Cloud Service Provider Compliance and Security Controls

There are countless benefits for legal professionals to be able to work and collaborate remotely in the cloud; it is, however, important to also be aware of the associated security challenges and vulnerabilities associated with cloud technology. 

A security breach or failure to meet specific compliance guidelines could put you and your team at risk of significant legal and financial trouble, not to mention potential downtime and losing the trust of your clients.

The good news is that many reputable cloud service providers offer their users the ability to rely on or “inherit” the embedded security and compliance controls that already exist within the provider’s application infrastructure.

To assist you and your legal team in making the right choice in cloud service providers, David Hansen, Vice President of Compliance at NetDocuments, authored the “16 Compliance and Security Controls to Look for in a Cloud Service Provider” for ILTA’s Peer to Peer magazine, below.

This list of compliance and security checks includes the globally recognised International Organization for Standardization (ISO) 27000 family of standards and controls as well as US-based international standards that are not only required within their original state or country but have since been recognised more broadly as important security benchmarks.

1. ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within the context of the organisation.
2. ISO 27017 provides guidance on the information security aspects of cloud computing and cloud services as well as additional implementation guidance for relevant controls specified in ISO/IEC 27002.
3. ISO 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Privacy Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
4. ISO 27701 is a privacy extension to ISO/IEC 27001 designed to enhance the existing ISMS with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). In addition, the controls in ISO 27701 address many of the requirements in the EU’s General Data Protection Regulation (GDPR), so being certified in the ISO 27701 controls can also be used to independently validate compliance with GDPR.
5. Service Organization Controls (SOC) reports help companies establish trust and confidence in their service delivery processes and controls. This is achieved through detailed information and assurance about a cloud service provider’s ability to adhere to some or all of the Trust Principles: security, availability, privacy, processing, integrity, and confidentiality.
6. The Federal Information Processing Standard (FIPS) (140-3) specifies the security requirements that need to be satisfied by cryptographic modules and is a critical standard when dealing with highly regulated industries. It’s important to note the differences between FIPS 140-2, which meets the tamper-resistant standard, and FIPS 140-3, which meets the higher tamper-proof standard. In addition, FIPS 140-2 only addresses security requirements after completion, but FIPS 140-3 now evaluates security requirements at all stages of cryptographic module creation - design, implementation, and final operational deployment.
7. The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide certification program that provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services supplied to government agencies, vendors, and customers.
8. Export Administration Regulations (EAR) are export control regulations run by different departments of the US government, such as the US Department of Commerce, which administers EAR to regulate the export of “dual-use” items, including technical data and technical assistance, which are designed for commercial purposes but could have military applications such as computers, aircraft, and pathogens.
9. Defense Federal Acquisition Regulation Supplement (DFARS) requirements and regulations are meant to guarantee the integrity of Controlled Unclassified Information (CUI), or sensitive information belonging to the US government that third parties such as suppliers, partners, and trade associations may hold or use.
10. The Federal Information Security Management Act (FISMA) is the US legislation that defines a framework for guidelines and security standards to protect government information and operations.
11. The Health Insurance Portability and Accountability Act (HIPAA) defines nationally standardised privacy protections for patients’ medical records and other health information provided to and managed primarily by health plans, doctors, hospitals, and other healthcare providers in the US. However, it can also apply to employers that offer group health plans and any business or individual that provides services to physicians, healthcare providers, and insurance companies.
12. SEC Rule 17a-4 applies to US broker-dealers and other relevant parties who trade securities or function as brokers for traders, including banks, securities firms, and stock brokerage firms, requiring them to store all business records for a period of no less than six years on non-rewriteable and non-erasable media, with the first two years being in an easily accessible place.
13. The EU Model Clauses are standardised contractual clauses used in agreements between service providers and their customers to ensure that any personal data leaving the European Economic Area will be transferred in compliance with EU data protection laws and meet GDPR requirements.
14. The Australian Cyber Security Centre’s (ACSC) cloud security guidance informs Commonwealth entities, cloud service providers (CSPs), and Infosec Registered Assessors Program (IRAP) assessors on how to perform a comprehensive security assessment of CSPs and their services.
15. The General Data Protection Regulation (GDPR) regulates how companies protect EU citizens’ personal data and have become the benchmark privacy law for many countries.
16. The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the US state of California.

The more of these “check items” your vendor meets or complies with, the better positioned you are to have security and compliance controls in place to benefit and protect your customers and your legal team.

Also read: Galilee Solicitors Achieves ISO 27001 Certification