Cloud Security and Standards
Standard ISO 22301 for business continuity management specifies the requirements for planning, establishing, operating and constantly improving a management system for protection from disruptive events, while minimizing the probability of the occurrence of disruptive events, preparing for them, handling them and recovering from them, by identifying the organization’s key services and products, the critical activities supporting them, and the risks they face in the event of an unexpected incident.
A relatively new standard defined in 2015 which specifies relevant additions for cloud computing. The standard expressly notes the shared responsibility for information security borne by the cloud supplier and the customer, and defines the framework of each party’s responsibility.
International standard for security of information systems in the field of health care, published in late 2010 by the International Standards Organization. Its purpose is to provide medical organizations with tools for protecting personal medical information in their possession. The initiative for this standard came from Israel. Personal medical information stored by medical organizations around the world is, on one hand, particularly sensitive, while on the other hand, it is in an environment bustling with users and visitors.
The standard for information security management systems, ISO 27001, defines simple, methodical and purposeful principles for establishing, managing and maintaining the appropriate information security systems for an organization. Certification for an information security management system in accordance with ISO 27001 requirements proves that the organization is taking the appropriate measures to realize its commitment to protect the information and manage it efficiently.
This standard attests to the fact that the company meets customer requirements and all legal requirements, strives to increase customer satisfaction, implements self-investigation and constant improvement processes, and acts to implement processes for preventing risks and disruptive events, in order to uphold its obligations to company customers, and to provide service above and beyond the accepted standards.
Emergency Economy is an inter-ministerial body responsible for preparing factories, services and products that are vital to the Israeli economy during emergencies, in order to enable as normal a routine as possible on the home front. Emergency Economy is also responsible for activating these elements during wartime or emergencies, for preparing the local authorities, and for ensuring preparedness to receive evacuated civilians.
The CSA has created a control matrix designed to reflect the level of preparedness of cloud service providers in terms of information security, risk management, and survivability, for customers and potential customers interested in purchasing their services. Subject to international standardization bodies, the CSA issues certification under the name Star in order to assess cloud service providers (CSPs).
The National Cyber-Protection Authority
Providing cloud services to customers guided by the National Cyber-Protection Authority.
SSAE 16, which replaced SAS-70 as a U.S. standard, has caused a small revolution in reporting and a major revolution in the responsibility taken by the management of service organizations for the information specified in the report and for reporting flaws and controls at the company as well as the auditing process of the accountant expressing an opinion on the report.