It’s rare to scroll through a newsfeed nowadays without stumbling upon terms like “data breach notification”, “privacy”, and “Internet of Things”. Articles on these topics eventually bring up the concepts of security and data privacy, or more specifically, how third parties are securing (or not securing) your data. This highlights the fact that the concept of privacy is inherently tied to security, since a core principle of any privacy standard, directive, or framework is how personal data is secured. It is not surprising, then, that over the last few years cloud service providers like OneLogin have been increasingly fielding questions not just about security, but also about privacy. In fact, at times the line between a security control and a privacy control is impossible to draw.
Even though there are plenty of privacy principles out there, reference guides outlining prescriptive controls were very few, and the AICPA’s Generally Accepted Privacy Principles (GAPP) became the de facto guide since it was already tied to SOC 2 reporting. This guide does not make the distinction between data controllers and data processors, so a certain level of interpretation was needed to determine how to best address the criteria outlined therein. By and large, most cloud service providers are considered data processors: they process the information that customers tell them to. Their customers are the data controllers: they decide how and what information gets processed. The responsibilities of these two entity types are therefore distinctly different, and that is why ISO 27018:2014 is so useful to data processors right out of the box.
How you can use it
The cover of the standard says it all: Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. More succinctly put, it prescribes security controls for cloud service providers acting as data processors, like OneLogin. Data processors now have a good control reference guide, including implementation guidance, that speaks directly to them.
ISO 27018:2014 does build upon ISO 27002:2013 controls, so if you have not started going down the path of ISO 27001 certification, you will have some legwork to do to make sure that whatever security controls you have in place align with the expected ISO 27002 security controls. If your security program is already based on established security frameworks, this should not be too much of a challenge and there are a lot of mapping guides out there to help you out.
If you have already gone down the path of ISO 27001 certification, there currently seems to be a lack of entities that can audit your company to become ISO 27018:2014 certified, but that should not stop you from striving to become compliant with the standard. GAPP is still a good privacy control reference guide for cloud service providers, but the ISO standard provides a good second opinion on the subject. Going back to the concept of sometimes being unable to separate a security control from a privacy control, augmenting your privacy program can result in an augmented security program as well.
How we are using it
We augmented our current privacy controls by finding and addressing any gaps between GAPP and ISO 27018:2014. In most cases, the gaps were addressed by spelling out certain aspects of a control that might have been implied, just not clearly enough. In other cases, new controls were defined that ended up addressing areas customers have inquired about in the past, so the entire exercise definitely felt like a value add for OneLogin. After all, any time we can improve the transparency of how we secure the data we process on behalf of our customers, all parties benefit.