This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO\/IEC 29100 for the public cloud computing environment.<\/p>\n
In particular, this document specifies guidelines based on ISO\/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.<\/p>\n
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.<\/p>\n
The guidelines in this document can also be relevant to organizations acting as PII controllers. However, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. This document is not intended to cover such additional obligations.<\/p>\n
| PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n | ||||||
|---|---|---|---|---|---|---|---|
| 2<\/td>\n | undefined <\/td>\n<\/tr>\n | ||||||
| 4<\/td>\n | European foreword Endorsement notice <\/td>\n<\/tr>\n | ||||||
| 8<\/td>\n | Foreword <\/td>\n<\/tr>\n | ||||||
| 9<\/td>\n | Introduction <\/td>\n<\/tr>\n | ||||||
| 13<\/td>\n | 1 Scope 2 Normative references 3 Terms and definitions <\/td>\n<\/tr>\n | ||||||
| 15<\/td>\n | 4 Overview 4.1 Structure of this document <\/td>\n<\/tr>\n | ||||||
| 16<\/td>\n | 4.2 Control categories 5 Information security policies 5.1 Management direction for information security 5.1.1 Policies for information security <\/td>\n<\/tr>\n | ||||||
| 17<\/td>\n | 5.1.2 Review of the policies for information security 6 Organization of information security 6.1 Internal organization 6.1.1 Information security roles and responsibilities 6.1.2 Segregation of duties 6.1.3 Contact with authorities 6.1.4 Contact with special interest groups 6.1.5 Information security in project management 6.2 Mobile devices and teleworking 7 Human resource security 7.1 Prior to employment 7.2 During employment <\/td>\n<\/tr>\n | ||||||
| 18<\/td>\n | 7.2.1 Management responsibilities 7.2.2 Information security awareness, education and training 7.2.3 Disciplinary process 7.3 Termination and change of employment 8 Asset management 9 Access control 9.1 Business requirements of access control 9.2 User access management <\/td>\n<\/tr>\n | ||||||
| 19<\/td>\n | 9.2.1 User registration and de-registration 9.2.2 User access provisioning 9.2.3 Management of privileged access rights 9.2.4 Management of secret authentication information of users 9.2.5 Review of user access rights 9.2.6 Removal or adjustment of access rights 9.3 User responsibilities 9.3.1 Use of secret authentication information 9.4 System and application access control 9.4.1 Information access restriction <\/td>\n<\/tr>\n | ||||||
| 20<\/td>\n | 9.4.2 Secure log-on procedures 9.4.3 Password management system 9.4.4 Use of privileged utility programs 9.4.5 Access control to program source code 10 Cryptography 10.1 Cryptographic controls 10.1.1 Policy on the use of cryptographic controls 10.1.2 Key management 11 Physical and environmental security 11.1 Secure areas <\/td>\n<\/tr>\n | ||||||
| 21<\/td>\n | 11.2 Equipment 11.2.1 Equipment siting and protection 11.2.2 Supporting utilities 11.2.3 Cabling security 11.2.4 Equipment maintenance 11.2.5 Removal of assets 11.2.6 Security of equipment and assets off-premises 11.2.7 Secure disposal or re-use of equipment 11.2.8 Unattended user equipment 11.2.9 Clear desk and clear screen policy 12 Operations security 12.1 Operational procedures and responsibilities <\/td>\n<\/tr>\n | ||||||
| 22<\/td>\n | 12.1.1 Documented operating procedures 12.1.2 Change management 12.1.3 Capacity management 12.1.4 Separation of development, testing and operational environments 12.2 Protection from malware 12.3 Backup 12.3.1 Information backup <\/td>\n<\/tr>\n | ||||||
| 23<\/td>\n | 12.4 Logging and monitoring 12.4.1 Event logging 12.4.2 Protection of log information 12.4.3 Administrator and operator logs <\/td>\n<\/tr>\n | ||||||
| 24<\/td>\n | 12.4.4 Clock synchronization 12.5 Control of operational software 12.6 Technical vulnerability management 12.7 Information systems audit considerations 13 Communications security 13.1 Network security management 13.2 Information transfer 13.2.1 Information transfer policies and procedures 13.2.2 Agreements on information transfer 13.2.3 Electronic messaging 13.2.4 Confidentiality or non-disclosure agreements <\/td>\n<\/tr>\n | ||||||
| 25<\/td>\n | 14 System acquisition, development and maintenance 15 Supplier relationships 16 Information security incident management 16.1 Management of information security incidents and improvements 16.1.1 Responsibilities and procedures 16.1.2 Reporting information security events 16.1.3 Reporting information security weaknesses 16.1.4 Assessment of and decision on information security events <\/td>\n<\/tr>\n | ||||||
| 26<\/td>\n | 16.1.5 Response to information security incidents 16.1.6 Learning from information security incidents 16.1.7 Collection of evidence 17 Information security aspects of business continuity management 18 Compliance 18.1 Compliance with legal and contractual requirements 18.2 Information security reviews 18.2.1 Independent review of information security 18.2.2 Compliance with security policies and standards 18.2.3 Technical compliance review <\/td>\n<\/tr>\n | ||||||
| 27<\/td>\n | Annex A (normative) Public cloud PII processor extended control set for PII protection <\/td>\n<\/tr>\n | ||||||
| 35<\/td>\n | Bibliography <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" Information technology. Security techniques. Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors<\/b><\/p>\n |