Other Standards Flashcards
SOC
Service Organization Controls
A reporting framework that gives organizations the flexibility to be audited based on the needs of the particular organization.
Audit reports are performed in accordance with Statements on Standards for Attestation Engagements (SSAE).
Audits are performed by CPAs.
AICPA
American Institute of Certified Public Accountants
Manages the SSAE (Statements on Standards for Attestation Engagements)
SOC reports align to SSAE 18
SOC 1
SOC 1 is a control report that focuses strictly on an organization’s financial reporting controls
Primarily used by Auditors and Controller’s Offices
Extra info:
statements and a service organization’s controls that can impact a customer’s financial statements. A service organization that performs payroll or credit card processing would require a SOC 1 report.
SOC 2
SOC 2 reports evaluate an organization based on AICPA's five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. These reports are restricted to regulators and the company's management team, and are usually only shared under an NDA and a provider engagement (no contract and NDA, no SOC 2).
SOC 2 reports are tightly controlled, due to the sensitivity of their contents.
SOC 3
SOC 3 takes the same information contained in a SOC 2 report, but sensitive data about controls and tests is removed. In essence, a SOC 3 report will indicate whether an organization has demonstrated each of the five Trust Services Principles. SOC 3 reports are intended to be publicly available (usually for marketing).
PCI DSS - Description, Why was it created, What does it contain?
Payment Card Industry Data Security Standard
An information security standard that governs all organizations that accept, store, or transmit branded cardholder (credit/debit) data and/or sensitive authentication data from the major credit card companies (VISA, MC, AMEX, Discover).
There are 6 goals broken down into 12 requirements that an organization must meet to fulfill PCI DSS.
Seeks to standardize controls around cardholder data to reduce credit card fraud
List Goals of PCI DSS aligned to requirements
- Build and maintain a secure network and systems
1: Install and maintain a firewall configuration to protect cardholder data.
2: Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data
3: Protect stored cardholder data.
4: Encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program
5: Protect all systems against malware and regularly update anti-virus software or programs.
6: Develop and maintain secure systems and applications.
- Implement strong access control measures
7: Restrict access to cardholder data by business need to know.
8: Identify and authenticate access to system components.
9: Restrict physical access to cardholder data.
- Regularly monitor and test networks
10: Track and monitor all access to network resources and cardholder data.
11: Regularly test security systems and processes.
- Maintain an information security policy
12: Maintain a policy that addresses information security for all personnel.
FedRAMP
Federal Risk and Authorization Management Program: a US government-wide program established to create a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services.
Enforces NIST guidelines for any CSP that provides services to the USG.
NIST 800-145 Definition of Cloud Computing
Cloud computing is a MODEL for enabling ubiquitous, convenient, ON DEMAND NETWORK ACCESS to a SHARED POOL of configurable computing resources that can be rapidly PROVISIONED and released with MINIMAL management effort or SERVICE PROVIDER interaction.
List viewpoints of ISO 17789 CCRA
User View
Functional View
Implementation View
Deployment View
ISO 17789 CCRA User View
The system context, the parties, roles and sub-roles and cloud computing activities
ISO 17789 CCRA Functional View
The functions necessary for the support of cloud computing activities
ISO 17789 CCRA Implementation View
The functions necessary for the implementation of a cloud service within service parts and/or infrastructure parts
ISO 17789 CCRA Deployment View
How the functions of a cloud service are technically implemented within already existing infrastructure or within new elements to be introduced in the infrastructure
List 4 Functional Layers of ISO 17789 CCRA
User Layer
Access Layer
Service Layer
Resource Layer
Define ISO 17789 CCRA User Layer
Functional components supporting activities of the cloud service partners (CSN) and cloud service customers (CSC)
Define Access Layer of ISO 17789 CCRA
Functional components that facilitate DISTRIBUTION and INTERCONNECTION
Define Service Layer of ISO 17789 CCRA
Functional components that provide the cloud service plus related administration and business capabilities; and the orchestration capability necessary to realize them
Define Resource Layer of ISO 17789 CCRA
Functional components that represent the resources needed to implement the cloud computing system