2020 has been the year of COVID-19, with new norms for organisations relying on geographically separated workforces. It has seen a significant uptake in cloud-based applications and services to keep businesses operating. At the top of this list has been virtual communication technologies. Products such as Microsoft Teams, Zoom and similar collaboration platforms have been almost universally adopted. Document sharing, personnel management, and financial applications are not far behind.
COVID-19 lockdown restrictions arrived very quickly. Organisations which had not proactively prepared a business continuity plan had to make quick procurement decisions for the products and services needed to keep trading. Others had to undertake a formal review of their privacy policies, which meant understanding the geographic location of processed and stored data. Just as important was assessing whether the cloud service provider would willingly support GDPR requirements. Notifying breach reports and cooperating with data subject rights requests has become a secondary consideration to “how much” and “how soon”.
What are the best practices?
Organisations need to decide on what is the best practice for in-house services. It means assessing technical resilience, software patching, user access management and data backups. Whilst cloud services are essentially “data processed on somebody else’s server”, responsibilities remain with the data controller and still need to be considered. Sadly, that is where most risk assessments fail.
Many cloud service providers will willingly share their security and data protection controls. Worryingly, however, most potential customers either do not know that this information exists or fail to understand the importance of reviewing it. The UK Government’s National Cyber Security Centre has published “14 Cloud Security Principles.” These focus on the main areas which should be considered, both from the perspective of the organisation providing the cloud service and from that of potential consumers.
The role of ISO 27001
ISO27001 is the most widely used standard for managing information security. It covers the activities that may affect the confidentiality, integrity or availability of information. Moving from an in-house managed capability to a cloud service will change the overall assessment of risk. This is because at least part of the protection for the valuable data being entrusted to the cloud will pass to the cloud service provider. The same is true for the physical data centre provider behind software-as-a-service (“SaaS”) applications. It is exceedingly difficult to physically assess such third-party activities. This makes reliance on contractual clauses and supporting evidence even more important.
Customers do not need to be aiming for formal ISO27001 certification to benefit from the best practice security controls that it contains within its “Annex A”. These can be considered in the context of an external cloud service (typically SaaS offerings). Importantly, more focused guidance can be found within the supplementary controls of the ISO27017 standard. Helpfully, this framework introduces the different roles and responsibilities of the supplier (e.g. technical responsibilities for keeping the cloud service secure). It also defines the customer responsibilities (e.g. understanding the capabilities and limitations of a cloud service and guidance on how to consume it securely).
The long term impact of COVID-19
COVID-19 is likely to persist for a while to come. Organisations should take the time to identify any hasty decisions that may have been taken during lockdown. It is also an opportunity to revisit the security of data which now finds itself in the cloud. A further consideration is to re-assess the workforce’s readiness for using the cloud. Is human error (most commonly caused by ignorance of published policy) challenging the organisation’s risk posture?
Assessments of the security of home workers must address several key areas. Home workers sit outside the strong perimeter and network controls which are in place within most corporate premises. Do individuals understand the organisation’s position on using virtual private networks (VPNs) to secure communications? What about the requirements of the acceptable use policy (AUP) governing what software can and cannot be installed? Is there clear communication of how personal (BYOD) devices can (or cannot) be used for business purposes? All of these considerations are most usefully served up in an updated training session. This, of course, can be delivered remotely to ensure maximum participation.
Cloud services have certainly assisted many organisations in keeping trading during these difficult times. However, this “new normal” brings different and changing risks which need to be managed and controlled. There is no better time to take a look at these than now. Proactive prevention is always significantly better than reactive investigation. Nobody wants to risk losing the trust of valuable customers and the inevitable effect on that all too vulnerable revenue stream.
InfoSaaS is a specialist provider of intuitive software solutions, helping organisations to achieve, maintain and streamline their data security, risk management and general business compliance activities. Delivered via its unique “ICF” (InfoSaaS Compliance Framework) and supported with consultancy and helpful training, InfoSaaS solutions incorporate over 20 years’ industry experience.
Organisations use the ICF platform to effectively implement, progress and achieve their specific business compliance objectives, which for many includes obtaining externally validated ISO certifications. The ICF covers a wide range of data security, risk management and general business compliance activities (supporting ISO9001, ISO27001, ISO27017, ISO27018 and ISO27701) including supply chain management (ISO28001), data protection (UK Data Protection Act 2018 and GDPR) and health and safety risk management (ISO45001).
To ensure the best possible outcomes for all of its clients, InfoSaaS has created a global network of trusted, expert business compliance professionals, including partners and consultants who can deliver on-site or remote consultancy, training and support as required.