There are countless benefits for legal professionals to be able to work and collaborate remotely in the cloud, but it’s important to also be aware of the associated security challenges and vulnerabilities that come with cloud technology. A security breach or failure to meet specific compliance guidelines could potentially put you and your team at risk of significant legal and financial trouble, not to mention potential downtime and losing the trust of your clients.
The good news is that many reputable cloud service providers give their users the ability to rely on, or "inherit," the built-in security and compliance controls that already exist within the provider's application infrastructure. To help you and your legal team make the right decision about cloud service providers, we have identified 16 standards, certifications, audit reports, regulations, and attestations, as well as US and international laws, to look for as indicators that your work with an individual cloud service provider is secure and compliant. The more of these "check items" your provider meets, the better positioned they are to have security and compliance controls in place that benefit and protect their cloud customers, including your legal team.
16 Compliance and Security Controls to Look for in a Cloud Service Provider
This list of compliance and security checks includes the globally recognized International Organization for Standardization (ISO) 27000 family of standards and controls, as well as US-based and international standards that are not only required within their state or country of origin but have since become more widely recognized as important security benchmarks.
- ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within the context of the organization.
- ISO 27017 provides guidance on the information security aspects of cloud computing and cloud services as well as additional implementation guidance for relevant controls specified in ISO/IEC 27002.
- ISO 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII) in public cloud computing environments, in accordance with the privacy principles in ISO/IEC 29100.
- ISO 27701 is a privacy extension to ISO/IEC 27001 designed to enhance the existing ISMS with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). In addition, the controls in ISO 27701 address many of the requirements in the EU’s General Data Protection Regulation (GDPR), so being certified in the ISO 27701 controls can also be used to independently validate compliance with GDPR.
- Service Organization Controls (SOC) reports help companies establish trust and confidence in their service delivery processes and controls. This is achieved through detailed information and assurance about a cloud service provider’s ability to adhere to some or all of the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
- The Federal Information Processing Standard (FIPS) 140-3 specifies the security requirements that must be satisfied by cryptographic modules and is a critical standard when dealing with highly regulated industries. It’s important to note the differences between FIPS 140-2, which meets the tamper-resistant standard, and FIPS 140-3, which meets the higher tamper-proof standard. In addition, FIPS 140-2 only addresses security requirements after completion, whereas FIPS 140-3 evaluates security requirements at all stages of a cryptographic module’s creation: design, implementation, and final operational deployment.
- The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide certification program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services supplied to government agencies, vendors, and customers.
- Export Administration Regulations (EAR) are export control regulations administered by departments of the US government, principally the US Department of Commerce, which uses EAR to regulate the export of “dual-use” items (including technical data and technical assistance) that are designed for commercial purposes but could have military applications, such as computers, aircraft, and pathogens.
- Defense Federal Acquisition Regulation Supplement (DFARS) requirements and regulations are meant to guarantee the integrity of Controlled Unclassified Information (CUI), or sensitive information belonging to the US government that third parties such as suppliers, partners, and trade associations may hold or use.
- The Federal Information Security Management Act (FISMA) is US legislation that defines a framework for guidelines and security standards to protect government information and operations.
- The Health Insurance Portability and Accountability Act (HIPAA) defines nationally standardized privacy protections for patients’ medical records and other health information provided to and managed primarily by health plans, doctors, hospitals, and other healthcare providers in the US. However, it can also apply to employers that offer group health plans and any business or individual that provides services to physicians, healthcare providers, and insurance companies.
- SEC Rule 17a-4 applies to US broker-dealers and other relevant parties who trade securities or function as brokers for traders, including banks, securities firms, and stock brokerage firms, requiring them to store all business records for a period of no less than six years on non-rewriteable and non-erasable media, with the first two years being in an easily accessible place.
- The EU Model Clauses are standardized contractual clauses used in agreements between service providers and their customers to ensure that any personal data leaving the European Economic Area will be transferred in compliance with EU data protection laws and meet GDPR requirements.
- The Australian Cyber Security Centre’s (ACSC) cloud security guidance informs Commonwealth entities, cloud service providers (CSPs), and Infosec Registered Assessors Program (IRAP) assessors on how to perform a comprehensive security assessment of CSPs and their services.
- The General Data Protection Regulation (GDPR) regulates how companies protect EU citizens’ personal data and has become the benchmark privacy law for many countries.
- The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the US state of California.
Choose a Cloud Solution That Prioritizes Security and Compliance
Choosing to work with a cloud service provider that complies with many of these different standards and regulations positions you to rely on, or "inherit," the resulting security and compliance controls required by those standards and laws. Your organization's leadership, your legal team, and your clients can rest assured that their data is in secure and capable hands.
As a cloud-native solution designed with legal professionals in mind, NetDocuments gives you and your team the stringent security and compliance controls best suited to legal work, while still allowing you to work and collaborate easily and efficiently.
To learn more about how NetDocuments can help you fulfill compliance obligations and client mandates to protect sensitive information, contact us today at (866) 638-3627 or click here to request a demo.
Read David’s original article on this topic in the International Legal Technology Association’s summer 2022 edition of Peer to Peer magazine.