Development of Cloud Security Guidance, with Mapping MY PDPA Standard to CCM Control Domains, Jointly Developed by MDEC and CSA
Published 12/06/2018
By Ekta Mishra, Research Analyst/APAC, Cloud Security Alliance
The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework that gives a detailed understanding of security concepts and principles aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the CSA CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and it will augment or provide internal control direction for service attestations and control reports provided by cloud providers.
As a framework, the CSA CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, identifies and reduces consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.
The Malaysian Personal Data Protection Commissioner issued the Personal Data Protection Standards 2015, which came into force on 23 December 2015 (the “Standards”). To those who are affected, namely any person that “processes” and “has control over or authorizes the processing of any personal data in relation to commercial transactions” (in other words, any person or company that deals with personal data in the course of its business, also known as “data users”), the Standards stand to be a new compliance hurdle and would impose additional responsibilities on these data users, over and above those set by the Malaysia Personal Data Protection Act 2010 (“PDPA”).
The inclusion of the Malaysian Personal Data Protection Standards into the CSA CCM aligns the regional standard to over 30 global frameworks mapped in the CSA framework. Additionally, the mapping, conducted by the Malaysian Digital Economic Corporation (MDEC), further expands the coverage of the CSA CCM into the APAC region.
How to read the document:
1. The 4 sections from MY PDPA 2015 were mapped to CCM control domains. This was accomplished by matching each control in the CCM to one or more controls in MY PDPA to determine equivalence. This approach considered which CCM control is associated with which control(s) in MY PDPA, and to what degree they are equivalent to each other. The extent of equivalence between controls of the two frameworks approximates the amount of effort necessary to incorporate MY PDPA, using CCM as a base.
2. The CCM Control ID was used as a reference for the CCM control domain name.
3. A gap identification and analysis was conducted for the remaining controls not considered equivalent (i.e. Partial and Full gaps) after the initial mapping. Furthermore, the gap analysis provides indicators of how much effort it may take to bridge gaps between the two frameworks.
4. The controls from MY PDPA which were determined to have Full and Partial gaps will be used as compensating controls in the main CCM document.
The four sections of the document have been derived from the Malaysia (MY) Personal Data Protection Standard 2015:

| Section | Requirement |
| --- | --- |
| Data Security for Personal Data Processed Electronically | A data user shall take practical steps to protect the personal data from any loss, misuse, modifications, unauthorized or accidental access or disclosure, alteration or destruction |
| Data Security for Personal Data Processed Non-Electronically | A data user shall take practical steps to protect the personal data from any loss, misuse, modifications, unauthorized or accidental access or disclosure, alteration or destruction |
| Retention Standard | A data user shall take practical steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed |
| Data Integrity Standard | A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept updated by having regard to the purpose, including any directly related purpose, for which the personal data was collected and processed further |