
Information Security (ISO 27001) In The Cloud


Do you have Nephophobia?

At a recent CISO Executive Network event in Philadelphia, Peter Stern from IBM began his presentation with the term Nephophobia: Fear of clouds.  I loved the clever intro so I decided to borrow it for this blog article.

Where is the cloud?

Apple, Google and Amazon already launched their own cloud and now Microsoft has joined them as another company to store your data on the web. With computers becoming a necessary part of living, educating, learning and working, it is a smart move for more companies to start building their clouds.

“Cloud computing is Internet-based computing, whereby shared servers provide resources, software, and information to computers and other devices on demand, as with the electricity grid.” – Wikipedia

So how is it helpful to the average consumer? Here is a perfect example. By using Office 365 or Google Docs, a student can write the paper for class and save it to the cloud. The advantages of having that document in the cloud are as follows.

  1. The document is backed up off-site: if the student’s computer crashes, the file is safe and can be restored at any time.
  2. The document can be accessed from anywhere. Google Docs was the first (that I know of) cloud system that offered a web-based form of Microsoft Word, so that same student can edit his or her paper from anywhere in the world without having Microsoft Word installed.


Moving right along

So let’s say your need for “the cloud” is not for personal use. Let’s say your business has client data, reports, or anything else that needs to be shared easily and securely. How does someone know if “the cloud” from Company X is secure? That’s the fun part.

I have been working here at Pivot Point Security for a few months now. In that time I have been learning about various forms of information security attestation. The one in particular I want to share is ISO 27001. Before this I had no idea what it was or what its advantages are. Basically, it is verification that an organization’s Information Security Management System (ISMS) is compliant with ISO 27001 and the best practices detailed in ISO 27002. A company that has become ISO 27001 certified has taken and implemented all of the necessary steps and controls to make sure that its design and operation are secure.

Amazon Web Services and Microsoft Office 365 are both ISO 27001 certified. However, Google Apps and Rackspace are not ISO 27001 certified, but have SAS-70 attestations instead. John Verry, ISO 27001 Certified Lead Auditor at Pivot Point Security, wrote a great blog post called “SAS-70 is Dead, Long Live the King (ISO 27001?)”. It is John’s opinion that ISO 27001 is the “best general purpose form of information security attestation available right now”.

So now that I have shared some interesting information with you, I hope that you begin to look at ISO 27001. It’s great for business and for customers. In fact, we are finding that more and more of our clients are moving towards ISO 27001 because of customer demand.

Scott




About the Author:

Marketing at Pivot Point Security
