Cloud Computing

Cloud Computing Standards start from the top, with an overview and vocabulary serving as a foundation upon which reference architecture, software asset management, and security techniques can be built upon. With the variety of technologies in play, and the evolving nature of cloud computing, a solid standardized foundation offers much-needed reliability.

ISO/IEC 27018:2019

Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services. This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations. The guidelines in this document can also be relevant to organizations acting as PII controllers. However, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. This document is not intended to cover such additional obligations.

ISO/IEC 19944-1:2020

Cloud computing and distributed platforms ? Data flow, data categories and data use - Part 1: Fundamentals

This document extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services, describes the various types of data flowing within the devices and cloud computing ecosystem, describes the impact of connected devices on the data that flow within the cloud computing ecosystem, describes flows of data between cloud services, cloud service customers and cloud service users, provides foundational concepts, including a data taxonomy, and identifies the categories of data that flow across the cloud service customer devices and cloud services. This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organisation involved in legal, policy, technical or other implications of data flows between devices and cloud services.

IEC 62481-1-3 Ed. 1.0 en:2017

Digital living network alliance (DLNA) home networked device interoperability guidelines - Part 1-3: Architectures and protocols - Cloud access

IEC 624811-3:2017(E) specifies guidelines for accessing content in the cloud, that is, outside of the home by devices in the home. These Guidelines focus on the discovery, association, and control of Apps capable of augmenting DLNA devices with the ability to consume content from sources outside the home. The basic support is realized with the UPnP ApplicationManagement Service.

ISO/IEC 19086-1:2016

Information technology - Cloud computing - Service level agreement (SLA) framework - Part 1: Overview and concepts

ISO/IEC 19086-1:2016 seeks to establish a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs). This document specifies a) an overview of cloud SLAs, b) identification of the relationship between the cloud service agreement and the cloud SLA, c) concepts that can be used to build cloud SLAs, and d) terms commonly used in cloud SLAs. ISO/IEC 19086-1:2016 is for the benefit and use of both cloud service providers and cloud service customers. The aim is to avoid confusion and facilitate a common understanding between cloud service providers and cloud service customers. Cloud service agreements and their associated cloud SLAs vary between cloud service providers, and in some cases different cloud service customers can negotiate different contract terms with the same cloud service provider for the same cloud service. This document aims to assist cloud service customers when they compare cloud services from different cloud service providers. ISO/IEC 19086-1:2016 does not provide a standard structure that can be used for a cloud SLA or a standard set of cloud service level objectives (SLOs) and cloud service qualitative objectives (SQOs) that will apply to all cloud services or all cloud service providers. This approach provides flexibility for cloud service providers in tailoring their cloud SLAs to the particular characteristics of the offered cloud services. ISO/IEC 19086-1:2016 does not supersede any legal requirement.

ISO/IEC 19086-3:2017

Information technology - Cloud computing - Service level agreement (SLA) framework - Part 3: Core conformance requirements

ISO/IEC 19086-3:2017 specifies the core conformance requirements for service level agreements (SLAs) for cloud services based on ISO/IEC 19086 1 and guidance on the core conformance requirements. This document is for the benefit of and use by both cloud service providers and cloud service customers. ISO/IEC 19086-3:2017 does not provide a standard structure that would be used for cloud SLAs.

ISO/IEC 19831:2015

Cloud Infrastructure Management Interface (CIMI) Model and RESTful HTTP-based Protocol - An Interface for Managing Cloud Infrastructure

ISO/IEC 19831:2015 describes the model and protocol for management interactions between a cloud Infrastructure as a Service (IaaS) Provider and the Consumers of an IaaS service. The basic resources of IaaS (machines, storage, and networks) are modeled with the goal of providing Consumer management access to an implementation of IaaS and facilitating portability between cloud implementations that support the specification. This document specifies a Representational State Transfer (REST)-style protocol using HTTP. However, the underlying model is not specific to HTTP, and it is possible to map it to other protocols as well. CIMI addresses the management of the lifecycle of infrastructure provided by a Provider. CIMI does not extend beyond infrastructure management to the control of the applications and services that the Consumer chooses to run on the infrastructure provided as a service by the Provider. Although CIMI may be to some extent applicable to other cloud service models, such as Platform as a Service ( PaaS ) or Storage as a Service ( SaaS ), these uses are outside the design goals of CIMI.

ISO/IEC 27017:2015

Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing: - additional implementation guidance for relevant controls specified in ISO/IEC 27002; - additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

ISO/IEC TR 20000-9:2015

Information technology - Service management - Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services

ISO/IEC TR 20000-9:2015 provides guidance on the use of ISO/IEC 20000 1:2011 for service providers delivering cloud services. It is applicable to different categories of cloud service, such as those defined in ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following: a) infrastructure as a service (IaaS); b) platform as a service (PaaS); c) software as a service (SaaS). It is also applicable to public, private, community, and hybrid cloud deployment models. The applicability of ISO/IEC 20000 1 is independent of the type of technology or service model used to deliver the services. All requirements in ISO/IEC 20000 1 can be applicable to cloud service providers. The structure of ISO/IEC TR 20000-9:2015 does not follow the structure of ISO/IEC 20000 1. The guidance is presented as a set of scenarios that can address many of the typical activities of a cloud service provider. The guidance in ISO/IEC TR 20000-9:2015 can also be useful for customers of cloud service providers. This part of ISO/IEC TR 20000-9:2015 can be used as guidance for a cloud service provider in designing, managing, or improving an SMS to support cloud services. ISO/IEC TR 20000-9:2015 does not add any requirements to those stated in ISO/IEC 20000 1 and does not state explicitly how evidence can be provided to an assessor or auditor. The scope of ISO/IEC TR 20000-9:2015 excludes any specifications for products or tools.

ISO/IEC 17788:2014

Information technology - Cloud computing - Overview and vocabulary

ISO/IEC 17788:2014 provides an overview of cloud computing along with a set of terms and definitions. It is a terminology foundation for cloud computing standards. ISO/IEC 17788:2014 is applicable to all types of organizations (e.g., commercial enterprises, government agencies, not-for-profit organizations).

ISO/IEC 17789:2014

Information technology - Cloud computing - Reference architecture

ISO/IEC 17789:2014 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles , cloud computing activities , and the cloud computing functional components and their relationships.

ISO/IEC 27036-1:2021

Cybersecurity - Supplier relationships - Part 1: Overview and concepts

This document is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. This document addresses perspectives of both acquirers and suppliers.

ISO/IEC 27036-2:2014

Information technology - Security techniques - Information security for supplier relationships - Part 2: Requirements

ISO/IEC 27036-2:2014 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, Build-Operate-Transfer and cloud computing services. These requirements are intended to be applicable to all organizations, regardless of type, size and nature. To meet these requirements, an organization should have already internally implemented a number of foundational processes, or be actively planning to do so. These processes include, but are not limited to, the following: governance, business management, risk management, operational and human resources management, and information security.

ISO/IEC 27036-3:2013

Information technology - Security techniques - Information security for supplier relationships - Part 3: Guidelines for information and communication technology supply chain security

ISO/IEC 27036-3:2013 provides product and service acquirers and suppliers in the information and communication technology (ICT) supply chain with guidance on: gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered ICT supply chains; responding to risks stemming from the global ICT supply chain to ICT products and services that can have an information security impact on the organizations using these products and services. These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious code or presence of the counterfeit information technology (IT) products); integrating information security processes and practices into the system and software lifecycle processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting information security controls, described in ISO/IEC 27002. ISO/IEC 27036-3:2013 does not include business continuity management/resiliency issues involved with the ICT supply chain. ISO/IEC 27031 addresses business continuity.

ISO/IEC 27036-4:2016

Information technology - Security techniques - Information security for supplier relationships - Part 4: Guidelines for security of cloud services

ISO/IEC 27036-4:2016 provides cloud service customers and cloud service providers with guidance on a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services. ISO/IEC 27036-4:2016 does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity. ISO/IEC 27036-4:2016 does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017. The scope of ISO/IEC 27036-4:2016 is to define guidelines supporting the implementation of information security management for the use of cloud services.

ISO/IEC 19770-1:2017

Information technology - IT asset management - Part 1: IT asset management systems - Requirements

ISO/IEC 19770-1:2017 specifies requirements for an IT asset management system within the context of the organization. ISO/IEC 19770-1:2017 can be applied to all types of IT assets and by all types and sizes of organizations. NOTE 1 This document is intended to be used for managing IT assets in particular, but it can also be applied to other asset types. It can be suitable, in whole or in part, for managing embedded software and firmware, however its use for these purposes has not been determined. It is not intended for managing information assets per se, i.e. it is not intended for managing information as an asset independent of hardware and software assets. Certain types of data and information are covered, such as data and information about IT assets in scope, and depending on how the scope is defined, it can cover digital information content assets. See the Introduction for an explanation about IT assets. NOTE 2 This document does not specify financial, accounting, or technical requirements for managing specific IT asset types. NOTE 3 For the purposes of this document, the term IT asset management system is used to refer to a management system for IT asset management. ISO/IEC 19770-1:2017 is a discipline-specific extension of ISO 55001:2014, with changes, and is not a sector-specific application of that International Standard. ISO 55001:2014 is intended to be used for managing physical assets in particular, but it can also be applied to other asset types. This document specifies requirements for the management of IT assets which are additional to those specified in ISO 55001:2014. Conformance to this document does not imply conformance to ISO 55001:2014. ISO/IEC 19770-1:2017 can be used by internal and external parties to assess the organization's ability to meet the organization's own IT asset management requirements.

ISO/IEC 19770-2:2015

Information technology - Software asset management - Part 2: Software identification tag

ISO/IEC 19770-2:2015 establishes specifications for tagging software to optimize its identification and management. This part of ISO/IEC 19770 applies to the following. a) Tag producers: these organizations and/or tools create software identification (SWID) tags for use by others in the market. A tag producer may be part of the software creator organization, the software licensor organization, or be a third-party organization. These organizations and/or tools can broadly be broken down into the following categories. Platform providers: entities responsible for the computer or hardware device and/or associated operating system, virtual environment, or application platform, on which software may be installed or run. Platform providers which support this part of ISO/IEC 19770 may additionally provide tag management capabilities at the level of the platform or operating system. Software providers: entities that create, license, or distribute software. For example, software creators, independent software developers, consultants, and repackagers of previously manufactured software. Software creators may also be in-house software developers. Tag tool providers: entities that provide tools to create software identification tags. For example, tools within development environments that generate software identification tags, or installation tools that may create tags on behalf of the installation process, and/or desktop management tools that may create tags for installed software that did not originally have a software identification tag. b) Tag consumers: these tools and/or organizations utilize information from SWID tags and are typically broken down into the following two major categories: software consumers: entities that purchase, install, and/or otherwise consume software; IT discovery and processing tool providers: entities that provide tools to collect, store, and process software identification tags. These tools may be targeted at a variety of different market segments, including software security, compliance, and logistics. ISO/IEC 19770-2:2015 does not prescribe Information Technology Asset Management (ITAM) or other IT-related processes required for reconciliation of software entitlements with software identification tags or other IT requirements. ISO/IEC 19770-2:2015 is not intended to conflict either with any organization's policies, procedures or standards or with any national or international laws and regulations.

ISO/IEC 19770-5:2015

Information technology - IT asset management - Overview and vocabulary

ISO/IEC 19770-5:2015 provides a) an overview of the ISO/IEC 19770 family of standards, b) an introduction to IT asset management (ITAM) and software asset management (SAM), c) a brief description of the foundation principles and approaches on which SAM is based, and d) consistent terms and definitions for use throughout the ISO/IEC 19770 family of standards. ISO/IEC 19770-5:2015 is applicable to all types of organization (e.g. commercial enterprises, government agencies, and non-profit organizations).

INCITS/ISO/IEC 27002:2013 (R2019)

Information technology - Security techniques - Code of practice for information security controls

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).

ARMA TR 20-2012

Mobile Communications and Records and Information Management

This technical report provides RIM-related adviceáfor the use ofámobile communications technologies, such asásmartphones and tablets, in the organizational setting. It focuses at the implementation level, including such topics as policy design, collaborating with information technology professionals, security, and training.

ADA TR 1019-2003

Technical Security Services

The scope of this paper is to focus on those requirements for meeting the challenge of maintaining privacy and security of Individually Identifiable Health Information using Technical Security Services. These processes are put in place to protect information and to control and monitor individual access to information.Securing health care information in a reasonable and scaleable manner can be achieved by applying policies and procedures designed to cover four major areas of information management. These areas are Administrative Procedures, Physical Safeguards, Technical Security Services and Technical Security Mechanisms.


Next Generation Interconnection Interoperability (NGIIF) Reference Document: Part III, Installation, Testing and Maintenance Responsibilities for SS7 Links and Trunks Attachment E SS7 Network Gateway Screening

This document details SS7 essential messages, tests and concerns related to the provision of Gateway Screening capabilities between two interconnecting networks. SS7 messages are only allowed to pass between network elements that have been identified by both networks as a supporting element of a jointly provided service or application. Network Gateway Screening tables are configured based on the requirements and security concerns of the screening network. At the time of network interconnection, both networks share screening information to ensure no network incompatibility has been introduced by the interaction of the screening functions. After interconnection is established, screening changes that affect the terms and conditions of the interconnection agreement require prior notification to the affected interconnected network provider. Where applicable, this document may address NGN aspects.

ETSI EG 201 189-v1.4.1-2000-09

Integrated Services Digital Network (ISDN) - Digital Subscriber Signalling System No. one (DSS1) protocol; - Master list of codepoints and operation values (FOREIGN STANDARD)

Updates existing document with: Security Tools, Remote Control, Line Hunting, Trunk Hunting supplementary service coding information.

ETSI EG 201 781-v1.1.1-2000-07

Intelligent Networks (IN) - Lawful interception (FOREIGN STANDARD)

The scope of this ETSI Guide is to cover the standardisation of functions to allow lawful interception of services running in on IN platform. These functions probably need to be defined in the SSP anc SCP, including the information flox between these entities. Alternatives will, however, be investigated. As specific parts of the information flow are confidential, security aspects need to be addressed. Reference documents: ETR 330, ETR 331, ES 201 158.

Information Security Package 17799

Information Security Package 17799

This package includes the standard INCITS/ISO/IEC 17799-2005 - Information technology - Security techniques - Code of practice for information security management publications standard and the guidance document Contracting for Information Security in Commercial Transactions: An Introductory Guide (the latter published by the Internet Security Alliance).

Information Security Package 27001

Information Security Package 27001

This package includes the standard INCITS/ISO/IEC 27001-2005 - Information technology - Security techniques - Information security management systems - Requirements and Contracting for Informaton Security in Commercial Transactions Volume II: Model Contract Terms for ISO/IEC 27001 Information Security Management Services.

Financial Impact of Cyber Security

The Financial Impact of Cyber Security - Questions Every CFO Should Ask For A Successful Multi-Disciplined Risk Management Approach

The Financial Impact of Cyber Risk , an action guide for C-Suite executives, is the first known document that provides guidance to help CFOs and executives responsible for legal issues, business operations and technology, privacy and compliance, risk assessment and insurance, and corporate communications mitigate the impact of cyber attacks. Recommended standards: ISO/IEC 27001 and 27002 IT Security Techniques Package , ISO/IEC 27005:2008 , NIST 800-53 , NIST 800-30 , NIST 800-55 Rev 1 , NIST SP 800-100