binding corporate rules which shall specify according to Article 43 "Transfer by way of binding corporate rules": their legally binding nature; the structure and contact details of the group of undertakings; the data transfer and the type of processing as well as purpose; the general data protection principles; the acceptance by the controller or processor established on the territory; the mechanisms for verification of compliance with the rules; or
standard data protection clauses adopted by the commission and by a supervisory authority; or
contractual clauses between the controller or processor and the recipient of the data.
Some exceptions for the transfer of personal data, if the above-described points do not exist, are stated in Article 44 "Derogations".
Figure 1 summarizes the described evaluation framework. Providers and consumers can use it to review whether the legal and technical requirements are given and fulfilled by the provider and consumer. The framework is applicable to all service models and all deployment models of cloud computing. It shall be used by screening the provider and the contractual relationship according to the listed points, and further to check whether the own organizational provisions comply with the upcoming EU data protection regulation.
Legal and Organizational Requirements

Data Protection Governance:
- Certifications
- Audits

Service Level Agreements:
- Adequate system availability (uptime, response time)
- Credits in case of outages
- Adequate compensation for a breach
- Notification in cases of failure or critical situations

Data Center:
- Number of data centers
- Data location
- Physical security
- Data isolation
- Data backup

Support and Information:
- Frequently Asked Questions (FAQ)
- Help lines and wikis
- Reaction time on requests
- Documentation about security
- Billing system

Compliance (excerpt):
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Federal Information Security Management Act (FISMA)
- Sarbanes-Oxley Act (SOX)
- Safe Harbor
- EU Data Protection Directive 95/46/EC

Data Security and Privacy:
- Data sanitization
- Data ownership
- Audits and certifications
- Identity and key management
- Data encryption
- E-discovery
- Data/vendor lock-in
- Incident response strategies
- Monitoring mechanisms
- Network security strategies
- Business continuity

EU Data Protection Regulation Requirements

Responsibilities (Article 22):
- Implementation of appropriate measures:
  - Documentation (Article 28)
  - Data security (Article 33)
  - Data protection impact assessment (Article 33)
  - Prior authorization (Article 34)
  - Data protection officer (Article 35)
  - Mechanisms for verification

Vendor Lock-in:
- Right to data portability (Article 18)

Data Lifecycle:
- Right to be forgotten and to erasure (Article 17)

Data Location/International Transfer:
- General principle for transfers (Article 40)
- Transfers with an adequacy decision (Article 41)
- Transfer by the way of appropriate safeguards (Article 42)

Representative:
- Designation of a representative in the EU

Processor (Article 26):
- Chosen processor by controller shall:
  - act only on instructions
  - employ reliable staff
  - implement required measures
  - support controller in complying
  - hand over all results after processing
  - make available all information for compliance

Data Loss/Data Breach:
- Security of processing (Article 30)
- Notification to the supervisory authority (Article 31)
- Notification to the data subject (Article 32)

Joint controller (Article 24)
Fig. 1. Cloud Security and Privacy Evaluation Framework