ISO 27018 & Trust
Tolga Erbay - Risk & Compliance at Dropbox
Patrick Heim - Trust & Security at Dropbox
Today’s take-aways
• A high-level overview of ISO 27018 requirements
• A summary of common engineering, legal and process-based challenges
• Helpful tips to scope and scale your privacy-related processes to meet the requirements of the standard
• An overview of what assurances to look for when acquiring cloud services
What is ISO 27018?
• The first truly international standard for cloud privacy and data protection
• Requirements for the collection, use, disclosure and retention of personal information
• Fits into an Information Security Management System (ISMS) framework
• Auditable; certification is available
ISO 27018 Requirements
• Consent & Purpose Limitation
• Control
• Transparency
• Cooperation & Notification
• Verification
Challenges across the organization
Engineering, Legal & Privacy, Security
Everybody needs to be on board
• What does Trust mean?
• Expectations of each requirement
• Relationships
Consent & Purpose Limitation
Challenge
• Explicit consent can be difficult to maintain
• Marketing opt-in might be required…and what’s the alternative?
Lessons Learned
• TOS and Privacy Policy
• Notify users of changes
• Freemium or tiered? Marketing-enabled and non-marketing modes
Transparency
Challenge
• Location of data centers
• Names of sub-processors
• Mechanism of deletion/return of data
Lessons Learned
• NDA or Confidentiality
• Country or geography, not address
• Deep understanding, methods and timing
Cooperation & Notification
Challenge
• User notification of 3rd-party disclosures
• Regulatory considerations
Lessons Learned
• Policies, principles and process
• Transparency reports and best practices
• Can’t interpret law for customer
Cloud Services: What assurances to look for in privacy and data protection?
Compliance
• ISO 27001 & 27018 Certification
• SOC 2 Type II Report
• Data Protection regulatory mechanisms / Safe Harbor Certified
• Cloud Security Alliance: Security, Trust & Assurance Registry (STAR)
Security
• API & Standards Support
• Vulnerability Management & Bug Bounties
• Scanning & Penetration Testing
• Detection & Response
• Control & Visibility
• Information Security Program
• Policies & Enforcement
• Risk Assessment
Privacy
• Privacy Policy
• Data Usage & Retention
• Transparency
• Principles
• Validation