Improving Security Through a CCF While Achieving Market Access

Author: James Huang, CISA, ISA, PCIP
Publication date: 19 September 2023

Software-as-a-Service (SaaS) providers continue to face increasing customer demand to attain security compliance certifications that demonstrate commitment to security, privacy, confidentiality and more. A major challenge when trying to achieve these certifications is understanding what each framework requires while managing time and cost. Another obstacle faced by multinational organizations specifically is contending with the ever-growing labyrinth of geocompliance certifications. As each country or region introduces its own information security requirements and practices (e.g., the Information Security Registered Assessors Program [IRAP] in Australia, the EU Cloud Code of Conduct, Germany's BSI Cloud Computing Compliance Controls Catalogue [C5], the Information System Security Management and Assessment Program [ISMAP] in Japan, and Spain's National Security Scheme [Esquema Nacional de Seguridad, ENS]), there is a growing expectation for enterprises to conform to several information security standards before gaining, or continuing to have, access to these particular markets. In many cases, these compliance certifications are no longer nice-to-haves but necessities for doing business. Each standard shares commonalities with a System and Organization Controls (SOC) 2 report and/or the International Organization for Standardization (ISO) standard ISO 27001, but each also has its own built-in country-specific characteristics that set it apart.

Pursuing every national and international certification individually results in a repetitive cycle of ongoing walkthroughs, interviews, testing and evidence requests (i.e., audits). As teams go through these assessments, a lack of clear responsibility and ownership over certain domains and controls often occurs, resulting in an unnecessary waste of time and effort for engineering resources and eventually leading to compliance fatigue. To address this, cloud service providers (CSPs) should consider creating a common cloud controls framework (CCF): a central information security compliance and certification methodology that can include certifications such as SOC 2, ISO 27001, C5, ENS, ISMAP, IRAP and more. A common CCF, such as the Cisco Cloud Controls Framework,1 helps engineering teams accelerate most certification efforts to efficiently gain market access while improving their security posture as a whole.

A central CCF can be considered a one-stop-shop response to the complex alphabet soup of compliance standards on the market today. Having a central CCF can help various product engineering teams meet their security compliance needs and understand the level of effort required for each compliance certification. When CSPs with many different types of SaaS offerings work in silos and evaluate every security framework at face value, the result is often confusion and burnout among engineering teams. A common CCF provides a clear, central framework that teams can consult going forward. Combined with a clear description of control ownership, this helps engineering teams understand their responsibilities and their roles in compliance and security for each certification. In addition to helping teams decipher various compliance requirements, a CCF can clearly illustrate the control overlap between different certifications, which results in less redundancy across control sets.

A central CCF can also be made flexible, with the ability to adhere to and address newer versions of certification requirements as they appear and evolve in the market. This can be done by giving the CCF a version history that captures all changes to new and existing certifications, resulting in less maintenance for the various teams that would otherwise have to work out the differences in each framework as new releases appear. Instead, teams can simply reference the CCF to understand all framework changes and adjustments.

Another beneficial aspect of having a CCF is the standardization of central security tooling. If a CSP can correctly optimize and implement central security tooling across different engineering teams, it can reduce each engineering team's operational maintenance overhead. For example, instead of each team purchasing or building its own vulnerability assessment tool and running its own vulnerability assessments, why not consolidate all efforts into one central tool that all teams can leverage from a central repository? By consolidating and maintaining a central set of security tools, CSPs can streamline their response to security incidents and respond faster, thereby improving the organization's compliance and security posture.

Having a cross-compliance controls framework is an important tool for any enterprise trying to make sense of the geocompliance puzzle. A CCF is not a set-it-and-forget-it solution; rather, it is a proactive, continually evolving and adaptive solution that helps CSPs attain security certifications. If designed correctly, a central CCF lets organizations streamline market access and improve security.

Endnotes

1 Cisco, "Cisco Cloud Controls Framework (CCF) V2 Officially Released," USA, 2022

James Huang

Is a senior manager on Cisco's global cloud compliance team. He leads the commercial and federal execution of Cisco's cloud offering certifications. Huang has experience in privacy, global cloud security, trust and compliance, and risk management for mitigating industry security challenges while enabling market access across various global markets. Prior to his time at Cisco, he was a senior risk consultant with Ernst & Young.