HIPAA Communications and Operations Management Questions to consider

Are servers hardened according to a pre-defined, documented configuration standard? If YES, please describe the standard.
Servers adhere to the CIS Amazon Linux standards as specified here.

Are policies, procedures and technical controls in place to protect against malicious code such as viruses, worms and spyware?
You can leverage tools like BitDefender for servers and Symantec Client Security 2.0 for laptops.

Are desktop and server antivirus signatures updated daily? If NO, please note any other frequency.

Is there a process in place to identify and promptly distribute vendor security patches? If YES, please describe the process, including how vulnerabilities are monitored and assessed.
On the server, security updates are provided via the Amazon Linux AMI yum repositories as well as via updated Amazon Linux AMIs.

Is there a documented change management process that covers both systems infrastructure and application programs? If YES, please describe the process.
Atlassian’s Jira can be used for change management for system infrastructure and application programs.

Do you have physically or logically separated environments for development, test and operations?
For each deployment, create separate environments for development, staging, and production.

Is your company separated from the internet by a firewall? If YES, please describe the firewall protection and management process.
On cloud servers, network firewall management and Amazon’s anti-virus program are reviewed by independent third-party auditors as part of AWS ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP(SM). In addition, leverage security group firewalls between Aptible layers.

Are the company’s web servers, application servers and databases in separate physical tiers? If YES, please describe the tiers applicable to the services in scope.
You can leverage Amazon’s Virtual Private Clouds to create logically isolated sections.

Employees? Please describe the controls.
Third party suppliers? Please describe the controls.
In terms of accessing the cloud at Aptible, all access is remote access. Leverage Symantec Client Security 2.0 on laptops.

Is data logically and/or physically segregated in order to properly identify and control access to data from separate customers?
In Amazon VPCs, ACLs act like network firewalls and control access at the subnet level. For those customers who want to be single tenant with their data physically separated, use a configuration typically with a separate EC2 instance and separate dedicated storage.

Is network and host-based IDS deployed on all internet connections, servers and workstations?
In the cloud, the AWS incident response program (detection, investigation and response to incidents) has been developed in alignment with the ISO 27001 standard. On the workstations, you can leverage Symantec Client Security for IDS.

Do you retain audit logs of user activity?
The AWS SOC 1 Type II report provides details on the specific control activities executed by AWS.

Do you keep and review logs of System Administrator and Operator activity? If yes, how long are these retained?
You can leverage CloudTrail to monitor such activity and Aptible for logging and auditing of all API calls.

Is the transfer of personal information to/from the organization protected by encryption? If yes, describe the encryption methods and algorithms used.
All communication can be done via SSL/TLS with AES-256 encryption.

Is the company’s data processed or stored on any of the following devices:
- USB thumb drives, CD/DVD, other flash memory? If yes, describe the encryption methods and algorithms used.
  Can use Symantec Data Loss Prevention, AES-256.
- Laptop, notebook or netbook computers? If yes, describe the encryption methods and algorithms used.
- PDAs, tablets, and smart phones (e.g. Blackberry, iPhone, iPad, Android)? If yes, describe the encryption methods and algorithms used. If NO, please describe the compensating controls.
- Back-up tapes? If yes, describe the encryption methods and algorithms, including key management.
  Can use AES-256, AWS Key Management Service.

Is data regularly backed up in accordance with a written policy? If yes, please describe the process.
Data that is stored to S3 is stored across multiple availability zones and is encrypted.

Are backup media protected in transit and when outside the organization’s boundaries? If yes, please describe the process.
Need to back up to multiple availability zones in different geographic regions.
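The two audit-log questions above (user activity, and System Administrator and Operator activity) are answered with CloudTrail. As an added example, not part of the original questionnaire or of Aptible's tooling, the following script performs the kind of review those questions ask for, offline over a few constructed CloudTrail records: it keeps only write (non-read-only) API calls made by human principals and summarises them per principal, so root usage and denied privileged attempts stand out. Field names follow the CloudTrail record format; the sample records and the account id in them are made up.

```python
import json
from collections import defaultdict

# Constructed sample in CloudTrail's {"Records": [...]} shape (not real trail output).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-05T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-05T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-05T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-01-05T10:03:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "readOnly": False, "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob"}},
    {"eventTime": "2024-01-05T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "readOnly": False,
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
]})

# Identity types that correspond to a person (or a person's session), not an AWS service.
HUMAN_TYPES = {"IAMUser", "Root", "AssumedRole", "FederatedUser"}


def principal_of(identity):
    """Label the acting principal: ROOT, the IAM user name, or the role session name."""
    if identity.get("type") == "Root":
        return "ROOT"
    if "userName" in identity:
        return identity["userName"]
    # For AssumedRole the ARN ends in .../<role-name>/<session-name>.
    return identity.get("arn", "unknown").rsplit("/", 1)[-1]


def review_admin_activity(trail_json):
    """Per human principal: number of write API calls, how many were denied,
    and the service:action pairs, for a reviewer to scan instead of raw records."""
    summary = defaultdict(lambda: {"writes": 0, "denied": 0, "actions": []})
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if ident.get("type") not in HUMAN_TYPES or rec.get("readOnly", False):
            continue  # service principals and read-only calls are not admin activity
        entry = summary[principal_of(ident)]
        entry["writes"] += 1
        entry["actions"].append(f'{rec["eventSource"]}:{rec["eventName"]}')
        if "errorCode" in rec:
            entry["denied"] += 1
    return dict(summary)
```

Run against a real trail by feeding it the contents of a CloudTrail log file instead of SAMPLE_TRAIL; the retention question is then a matter of how long the S3 bucket or CloudWatch Logs group holding those files keeps them.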