Architected Framework and the Google Cloud Architecture Framework. Each includes a security pillar with design principles and review questions for that platform. They describe good design on one provider rather than a standard you can be certified against, so they complement, but do not replace, the compliance frameworks above.

Which Framework to Follow?

The industry you are in, where your customers are located, and the type of data you handle determine which standards you must comply with. Any retailer that stores, processes or transmits cardholder data is in scope for PCI DSS regardless of location. There is significant overlap between frameworks (the same access-control, logging and encryption controls satisfy requirements in several of them), so demonstrating compliance with one gets you much of the way to the others. A Cloud Security Posture Management (CSPM) tool can help by continuously checking your cloud configuration against benchmarks mapped to the popular frameworks. Note that it reports on configuration only; process requirements such as risk assessments, policies and training still have to be evidenced separately.
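The following is an added example, not code from the original article or from any CSPM vendor, showing the mechanism a CSPM tool applies: run configuration checks over an inventory of cloud resources, tag each finding with the framework requirements it touches, and collapse the results into per-framework coverage so the overlap between frameworks becomes visible. The inventory is constructed sample data; the check-to-requirement mappings are illustrative assumptions drawn from the PCI DSS requirements and NIST CSF functions named above, not an official crosswalk.

```python
"""Minimal CSPM-style evaluator: run configuration checks over a cloud
inventory and map each finding to the framework requirements it touches.

Added example, not code from the original article or from any CSPM vendor.
The inventory is constructed sample data, and the check-to-requirement
mappings are illustrative assumptions drawn from the requirements the
article names (PCI DSS requirements 3, 4, 7, 8, 10; NIST CSF functions).
"""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory, shaped like what a CSPM exports from a provider API.
INVENTORY = [
    {"id": "bucket-cardholder-archive", "type": "object_storage",
     "public_access": True, "encryption_at_rest": False},
    {"id": "bucket-static-site", "type": "object_storage",
     "public_access": True, "encryption_at_rest": True},
    {"id": "db-payments", "type": "database",
     "encryption_at_rest": True, "tls_required": False, "audit_logging": False},
    {"id": "user-shared-ops", "type": "iam_user",
     "shared_account": True, "mfa_enabled": False},
]


@dataclass(frozen=True)
class Check:
    name: str
    resource_types: tuple[str, ...]
    is_violation: Callable[[dict], bool]    # True when the resource fails the check
    frameworks: dict[str, tuple[str, ...]]  # framework -> requirement references


@dataclass(frozen=True)
class Finding:
    check: str
    resource_id: str
    frameworks: dict[str, tuple[str, ...]]


# One check, several frameworks: this is the "overlap" the article describes.
# The mappings below are assumed for the example, not an official crosswalk.
CHECKS = [
    Check("unencrypted_at_rest", ("object_storage", "database"),
          lambda r: not r.get("encryption_at_rest", False),
          {"PCI DSS": ("Req 3",), "NIST CSF": ("Protect",)}),
    Check("public_object_storage", ("object_storage",),
          lambda r: r.get("public_access", False),
          {"PCI DSS": ("Req 7",), "NIST CSF": ("Protect",)}),
    Check("tls_not_required", ("database",),
          lambda r: not r.get("tls_required", False),
          {"PCI DSS": ("Req 4",), "NIST CSF": ("Protect",)}),
    Check("audit_logging_disabled", ("database",),
          lambda r: not r.get("audit_logging", False),
          {"PCI DSS": ("Req 10",), "NIST CSF": ("Detect",)}),
    Check("shared_or_unprotected_identity", ("iam_user",),
          lambda r: r.get("shared_account", False) or not r.get("mfa_enabled", False),
          {"PCI DSS": ("Req 8",), "NIST CSF": ("Protect",)}),
]

# Documented exceptions: resource id -> checks that are accepted for it.
# A public bucket serving a static site is intentional; the scanner still
# flags it, so the exception has to be explicit and reviewable, not silent.
EXCEPTIONS = {"bucket-static-site": frozenset({"public_object_storage"})}


def evaluate(inventory, checks, exceptions):
    """Return one Finding per (resource, failed check), minus accepted exceptions."""
    findings = []
    for resource in inventory:
        accepted = exceptions.get(resource["id"], frozenset())
        for check in checks:
            if resource["type"] not in check.resource_types:
                continue
            if check.name in accepted:
                continue
            if check.is_violation(resource):
                findings.append(Finding(check.name, resource["id"], check.frameworks))
    return findings


def coverage_by_framework(findings):
    """Collapse findings into framework -> set of requirement references hit."""
    coverage = {}
    for f in findings:
        for framework, refs in f.frameworks.items():
            coverage.setdefault(framework, set()).update(refs)
    return coverage


if __name__ == "__main__":
    results = evaluate(INVENTORY, CHECKS, EXCEPTIONS)
    for f in results:
        print(f"{f.resource_id}: {f.check} -> {f.frameworks}")
    print(coverage_by_framework(results))
```

On the constructed inventory the evaluator produces five findings (six without the exception), and the coverage view shows that a single unencrypted or unlogged resource fails requirements in both PCI DSS and the NIST CSF at once. The exception table is the part practitioners most often get wrong: suppressions should be tied to a specific resource and check and kept in version control, not applied globally to a rule.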

Adhering to these frameworks is essential for avoiding fines as well as protecting your data from a costly breach and loss of consumer confidence. RH-ISAC members have access to a community of over 200 fellow retailers with experience implementing cloud security frameworks. Membership can extend your team’s capabilities and provide valuable advice to simplify cloud compliance.

Which of the following frameworks helps an organization to assess cloud service providers?

Companies and vendors can use cloud-specific security frameworks for validation and certification efforts. These include the Cloud Security Alliance's (CSA) Cloud Controls Matrix (CCM), FedRAMP and ISO/IEC 27017:2015.

What are cloud frameworks?

When describing a cloud computing framework, the umbrella term “framework” refers to anything from sets of development tools, middleware technology, or even database management software that helps with the administration, creation, and control of cloud applications.

Which framework is used by cloud consumers for selecting appropriate cloud service provider's security controls?

The MITRE ATT&CK Cloud Matrix documents adversary techniques observed against Azure, Microsoft 365, Google Cloud Platform (GCP), AWS and other cloud platforms. It is a knowledge base of attacker behaviour, used for threat modelling and for measuring detection coverage, not a framework for choosing controls. The framework built for selecting and assessing a cloud service provider's security controls is the CSA Cloud Controls Matrix (CCM), described above, which both providers and customers use for that purpose.

Which standard is used in assessing cloud service security?

NIST SP 800-53 Rev. 5 (2020), Security and Privacy Controls for Information Systems and Organizations, is a widely used control catalogue for information system security and applies to cloud systems as well. FedRAMP, the U.S. federal authorisation programme for cloud service providers, builds its security baselines from SP 800-53 controls, which is why a FedRAMP authorisation is often used as evidence of a provider's security posture.