Compliance on AWS Flashcards
What are the three compliance standards noted for the AWS SysOps certification?
PCI
ISO
HIPAA
What does ISO stand for?
International Organization for Standards.
Which ISO standard concerns AWS?
ISO/IEC 27001:2005
What is ISO/IEC 27001:2005?
Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System within the context of the organization’s overall business risks.
Is AWS ISO/IEC 27001:2005 compliant?
Yes.
What does FedRAMP stand for?
The Federal Risk and Authorization Management Program.
What is FedRAMP?
A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
What does HIPAA stand for?
Health Insurance Portability and Accountability Act of 1996
What is HIPAA?
A law to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
What does NIST stand for?
National Institute of Standards and Technology
What does NIST do for compliance?
Provides a set of industry standards and best practices to help organizations manage cybersecurity risks.
What does PCI stand for?
Payment Card Industry
What standard does PCI use for securing data?
PCI DSS - Payment Card Industry Data Security Standard
What is PCI DSS?
A widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.
What is the current PCI DSS version?
v3.2
What is the primary goal of PCI DSS v3.2?
Build and maintain a secure network and system for payment card transactions.
What is PCI DSS requirement 1?
Install and maintain a firewall configuration to protect cardholder data.
What is PCI DSS requirement 2?
Do not use vendor-supplied defaults for system passwords and other security parameters
What is PCI DSS requirement 3?
Protect stored cardholder data through measures such as encryption at rest.
What is data at rest?
Data that is stored on long-term media.
What is data in transit?
Data that is communicated from one system to another.
True or false: Data encryption and storage methods should be considered for both data at rest and data in transit?
True.
What are methods that can be used to secure data at rest?
Ensure strong encryption of data stored on media. Store data in databases, and encrypt databases where feasible.
What are methods to secure data in transit?
Utilize transport layer security methods such as TLS, SSL, HTTPS.
What is PCI DSS requirement 4?
Encrypt transmission of cardholder data across open, public networks.
What is PCI DSS requirement 5?
Protect all systems against malware and regularly update anti-virus systems.
What is PCI DSS requirement 6?
Develop and maintain secure systems and applications
What is PCI DSS requirement 7?
Restrict access to cardholder data by business need to know.
What is PCI DSS requirement 8?
Identify and authenticate access to system components
What is PCI DSS requirement 9?
Restrict physical access to cardholder data
What is PCI DSS requirement 10?
Track and monitor all access to network resources and cardholder data
What is PCI DSS requirement 11?
Regularly test security systems and processes.
What is PCI DSS requirement 12?
Maintain a policy that addresses information security for all personnel
What is SAS70?
Statement on Auditing Standards no. 70
What is SOC 1?
Service Organization Controls - Accounting Standards
What is FISMA?
Federal Information Security Modernization Act
What is FIPS 140-2?
US government standard for cryptographic modules.
How many rating levels does FIPS 140-2 maintain?
4, with 1 being the lowest and 4 the highest.
Does AWS Key Management Service meet FIPS 140-2 Level 3 requirements?
No.
Which AWS service is rated for Level 3 of FIPS 140-2?
CloudHSM.
What is the AWS URL for their compliance overview?
https://aws.amazon.com/compliance