Compliance on AWS

Question 1

What are the three compliance standards noted for the AWS SysOps certification

Answer 1

PCI
ISO
HIPPA

Question 2

What does ISO stand for?

Answer 2

International Organization for Standards.

Question 3

Which ISO standard concerns AWS

Answer 3

ISO/IEC 27001:2005

Question 4

What is ISO/IEC 27001:2005

Answer 4

Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System within the context of the organization’s overall business risks.

Question 5

Is AWS ISO/IEC 27001:2005 compliant?

Answer 5

Yes.

Question 6

What does FedRAMP stand for?

Answer 6

The Federal Risk and Authorization Management Program.

Question 7

What is FedRAMP?

Answer 7

A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Question 8

What does HIPAA stand for?

Answer 8

Health Insurance Portability and Accountability Act of 1996

Question 9

What is HIPAA?

Answer 9

A law to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

Question 10

What does NIST stand for?

Answer 10

National Institute of Standards and Technology

Question 11

What does NIST do for compliance?

Answer 11

Provides a set of industry standards and best practices to help organizations manage cybersecurity risks.

Question 12

What does PCI stand for?

Answer 12

Payment Card Industry

Question 13

What standard does PCI use for securing data?

Answer 13

PCI DSS - Payment Card Industry Data Security Standard

Question 14

What is PCI DSS

Answer 14

A widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.

Question 15

What is the current PCI DSS version?

Answer 15

v3.2

Question 16

What is the primary goal of PCI DSS v3.2?

Answer 16

Build and maintain a secure network and system for payment card transactions.

Question 17

What is PCI DSS requirement 1?

Answer 17

Install and maintain a firewall configuration to protect cardholder data.

Question 18

What is PCI DSS requirement 2?

Answer 18

Do not use vendor-supplied defaults for system passwords and other security parameters

Question 19

What is PCI DSS requirement 3?

Answer 19

Protect stored cardholder data through measures such as rest encryption.

Question 20

What is data at rest?

Answer 20

data that is stored on long term media.

Question 21

What is data in transit?

Answer 21

Data that is communicated from one system to another.

Question 22

True or false: Data encryption and storage methods should be considered for both data at rest and data in transit?

Answer 22

True.

Question 23

What are methods that can be used to secure data at rest

Answer 23

Ensure strong encryption of data stored on media. Store data in databases, and encrypt databases where feasible.

Question 24

What are methods to secure data in transit?

Answer 24

Utilize transport layer security methods such as TLS, SSL, HTTPS.

Question 25

What is PCI DSS requirement 4?

Answer 25

Encrypt transmission of cardholder data across open, public networks.

Question 26

What is PCI DSS requirement 5?

Answer 26

Protect all systems against malware and regularly update anti-virus systems.

Question 27

What is PCI DSS requirement 6?

Answer 27

Develop and maintain secure systems and applications

Question 28

What is PCI DSS requirement 7?

Answer 28

Restrict access to cardholder data by business need to know.

Question 29

What is PCI DSS requirement 8?

Answer 29

Identify and authenticate access to system components

Question 30

What is PCI DSS requirement 9?

Answer 30

Restrict physical access to cardholder data

Question 31

What is PCI DSS requirement 10?

Answer 31

Track and monitor all access to network resources and cardholder data

Question 32

What is PCI DSS requirement 11?

Answer 32

Regularly test security systems and processes.

Question 33

What is PCI DSS requirement 12?

Answer 33

Maintain a policy that addresses information security for all personnel

Question 34

What is SAS70?

Answer 34

Statement on Auditing Standards no. 70

Question 35

What is SO1?

Answer 35

Service Organization Controls - Accounting Standards

Question 36

What is FISMA?

Answer 36

Federal Information Security Modernization Act

Question 37

What is FIPS 140-2?

Answer 37

US government standard for cryptograhic modules.

Question 38

How many rating levels does FIPS 140-2 maintain?

Answer 38

4, with 1 being the lowest, 4 being the highest.

Question 39

Does AWS key management service meet FIPS 140-2 level 3 requirements?

Answer 39

No.

Question 40

Which AWS service is rated for level 3 of FIPS 140-2?

Answer 40

Cloud HSM.

Question 41

What is the AWS URL for their compliance overview?

Answer 41

https://aws.amazon.com/compliance