Sunday, 7 August 2022

Impact of service level agreements on a manufacturing organization & ISO 27001

1. Managing a service level agreement (SLA) is a continuous process and should be constantly monitored, updated, and improved to meet the business needs of the manufacturing organization.

2. A service level agreement (SLA) with a cloud service provider (CSP) is a live document that must be well-understood and negotiated between the cloud service customer (CSC) and the CSP so the manufacturing organization (CSC) can manage and satisfy all security and regulatory compliance requirements in the cloud. When the manufacturing organization signs the SLA as a legally binding agreement with the CSP, it should not stop here because things are not done. They are actually never done.

3. Managing an SLA is a continuous process and should be constantly monitored, updated, and improved to meet the business needs of the manufacturing organization. This is a critically important process because it provides many opportunities for continuous improvements in satisfying statutory, regulatory, and contractual obligations for the manufacturing organization.

4. When we talk about sensitive business data and software applications in the cloud in terms of SLA, please keep in mind the manufacturing organization possesses the legal ownership and has full control of data assets stored in the cloud regardless of the physical location in which they are hosted. Furthermore, the CSP typically is not provided with access to the data at all. Most CSPs actually claim they don’t even know what data the manufacturing organization has stored in the cloud.

5. On the other hand, the CSP is legally responsible to protect any hosted data assets that are owned by their customers (i.e. manufacturing organizations) based on SLA, so the CSP cannot delete, modify, copy, or even sell customer data without the customer’s knowledge.

6. How the CSP handles sensitive data and software applications can vary. This is something the manufacturing organization needs to investigate to help ensure provided functions meet particular business interests in terms of security and regulatory compliance.

7. For example, one of the things that the manufacturing organization must determine is whether data is encrypted when it is being transmitted to and from the cloud (data in transit), whatever data is encrypted when it is used by software applications (data in use), but also whether data is encrypted when it is stored in the cloud (data at rest).

8. Regulatory requirements can influence configurations for, and the selection of, an appropriate cloud computing environment. Depending on the industry sectors, one of the regulatory requirements for manufacturing organizations can be that manufacturer’s data must be within national boundaries.


PHYSICAL LOCATION OF STORED DATA
1. However, the CSP might not be able to determine exactly where the data are physically stored particularly when redundant cloud infrastructures are implemented. The physical locations of the servers that are used to store and process manufacturer’s data can become a critical contractual issue. In other words, one of the biggest questions that seems to arise when it comes to cloud computing is where exactly manufacturer’s data is physically located. It might be stored on a data center server in a different country.

2. That could be a sticky issue because depending on the industry and what organization is storing in the cloud, the manufacturing organization might have many security or legal reasons for ensuring the data is stored in a data center within national borders, and being operated by citizens of a particular country, domestically.

3. So it really depends on what the manufacturing organization is doing in the cloud and what type of business the manufacturing organization is in. At very least, requirements for the physical location of the stored data must be clearly defined under the SLA between the CSP and the manufacturing organization. For successful adoption of cloud computing services, a manufacturing organization needs assurance the CSP is trustworthy and is taking all possible precautions to reduce vulnerabilities and protect critical assets. This assurance often comes in the form of industry-recognized security certifications (for example, ISO 27001) obtained by the CSP, confirming they comply with certain standards and regulations, and providing the manufacturing organization access to audit reports.

4. An effective and trusted cloud environment is implemented through a combination of effective risk management and compliance with regulatory requirements (including legal responsibilities and standards). Both parties-CSP and CSC-are required to satisfy legal requirements and standards, but this must be considered from two different views.

5. From the CSP perspective, they have to satisfy the laws and regulations governing their own business, as well as the legal obligations defined by the SLA. For example, the CSP cannot make multiple copies of data outside of its own national borders if this is not legally permitted, and it cannot sell data to someone else to make a profit.

6. On the other hand, the CSC must satisfy regulatory requirements with the organizations and regulatory bodies they do business with.

7. In terms of standards, this is primarily related to CSPs, since they want to attract manufacturing organizations to do business with. For example, one of the basic standards that every CSP should follow is ISO 27001.

8. However, the manufacturing organization does not need to be ISO 27001 certified because there are so many elements in ISO 27001 and other standards, recommendations and best practices that manufacturing organizations can use to secure its data and software applications while satisfying regulatory compliance requirements.


ISO 27001
1. ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

2. According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

3. ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.

4. The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

5. The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

6. ISO 27002 contains 12 main sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

7. Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

8. Other standards being developed in the 27000 family are:
27003 – implementation guidance.
27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
27005 – an information security risk management standard. (Published in 2008)
27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
27007 – ISMS auditing guideline.

Source:
https://www.controleng.com/articles/impact-of-service-level-agreements-on-a-manufacturing-organization/

https://www.techtarget.com/whatis/definition/ISO-27001