Blog Post

Evaluating the security of cloud providers? Here are a few acronyms worth knowing

Mark Goldin

Chief Technology Officer, Cornerstone

Security is clearly a primary concern for any business that wants to migrate its data and processes to the cloud, especially when it comes to talent management and the protection of employees' sensitive personal data. Less clear is what to look at when evaluating vendors and assessing their security policies. Things get more complicated when you run into the multitude of acronyms used to denote security standards and certifications.

Below is a quick overview of the certifications that cloud service providers should hold (or be working toward), what they mean, and how much they matter.

ISO/IEC 27001:2013

Published by ISO, an independent international organization, ISO/IEC 27001:2013 is a standard that "specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within an organization".

In short, it defines a set of rules and controls aimed at defining how a company manages information security. ISO/IEC 27001:2013, which began as a standard for European companies, is now adopted globally. Many companies today require cloud providers to be ISO certified, and to renew the certification for the entire duration of the contract.

Remember that "ISO certified" and "ISO compliant" are two different things. Certification means that a company meets either all of the ISO/IEC 27001:2013 requirements or a particular subset of controls, and that the status of those controls has been verified by an independent auditor. Certification is an ongoing process: auditors check the requirements annually and look for improvements. Don't forget to ask cloud service providers for a Statement of Applicability (SoA), a document that lists which controls were in place when the provider was audited.

"ISO compliant", on the other hand, means that a provider claims to follow the requirements of the ISO standard without ever having been officially certified. This is an acceptable practice, but companies should still take the time to study the provider's security measures, particularly if it will be handling sensitive data.

ISO/IEC 27018:2014

Many cloud providers are working to add the ISO/IEC 27018:2014 code of practice to their ISO/IEC 27001:2013 certification. A more recent standard, ISO/IEC 27018:2014 "establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles of ISO/IEC 29100 for the public cloud computing environment".

Like ISO/IEC 27001:2013, ISO/IEC 27018:2014 will likely become a specifically named requirement in many contracts with cloud service providers.

SSAE 16 SOC 1 and SOC 2

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16), also known as SOC 1 (Service Organization Control), was finalized in 2010 by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). SSAE 16 describes the controls defined for service providers and aims to help companies better understand the processes and procedures in place, which helps build trust in cloud providers' service delivery processes.

SOC 2, based on AICPA's Trust Services Principles and Criteria, details, among other things, very specific security and privacy controls and is a further compliance standard that more and more companies are writing into their service contracts with cloud providers.

To demonstrate compliance with SSAE 16 and the AICPA Trust Services Principles and Criteria, companies must present SOC 1 and/or SOC 2 reports. The cloud provider should specifically present a "SOC 1, Type II" and/or "SOC 2, Type II" report, which confirms that the controls have been tested. (Type I is simply a description of how a company operates its controls.) Pay particular attention to who audited the report: at large firms, this kind of audit is generally more thorough. Read the report carefully to look for any failed controls or exceptions that the auditor did not call out.

ISAE 3402 Type II

This is the European version of SSAE 16 SOC 1, Type II. Cloud providers are not normally required to hold this certification, but having it is a plus.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) "is a U.S. government program based on National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 that describes a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services".

The FedRAMP certification process is complex, and it can take years before a provider receives an Authority to Operate (ATO). So if a cloud service provider is FedRAMP certified, it means that its security processes and controls meet very stringent requirements.

A list of FedRAMP certified providers is available on the program's website.

CSA CCM

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) is an emerging standard "specifically designed to provide fundamental security principles for cloud providers and to assist prospective customers in assessing the overall security risk of a cloud provider". The matrix (it can be downloaded here) is a control framework developed by CSA. Its controls are mapped to other recognized security standards, such as those described above.

Cloud service providers are not required to use this framework. But if they do, or are working to adopt it, it suggests a strong commitment to security. You can ask the provider whether it has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ), or check the CSA STAR Registry to see whether one has been submitted.

PCI

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements drawn up to ensure that companies that process, store or transmit credit card information maintain a secure environment. To be certified, cloud providers that handle this kind of data must implement and maintain the standard. More information on the standard is available at https://www.pcisecuritystandards.org.

The security requirements a cloud provider must meet to protect customer data depend on the kind of information it will be entrusted with. The more sensitive the data, the more important adherence to industry standards becomes. In any case, every cloud service provider must be able to demonstrate to its customers what it does to ensure security.

© Cornerstone 2022