Cloud Data Privacy and Data Sovereignty
Chris [email protected]
Agenda
• Government Leadership
• Australian and State Government Frameworks for Mortals
• Managing and Evaluating Risk
• Office 365 Compliance
Australian Government Leadership
Opens $5B in ICT spending to cloud
Requires federal agencies to consider cloud
Australian Government Leadership
GOAL: “The Australian Government will be a leader in the use of cloud services to achieve greater efficiency, generate greater value from ICT investment, deliver better services and support a more flexible workforce”
STATEMENT: Australian Government agencies will:
• consider cloud services for new ICT procurements
• commence procurement of public cloud services for their test & dev needs, as appropriate value for money
• transition public facing websites to public cloud hosting at natural ICT refresh points
• establish info sharing initiatives to facilitate continual improvement, case studies, risk models, lessons etc
SA Government Leadership
Discussion Paper which focuses on the importance of “connectedness” and improving the state’s ability to innovate
Digital by default
Moving from…
• Buying software to buying services
• Big monolithic projects to rapid prototyping
• Competing for resources to sharing first
Little mention of…
• Social Computing
• Cloud Computing
Security Policies and Frameworks (diagram labels)
Standards:
• ISO 31000:2009 Risk Management
• ISO 27001
• ISO 27002 IT Security Management
Commonwealth:
• Protective Security Policy Framework
• Information Security Management - Controls
SA Government:
• Protective Security Management Framework
• Information Security Management Framework
What does it mean for Office 365?
ISMF Standard 12 - Section 7.2.1 Risk identification associated with external organisations
Responsible Parties must conduct a thorough risk assessment in accordance with Section 5.1 of the PSMF and supported by the Government of South Australia Risk Management Policy Statement prior to granting access to information and/or information processing facilities by any External Organisation.
ISMF Standard 13 - Section 7.2.2
Access provided to third parties (including customers, contractors etc.) shall be controlled based on the specific business requirements of the Responsible Party.
So…
• There are no specific aversions to cloud based technologies, and
• There are no requirements for cloud infrastructure to be hosted in Australia
If…
• A Risk Assessment is completed, and
• The Business Requirements are compatible
Because… Privacy Act 1988
Schedule 3 – National Privacy Principles – 9 – Transborder data flows
An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or
Risk Assessment
Bridging the gap (diagram labels)
ISO 27001
EU Safe Harbor
Data Processing Agreement
HIPAA/FISMA
Protective Security Management Framework
Information Security Management Framework
GAP
Classification / Encryption
Office 365 provides:
• Use Rights Management Service
• E3, E4 or On-Premise
What you need to do:
• Use your Risk Assessment to build a Classification Scheme and don’t store certain data in the cloud
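The slide leaves "build a Classification Scheme and don't store certain data in the cloud" as advice. The following is an added example, not code from the deck or from Microsoft, showing one way to turn that advice into an enforceable rule: derive a label for each record from a classification scheme, then decide per destination whether the record may be stored there and which controls apply. It encodes the two constraints the deck actually states, the risk-assessment outcome that some data stays on-premise, and the NPP 9(a) condition quoted above (personal information may go offshore only where the recipient is bound by a law, binding scheme or contract upholding similar principles), and treats Rights Management Service protection as the control for anything non-public that goes to the cloud. The labels, the PERSONAL_FIELDS list, the Destination attributes, the tenant names and the sample records are all constructed for illustration and are not an official scheme.

```python
"""Classification-driven storage decisions (illustrative, constructed scheme)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List

# Constructed scheme: the presence of any of these fields makes a record
# personal information for the purposes of this example (assumption, not an
# official SA Government or Privacy Act field list).
PERSONAL_FIELDS = {"name", "date_of_birth", "tfn", "medicare_number", "email"}


class Classification(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    PERSONAL = "personal"      # NPP 9 applies when it leaves Australia
    RESTRICTED = "restricted"  # risk assessment outcome: on-premise only


@dataclass
class Destination:
    name: str
    jurisdiction: str             # ISO 3166 code of where data is held
    on_premise: bool = False
    binding_scheme: bool = False  # recipient bound by law/scheme/contract (NPP 9(a))
    rms_available: bool = False   # Rights Management Service can protect content


@dataclass
class Decision:
    allowed: bool
    reason: str
    controls: List[str] = field(default_factory=list)


def classify(record: Dict[str, str]) -> Classification:
    """Explicit 'restricted' marker wins; then field contents; then 'public' marker.

    A record marked public but carrying a personal field is still PERSONAL,
    so the scheme errs toward protection rather than trusting the marker.
    """
    marker = record.get("_handling", "").lower()
    if marker == "restricted":
        return Classification.RESTRICTED
    if PERSONAL_FIELDS & set(record):
        return Classification.PERSONAL
    if marker == "public":
        return Classification.PUBLIC
    return Classification.INTERNAL


def decide(label: Classification, dest: Destination) -> Decision:
    """Apply the on-premise rule, the NPP 9(a) transfer test, then the RMS control."""
    if dest.on_premise:
        return Decision(True, "on-premise: no transfer to an external organisation")
    if label is Classification.RESTRICTED:
        return Decision(False, "restricted: on-premise only per risk assessment")
    if label is Classification.PUBLIC:
        return Decision(True, "public: no constraints")
    if (label is Classification.PERSONAL and dest.jurisdiction != "AU"
            and not dest.binding_scheme):
        return Decision(False, "NPP 9: recipient not bound by a law, scheme or contract")
    if not dest.rms_available:
        return Decision(False, f"{label.value}: RMS protection required but unavailable")
    controls = ["rms-protect"]
    if label is Classification.PERSONAL and dest.jurisdiction != "AU":
        # Keep evidence of the 'reasonable belief' NPP 9(a) relies on.
        controls.append("record-transfer-basis")
    return Decision(True, f"{label.value}: permitted with controls", controls)


def route(records, destinations) -> Dict[str, Dict[str, Decision]]:
    """Decision for every record against every candidate destination."""
    return {r["id"]: {d.name: decide(classify(r), d) for d in destinations}
            for r in records}


# Constructed sample data; the TFN is an obvious placeholder.
SAMPLE_RECORDS = [
    {"id": "r1", "_handling": "public", "title": "Opening hours"},
    {"id": "r2", "name": "A. Citizen", "tfn": "000 000 000"},
    {"id": "r3", "_handling": "restricted", "title": "Incident report"},
    {"id": "r4", "title": "Team roster draft"},
]
DESTINATIONS = [
    Destination("on-prem-file-share", "AU", on_premise=True),
    Destination("o365-tenant-au", "AU", rms_available=True),
    Destination("o365-tenant-us", "US", rms_available=True),
    Destination("o365-tenant-us-dpa", "US", binding_scheme=True, rms_available=True),
]

if __name__ == "__main__":
    for rec_id, per_dest in route(SAMPLE_RECORDS, DESTINATIONS).items():
        for dest_name, d in per_dest.items():
            verdict = "ALLOW" if d.allowed else "DENY "
            print(f"{rec_id} -> {dest_name:20} {verdict} {d.reason} {d.controls}")
```

The point of separating `classify` from `decide` is that the risk assessment feeds the first (which fields and markers map to which label) while the legal and contractual position of each tenant feeds the second; changing either, for example adding a Data Processing Agreement to a tenant, is a data change rather than a code change, and the denied decisions give the auditor the reason the deck's risk assessment asks for.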
Questions & Next steps
• Microsoft is working to reduce uncertainty with PSPF, ISMF
• More Risk Analysis Tools coming