The Microsoft approach to cloud transparency – Part VI – The benefits of standardized frameworks

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

Thank you for coming back for the exciting Part VI of The Microsoft approach to cloud  transparency

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)

Part VI – The benefits of standardized frameworks

 

CoBIT

The Control Objectives for Information and related Technology (COBIT) framework is a well thought-out and generally accepted standard that was published to help organizations evaluate information technology-related risk.

First published in 1996 and currently in its fifth revision (published in 2012), COBIT is published by the IT Governance Institute, which is affiliated with the Information Systems Audit and Control Association (ISACA). Although the previous version (4.1, published in 2007) was organized by using 34 high-level processes and 215 detailed control objectives, the new version is different. For COBIT 5, ISACA chose to partition the document into 37 high-level processes and 17 goals. COBIT is designed to bridge management and control gaps between technical and business risks.

For more information about COBIT, see the “Additional reading” section later in this paper.

COBIT is a very useful tool to help correlate disparate standards such as the Information Technology Infrastructure Library (ITIL), Capability Maturity Model Integration (CMMi), and ISO 27002.

 

 NIST Special Publication (SP) 800 series

The U.S. National Institute of Standards and Technology (NIST) publishes various standards for use by U.S. government agencies and departments. Most notable among these standards is the SP800 series, which focuses on security and privacy. NIST was the originator of the globally accepted working definition of cloud computing, which is now published as Draft SP800-145. This draft publication has been submitted to the ISO/IEC standards body for inclusion in a forthcoming international standard.

Also of note in the SP800 series is SP800-53, which defines the security controls that must be implemented in computing solutions to meet the requirements of the Federal Information Security and Management Act (FISMA). The controls are also found in the Federal Risk and Authorization Management Program (FedRAMP), which is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Microsoft has achieved FISMA Moderate Authorization to Operate (ATO) for GFS and Office 365.

 

Come back next week for Part VII!

Leave a Reply

Your email address will not be published. Required fields are marked *


*