December is Cloud Privacy Month
You may be asking yourself why we are writing about cloud security when this is a privacy blog. The answer: there is no privacy without security.
When your organization is investing in a cloud service provider (CSP), the first hurdle to overcome is understanding their security posture. If that assessment comes back with very few (hopefully none) red flags, that’s a good sign.
Why would that be good news for privacy?
- The CSP knows their business and knows that it depends completely on not suffering a successful attack, so strong security is part of the business model
- They understand the information that is entrusted to them and take steps to adequately protect it, because they have a Data Classification Policy which they have fully implemented
- The CSP has implemented security principles:
  - Understand the requirements for Confidentiality, Availability, Integrity, Connectivity and the risks associated with these, and whether they fall in the “acceptable” range
  - Understand the legal and regulatory implications of the information entrusted to the CSP (this is where the privacy team will really benefit: it is important to understand data flows, transfers etc.)
  - Asset protection and resilience, including a backup strategy
  - Segregation of environments and users to reduce the possibility of compromised service
  - Security governance framework which coordinates and directs its management of the service and information within it
  - Operational security, including personnel security
  - Development security
  - Supply chain security
  - Secure user and identity management
  - Secure service use and administration
- The CSP has invested in assurance for their service, including privacy controls
- The CSP works with the organization to ensure mitigating controls are in place and additional residual risks are identified
- There is a culture of continuous risk monitoring and management
At Managed Privacy Canada we have reviewed many third parties on behalf of our clients, and we have a tried and tested methodology to spot, document, and recommend mitigations for cloud risks. Our privacy risk sweeps will point out your organization’s areas of vulnerability, while our privacy impact assessments scan your projects for possible risks. To book your free 20-minute consultation with our Privacy Experts and take privacy-as-a-service for a spin, visit managedprivacy.ca.