Information technology — Cloud computing — Taxonomy based data handling for cloud services

This document: — describes a framework for the structured expression of data-related policies and practices in the cloud computing environment, based on the data taxonomy in ISO/IEC 19944; — provides guidelines on application of the taxonomy for handling of data based on data subcategory and classification; — covers expression of data-related policies and practices including, but not limited to data geolocation, cross border flow of data, data access and data portability, data use, data management, and data governance; — describes how the framework can be used in codes of conduct for practices regarding data at rest and in transit, including cross border data transfer, as well as remote access to data; — provides use cases for data handling challenges, i.e. control, access and location of data according to ISO/IEC 19944 data categories. This document is applicable primarily to cloud service providers, cloud service customers (CSCs) and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of taxonomy-based data management in cloud services.

Titre manque

General Information

Status
Published
Publication Date
06-Feb-2020
Current Stage
6060 - International Standard published
Start Date
07-Feb-2020
Completion Date
07-Feb-2020
Ref Project

Buy Standard

Standard
ISO/IEC 22624:2020 - Information technology -- Cloud computing -- Taxonomy based data handling for cloud services
English language
37 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 22624
First edition
2020-02
Information technology — Cloud
computing — Taxonomy based data
handling for cloud services
Reference number
ISO/IEC 22624:2020(E)
ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC 22624:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 22624:2020(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 2

5 Overview: The need for a structured expression of data policies and practices

based on a common data taxonomy ................................................................................................................................................. 3

6 Framework for the structured expression of data related policies and practices ...........................4

6.1 General ........................................................................................................................................................................................................... 4

6.2 Framework elements ......................................................................................................................................................................... 4

6.2.1 General...................................................................................................................................................................................... 4

6.2.2 Data categories .................................................................................................................................................................. 5

6.2.3 Data identification qualifiers ................................................................................................................................. 6

6.2.4 Data usage scopes ........................................................................................................................................................... 7

6.2.5 Actions ...................................................................................................................................................................................... 8

6.2.6 Data classification ........................................................................................................................................................... 9

6.2.7 Further elements specific to the application domain ...................................................................10

7 Using the framework .....................................................................................................................................................................................10

7.1 Modes of framework usage .......................................................................................................................................................10

7.2 Framework element usage ........................................................................................................................................................11

7.2.1 Data categories ...............................................................................................................................................................11

7.2.2 Data identification qualifiers ..............................................................................................................................11

7.2.3 Scopes and actions ......................................................................................................................................................11

7.3 Policy expressions .............................................................................................................................................................................11

7.4 Example ......................................................................................................................................................................................................11

8 Expression of data related policies in relation to specific areas of concern .......................................12

8.1 General ........................................................................................................................................................................................................12

8.2 Data geolocation .................................................................................................................................................................................12

8.3 Cross border flow of data ............................................................................................................................................................13

8.3.1 Data jurisdictions considerations ..................................................................................................................13

8.3.2 Cross border data transfer ...................................................................................................................................15

8.4 Data portability and data access ...........................................................................................................................................17

8.4.1 General...................................................................................................................................................................................17

8.4.2 Data required for data portability or data access .............................................................................17

8.4.3 Formats and portability ..........................................................................................................................................18

8.5 Data use ......................................................................................................................................................................................................19

8.6 Data management .............................................................................................................................................................................19

8.6.1 Data security ...................................................................... ...............................................................................................19

8.6.2 Data quality .......................................................................................................................................................................21

8.7 Data governance .................................................................................................................................................................................22

9 Application of the framework to codes of conduct ........................................................................................................26

Annex A (informative) Example for use of this document ..........................................................................................................30

Bibliography .............................................................................................................................................................................................................................37

© ISO/IEC 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 22624:2020(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see http:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence

to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT)

see www .iso .org/ iso/ foreword .html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 38, Cloud Computing and Distributed Platforms.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 22624:2020(E)
Introduction

Many of the policies and practices in place for handling data in the cloud computing ecosystem need

to be described based on the category of the data they address. For instance, personally identifiable

information (PII) impose specific data management requirements not only in terms of security but also

with regard to mechanisms that allow cloud service users to whom such data relate to exercise control

on the usage and transfer of such data. Organisational data such as cloud service usage information and

telemetry data from cloud services, which can be used for operational purposes such as improvement

of service quality, may have to fulfil specific quality requirements to be useful for a given application.

Customer content data can be related to intellectual property rights and possibly needs appropriate

protection by the cloud service provider (CSP). Certain data can be transferred from one jurisdiction

to another. Depending on their data category, different instruments (multi-national laws, corporate

binding rules, bilateral agreements) are applicable to enable such transfers.

When such policies and practices are to be described, it is helpful to do so in a structured and consistent

way so that they can be better expressed, evaluated, analysed, and compared by the stakeholders in

the cloud computing ecosystem. ISO/IEC 19944 provides a comprehensive taxonomy defining a fine-

grained system of data categories that can be applied to various domains of policies for the handling

of data in a cloud computing ecosystem such as cross border data transfer, data geolocation, data

usage, data access and data portability, data management including data quality management and data

security, or data governance, and provides guidelines on how to describe data handling policies and

practices within codes of conduct (CoC).

This document describes such a structured and common approach to express any desired data handling

policies and practices. It is important to emphasize that the policies and practices themselves are out of

the scope of this document. This document describes a common structure and approach to express any

desired data handling policies and practices. It is important to emphasize that the policies and practices

are out of the scope of this document. A set of examples from data handling domains are provided in the

document as guidance to understand how to use ISO/IEC 19944 regarding application of policies and

analysis of policy requirements to such domains.
© ISO/IEC 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 22624:2020(E)
Information technology — Cloud computing — Taxonomy
based data handling for cloud services
1 Scope
This document:

— describes a framework for the structured expression of data-related policies and practices in the

cloud computing environment, based on the data taxonomy in ISO/IEC 19944;

— provides guidelines on application of the taxonomy for handling of data based on data subcategory

and classification;

— covers expression of data-related policies and practices including, but not limited to data geolocation,

cross border flow of data, data access and data portability, data use, data management, and data

governance;

— describes how the framework can be used in codes of conduct for practices regarding data at rest

and in transit, including cross border data transfer, as well as remote access to data;

— provides use cases for data handling challenges, i.e. control, access and location of data according to

ISO/IEC 19944 data categories.

This document is applicable primarily to cloud service providers, cloud service customers (CSCs) and

cloud service users, but also to any person or organization involved in legal, policy, technical or other

implications of taxonomy-based data management in cloud services.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary

ISO/IEC 19944, Information technology — Cloud computing — Cloud services and devices: Data flow, data

categories and data use
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17788, ISO/IEC 19944

and the following apply:

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at https:// www .iso .org/ obp
3.1
codes of conduct
CoC

agreed set of behaviours between organisations to enhance customer and/or partner outcomes and

experiences
© ISO/IEC 2020 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 22624:2020(E)
3.2
confidentiality

property that information is not made available or disclosed to unauthorized individuals, entities, or

processes
[SOURCE: ISO 24534-5:2011, 3.11]
3.3
integrity

property of being designed such that any modification of the electronically stored information, without

proper authorization, is not possible
3.4
availability
property of being accessible and useable upon demand by an authorized entity
[SOURCE: ISO 22600-1:2014, 3.7]
3.5
data access
process by which a system can read published data on another system

Note 1 to entry: This data access happens over a network connection and the data typically does not persist after

the connection is terminated.
3.6
data transfer
copying or moving data from one system to another
3.7
data geolocation
geographic location of a data object at rest
4 Symbols and abbreviated terms
APEC Asia-Pacific Economic Cooperation
BCR Binding Corporate Rules
CBPR Cross-border Privacy Rules
CPTPP Comprehensive and Progressive Agreement for Trans-Pacific Partnership
CoC Codes of Conduct
CSC Cloud Service Customer
CSN Cloud Service partner
CSP Cloud Service Provider
DRM Digital Rights Management
EU European Union
EUII End User Identifiable Information
GDPR General Data Protection Regulation
GPS Global Positioning System
2 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 22624:2020(E)
HBI High Business Impact
IaaS Infrastructure as a Service
IPR Intellectual Property Rights
IRM Information Rights Management
IT Information Technology
LBI Low Business Impact
MBI Medium Business Impact
NASPO National Associations of State Procurement Officials
OII Organization Identifiable Information
PII Personally Identifiable Information
5 Overview: The need for a structured expression of data policies and practices
based on a common data taxonomy

Data policies and practices, at corporate or government level, need to be crisply expressed with the

desired degree of precision and clarity. The need for varying degree of precision, along with the need

to compare and analyse various policies in an efficient manner, calls for a common and structured

approach to the expression of these policies and practices, an approach that is based on a common data

taxonomy.
ISO/IEC 19944 provides a comprehensive set of elements which can be used to

a) assign a data category to a given data set (e.g. personally identifiable information (PII),

organisational identifiable information, customer content data),

b) provide classes of actions applied to such data (e.g. use to provide a service, to optimize it, to

provide marketing information),

c) include scopes explaining on what level the use of data happens (e.g. service level vs. enterprise/

organisational level vs. use by 3rd parties), and

d) define the level of de-identification (or anonymization) applied to a data set (qualifiers such as

"identified", "anonymized", "aggregated").

These elements are referred to in the document as “data categories” or “data taxonomy”, “actions”,

“scopes”, and “qualifiers” without explicitly referencing ISO/IEC 19944. Clause 6 provides a

comprehensive overview of the elements. The framework described in this document references the

framework in ISO/IEC 19944.

In order to define application specific data handling policies and practices, these elements need

to be applied to the application domain at hand. This includes data classifications with regards to

security or risk levels that apply to data, as well as technical and organisational qualifications of data.

Hence, the approach described in this document requires the considerations of data categories as

described in ISO/IEC 19944 as well as orthogonal information dependent on the concrete application

under consideration. Examples which are used to explain this approach therefore employ a tabular

representation format emphasizing the orthogonal character of generic data categorization (rows) and

application specific elements (columns). Therefore, for a person who is concerned with the development

of, for example, enterprise policies for data use by a set of cloud services, all relevant cases which need

to be considered are visible.
© ISO/IEC 2020 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC 22624:2020(E)

Implicitly, ISO/IEC 19944 focuses on personal data and PII, and does not explicitly cover non-personal

data, or mixed sets of data that contain both PII and non-personal data. Non-personal data is defined as

any data that is not personal and is not covered under PII, e.g. scientific data, sales data. Mixed data sets

contain both PII and non-personal data such as human resource data that contains both organizational

structures and personal employee data. It is important to recognize these different sets as different

[9]

policies and regulations could apply to each. For example, the EU GDPR regulates aspects of PII and the

[10]

free-flow of non-personal data regulation sets policies concerning the geo-location and movement of

non-personal data. In line with ISO/IEC 19944, this document focuses on PII and does not delve deeper

into aspects explicitly related to non-personal or mixed sets of data.
The document is structured as follows:

— Clause 6 describes the framework for the structured expression of data related policies and practices

including elements of the framework building on ISO/IEC 19944. It then expands discussion on data

classification (6.2.6).
— Clause 7 discusses guidance for using the framework defined in Clause 6.
— Clause 8 covers use of framework in specific areas of concern.
— Clause 9 describes the application of the framework to codes of conduct.
Examples for data handling challenges are provided throughout the document.
6 Framework for the structured expression of data related policies and practices
6.1 General

This document uses the taxonomy and data use expression structure specified in ISO/IEC 19944. Any

policy or practice that conforms to this document and uses the taxonomy or data use expression shall

meet the requirements of ISO/IEC 19944 as appropriate.

To handle key data management topics, Clause 6 describes a harmonized structure to express a desired

policy for data management based on various data types, using data taxonomy in ISO/IEC 19944. The

data management policies based on a common structure specified by this document can be expressed,

compared and negotiated.

It is important to point out that this document does not define one or more data policies, rather it offers

a common structure and framework for others to use in order to express their policy of choice.

Moreover, this document does not stipulate any specific format or syntax to be used to express policies

and practices related to a categorization of data. Although tables are frequently employed throughout

this document to illustrate the usage of the framework, the use of tabular formats is not normative or

mandatory but serves for the presentation of examples only.
6.2 Framework elements
6.2.1 General

ISO/IEC 19944 defines a number of elements to express statements that describe the use of data by a

CSP, namely a data categorization hierarchy, a set of qualifiers indicating the level of de-identification of

data, and a hierarchy of scopes that describe at which level data are collected and processed by the CSP,

a number of actions used to process data, and on which level the result of data processing is used. This

clause provides an overview of the elements that are described in detail in ISO/IEC 19944.

4 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 22624:2020(E)
6.2.2 Data categories
6.2.2.1 General

The data taxonomy described in ISO/IEC 19944:2017,A.1 as shown in Figure 1 below defines four main

data categories, namely customer content data, derived data, CSP data, and account data

Figure 1 — Data categorization hierarchy according to ISO/IEC 19944:2017, A.1
6.2.2.2 Customer content data

Customer content data is cloud service customer (CSC) data extended to include similar data objects

provided to applications executing locally on the device. This includes content directly created by

customers and their users and all data that customers provide to the cloud service, or are provided to

the cloud service on behalf of customers, through the capabilities of the service or application. This also

includes data that the user intentionally creates through the use of the app or cloud service. This data

category contains a large variety of sub-categories. The reader is referred to ISO/IEC 19944:2017, 8.2.2

for details.
6.2.2.3 Derived data
6.2.2.3.1 General

Derived data is cloud service derived data extended to include similar data objects derived as a user

exercises the capabilities of an application executing locally on the device.
© ISO/IEC 2020 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC 22624:2020(E)
6.2.2.3.2 End user identifiable information

End user identifiable information (EUII) is defined as data associated with a user that are captured

or generated from the use of the service by that user; EUII is linkable to that user but is not customer

content data. This data category contains a large variety of sub-categories. The reader is referred to

ISO/IEC 19944:2017, 8.2.3.2 for details.
6.2.2.3.3 Organization identifiable information

Organization identifiable information (OII) is the data that can be used to identify a particular tenant

(general configuration or usage data), is not linkable to a user and does not contain customer content data.

This also includes data aggregated from the users of a tenant that is not linkable to the individual user.

6.2.2.4 CSP data
6.2.2.4.1 General

This category includes data that is exclusively under the control of the CSP. It is unique to the system

and under the control of the CSP.
6.2.2.4.2 Access and authentication data

Access and authentication data is the data used within the cloud service to manage access to other

categories of data or capabilities within the service.
6.2.2.4.3 Operations data

Operations data is data which is used for supporting the operation of CSPs and system maintenance,

such as service logs, technical information about a subscription (e.g. service topology), technical

information about a tenant (e.g. customer role name), configuration settings/files.

6.2.2.5 Account data

Account data is a class of data specific to each CSC that is required to sign up for, purchase or administer

the cloud service. This data includes information such as names, addresses, payment information.

Account data is generally under the control of the CSP although each CSC usually has the capability to

input, read and edit their own account data but not the records of other CSCs.
6.2.3 Data identification qualifiers

Data in any category can provide or contribute to information that identifies or can be linked to an

individual. The extent to which individuals are directly identified in the data, and how easy it is to

associate a set of characteristics in the data to an individual is described by the following set of

qualifiers (see Figure 2):
6 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 22624:2020(E)
Figure 2 — Data identification qualifiers according to ISO/IEC 19944:2017, A.2

— Identified data. Data that can unambiguously be associated with a specific person because PII is

observable in the information.

— Pseudonymized data. Data for which all identifiers are substituted by aliases for which the alias

assignment is such that it cannot be reversed by reasonable efforts of anyone other than the party

that performed them.

— Unlinked pseudonymized data. Data for which all identifiers are erased or substituted by aliases

for which the assignment function is erased or irreversible, such that the linkage cannot be re-

established by reasonable efforts of anyone including the party that performed them.

— Anonymized data. Data that is unlinked and which attributes are altered in such a way that there

is a reasonable level of confidence that a person cannot be identified, directly or indirectly, by the

data alone or in combination with other data.

— Aggregated data. Statistical data that does not contain individual-level entries and is combined

from information about enough different persons that individual-level attributes are not identifiable.

6.2.4 Data usage scopes

ISO/IEC 19944:2017, 9.4.1 defines that “scope” provides a way to clearly describe the boundaries

of collection and use of data in the devices and cloud services ecosystem. These scopes can be used to

describe the applications and services associated with data use (see Figure 3). The definitions are listed

in increasing breadth of scope and the wider scopes include the narrower scopes, except for “third

party” items which exist in an independent scope. Capabilities are parts of an application or a cloud

service whi
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.