Cloud Data Privacy and Data Sovereignty Chris Dury chris@dury.me


Agenda

• Government Leadership
• Australian and State Government
• Frameworks for Mortals
• Managing and Evaluating Risk
• Office 365 Compliance

Australian Government Leadership

Opens $5B in ICT spending to cloud

Requires federal agencies to consider cloud

Australian Government Leadership

GOAL: “The Australian Government will be a leader in the use of cloud services to achieve greater efficiency, generate greater value from ICT investment, deliver better services and support a more flexible workforce.”

STATEMENT: Australian Government agencies will:
• consider cloud services for new ICT procurements
• commence procurement of public cloud services for their test & dev needs, where this represents appropriate value for money
• transition public facing websites to public cloud hosting at natural ICT refresh points
• establish information sharing initiatives to facilitate continual improvement, case studies, risk models, lessons learned etc.

SA Government Leadership

Discussion Paper which focuses on the importance of “connectedness” and improving the state’s ability to innovate

Digital by default

Moving from…
• Buying software to buying services
• Big monolithic projects to rapid prototyping
• Competing for resources to sharing first

Little mention of…
• Social Computing
• Cloud Computing

Security Policies and Frameworks

Standards
• ISO 31000:2009 Risk Management
• ISO 27001
• ISO 27002 IT Security Management

Commonwealth
• Protective Security Policy Framework
• Information Security Management - Controls

SA Government
• Protective Security Management Framework
• Information Security Management Framework

What does it mean for Office 365?

ISMF Standard 12 - Section 7.2.1 Risk identification associated with external organisations: Responsible Parties must conduct a thorough risk assessment in accordance with Section 5.1 of the PSMF and supported by the Government of South Australia Risk Management Policy Statement prior to granting access to information and/or information processing facilities by any External Organisation.

ISMF Standard 13 - Section 7.2.2: Access provided to third parties (including customers, contractors etc.) shall be controlled based on the specific business requirements of the Responsible Party

So… There are no specific aversions to cloud-based technologies, and

There are no requirements for cloud infrastructure to be hosted in Australia

If… A Risk Assessment is completed, and

The Business Requirements are compatible

Because… Privacy Act 1988

Schedule 3 – National Privacy Principles – 9 – Transborder Data Flows

An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

Risk Assessment

Office 365 Compliance

http://trustoffice365.com/

Bridging the gap

Office 365 provides
• ISO 27001
• EU Safe Harbor
• Data Processing Agreement
• HIPAA/FISMA

GAP
• Protective Security Management Framework
• Information Security Management Framework

What you need to do
• Classification
• Encryption
• Use Rights Management Service (E3, E4 or On-Premise)
• Use your Risk Assessment to build a Classification Scheme and don’t store certain data in the cloud

Questions & Next steps
• Microsoft is working to reduce uncertainty with PSPF, ISMF
• More Risk Analysis Tools coming