SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS


Jeff Cook
November 2015

Summary

Service Organization Control (SOC) reports (formerly SAS 70 or SSAE 16) are designed to help service organizations that operate information systems (and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant (CPA). Each type of SOC report is designed to help service organizations meet specific user needs.

If you are leveraging Amazon Web Services (AWS) as a platform for your cloud offering (SaaS/PaaS), this FAQ will help you:

- Understand the value of SOC reporting
- Understand what AWS SOC validations can be leveraged
- Understand how your SOC audit would be affected by leveraging AWS

What You Need To Know for SOC Audits

Question - Who does SOC apply to?

Answer - There are various roles in relation to SOC. Here are the common terms you will hear:

- Service Organization: an entity that possesses, stores, or handles information or transactions on behalf of its customers (user entities)
- User Entity: the company that outsources its information or business processes to a service organization
- Service Auditor: a CPA firm that reports on the controls of a service organization
- User Auditor: a CPA firm that audits a user entity that uses the service organization

Question - What are the different SOC reports?

Answer - There are 3 different versions of SOC reports: SOC 1 (formerly SSAE 16), SOC 2, and SOC 3. Each report serves a different purpose, which is summarized below:

SOC 1
- Intended users of the report: Management of the service organization; user entities; user auditors
- Business need: Audit of the financial statements of user entities
- What: Controls relevant to user entity financial reporting (e.g., payroll processing)

SOC 2
- Intended users of the report: Management of the service organization; user entities; user auditors; regulators; other
- Business need: Audit of the financial statements of user entities; meeting governance, risk, and compliance programs; oversight; due diligence
- What: Controls relevant to a service organization system's security, availability, processing integrity, confidentiality, or privacy

SOC 3
- Intended users of the report: Any users with need for confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization's system
- Business need: Marketing purposes; general public information; detail not needed
- What: Seal and report on controls

Question - As a Cloud Service Provider (CSP), how do I know which SOC report is right for me?

Answer - The AICPA (2015) summarized the need for SOC reports in the following table:

HOW TO IDENTIFY THE RIGHT SOC REPORT FOR MY ORGANIZATION?

- Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer's financial statements? Yes: SOC 1 Report
- Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? Yes: SOC 1 Report
- Will the report be used by your customers or stakeholders to gain confidence and place trust in your organization's systems or fulfill contractual obligations? Yes: SOC 2 or 3 Report
- Do you need to make the report generally available or seal? Yes: SOC 3 Report
- Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? Yes: SOC 2 Report. No: SOC 3 Report

Question - What is the difference between a Type 1 and Type 2 report?

Answer - A type 1 report focuses on the description of a service organization's system, related control objectives, and the suitability of controls to achieve those objectives as of a specified point in time.

A type 2 report contains the same information as a type 1 report with the addition of an assessment of the operating effectiveness of the controls to achieve the control objectives included in the description throughout a specified period of time. A type 2 report also includes a detailed description of the service auditor's tests of controls and results over that period of time.

Question - What are the trust principles for SOC 2 and 3?

Answer - Trust services are a set of services based on a core set of criteria that address the risks and opportunities of IT-enabled systems and/or privacy programs. A service organization can choose to report on any of the trust principles for a SOC 2 engagement.

The following criteria are used in SOC 2 and 3 trust services engagements:

- Security - The system is protected against unauthorized access (both physical and logical).
- Availability - The system is available for operation and use as committed or agreed.
- Processing Integrity - System processing is complete, accurate, timely, and authorized.
- Confidentiality - Information designated as confidential is protected as committed or agreed.
- Privacy - Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA (Chartered Accountants of Canada).

What You Need To Know for SOC and AWS

Question - What SOC reports has AWS performed and what do they do?

Answer - There are three types of AWS SOC reports (all are 6-month reports covering 10/1-3/31 and 4/1-9/30):

AWS SOC 1: A description of the AWS control environment and external audit of AWS defined controls and objectives

  o Focuses on AWS's processes and controls relevant to their customers' financial reporting. Many AWS customers use the AWS SOC 1 as a part of their Sarbanes-Oxley efforts and other security and compliance initiatives where key controls operated by AWS are evaluated and validated.
  o Attests that the AWS control objectives are appropriately designed and the controls safeguarding customer data are operating effectively. The AWS SOC 1 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Dublin), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) that support in-scope services. These regions include AWS edge regions, of which more detail can be found here: https://aws.amazon.com/about-aws/global-infrastructure/.
  o Purpose is to provide information to customers and their auditors about AWS' control environment that may be relevant to their internal controls over financial reporting and their assessment and opinion of the effectiveness of those controls.

  o AWS Partner Consideration: The AWS SOC 1 report potentially serves your organization for the determination of AWS as a subservice organization related to your system, and also how your company monitors the controls of AWS as a subservice organization (see below for further discussion of subservice organizations).

AWS SOC 2: Security and Availability Principles

  o This report is leveraged by a wide range of AWS customers, including but not limited to customers in the technology, healthcare, banking, and financial services industries. This report is leveraged to meet a wide range of security control and compliance requirements based on the AICPA's mature industry control criteria.
  o An evaluation of the design and operating effectiveness of controls that meet the criteria for the security and availability principles. This report provides additional transparency into AWS security and availability based on a defined industry standard and further demonstrates AWS' commitment to protecting customer data. The AWS SOC 2 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Dublin), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) that support in-scope services. These regions include AWS edge regions, of which more detail can be found here: https://aws.amazon.com/about-aws/global-infrastructure/.
  o The purpose is to provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security.
  o AWS Partner Consideration: The AWS SOC 2 report potentially serves your organization for the determination of AWS as a subservice organization related to your system, and also how your company monitors the controls of AWS as a subservice organization (see below for further discussion of subservice organizations).

AWS SOC 3: Security and Availability Principles (the AWS SOC 3 report is publicly available here: https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf)

  o A summarized version of the SOC 2 report that enables you to validate that AWS has completed a favorable independent audit against the AICPA's Security Trust Principles.

  o The report includes the external auditor's opinion of the operation of controls (based on the Trust Principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS Infrastructure and Services. The AWS SOC 3 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Dublin), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) that support in-scope services. These regions include AWS edge regions, of which more detail can be found here: https://aws.amazon.com/about-aws/global-infrastructure/. This is a great resource for customers to validate that AWS has obtained external auditor assurance without going through the process to request a SOC 2 report.
  o The purpose is to provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security without disclosing AWS internal information.
  o AWS Partner Consideration: The AWS SOC 3 report potentially serves your organization for the determination of AWS as a subservice organization related to your system, however more detail would be needed (a SOC 2 report) in order to monitor the controls of AWS as a subservice organization (see below for further discussion of subservice organizations).

Question - What AWS services are in scope for the SOC reports?

Answer -

- AWS CloudFormation
- AWS CloudHSM
- AWS CloudTrail
- AWS Direct Connect
- Amazon DynamoDB
- Amazon EC2 VM Import/Export
- Amazon Elastic Beanstalk
- Amazon Elastic Block Store (EBS)
- Amazon ElastiCache
- Amazon Elastic Compute Cloud (EC2)
- Amazon Elastic Load Balancing (ELB)
- Amazon Elastic MapReduce (EMR)
- Amazon Glacier
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- Amazon Redshift
- Amazon Relational Database Service (RDS)
- Amazon Route 53
- Amazon SimpleDB
- Amazon Simple Email Service (SES)
- Amazon Simple Storage Service (S3)
- Amazon Simple Workflow (SWF)
- Amazon Simple Queue Service (SQS)
- AWS Storage Gateway
- Amazon Virtual Private Cloud (VPC)
- Amazon WorkSpaces

As always, AWS moves quickly in adding services, so check in with your AWS account representative periodically to confirm the latest services covered under these SOC boundary validations.

Question - How do I request an AWS SOC 1 or 2 report?

Answer - You can request an AWS SOC 1 or SOC 2 Report through your Business Development representative. Don't have one? You can request one here.

Question - Why do the AWS SOC 2 and SOC 3 reports only include the trust principles of security and availability?

Answer - Because the nature of AWS services is to provide its customers a virtualized platform to use for their services, the most critical principles as they relate to AWS customers would be the security of the AWS environment and making sure that the AWS environment is available for use. AWS in these situations is not processing your organization's (or user entity) data, therefore the other trust principles are excluded.

AWS Partner Consideration: The determination of what trust principles your organization is to report on should be based on the needs of your customers and what they would want to know about your system. Using the AWS platform will provide some insight as to the use of a subservice organization (discussed below) for your system, but ultimately, your consideration of the appropriate trust principles for your report should be independent of what AWS reports on.

Question - Does that mean I don't need to perform any work for the principles of security and availability?

Answer - NO! Your organization would still need to have a description of the system and related controls for security and availability at your level as it relates to the needs of your user entities (customers). If your organization is processing data, you may also have to include the principles of processing integrity and confidentiality (and if you handle PII, privacy). The controls related to those trust principles would also have to be tested in the case of a type 2 report.

Question - What control objectives does the AWS SOC 1 provide?

Answer - The report itself identifies the control activities that support each of these objectives and the independent auditor's results of their testing procedures of each control.

- Security Organization: Controls provide reasonable assurance that information security policies have been implemented and communicated throughout the organization.
- Amazon User Access: Controls provide reasonable assurance that procedures have been established so that Amazon user accounts are added, modified and deleted in a timely manner and are reviewed on a periodic basis.
- Logical Security: Controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted and access to customer data is appropriately segregated from other customers.
- Secure Data Handling: Controls provide reasonable assurance that data handling between the customer's point of initiation to an AWS storage location is secured and mapped accurately.
- Physical Security and Environmental Safeguards: Controls provide reasonable assurance that physical access to Amazon's operations building and the data centers is restricted to authorized personnel and that procedures exist to minimize the effect of a malfunction or physical disaster to the computer and data center facilities.
- Change Management: Controls provide reasonable assurance that changes (including emergency / non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.
- Data Integrity, Availability and Redundancy: Controls provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.
- Incident Handling: Controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved.

Question - If we are leveraging AWS, what considerations do I have for my SOC audit?

Answer - If you are using AWS services, you would have to follow the guidance from the AICPA for the consideration of subservice organizations. Per the AICPA, a vendor (AWS) is considered a sub-service organization only if:

- the services provided by the vendor are likely to be relevant to the user's understanding of the service organization's system as it relates to the principle included in the scope of the engagement, and
- the service organization is relying on controls at the subservice organization to meet one or more of the applicable trust services criteria.

For example, if AWS is responsible for monitoring server capacity and usage and projecting future capacity demands based on historical trends, the controls at AWS may be needed for your organization to meet its availability commitments and, consequently, the applicable trust services criteria for the availability principle. However, controls at AWS may not be needed if your organization independently performs high-level capacity monitoring and reviews the future capacity demands projected by AWS for appropriateness.

In some instances, a service organization may stipulate in its contract with a vendor that the vendor perform certain controls that the service organization believes are necessary to address the risks related to the vendor's services. When a service organization has determined that its controls alone meet the applicable trust services criteria or that its monitoring of the vendor's services is sufficient to meet the applicable trust services criteria, the service auditor evaluates the suitability of the design of the service organization's controls over the services provided by the vendor in meeting the applicable trust services criteria and in a type 2 report tests the operating effectiveness of those controls or the monitoring performed by the service organization.

Question - We've determined that AWS is a subservice organization relevant to our SOC report, now what?

Answer - If AWS is a subservice organization, you will have to determine if the carve-out or inclusive method of reporting will be performed for your description of your system.

Carve-out Method: When the carve-out method is used, your description of your organization's system identifies the nature of the services and functions performed by the subservice organization (AWS) and the types of controls that you expect to be implemented at AWS but excludes details of the AWS system and controls. Your description does not include the detailed processing or controls at AWS. Your description prepared using the carve-out method generally is most useful if the services provided by you are not extensive or if a type 1 or type 2 report that meets the needs of user entities is available from AWS.

Inclusive Method: When the inclusive method is used, your description of the AWS system includes a description of the nature of the services and functions performed by AWS, as well as the applicable trust services criteria and controls implemented by AWS. Your controls are presented separately from those of AWS. Although the inclusive method provides more information for user entities, it may not be appropriate or feasible in all circumstances. In determining which approach to use, you should consider (a) the nature and extent of the information about AWS that user entities may need and (b) the practical difficulties entailed in implementing the inclusive method. The inclusive method is difficult to implement in certain circumstances because the approach entails extensive planning and communication among the service auditor, your service organization, and AWS.

With Either Method: Regardless of which method is used, your description should include controls at your organization that monitor the services provided by AWS. Examples of monitoring controls include testing performed by your internal audit function at AWS, reviewing output reports, holding periodic discussions with AWS, making site visits to AWS, and reviewing reports on the AWS system (SOC reports).

Question - What other considerations are there for CSPs using AWS infrastructure?

Answer - Considerable judgment is necessary to identify the boundaries of the system based on the services provided by AWS. In the cloud environment, concerns arise from the dynamic nature of the architecture itself. The ability of your offering to rapidly expand, through the use of subservice organizations, or contract, by decommissioning virtualized components, may present you with unique challenges.

In evaluating the boundaries of the system, you should begin by considering the broadest boundaries of the system. These broad boundaries may encompass multiple subservice organizations or the subservice organizations of AWS. If the boundaries of your system are defined too narrowly, you have to consider whether your report will be meaningful and useful to user entities.

Due to the complexity of cloud services, the challenge of defining the boundaries of your system often goes beyond the usual considerations in a SOC 2 engagement. You also have to understand the architecture involved. The risks to you include failure to identify all the third parties that have potential access to client data or subservice organizations that share responsibility for implementing controls necessary to achieve the applicable trust services criteria. A SaaS provider, for example, may itself use services from an IaaS, which may sometimes outsource its overflow to a subservice organization. These multiple levels of providers would be a particular concern if, for example, you are contractually or otherwise bound to limit access to protected information to a contractually identified group of personnel.

Other Information for SOC

Question - Who can perform SOC audits?

Answer - SOC engagements were developed by the CPA profession, which has long been a thought leader in assurance engagements. CPAs are the premier providers of SOC reports for service organizations that must reassure users about their systems. As provided from the AICPA, here are some reasons why you would choose a CPA as a trusted provider of SOC reports:

Question - Are there independence considerations for firms providing SOC support?

Answer - Yes, independence is required by the AICPA Code of Professional Conduct for examination engagements. The AICPA has also issued a plain English guide to independence found here: uments/plain%20english%20guide.pdf

While there are other considerations for independence listed in the guide, the largest requirement affecting SOC is the assumption of management responsibilities. An attest (audit) client must agree to assume certain responsibilities related to nonattest services (advisory) provided in order for independence to be maintained (including management responsibilities, oversight, evaluation, and acceptance of responsibility for results).

Question - How long do most SOC audits take?

Answer - Most SOC Type 1 audits are fairly quick to turn around. Because the audit is performed at a point in time and only requires an audit opinion on the description and design of controls, a Type 1 audit can usually take 1-2 months (assuming all documentation, system descriptions, and controls are written and ready for audit).

A SOC Type 2 audit will take longer, and its duration is directly related to the audit period for the Type 2 report. For example, a 12-month Type 2 audit will take place primarily toward the end of the period, but there is testing that needs to be performed throughout the period (usually at certain points chosen by the auditor). The report itself can typically be expected within 1-2 months after the end of the period.

Question - What is the best approach to determine SOC readiness/success?

Answer - As with many other IT assessments, a gap analysis would provide your organization with a high-level initial review of your system and related documentation in order to determine your readiness for a SOC audit. The results of a gap analysis performed by a qualified firm can provide you the strategic roadmap you need to get your organization ready for your audit with minimal exceptions in the report. For further information about the approach for SOC, see the following whitepaper:

Question - My organization already has other IT assessments being performed (FISMA, FedRAMP, ISO, HIPAA, etc.). Is there potential for re-use of that information?

Answer - Yes! SOC shares many common objectives with other IT assessments and there is potential for re-use of your policies/procedures and other control documentation to repurpose for SOC. A gap analysis (as discussed above) can help determine the amount of re-use you have, saving your organization time and money.

Navigating the complexities of cloud ecosystems can be a daunting task. Understanding the boundaries around what regulatory bodies are applicable, how and where they apply, and what preparation is needed to be successful are key elements of a successful SOC audit. If you have any questions and wish to speak further, feel free to send an inquiry and we can assist on how SOC and the AWS ecosystem come together.

Jeff Cook
Manager, Strategic Accounts
Veris Group, LLC


More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770 Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com SAS 70 Background 2 SAS No. 70 Reports on the Processing of Transactions by Service Organizations Independent examination

More information

Cloud Computing An Auditor s Perspective

Cloud Computing An Auditor s Perspective Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,

More information

Ayla Networks, Inc. SOC 3 SysTrust 2015

Ayla Networks, Inc. SOC 3 SysTrust 2015 Ayla Networks, Inc. SOC 3 SysTrust 2015 SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT July 1, 2015 To December 31, 2015 Table of Contents SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 2 SECTION 2

More information

Frequently asked questions: SOC 2 and 3

Frequently asked questions: SOC 2 and 3 1. Is the licensing requirement for a SOC 2 or 3 different than for a SOC 1? SOC reports are attestation reports issued in accordance with AICPA standards. Therefore, licensing requirements are the same

More information

Using ArcGIS for Server in the Amazon Cloud

Using ArcGIS for Server in the Amazon Cloud Federal GIS Conference February 9 10, 2015 Washington, DC Using ArcGIS for Server in the Amazon Cloud Bonnie Stayer, Esri Amy Ramsdell, Blue Raster Session Outline AWS Overview ArcGIS in AWS Cloud Builder

More information

CLOUD COMPUTING WITH AWS An INTRODUCTION. John Hildebrandt Solutions Architect ANZ

CLOUD COMPUTING WITH AWS An INTRODUCTION. John Hildebrandt Solutions Architect ANZ CLOUD COMPUTING WITH AWS An INTRODUCTION John Hildebrandt Solutions Architect ANZ AGENDA Todays Agenda Background and Value proposition of AWS Global infrastructure and the Sydney Region AWS services Drupal

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

AWS Cloud for HPC and Big Data

AWS Cloud for HPC and Big Data AWS Cloud for HPC and Big Data David Pellerin, Business Development Principal IDC HPC User Forum September 16, 2014 AWS Regions US West (Oregon) US West (Northern California) GovCloud (ITAR Compliance)

More information

Using AWS in the context of Australian Privacy Considerations October 2015

Using AWS in the context of Australian Privacy Considerations October 2015 Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview

More information

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,

More information

SOC 3 for Security and Availability

SOC 3 for Security and Availability SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2013 through September 30, 2014 Independent SOC 3 Report for the Security and Availability Trust

More information

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 Table of Contents A Short History of SAS 70 Overview of SSAE 16 and ISAE 3402

More information

Service Organization Control Reports

Service Organization Control Reports SAS 70 ENDS EXIT TO SSAE 16 Service Organization Control Reports What Did We Learn from Year One? Agenda Definitions Service Organization Reports What are they? Year One Experiences SSAE 16 Year One Experiences

More information

AIST Data Symposium. Ed Lenta. Managing Director, ANZ Amazon Web Services

AIST Data Symposium. Ed Lenta. Managing Director, ANZ Amazon Web Services AIST Data Symposium Ed Lenta Managing Director, ANZ Amazon Web Services Why are companies adopting cloud computing and AWS so quickly? #1: Agility The primary reason businesses are moving so quickly to

More information

Expand Your Infrastructure with the Elastic Cloud. Mark Ryland Chief Solutions Architect Jenn Steele Product Marketing Manager

Expand Your Infrastructure with the Elastic Cloud. Mark Ryland Chief Solutions Architect Jenn Steele Product Marketing Manager Expand Your Infrastructure with the Elastic Cloud Mark Ryland Chief Solutions Architect Jenn Steele Product Marketing Manager Today we re going to talk about The Cloud Scenarios Questions You Probably

More information

Amazon Web Services. 18.11.2015 Yu Xiao

Amazon Web Services. 18.11.2015 Yu Xiao Amazon Web Services 18.11.2015 Yu Xiao Agenda Introduction to Amazon Web Services(AWS) 7 Steps to Select the Right Architecture for Your Web Applications Private, Public or Hybrid Cloud? AWS Case Study

More information

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

Anypoint Platform Cloud Security and Compliance. Whitepaper

Anypoint Platform Cloud Security and Compliance. Whitepaper Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.

More information

Amazon Web Services. 2015 Annual ALGIM Conference. Tim Dacombe-Bird Regional Sales Manager Amazon Web Services New Zealand

Amazon Web Services. 2015 Annual ALGIM Conference. Tim Dacombe-Bird Regional Sales Manager Amazon Web Services New Zealand Amazon Web Services 2015 Annual ALGIM Conference Tim Dacombe-Bird Regional Sales Manager Amazon Web Services New Zealand 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda Who

More information

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security For the Period January 1, 2015 through June 30, 2015 SOC 3 SM SOC 3 is a service

More information

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD Agenda Cloud Computing Technical Overview Cloud Related Applications Identified Risks Assessment Criteria Cloud Computing What Is It? National

More information

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report Service Organization Controls Managing Risks by Obtaining a Service Auditor s Report Contributing Authors Audrey Katcher, CPA, CITP, Partner at RubinBrown, LLP Janis Parthun, CPA, CITP, Sr. Technical Manager

More information

Using ArcGIS for Server in the Amazon Cloud

Using ArcGIS for Server in the Amazon Cloud Using ArcGIS for Server in the Amazon Cloud Randall Williams, Esri Subrat Bora, Esri Esri UC 2014 Technical Workshop Agenda What is ArcGIS for Server on Amazon Web Services Sounds good! How much does it

More information

CAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING?

CAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING? CAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING? Ameer Pichan School of Electrical Engineering & Computing Curtin University, Australia What is it? Similar to other services net r

More information

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Agenda 1) A brief perspective on where SOC 3 originated

More information

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud Simone Brunozzi, AWS Technology Evangelist, APAC Fortress in the Cloud AWS Cloud Security Model Overview Certifications & Accreditations Sarbanes-Oxley (SOX) compliance ISO 27001 Certification PCI DSS

More information

Druva Phoenix: Enterprise-Class. Data Security & Privacy in the Cloud

Druva Phoenix: Enterprise-Class. Data Security & Privacy in the Cloud Druva Phoenix: Enterprise-Class Data Security & Privacy in the Cloud Advanced, multi-layer security to provide the highest level of protection for today's enterprise. Table of Contents Overview...3 Cloud

More information

Information for Management of a Service Organization

Information for Management of a Service Organization Information for Management of a Service Organization Copyright 2015 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure

More information

Goodbye, SAS 70! Hello, SSAE 16!

Goodbye, SAS 70! Hello, SSAE 16! Goodbye, SAS 70! Hello, SSAE 16! A Session to Provide Insight on the New Standard and What Service Providers and End-Users Need to Know January 3, 2012 Agenda Introduction Background on what was SAS 70

More information

A Most Simple Cloud. Is Amazon RDS for Oracle Right for You? Jeremiah Wilton, Principal Consultant. June, 2014

A Most Simple Cloud. Is Amazon RDS for Oracle Right for You? Jeremiah Wilton, Principal Consultant. June, 2014 A Most Simple Cloud Is Amazon RDS for Oracle Right for You? Jeremiah Wilton, Principal Consultant June, 2014 Jeremiah Wilton wilton@pythian.com @oradebug Working with Oracle since 1994 (v.5) Amazon s first

More information

Pega as a Service. Kim Singletary, Dir. Product Marketing Cloud Matt Yanchyshyn, Sr. Mgr., AWS Solutions Architect

Pega as a Service. Kim Singletary, Dir. Product Marketing Cloud Matt Yanchyshyn, Sr. Mgr., AWS Solutions Architect 1 Pega as a Service Kim Singletary, Dir. Product Marketing Cloud Matt Yanchyshyn, Sr. Mgr., AWS Solutions Architect This information is not a commitment, promise or legal obligation to deliver any material,

More information

Service Organization Control (SOC) Reports

Service Organization Control (SOC) Reports Service Organization Control (SOC) Reports Transitioning from SAS 70 to SSAE 16 Deloitte & Touche LLP Agenda Overview SAS 70/SSAE 16 Historical Perspective The New Framework Under SSAE 16 (SOC 1) Impact

More information

Cloud models and compliance requirements which is right for you?

Cloud models and compliance requirements which is right for you? Cloud models and compliance requirements which is right for you? Bill Franklin, Director, Coalfire Stephanie Tayengco, VP of Technical Operations, Logicworks March 17, 2015 Speaker Introduction Bill Franklin,

More information

Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH

Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH Crypto-Options on AWS Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH Amazon.com, Inc. and its affiliates. All rights reserved. Agenda

More information

The Evolution of Media Workflows

The Evolution of Media Workflows The Evolution of Media Workflows 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com,

More information

TECH INSIGHTS TRUST AND TRANSPARENCY IN A CLOUDY WORLD. IT advisory services

TECH INSIGHTS TRUST AND TRANSPARENCY IN A CLOUDY WORLD. IT advisory services TECH INSIGHTS IT advisory services TRUST AND TRANSPARENCY IN A CLOUDY WORLD Service Organization Controls (SOC) Reporting for Financial and Data Security In a world of cloud computing and business process

More information

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Acquia Comments on EU Recommendations for Data Processing in the Cloud Acquia Comments on EU Recommendations for Data Processing in the Cloud Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

www.boost ur skills.com

www.boost ur skills.com www.boost ur skills.com AWS CLOUD COMPUTING WORKSHOP Write us at training@boosturskills.com BOOSTURSKILLS No 1736 1st Amrutha College Road Kasavanhalli,Off Sarjapur Road,Bangalore-35 1) Introduction &

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

Enterprise Cloud Computing with AWS. for internal partner use only

Enterprise Cloud Computing with AWS. for internal partner use only Enterprise Cloud Computing with AWS for internal partner use only How did Amazon Get into Cloud Computing? On-Premise Infrastructure is Costly & Complex Large Capital Expenditures Patching Software Scaling

More information

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards A Member of OneBeacon Insurance Group SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards Author: Jack Fletcher, Risk Control Technology Specialist Published: November 2014 Executive

More information

G24 - SAS 70 Practices and Developments Todd Bishop

G24 - SAS 70 Practices and Developments Todd Bishop G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS

More information

AWS Storage: Minimizing Costs While Retaining Functionality

AWS Storage: Minimizing Costs While Retaining Functionality AWS Storage: Minimizing Costs While Retaining Functionality This whitepaper, the second in our Cost Series, discusses persistent storage with Amazon Web Services. It will focus upon Elastic Block Store

More information

PATCH MANAGER what does it do?

PATCH MANAGER what does it do? PATCH MANAGER what does it do? PATCH MANAGER SAAS maps all your physical assets and physical infrastructure such as network and power cabling, racks, servers, switches, UPS and generators. It provides

More information

Securing Amazon It s a Jungle Out There

Securing Amazon It s a Jungle Out There ANALYST BRIEF Securing Amazon It s a Jungle Out There PART 1 CONTROLS AND OPTIONS OFFERED BY AMAZON Author Rob Ayoub Overview Infrastructure as a service (IaaS) is a foundational component of modern cloud

More information

Famly ApS: Overview of Security Processes

Famly ApS: Overview of Security Processes Famly ApS: Overview of Security Processes October 2015 Please consult http://famly.co for the latest version of this paper Page 1 of 10 Table of Contents 1. INTRODUCTION TO SECURITY AT FAMLY... 3 2. PHYSICAL

More information

Cloud and the future of Unemployment Sean Rhody, CTO Capgemini Government Solutions

Cloud and the future of Unemployment Sean Rhody, CTO Capgemini Government Solutions Cloud and the future of Unemployment Sean Rhody, CTO Capgemini Government Solutions Agenda Current State Frustrations Evolving Tax Solutions PaaS, SaaS, IaaS and you Changing the Model Q&A 1 Current State

More information

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 2

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 2 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 2 Agenda 1) A brief perspective on where SOC 2 originated

More information

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Protecting your brand in the cloud Transparency and trust through enhanced reporting Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business

More information

Hans Bos Microsoft Nederland. hans.bos@microsoft.com

Hans Bos Microsoft Nederland. hans.bos@microsoft.com Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party

More information

LONDON. 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

LONDON. 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved LONDON 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved Best Practices for Building Partner Managed Services on AWS Kelly Hartman, Global Segment Leader, MSPs Kyle Lichtenberg, Solutions

More information

Thing Big: How to Scale Your Own Internet of Things. Walter'Pernstecher'-'pernstec@amazon.de' Dr.'Markus'Schmidberger'-'schmidbe@amazon.

Thing Big: How to Scale Your Own Internet of Things. Walter'Pernstecher'-'pernstec@amazon.de' Dr.'Markus'Schmidberger'-'schmidbe@amazon. Thing Big: How to Scale Your Own Internet of Things Walter'Pernstecher'-'pernstec@amazon.de' Dr.'Markus'Schmidberger'-'schmidbe@amazon.de' Internet of Things is the network of physical objects or "things"

More information

Cloud Computing: Compliance and Client Expectations

Cloud Computing: Compliance and Client Expectations Cloud Computing: Compliance and Client Expectations February 15, 2012 MOSS ADAMS LLP 1 TODAY S PRESENTERS Moderator Kevin Villanueva, CPA, CISA, CISM, CITP, CRISC Sr. Manager, Infrastructure and Security

More information

Simple Storage Service (S3)

Simple Storage Service (S3) Simple Storage Service (S3) Amazon S3 is storage for the Internet. It is designed to make web-scale computing easier for developers. Amazon S3 provides a simple web services interface that can be used

More information

WELCOME TO SECURE360 2013

WELCOME TO SECURE360 2013 WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?

More information

Scalable Application. Mikalai Alimenkou http://xpinjection.com 11.05.2012

Scalable Application. Mikalai Alimenkou http://xpinjection.com 11.05.2012 Scalable Application Development on AWS Mikalai Alimenkou http://xpinjection.com 11.05.2012 Background Java Technical Lead/Scrum Master at Zoral Labs 7+ years in software development 5+ years of working

More information

FAQs New Service Organization Standards and Implementation Guidance

FAQs New Service Organization Standards and Implementation Guidance FAQs New Service Organization Standards and Implementation Guidance During the past two years several significant changes have occurred in audit and attest standards for reporting on controls at service

More information

AWS Benefits, Regions & Across. Paul Yung Head of Territory Development HK, Macau & TW pyung@amazon.com

AWS Benefits, Regions & Across. Paul Yung Head of Territory Development HK, Macau & TW pyung@amazon.com AWS Benefits, Regions & Across Paul Yung Head of Territory Development HK, Macau & TW pyung@amazon.com Consumer Business Seller Business IT Infrastructure Business What is Cloud Computing? An analogy:

More information

SOC 3 for Security and Availability

SOC 3 for Security and Availability SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2014 through September 30, 2015 Independent SOC 3 Report for the Security and Availability Trust

More information

Information Security ISO Standards. Feb 11, 2015. Glen Bruce Director, Enterprise Risk Security & Privacy

Information Security ISO Standards. Feb 11, 2015. Glen Bruce Director, Enterprise Risk Security & Privacy Information Security ISO Standards Feb 11, 2015 Glen Bruce Director, Enterprise Risk Security & Privacy Agenda 1. Introduction Information security risks and requirements 2. Information Security Management

More information

10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015

10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015 10 Considerations for a Cloud Procurement Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015 www.lbmctech.com info@lbmctech.com Purpose: Cloud computing provides public sector organizations

More information

Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security

Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security Presented by Microsoft and Foley Hoag LLP s Privacy and Data Security Practice Group May 14, 2015 Proposal or event name (optional)

More information

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives SaaS / Cloud Computing Risk Management AICPA Attest Alternatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter

More information

The silver lining: Getting value and mitigating risk in cloud computing

The silver lining: Getting value and mitigating risk in cloud computing The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations

More information

Getting Started with SAP BI on AWS

Getting Started with SAP BI on AWS Getting Started with SAP BI on AWS Travis Hagens, Amazon Web Services Puneet Chopra, YASH Technologies August 25, 2015 Housekeeping Audio instructions How and when to ask questions (chat, email, etc.)

More information

AWS for M&E. Bhavik Vyas / bhavikv@amazon.com Amazon Web Services M&E Partner Eco-System Manager DEG Up in the Clouds May 2015

AWS for M&E. Bhavik Vyas / bhavikv@amazon.com Amazon Web Services M&E Partner Eco-System Manager DEG Up in the Clouds May 2015 AWS for M&E Bhavik Vyas / bhavikv@amazon.com Amazon Web Services M&E Partner Eco-System Manager DEG Up in the Clouds May 2015 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied,

More information

Running Oracle Applications on AWS

Running Oracle Applications on AWS Running Oracle Applications on AWS Bharath Terala Sr. Principal Consultant Apps Associates LLC June 09, 2014 Copyright 2014. Apps Associates LLC. 1 Agenda About the Presenter About Apps Associates LLC

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

3.B METHODOLOGY SERVICE PROVIDER

3.B METHODOLOGY SERVICE PROVIDER 3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting

More information

AWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II

AWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II AWS Security CJ Moses Deputy Chief Information Security Officer Security is Job Zero! Overview Security Resources Certifications Physical Security Network security Geo-diversity and Fault Tolerance GovCloud

More information

Digital Healthcare: Author. A HIPAA compliant cloud strategy. Choosing a Cloud Service Provider. Alex Ginzburg

Digital Healthcare: Author. A HIPAA compliant cloud strategy. Choosing a Cloud Service Provider. Alex Ginzburg : A HIPAA compliant cloud strategy. Choosing a Cloud Service Provider Author Alex Ginzburg VP of Technology, Intervention Insights, Inc. Kanda Software 200 Wells Ave, Newton, MA 02459 617-340-3850 Over

More information