Fique seguro e recupere rapidamente: 16 Verificações de conformidade e segurança a serem procuradas em um provedor de serviços em nuvem

There are countless benefits for legal professionals to be able to work and collaborate remotely in the cloud, but it’s important to also be aware of the associated security challenges and vulnerabilities that come with cloud technology. A security breach or failure to meet specific compliance guidelines could potentially put you and your team at risk of significant legal and financial trouble, not to mention potential downtime and losing the trust of your clients.

A boa notícia é que muitos provedores de serviços em nuvem respeitáveis oferecem a seus usuários a capacidade de confiar ou “herdar” a segurança incorporada e os controles de conformidade que já existem na infraestrutura de aplicativos do provedor. Para melhor ajudar você e sua equipe jurídica a fazer a escolha certa em provedores de serviços de nuvem, identificamos 16 padrões, certificações, relatórios de auditoria, regulamentos e atestados, bem como leis americanas e internacionais, para procurar como indicadores que seu trabalho com provedores de serviços de nuvem individuais é seguro, protegido e compatível. Quanto mais desses “itens de verificação” seu fornecedor atender ou cumprir, melhor posicionado ele estará para ter controles de segurança e conformidade em vigor para beneficiar e proteger seus clientes de nuvem, incluindo sua equipe jurídica.

16 Controles de conformidade e segurança a serem procurados em um provedor de serviços em nuvem

Esta lista de verificações de conformidade e segurança inclui o reconhecimento internacional Organization para padronização (ISO) 27000 família de padrões e controles, bem como padrões internacionais baseados nos EUA que não são apenas exigidos em seu estado ou país original, mas desde então têm sido reconhecidos de forma mais ampla como importantes referências de segurança.

1. ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within the context of the organization.
2. ISO 27017 provides guidance on the information security aspects of cloud computing and cloud services as well as additional implementation guidance for relevant controls specified in ISO/IEC 27002.
3. ISO 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Privacy Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
4. ISO 27701 is a privacy extension to ISO/IEC 27001 designed to enhance the existing ISMS with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). In addition, the controls in ISO 27701 address many of the requirements in the EU’s General Data Protection Regulation (GDPR), so being certified in the ISO 27701 controls can also be used to independently validate compliance with GDPR.
5. Service Organization Controls (SOC) reports help companies to establish trust and confidence in their service delivery processes and controls. This is achieved through detailed information and assurance about a cloud service provider’s ability to adhere to some or all of the Trust Principles: security, availability, privacy, processing, integrity, and confidentiality.
6. The Federal Information Processing Standard (FIPS) (140-3) specifies the security requirements that need to be satisfied by cryptographic modules and is a critical standard when dealing with highly regulated industries. It’s important to note the differences between FIPS 140-2 which meets the tamper resistant standard and FIPS 140-3 which meets the higher tamper proof standard. In addition, FIPS 140-2 only addresses security requirements after completion, but FIPS 140-3 now evaluates security requirements at all stages of cryptographic module creation - design, implementation, and final operational deployment.
7. The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide certification program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services supplied to government agencies, vendors, and customers.
8. Export Administration Regulations (EAR) are export control regulations run by different departments of the US government, such as the US Department of Commerce, which administers EAR to regulate the export of “dual-use” items, including technical data and technical assistance, which are designed for commercial purposes but could have military applications such as computers, aircraft, and pathogens.
9. Defense Federal Acquisition Regulation Supplement (DFARS) requirements and regulations are meant to guarantee the integrity of Controlled Unclassified Information (CUI), or sensitive information belonging to the US government that third parties such as suppliers, partners, and trade associations may hold or use.
10. The Federal Information Security Management Act (FISMA) is US legislation that defines a framework for guidelines and security standards to protect government information and operations.
11. The Health Insurance Portability and Accountability Act (HIPAA) defines nationally standardized privacy protections for patients’ medical records and other health information provided to and managed primarily by health plans, doctors, hospitals, and other healthcare providers in the US. However, it can also apply to employers that offer group health plans and any business or individual that provides services to physicians, healthcare providers, and insurance companies.
12. SEC Rule 17a-4 applies to US broker-dealers and other relevant parties who trade securities or function as brokers for traders, including banks, securities firms, and stock brokerage firms, requiring them to store all business records for a period of no less than six years on non-rewriteable and non-erasable media, with the first two years being in an easily accessible place.
13. The EU Model Clauses are standardized contractual clauses used in agreements between service providers and their customers to ensure that any personal data leaving the European Economic Area will be transferred in compliance with EU data protection laws and meet GDPR requirements.
14. The Australian Cyber Security Centre’s (ACSC) cloud security guidance informs Commonwealth entities, cloud service providers (CSPs), and Infosec Registered Assessors Program (IRAP) assessors on how to perform a comprehensive security assessment of CSPs and their services.
15. The General Data Protection Regulation (GDPR) regulates how companies protect EU citizens’ personal data and has become the benchmark privacy law for many countries.
16. The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the US state of California.

Escolha uma solução de nuvem que priorize a segurança e a conformidade

A escolha de trabalhar com um provedor de serviços de nuvem validado como compatível com muitos desses diferentes padrões e regulamentos permite que você confie ou “herde” a conformidade resultante e os controles de segurança exigidos por esses padrões e leis. Seu organizationA liderança da , sua equipe jurídica e seus clientes podem ter certeza de que seus dados estão em mãos seguras e competentes.

Como uma solução de nuvem nativa projetada com profissionais jurídicos em mente, o NetDocuments fornece a você e sua equipe os controles rígidos de segurança e conformidade mais adequados para o trabalho jurídico, permitindo que você trabalhe e colabore com facilidade e eficiência.

To learn more about how NetDocuments can help you fulfill compliance obligations and client mandates to protect sensitive information, contact us today at (866) 638-3627 or click here to request a demo.

Read David’s original article on this topic in the International Legal Technology Association’s summer 2022 edition of Peer to Peer magazine.