OCA October 2014: Standards and benchmarks

United Kingdom

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

New ISO 27018 Code of practice for protection of PII in public clouds

In August this year the ISO published a new security standard for cloud services: ISO/IEC 27018 - Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors ("ISO 27018"). Datonomy reported in May this year that this new standard was on its way. This publication is a welcome step towards ensuring compliance with the principles of privacy laws and further boosting customer confidence in cloud computing technologies. Read our full summary here.

EU: New standardisation guidelines for cloud computing services SLAs

As reported on Datonomy here, these new guidelines were published in June by the Cloud Select Industry Group.

Forming part of the European Commission's wider Cloud Computing strategy which was unveiled in 2012, the guidelines have been described as a first step towards standardised building blocks for terminology and metrics in cloud SLAs. They aim to improve the drafting clarity and customer understanding of cloud SLAs. European Commission Vice-President Viviane Reding said: "[the] new guidelines will help generate trust in innovative computing solutions and help EU citizens save money. More trust means more revenue for companies in Europe's digital single market." The 62 page guidelines - created by a drafting team which included participants from IBM, Amazon, Microsoft and T-Systems - deal with service levels relating to availability, reliability, security, support services and data management, and take into account the guidance of the Article 29 Working Party.

UK: Cyber security certification scheme launched

As reported on Datonomy here, following the consultations on the requirements for a preferred standard for cyber security, which concluded in November 2013 (background information here), the Government has launched a new cyber security certification scheme. The scheme focuses on five main controls for basic cyber hygiene:

  • boundary firewalls and internet gateways;
  • secure configuration;
  • access control;
  • malware protection; and
  • patch management.

Businesses can apply for a "Cyber Essentials" certificate (based on independently verified self-assessment) or a "Cyber Essentials Plus" certificate (offering a higher level of assurance through external testing of the organisation's systems). The scheme is designed to be affordable and offers a snapshot of the organisation's cyber security effectiveness on the day of assessment, rather than ongoing assurance. Guidance on meeting the Cyber Essentials requirements can be downloaded from the government-approved cyberstreetwise website here, and a summary of the scheme can be found here. Vodafone has become the first telecoms company to gain the UK "Cyber Essentials Plus" certification.

UK: impact of ICO fines on data security

As reported on Datonomy here, the ICO has published a review of the impact of its civil monetary penalties ("CMPs"), the vast majority of which have related to security breaches. The review canvassed the views of representatives from 14 organisations who had received a CMP and 85 peer organisations who had not. The findings suggest that overall CMPs are effective at improving data protection compliance. However some respondents felt that there was a lack of transparency about how CMPs have been calculated and some showed a lack of understanding of just what poor practices trigger the CMP threshold.