Cloud Gal 42

Category: security

Secure Cloud Data Center Design – Part 2

September 1, 2021 by admin

Physical Environment. ISO/IEC TS 22237-1:2018: Information technology — Data center facilities and infrastructures enumerates availability and protection classes that define different levels of recommended environment restrictions, automated support systems, and design criteria for data centers. The ISO/IEC 22237 seven-part series is comprised of: ISO/IEC TS 22237-1:2018 Information technology — Data center facilities and infrastructures outlines…


Secure Cloud Data Center Design – Part 1

July 28, 2021 | July 21, 2021 by admin

Secure cloud data center design begins with a logical design that then leads to physical design. ISO/IEC 19441:2017 provides illumination on two key concerns related to data in a data center, namely portability and interoperability. The basic environmental protection concerns within a data center are evolving to include concerns outside of the data center. Logical…


Continuous Operations

July 26, 2021 | July 19, 2021 by admin

In order to support continuous operations, the following principles should be adopted as part of the security operations policies. Audit logging: Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations. Audit logging also provides unique user access accountability that can…


Data Event Logging and Event Attributes

July 26, 2021 | July 19, 2021 by admin

In order to be able to perform effective audits and investigations, the event log should contain as much of the relevant data as possible for the processes being examined. OWASP Proactive Controls v3.0, section C9, recommends the following when implementing security logging functions. For security logging implementation: Use a common logging format and approach within…


An Effective Information Security Continuous Monitoring (ISCM) Strategy

July 26, 2021 | July 19, 2021 by admin

Continuous monitoring is a concept that has grown in importance during the transition to cloud computing. Information Security Continuous Monitoring (ISCM) is defined as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Resource: NIST SP 800-137, page vi http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf The terms continuous and ongoing in this context mean…


Applying Controls for Personally Identifiable Information (PII)

July 25, 2021 | July 14, 2021 by admin

The operative application of defined controls for the protection of PII is widely affected by the “cluster” of providers/sub-providers involved in the operation of a specific cloud service; therefore, any attempt to provide guidelines for this can be made only at a general level. Since the goal of applying data protection measures is to fulfill…


Data Security on the Cloud

July 25, 2021 | July 19, 2021 by admin

Data stored in the cloud replicates, moves, and is backed up and restored just as non-cloud data is. However, the dynamic and elastic nature of the cloud can present unique challenges when looking to build efficient data governance policies in the virtualized, multitenant environment of the cloud. From time to time, an organization needs to…


Data Protection on the Cloud

July 24, 2021 | July 15, 2021 by admin

Data protection policies should include guidelines for the different data lifecycle phases. In the cloud, the following three policies should receive proper adjustments and attention: data retention, data deletion, and data archiving. Policies serve as the operational foundation for all aspects of data management and should be clearly reflected in data retention, deletion, and archival activities….


Data Classification for P&DP Purposes

July 24, 2021 | July 14, 2021 by admin

The figure below provides a quick recap of the main input entities for data classification regarding P&DP. Data classification can be accomplished in different ways ranging from “tagging” the data by using other external information, to extrapolating the classification from the content of the data. The latter method, however, may raise some concerns because, according…


Classification of Discovered Sensitive Data

July 23, 2021 | July 14, 2021 by admin

Classification of data for the purpose of compliance with the applicable privacy and data protection laws plays an essential role for the operative control of those elements that are the feeds of the P&DP compliance. This means that not only the “nature” of the data should be traced with classification but also its relationship with…
