CompuGroup Medical SE & Co. KGaA’s Post

CompuGroup Medical offers its customers high security standards in the processing of healthcare data. The C5-attested cloud applications in Germany are another milestone on this path.   CGM has received C5 attestation (Type 1) for cloud services in Germany in accordance with the criteria of the German Federal Office for Information Security (BSI). Cloud products of CGM have been attested compliance with C5 criteria retroactively as of May 31, 2024 by an independent auditing company. The German Digital Act (DigiG) prescribes C5 (Type 1) as the security standard for cloud services in the German healthcare and social services sector from July 1, 2024.   C5 stands for Cloud Computing Compliance Criteria Catalogue and specifies more than 120 security criteria, including the areas of information security organization, physical security, regular operations, portability and interoperability.   https://lnkd.in/eQccXK4v

“Cloud assurance” Cocooncloud is implementing security processes to ensure that their customers can trust the security and reliability of their cloud services by cloud assurance. What does 'cloud assurance' mean?" One way to describe cloud assurance: the process of providing confidence that a cloud service will perform during its lifecycle according to established policies, specifications, declared features and SLAs, and in compliance with  applicable laws and regulations. Cloud assurance is often based on distinct mechanisms: 1. Contracts and terms of use, including service level agreements  2. Provider self-assessment and technical documents (e.g., specifications) and due diligence questionnaires  3. External attestation and certification audit reports (e.g., SOC2, ISO27001)  4. First-party risk assessment against a set of controls, sometimes with an independent auditor  5. Provider reputation  6. Provider financial stability and market value  7. Provider cyber-insurance #cloud #Cloudassurance #ISO 27001 #SOC2

Today I will cover the new A.5.2.3 ISO 27001 control "Information Security for Use of Cloud Services" and how it impacts the people, processes, and technology within your organization. Description. This control requires you to set security requirements for cloud services in order to have better protection of your information in the cloud. This includes purchasing, using, managing, and terminating the use of cloud services. #People - People will be tasked with specifying then subsequently managing and administering information security concepts as related to cloud services, in their capacity as a “cloud services customer”. #Process - Processes should be updated to ensure that security requirements for cloud services and for determining the criteria for selecting a cloud provider are formerly documented; further, you should define a process for determining acceptable use of the cloud, and also the security requirements when cancelling the use of a cloud service. Organizations should scrutinize cloud service agreements and ensure that four main operational requirements are met: - Confidentiality. - Security/data integrity. - Service availability. - Information handling. #Technology - In many cases, new technology will not be needed, because the cloud services provider already has security features. In some cases, however, you might need to upgrade your service as certain features my not be a part of what you currently pay for. For the most part, the only change required will be using existing cloud security features in a more thorough way. #iso27001

https://lnkd.in/er978xb7 I have a fair amount of experience in the cloud. Picked up multiple security certifications along the way. I cannot remember getting a security certification from a cloud vendor where architecture was based upon Business Impact Analysis, Risk Framework and finally Controls. ISC2 has a certification "CCSP", even if you don't take the exam, the CBK is a good read. https://lnkd.in/e6erfqCV Securing the cloud has unique challenges over securing the enterprise. Live and learn. "The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires."

Cloud Security Alliance | CSA STAR assessments - Introduction Any organization providing cloud services or cloud-based services can benefit from completing the CSA STAR program’s cloud security and privacy assessments. These assessments are based on Cloud Security Alliance’s Cloud Controls Matrix (CCM), as well as the privacy requirements for GDPR compliance. CSA STAR assessments fall under two levels of assurance: Level 1 (self-assessments) and Level 2 (third-party assessments). The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR benefits your organization in several ways: 1. Enhanced Transparency 2. Global Recognition 3. Cloud-specific Focus 4. Consistency and comparability 5. Continuous monitoring and improvement 6. Customer confidence and competitive advantage What should you pursue if applicable? (source: CSA official website) Level one? Organizations should pursue this level if they are... - Operating in a low-risk environment - Wanting to offer increased transparency around the security controls they have in place. - Looking for a cost-effective way to improve trust and transparency Level two? Organizations should pursue this level if they are... - Operating in a medium to high risk environment - Already hold or adhere to the following: ISO27001, SOC 2, GB/T 22080-2008, or GDPR - Looking for a cost-effective way to increase assurance for cloud security and privacy. #cloudsecurityalliance #CSA #CCM #starattestation #cloudassurance #tobecontinued #usefulinsights https://lnkd.in/dKNJjg6s

FedCloud Ready: Secure, Compliant Cloud Solutions for Government Agencies Is your agency struggling to navigate the complexities of federal cloud adoption? At Aleut, we specialize in Cloud Services & Management solutions specifically designed for the unique needs of the U.S. government. We understand the challenges you face: FedRAMP Compliance: We guide you through the FedRAMP process, ensuring your cloud environment meets the strictest security standards. Data Security & Privacy: We prioritize robust data protection strategies to safeguard sensitive government information. Cost Management for Public Funds: Our expertise helps you optimize cloud spending and maximize the value of taxpayer dollars. Our comprehensive approach empowers federal agencies to: Achieve Cloud Smart Goals: Align your cloud adoption with the "Cloud Smart" strategy, promoting efficiency and innovation. Reduce Risk & Maintain Control: Implement secure frameworks and governance practices for a controlled and compliant cloud environment. Increase Visibility & Optimize Performance: Gain real-time insights into your cloud operations, allowing for informed decision-making and improved performance. Don't let cloud complexities hinder your agency's mission. We'll help you harness the power of the cloud securely and compliantly. Ready to unlock the benefits of FedCloud? Contact us today! #fedcloud #fedramp #governmentcloud #cloudgovernance #cloudsecurity #cloudcompliance Dominick DeQuarto Corey Chambliss Kathryn Schalla Andy Waskow

🌟 One more day until the AWS Public Sector Summit in Washington D.C.! I am excited to be attending this year's Summit. AWS's Day One culture—centered on relentless innovation, agility, and a customer-first approach—continues to propel the cloud industry forward. 💡 As public sector organizations increasingly adopt cloud solutions, ensuring compliance with FedRAMP standards is critical. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services, ensuring they meet stringent federal requirements. 🔍 At MegaplanIT, an accredited Third Party Assessment Organization (3PAO), we specialize in FedRAMP assessment services. Our rigorous assessments help cloud service providers (CSPs) achieve and maintain FedRAMP authorization, ensuring their solutions are secure, compliant, and ready for federal deployment. 🔒 With our in-depth knowledge and expertise, we guide CSPs through the entire FedRAMP assessment process, from initial preparation to final authorization. Our comprehensive approach ensures that your cloud services meet the highest standards of security and compliance. 🚀 Let’s connect to discuss how we can support your journey to FedRAMP compliance, providing you with the confidence to serve the federal sector with secure and compliant cloud solutions. #AWSsummit #DayOneCulture #FedRAMP #CyberSecurity #3PAO #CloudCompliance #PublicSector #Innovation MegaplanIT https://lnkd.in/gzZt9Ptp

#NetApp products and services are audited regularly against the #SOC2 (AT Section 101) standard by an independent third-party auditor. #NetAppCloudInsights 2023 SOC 2 Type II Report - A Type 2 report of the audit assessment performed by Schellman, an independent auditor, on the systems, design, and operational effectiveness of NetApp Cloud Insights #securitycontrols. #NetAppBlueXP 2023 SOC 2 Type II Report - A Type 2 report of the audit assessment performed by Schellman, an independent auditor, on the systems, design, and operational effectiveness of NetApp Cloud Insights security controls. #NetAppAstra 2023 SOC 2 Type II Report - A Type 2 report of the audit assessment performed by #Schellman, an independent auditor, on the systems, design, and operational effectiveness of NetApp Cloud Insights security controls.

#ccsp #issap Question of the Day :) You are a cloud security consultant engaged by a company migrating their on-premises infrastructure to a cloud environment. Data security and regulatory compliance are top priorities. They express interest in utilizing Trusted Platform Modules (TPMs) for enhanced security. Considering your understanding of TPM capabilities and the client's specific needs, which of the following actions BEST represents the MOST valuable recommendation for leveraging TPMs within their cloud infrastructure, aligned with the principles of cloud security best practices? A. Recommend deploying TPMs on all virtual machines (VMs) within the cloud environment for maximum data protection. B. Conduct a risk assessment to identify critical data assets and prioritize integrating TPMs only for VMs storing those assets. C. Advocate for cloud provider-managed TPM solutions for ease of integration and minimal overhead for the client. D. Focus on integrating TPMs within the cloud provider's key management service (KMS) for centralized control and simplified key lifecycle management.

This one is for our auditor friends. Do you know the gaps in the compliance frameworks and what your organization needs in order to be compliant? Help your organization interpret cloud service attestations with greater confidence with these questions and resources from Oracle Security: https://lnkd.in/guXvbt7u