AWS Risk and Compliance Whitepaper for Additional Details - Policy Available At

AWS Risk and Compliance Whitepaper for Additional Details - Policy Available At

Amazon Web Services: Risk and Compliance January 2017 (Consult http://aws.amazon.com/compliance/resources for the latest version of this paper) Amazon Web Services Risk and Compliance January 2017 This document is intended to provide information to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment. This document includes a basic approach to evaluating AWS controls and provides information to assist customers with integrating control environments. This document also addresses AWS-specific information around general cloud computing compliance questions. Table of Contents Risk and Compliance Overview .......................................................................................................................3 Shared Responsibility Environment ............................................................................................................................................... 3 Strong Compliance Governance ...................................................................................................................................................... 4 Evaluating and Integrating AWS Controls ...................................................................................................4 AWS IT Control Information ........................................................................................................................................................... 5 AWS Global Regions .......................................................................................................................................................................... 5 AWS Risk and Compliance Program ..............................................................................................................6 Risk Management .............................................................................................................................................................................. 6 Control Environment ........................................................................................................................................................................ 6 Information Security ......................................................................................................................................................................... 7 AWS Certifications, Programs, Reports, and Third-Party Attestations................................................7 CJIS ...................................................................................................................................................................................................... 7 CSA ....................................................................................................................................................................................................... 7 Cyber Essentials Plus ........................................................................................................................................................................ 8 DoD SRG Levels 2 and 4 ................................................................................................................................................................... 8 FedRAMP SM ........................................................................................................................................................................................ 8 FERPA .................................................................................................................................................................................................. 9 FIPS 140-2 ........................................................................................................................................................................................... 9 FISMA and DIACAP .......................................................................................................................................................................... 9 GxP ..................................................................................................................................................................................................... 10 HIPAA ................................................................................................................................................................................................ 10 IRAP ................................................................................................................................................................................................... 11 ISO 9001 ............................................................................................................................................................................................ 11 ISO 27001 .......................................................................................................................................................................................... 12 ISO 27017 ........................................................................................................................................................................................... 14 ISO 27018 .......................................................................................................................................................................................... 15 ITAR ................................................................................................................................................................................................... 16 MPAA ................................................................................................................................................................................................. 16 MTCS Tier 3 Certification ............................................................................................................................................................... 16 Page 2 of 87 Amazon Web Services Risk and Compliance January 2017 NIST ................................................................................................................................................................................................... 16 PCI DSS Level 1 ................................................................................................................................................................................. 17 SOC 1/ISAE 3402 ............................................................................................................................................................................. 18 SOC 2 .................................................................................................................................................................................................. 19 SOC 3 .................................................................................................................................................................................................. 19 Key Compliance Questions and AWS ............................................................................................................................................ 20 AWS Contact .......................................................................................................................................................25 Appendix A: CSA Consensus Assessments Initiative Questionnaire v3.0.1 ....................................... 26 Appendix B: AWS alignment with the Australian Signals Directorate (ASD) Cloud Computing Security Considerations ..................................................................................................................................63 Appendix C: Glossary of Terms ..................................................................................................................... 83 Risk and Compliance Overview AWS and its customers share control over the IT environment, both parties have responsibility for managing the IT environment. AWS’ part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use. The customers’ responsibility includes configuring their IT environments in a secure and controlled manner for their purposes. While customers don’t communicate their use and configurations to AWS, AWS does communicate its security and control environment relevant to customers. AWS does this by doing the following: • Obtaining industry certifications and independent third-party attestations described in this document • Publishing information about the AWS security and control practices in whitepapers and web site content • Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required) For a more detailed description of AWS security please see: AWS Security Center: https://aws.amazon.com/security/ For a more detailed description of AWS Compliance please see AWS Compliance page: https://aws.amazon.com/compliance/ Additionally, The AWS Overview of Security Processes Whitepaper covers AWS’ general security controls and service-specific security. Shared Responsibility Environment Moving IT infrastructure to AWS services creates a model of shared responsibility between the customer and AWS. This shared model can help relieve customer’s operational burden as AWS operates, manages and controls

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    87 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us