How to create a sound security certification scheme - a European experience

Security and privacy certifications and attestations have been identified as one of the most effective and efficient means to increase the level of trust in cloud services and stimulate their adoption. Based on this assumption, a number of efforts have begun in Europe at the policy level, mainly led by the European Commission (EC) in collaboration with ENISA and the ETSI Cloud Standards Coordination (CSC) effort. These efforts have aroused much interest in European solutions for cloud standards and software industry development beyond the European Union.

Cloud Computing Security Considerations - Australia

The Australian Department of Defence issued the Cloud Computing Security Considerations, which explains several cloud-related terms such as delivery models, deployment models, service types and benefits. The document targets users with the aim of increasing their understanding of the fundamentals of the cloud computing paradigm and helping them identify security threats that might have a malicious impact on their applications and data deployed in the cloud. Instead of being presented as a list of security issues that need to be taken into account, the considerations are expressed as a series of questions that the potential user needs to answer; working through them helps the user understand the risks that he or she might be taking when migrating to the cloud.

Federal Risk and Authorization Management Program (FedRAMP) - USA

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. FedRAMP uses a “do once, use many times” framework that is intended to save the costs, time, and staff required to conduct redundant agency security assessments and to process monitoring reports.

EuroCloud – STAR Audit

The EuroCloud STAR Audit provides transparency about the cloud service delivery chain and the subcontractors involved; legal compliance according to the individual regulations of each EU country; data security and data privacy; data centre (DC) resilience; business operations; and reversibility and interoperability.

EuroPrise - The European Privacy Seal

EuroPrise is a European certification scheme that certifies compliance of IT products and services with a catalogue of criteria based on the European Data Protection directives (95/46/EC and 2002/58/EC) and the opinions of the Article 29 Working Party. The EuroPrise trustmark is awarded after (1) an evaluation by an independent accredited auditor and (2) the validation of the resulting evaluation report by the EuroPrise certification body.

SSAE16 – SOC 1-2-3 - Service Organization Control (SOC)

For over 20 years, Certified Public Accountants (CPAs) have performed specialized audits of information technology (IT) internal controls at service organizations. During this time, a report by a CPA firm has become the standard for reporting on internal controls at a service organization, as required by the U.S. Government, the Securities and Exchange Commission (SEC), the financial services industry, and the standard contract terms of countless service organization users. One of the main reasons for this wide adoption is that the professional standards underpinning these CPA reports give customers a basis for relying on the reports’ conclusions. The objective of these Service Organization Control (SOC) reports is to provide the customers of service organizations, and the auditors of those customers, with assurance over the effective operation of IT controls designed to address IT risk to information processing. To provide a framework for CPAs to examine controls and to help management understand the related risks, the American Institute of Certified Public Accountants (AICPA) established three SOC reporting options (SOC 1, SOC 2 and SOC 3 reports).

ISO/IEC 27001:2013 - Information security certification scheme

ISO/IEC 27001 is the international standard for information security management. It outlines how to put in place an independently assessed and certified information security management system (ISMS). This allows an organization to secure all of its financial and confidential data more effectively, thereby minimizing the likelihood of that data being accessed illegally or without permission.