PCI DSS Cloud Computing Guidelines

Size: px
Start display at page:

Download "PCI DSS Cloud Computing Guidelines"

Transcription

1 Standard: PCI Data Security Standard (PCI DSS) Versin: 2.0 Date: February 2013 Authr: Clud Special Interest Grup PCI Security Standards Cuncil Infrmatin Supplement: PCI DSS Clud Cmputing Guidelines

2 Table f Cntents 1 Executive Summary Intended Use Audience Terminlgy Clud Overview Deplyment and Service Mdels Clud Prvider / Clud Custmer Relatinships Understanding Rles and Respnsibilities Rles and Respnsibilities fr Different Deplyments Mdels Respnsibilities fr Different Service Mdels Nested Service-Prvider Relatinships PCI DSS Cnsideratins Understanding PCI DSS Respnsibilities PCI DSS Respnsibilities fr Different Service Mdels Security as a Service (SecaaS) Segmentatin Cnsideratins Scping Cnsideratins PCI DSS Cmpliance Challenges What des I am PCI cmpliant mean? Verifying Scpe f Validated Services and Cmpnents Verifying PCI DSS Cntrls Managed by the Clud Prvider Additinal Security Cnsideratins Gvernance, Risk and Cmpliance Facilities and Physical Security Data svereignty and Legal cnsideratins Data Security Cnsideratins Technical Security Cnsideratins Incident Respnse and Investigatin Cnclusin Appendix A: Sample PCI DSS Respnsibilities fr Different Service Mdels Appendix B: Sample Inventry Appendix C: Sample PCI DSS Respnsibility Matrix Appendix D: PCI DSS Implementatin Cnsideratins Acknwledgements References Abut the PCI Security Standards Cuncil The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace i i

3 1 Executive Summary Clud cmputing is a frm f distributed cmputing that is yet t be standardized 1. There are a number f factrs t be cnsidered when migrating t clud services, and rganizatins need t clearly understand their needs befre they can determine if and hw they will be met by a particular slutin r prvider. As clud cmputing is still an evlving technlgy, evaluatins f risks and benefits may change as the technlgy becmes mre established and its implicatins becme better understd. Clud security is a shared respnsibility between the clud service prvider (CSP) and its clients. If payment card data is stred, prcessed r transmitted in a clud envirnment, PCI DSS will apply t that envirnment, and will typically invlve validatin f bth the CSP s infrastructure and the client s usage f that envirnment. The allcatin f respnsibility between client and prvider fr managing security cntrls des nt exempt a client frm the respnsibly f ensuring that their cardhlder data is prperly secured accrding t applicable PCI DSS requirements. It s imprtant t nte that all clud services are nt created equal. Clear plicies and prcedures shuld be agreed between client and clud prvider fr all security requirements, and respnsibilities fr peratin, management and reprting shuld be clearly defined and understd fr each requirement. 1.1 Intended Use This dcument prvides guidance n the use f clud technlgies and cnsideratins fr maintaining PCI DSS cntrls in clud envirnments. This guidance builds n that prvided in the PCI DSS Virtualizatin Guidelines and is intended fr rganizatins using, r thinking f using, prviding, r assessing clud technlgies as part f a cardhlder data envirnment (CDE). This dcument is structured as fllws: Executive Summary Includes a brief summary f sme key pints and prvides cntext fr the remainder f the dcument. Clud Overview Describes the deplyment and service mdels discussed thrughut this dcument. Clud Prvider/ Clud Custmer Relatinships Discusses hw rles and respnsibilities may differ acrss different clud service and deplyment mdels PCI DSS Cnsideratins Prvides guidance and examples t help determine respnsibilities fr individual PCI DSS requirements, and includes segmentatin and scping cnsideratins. PCI DSS Cmpliance Challenges Describes sme f the challenges assciated with validating PCI DSS cmpliance in a clud envirnment. Additinal Security Cnsideratins Explres a number f business and technical security cnsideratins fr the use f clud technlgies. Cnclusin Presents recmmendatins fr starting discussins abut clud services. 1 NIST Guidelines n Security and Privacy in Public Clud Cmputing (SP SP ) The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 1 1

4 The fllwing appendices are included t prvide additinal guidance: Appendix A: PCI DSS Respnsibilities fr different Service Mdels Presents additinal cnsideratins t help determine PCI DSS respnsibilities acrss different clud service mdels. Appendix B: Sample Inventry Presents a sample system inventry fr clud cmputing envirnments. Appendix C: PCI DSS Respnsibility Matrix Presents a sample matrix fr dcumenting hw PCI DSS respnsibilities are assigned between clud prvider and client. Appendix D: PCI DSS Implementatin Cnsideratins Suggests a starting set f questins that may help in determining hw PCI DSS requirements can be met in a particular clud envirnment. This dcument is intended t prvide an initial pint f discussin fr clud prviders and clients, and des nt delve int specific technical cnfiguratins. This dcument des nt endrse the use f any specific technlgies, prducts, r services. The infrmatin in this dcument is intended as supplemental guidance and des nt supersede, replace r extend PCI DSS requirements. Fr the purpses f this dcument, all references made are t PCI DSS versin Audience The infrmatin in this dcument is intended fr merchants, service prviders, assessrs and ther entities lking fr guidance n the use f clud cmputing in the cntext f PCI DSS. Fr example: Merchants The security and PCI DSS cnsideratins are applicable t all types f clud envirnments, and may be useful t merchants managing their wn clud infrastructure as well as thse lking t engage with a third party. Guidance fr wrking with third-party clud prviders and PCI DSS cmpliance challenges may als be useful. Clud service prviders The security and PCI DSS cnsideratins may prvide useful infrmatin fr CSPs t assist their understanding f the PCI DSS requirements, and may als help CSPs t better understand their clients PCI DSS needs. Guidance n CSP/client relatinships and PCI DSS cmpliance challenges may als be useful fr prviders. Assessrs The security and PCI DSS cnsideratins may help assessrs t understand what they might need t knw abut an envirnment in rder t be able t determine whether a PCI DSS requirement has been met. 1.3 Terminlgy The fllwing terms are used thrughut this dcument: CSP Clud Service Prvider. The CSP, r clud prvider, is the entity prviding the clud service. The CSP acquires and manages the infrastructure required fr prviding the services, runs the clud sftware that prvides the services, and delivers the clud services thrugh netwrk access. 2 Clud custmer r client The entity subscribing t a service prvided by a clud prvider. May include merchants, service prviders, payment prcessrs, and ther entities utilizing clud services. May als be referred t as a clud tenant. 2 NIST Clud Cmputing Reference Architecture (SP ) The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 2 2

5 2 Clud Overview Clud cmputing prvides a mdel fr enabling n-demand netwrk access t a shared pl f cmputing resurces (fr example: netwrks, servers, strage, applicatins, and services) that can be rapidly prvisined and released with minimal management effrt r clud prvider interactin. 3 Clud cmputing can be used t prvide clients with access t the latest technlgies withut a cstly investment in hardware and sftware. Due t the ecnmies f scale assciated with the delivery f clud services, CSPs can ften prvide access t a greater range f technlgies and security resurces than the client might therwise have access t. rganizatins withut a depth f technically-skilled persnnel may als wish t leverage the skills and knwledge prvided by CSP persnnel t securely manage their clud peratins. Clud cmputing therefre hlds significant ptential t help rganizatins reduce IT cmplexity and csts, while increasing agility. Clud cmputing is als seen as a means t accmmdate business requirements fr high availability and redundancy, including business cntinuity and disaster recvery. 2.1 Deplyment and Service Mdels Deplyment mdels are defined t distinguish between different mdels f wnership and distributin f the resurces used t deliver clud services t different custmers. Clud envirnments may be deplyed ver a private infrastructure, public infrastructure, r a cmbinatin f bth. The mst cmmn deplyment mdels, as defined by NIST, include: Private clud The clud infrastructure is perated slely fr a single rganizatin (client). It may be managed by the rganizatin itself r a third-party prvider, and may be n-premise r ff-premise. Hwever, it must be slely dedicated fr the use f ne entity. Cmmunity clud The clud infrastructure is shared by several rganizatins and supprts a specific cmmunity with shared requirements r cncerns (fr example, business mdel, security requirements, plicy, r cmpliance cnsideratins). It may be managed by the rganizatins r a third party, and may be n-premise r ff-premise. Public clud The clud infrastructure is made available t the general public r a large industry grup and is wned by an rganizatin selling clud services. Public clud infrastructure exists n the premises f the clud prvider. Hybrid clud The clud infrastructure is a cmpsitin f tw r mre cluds (private, cmmunity, r public) that remain unique entities but are bund tgether by technlgy t enable prtability. Hybrid cluds are ften used fr redundancy r lad-balancing purpses fr example, applicatins within a private clud culd be cnfigured t utilize cmputing resurces frm a public clud as needed during peak capacity times (smetimes called clud-bursting ). With respect t understanding rles and respnsibilities, this paper is largely fcused n public clud scenaris. Hwever, many f the cncepts discussed remain applicable t the ther deplyment mdels. 3 The NIST Definitin f Clud Cmputing (SP ) The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 3 3

6 Service mdels identify different cntrl ptins fr the clud custmer and clud prvider. Fr example, SaaS custmers simply use the applicatins and services prvided by the CSP, where IaaS custmers maintain cntrl f their wn envirnment hsted n the CSP s underlying infrastructure. The three mst cmmnly used service mdels are described as fllws 4 : Sftware as a Service (SaaS) Capability fr clients t use the prvider s applicatins running n a clud infrastructure. The applicatins are accessible frm varius client devices thrugh either a thin client interface, such as a web brwser, r a prgram interface. Platfrm as a Service (PaaS) Capability fr clients t deply their applicatins (created r acquired) nt the clud infrastructure, using prgramming languages, libraries, services, and tls supprted by the prvider. Infrastructure as a Service (IaaS) Capability fr clients t utilize the prvider s prcessing, strage, netwrks, and ther fundamental cmputing resurces t deply and run perating systems, applicatins and ther sftware n a clud infrastructure. The main difference between service levels relates t hw cntrl is shared between client and CSP, which in turn impacts the level f respnsibility fr bth parties. It shuld be nted that, ther than in a truly private clud (n-premise) scenari, the client rarely has any cntrl ver hardware, and it is the degree t which virtual cmpnents, applicatins and sftware are managed by the different parties that differentiates the service mdels. As a general rule, SaaS prvides clients with the least amunt f cntrl, whereas IaaS ffers the mst cntrl fr the client. It s imprtant t nte that these descriptins fr deplyment and service mdels, althugh widely accepted by the industry, may nt be universally fllwed by clud prviders r reflect actual clud envirnments. Fr example, a CSP might be selling a private clud service that des nt meet the intent f private as it is described abve. Similarly, the details f what is and what is nt included in a particular service will prbably vary between CSPs, even if they each identify their service by the same term (IaaS, PaaS, r SaaS). The level f security respnsibility acrss the clud service mdels generally migrates twards the client as the client mves frm a SaaS mdel (least client respnsibility) t an IaaS mdel (mst client respnsibility). The greatest level f respnsibility fr the CSP t maintain security and peratinal cntrls is present in the SaaS service mdel. Figure 1 n the fllwing page shws hw cntrl is typically shared between the CSP and client acrss different service mdels. 4 Adapted frm The NIST Definitin f Clud Cmputing (SP ) The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 4 4

7 Figure 1: Level f cntrl/respnsibility fr client and CSP acrss different service mdels While clients may be attracted t the SaaS and PaaS mdels due t the resurce savings and reduced respnsibility fr administering the clud envirnment, they shuld be aware that these mdels als crrespnd t a greater lss f cntrl f the envirnment husing their sensitive data. Cntractual agreements and nging due diligence becme especially critical where cntrl is utsurced, t ensure that the required security measures are being met and maintained by the CSP fr the duratin f the agreement. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 5 5

8 3 Clud Prvider / Clud Custmer Relatinships 3.1 Understanding Rles and Respnsibilities The lines f accuntability and respnsibility will be different fr each service and deplyment mdel. Clear plicies and prcedures shuld be agreed upn between client and clud prvider fr all security requirements, and clear respnsibilities fr peratin, management and reprting need t be defined fr each requirement. 3.2 Rles and Respnsibilities fr Different Deplyments Mdels The entity perfrming the rle f CSP will vary accrding t the type f deplyment mdel. Fr example, the CSP rle may be assigned entirely t an external third party (as in a public clud), r the rle may be undertaken by an internal department r business functin (as in an n-premise private clud). Similarly, the rle f CSP may be assigned t mre than ne entity in a cmmunity r hybrid clud scenari. T understand hw respnsibilities are assigned in a particular deplyment mdel, cnsider the fllwing: Private clud Where a private clud is managed n-premise, the CSP rle may be undertaken within the client rganizatin. Fr example, the IT department culd take n the rle f CSP with varius peratinal departments as its clients. In this scenari, the client rganizatin retains full cntrl f their envirnment and its security and cmpliance. Dedicated, private cluds may als be prvisined ff-premise by a third-party CSP. In this case, the delineatin f respnsibility will als depend n the particular service mdel, as described in Sectin 3.3, Respnsibilities fr Different Service Mdels. Cmmunity clud The CSP culd be ne f the client rganizatins within the cmmunity r a separate third party. The delineatin f respnsibility fllws the particular service mdel implemented. Public clud The CSP is a third party that is an rganizatinally-separate entity t its clients. The clud is deplyed within a CSP s envirnment and respnsibility is delineated accrding t the particular service mdel, as defined by the CSP. Hybrid clud The CSP rle may be assigned t bth internal and third-party entities fr different elements f the verall clud infrastructure. Respnsibility will be assigned based n the cmbinatin f deplyment mdels and service mdels implemented. The respnsibility fr implementatin, peratin, and management f security cntrls will be shared differently within each f the clud mdels, and needs t be clearly understd by bth the client and CSP. The client als needs t understand the level f versight r visibility they will have int security functins that are utside their cntrl. If these security respnsibilities are nt prperly assigned, cmmunicated, and understd, insecure cnfiguratins r vulnerabilities culd g unnticed and unaddressed, resulting in ptential explit and data lss r ther cmprmise. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 6 6

9 3.3 Respnsibilities fr Different Service Mdels In all deplyment mdels, and particularly in public clud envirnments, it is imprtant fr all parties t understand the specific elements f the service mdel used and its assciated risks. Any clud deplyment mdel that is nt truly private (n-premise) is by nature a shared respnsibility mdel, where a prtin f respnsibility fr the clud service falls under the realm f the CSP, and a prtin f respnsibility als falls t each client. The level f respnsibility that falls t the CSP r the client is determined by the clud service mdel being utilized that is, IaaS, PaaS, r SaaS. Clear delineatin f respnsibilities shuld be established as a prerequisite t any clud service implementatin t prvide a baseline fr the clud peratin. Figure 2 n the fllwing page illustrates hw cntrl f the different technical layers is ften shared acrss different service mdels. Fr illustratin purpses, different layers f the clud stack are described as fllws: Layer Applicatin Prgram Interface (API) r Graphical User Interface (GUI) Applicatin Slutin stack Operating systems (OS) Virtual machine (VM) Virtual netwrk infrastructure Hypervisr Prcessing and memry Data Strage Netwrk Physical facility Descriptin The interface used by the client r their custmers t interact with the applicatin. The current mst cmmn API is RESTful HTTP r HTTPS. The current mst cmmn GUI is an HTTP r HTTPS based Web site. The actual applicatin being used by ne r mre clients r their custmers. This is the prgramming language used t build and deply applicatins. Sme examples include.net, Pythn, Ruby, Perl, etc. In a virtualized envirnment, the OS runs within each VM. Alternatively, if there is n underlying hypervisr present, the perating system runs directly n the strage hardware. The virtual cntainer assigned fr client use. Fr cmmunicatins within and between virtual machines When virtualizatin is used t manage resurces, the hypervisr is respnsible fr allcating resurces t each virtual machine. It may als be leveraged fr implementing security. The physical hardware that supplies CPU time and physical memry. The physical hardware used fr file strage. This can be a physical r virtual netwrk. It is respnsible fr carrying cmmunicatins between systems and pssibly the Internet. The actual physical building where the clud systems are lcated. Appendix B illustrates a sample inventry fr clud cmputing systems, as guidance fr hw CSPs and their custmers can dcument the different layers f the clud envirnment. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 7 7

10 Figure 2: Example f hw cntrl may be assigned between CSP and clients acrss different service mdels. CSP Clud Layer Service Mdels IaaS PaaS SaaS Data Interfaces (APIs, GUIs) Applicatins Slutin Stack (Prgramming languages) Operating Systems (OS) Virtual Machines Virtual netwrk infrastructure Hypervisrs Prcessing and Memry Data Strage (hard drives, remvable disks, backups, etc.) Netwrk (interfaces and devices, cmmunicatins infrastructure) Physical facilities / data centers Nte: This table prvides an example f hw respnsibilities might be assigned accrding t cmmn descriptins f the different service mdels. Hwever, it s imprtant t nte that the technlgy layers and their crrespnding lines f respnsibility may be different fr each CSP, even if they use the same terminlgy t describe their service, and the individual service fferings may r may nt align with the respnsibly assignments indicated abve. Sme CSPs ffer multiple ptins fr their services fr example, a CSP may have ne IaaS ffering that includes a client-cntrlled hypervisr and a separate IaaS ffering with n client access t the hypervisr. It s imperative that clients and CSPs clearly dcument and understand where the bundaries are in their particular relatinship rather than assuming that any particular respnsibility mdel applies t them. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 8 8

11 Even where a client des nt have cntrl ver a particular layer, they may still have sme respnsibility fr the cnfiguratins r settings that the CSP maintains n their behalf. Fr example, a client may need t define firewall rules and review firewall rule-sets fr thse firewalls applicable t the prtectin f their envirnment, even thugh the CSP actually cnfigures and manages the firewalls. Similarly, clients may be respnsible fr apprving and reviewing user access permissins t their data resurces, while the CSP cnfigures the access accrding t client needs. The allcatin f respnsibility fr managing security cntrls des nt exempt a client frm the respnsibility f ensuring that their cardhlder data is prperly secured. 3.4 Nested Service-Prvider Relatinships Nested service-prvider relatinships are nt uncmmn in clud scenaris, as CSPs smetimes rely n ther third-party cmpanies t deliver their services. Fr examples, sme CSPs use third-party strage prviders as part f their clud service ffering, while sme might partner with ther CSPs fr redundancy r fail-ver as part f their clud-delivery strategy. Identifying all third-party relatinships that the CSP has in place is imprtant in rder t understand the ptential ramificatins t a client s envirnment. The existence f multiple nested relatinships fr example, where there is a chain f vendrs and/r ther prviders required fr delivery f a clud service will als add cmplexity t bth the CSP s and the client s PCI DSS assessment prcess. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace 9 9

12 4 PCI DSS Cnsideratins 4.1 Understanding PCI DSS Respnsibilities The respnsibilities delineated between the client and the CSP fr managing PCI DSS cntrls are influenced by a number f variables, including but nt limited t: The purpse fr which the client is using the clud service. The scpe f PCI DSS requirements that the client is utsurcing t the CSP. The services and system cmpnents that the CSP has validated within its wn peratins. The service ptin that the client has selected t engage the CSP (IaaS, PaaS r SaaS). The scpe f any additinal services the CSP is prviding t practively manage the client s cmpliance (fr example, additinal managed security services). The client needs t clearly understand the scpe f respnsibility that the CSP is accepting fr each PCI DSS requirement, and which services and system cmpnents are validated fr each requirement. Fr example, PCI DSS Requirements 6.1 and 6.2 address the need fr vulnerabilities t be identified, ranked accrding t risk, and deplyed in a timely manner. If nt prperly defined, a client culd assume that the CSP is managing this prcess fr the entire clud envirnment, whereas the CSP culd be managing vulnerabilities fr their underlying infrastructure nly, and assuming that the client is managing vulnerabilities fr perating systems and applicatins. 4.2 PCI DSS Respnsibilities fr Different Service Mdels As a general rule, the mre aspects f a client s peratins that the CSP manages, the mre respnsibility the CSP has fr maintaining PCI DSS cntrls. Hwever, utsurcing maintenance f cntrls is nt the same as utsurcing respnsibility fr the data verall. Clud custmers shuld nt make assumptins abut any service, and shuld clearly spell ut in cntracts, memrandums f understanding, and/r SLAs exactly which party is respnsible fr securing which system cmpnents and prcesses. Figure 3 n the fllwing page prvides an example f hw respnsibilities fr PCI DSS requirements may be shared between clients and CSPs acrss the three service mdels. There will f curse be exceptins and variatins acrss each individual service, and this table is prvided as a guideline fr clients and CSPs t help plan discussins and negtiatins. Respnsibilities have been identified as fllws: Generally each client will retain respnsibility fr maintaining and verifying the requirement. CSP Generally the CSP will maintain and verify the requirement fr their clients. Bth Generally respnsibility is shared between the client and the CSP. This may be due t the requirement applying t elements present in bth the client envirnment and the CSP-managed envirnment, r because bth parties need t be invlved in the management f a particular cntrl. Appendix A includes additinal cnsideratins fr determining hw PCI DSS respnsibilities may be assigned fr each service mdel. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

13 Figure 3: Example f hw PCI DSS respnsibilities may be shared between clients and CSPs. CSP BOTH and CSP PCI DSS Requirement Example respnsibility assignment fr management f cntrls IaaS PaaS SaaS 1: Install and maintain a firewall cnfiguratin t prtect cardhlder data Bth Bth CSP 2: D nt use vendr-supplied defaults fr system passwrds and ther security parameters Bth Bth CSP 3: Prtect stred cardhlder data Bth Bth CSP 4: Encrypt transmissin f cardhlder data acrss pen, public netwrks Bth CSP 5: Use and regularly update anti-virus sftware r prgrams Bth CSP 6: Develp and maintain secure systems and applicatins Bth Bth Bth 7: Restrict access t cardhlder data by business need t knw Bth Bth Bth 8: Assign a unique ID t each persn with cmputer access Bth Bth Bth 9: Restrict physical access t cardhlder data CSP CSP CSP 10: Track and mnitr all access t netwrk resurces and cardhlder data Bth Bth CSP 11: Regularly test security systems and prcesses Bth Bth CSP 12: Maintain a plicy that addresses infrmatin security fr all persnnel Bth Bth Bth PCI DSS Appendix A: Additinal PCI DSS Requirements fr Shared Hsting Prviders CSP CSP CSP Nte: The sample respnsibilities illustrated in this table d nt include cnsideratin fr any activities r peratins perfrmed utside f a hypthetical clud service ffering. This table prvides an example f hw PCI DSS respnsibilities might be assigned fr different service mdels. Hwever, each CSP ultimately defines their wn service, and particular service fferings may r may nt be cnsistent with thse illustrated abve. s and CSPs shuld clearly dcument their respnsibilities as applicable t their particular agreement. The cncept f shared r jint respnsibility can be a particular tricky path t navigate. While sme services and functins will be relatively straightfrward t scpe and establish bundaries, many services and functins will verlap if nt clearly demarcated at the utset f the service relatinship. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

14 Where the CSP maintains respnsibility fr PCI DSS cntrls, the client is still respnsible fr mnitring the CSP s nging cmpliance fr all applicable requirements. CSPs shuld be able t prvide their clients with nging assurance that requirements are being met, and where the CSP is managing requirements n behalf f the client, they shuld have mechanisms in place t prvide the custmer with the applicable recrds fr example, audit lgs shwing all access t client data. s are still required t validate their cmpliance in accrdance with payment brand prgrams. Appendix C illustrates a sample PCI DSS Respnsibly Matrix, as guidance fr hw CSPs and their custmers can dcument PCI DSS respnsibility assignments. Appendix D includes Implementatin Cnsideratins fr PCI DSS Requirements. 4.3 Security as a Service (SecaaS) Security as a Service, r SecaaS, is smetimes used t describe the delivery f security services using a SaaS-based delivery mdel. SecaaS slutins nt directly invlved in string, prcessing, r transmitting CHD may still be an integral part f the security f the CDE. As an example, a SaaS-based anti-malware slutin may be used t update anti-malware signatures n the client s systems via a clud-delivery mdel. In this example, the SecaaS ffering is delivering a PCI DSS cntrl t the client s envirnment, and the SecaaS functinality will need t be reviewed t verify that it is meeting the applicable requirements. 4.4 Segmentatin Cnsideratins Outside f a clud envirnment, individual client envirnments wuld nrmally be physically, rganizatinally, and administratively separate frm each ther. s utilizing a public r therwise shared clud must rely n the CSP t ensure that their envirnment is adequately islated frm the ther client envirnments. In additin t enfrcing separatin between client envirnments, segmentatin may als be desired within a client s envirnment t islate their CDE cmpnents frm nn-cde cmpnents in rder t reduce their wn PCI DSS scpe. Segmentatin n a clud-cmputing infrastructure must prvide an equivalent level f islatin as that achievable thrugh physical netwrk separatin. Mechanisms t ensure apprpriate islatin may be required at the netwrk, perating system, and applicatin layers; and mst imprtantly, there shuld be guaranteed islatin f data that is stred. envirnments must be islated frm each ther such that they can be cnsidered separately managed entities with n cnnectivity between them. Any systems r cmpnents shared by the client envirnments, including the hypervisr and underlying systems, must nt prvide an access path between envirnments. Any shared infrastructure used t huse an in-scpe client envirnment wuld be in scpe fr that client s PCI DSS assessment. A segmented clud envirnment exists when the CSP enfrces islatin between client envirnments. Examples f hw segmentatin may be prvided in shared clud envirnments include, but are nt limited t: Traditinal Applicatin Service Prvider (ASP) mdel, where physically separate servers are prvided fr each client s cardhlder data envirnment. Virtualized servers that are individually dedicated t a particular client, including any virtualized disks such as SAN, NAS r virtual database servers. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

15 Envirnments where clients run their applicatins in separate lgical partitins using separate database management system images and d nt share disk strage r ther resurces. The PCI DSS assessr must validate the effectiveness f the segmentatin t ensure it prvides adequate islatin. If adequate segmentatin is prvided between clients, the client envirnment and the CSP-managed envirnment and prcesses wuld be in scpe fr a client s PCI DSS assessment. If adequate segmentatin is nt in place r cannt be verified, the entire clud envirnment wuld be in-scpe fr any ne client s assessment. Examples f nn-segmented clud envirnments include but are nt limited t: Envirnments where rganizatins use the same applicatin image n the same server and are nly separated by the access cntrl system f the perating system r the applicatin. Envirnments where rganizatins use different images f an applicatin n the same server and are nly separated by the access cntrl system f the perating system r the applicatin. Envirnments where rganizatins data is stred in the same instance f the database management system s data stre. Withut adequate segmentatin, all clients f the shared infrastructure, as well as the CSP, wuld need t be verified as being PCI DSS cmpliant in rder fr any ne client t be assured f the cmpliance f the envirnment. This will likely make cmpliance validatin unachievable fr the CSP r any f their clients Segmentatin Challenges Segmentatin in traditinal hsted envirnments can be applied via separate physical servers and security measures applied using knwn methds. The difference in a clud envirnment is that there are cmmn shared layers (such as hypervisrs and virtual infrastructure layers), which can present a single pint f entry (r attack) fr all systems abve r belw thse shared layers. The security applied t these layers is therefre critical nt nly t the security f the individual envirnments they supprt, but als t ensure that segmentatin is enfrced between different client envirnments. Once any layer f the clud architecture is shared by CDE and nn-cde envirnments, segmentatin becmes increasingly cmplex. This cmplexity is nt limited t shared hypervisrs; all layers f the infrastructure that culd prvide an entry pint t a CDE must be included when verifying segmentatin. In a private clud envirnment, ne apprach that may help reduce the cmplexity f segmentatin effrts culd be t lcate all CDE virtual cmpnents n a dedicated CDE hypervisr, and ensure all nn-cde virtual cmpnents are lcated n separate hypervisrs, adequately segmented frm the CDE hypervisr. The need fr adequate segmentatin f client envirnments in a public r shared clud is underscred by the principle that the ther client envirnments running n the same infrastructure are t be cnsidered untrusted netwrks. The client has n way f cnfirming whether ther client envirnments are securely cnfigured, patched apprpriately t prtect against attack, r that they are nt already cmprmised r even designed t be malicius. This is particularly relevant where a CSP ffers IaaS and PaaS services, as the individual clients have greater cntrl and management f their envirnments. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

16 4.4.2 Segmentatin Respnsibilities Ultimately, the CSP needs t take wnership f the segmentatin between clients and verify it is effective and prvides adequate islatin between individual client envirnments, between client envirnments and the CSP s wn envirnment, and between client envirnments and ther untrusted envirnments (such as the Internet). Applicable PCI DSS cntrls fr the segmentatin functins wuld als be the CSP s respnsibility (fr example, firewall rules, audit lgging, dcumentatin, reviews, etc.). The client is respnsible fr the prper cnfiguratin f any segmentatin cntrls implemented within their wn envirnment (fr example, using virtual firewalls t separate in-scpe VMs frm ut-f-scpe VMs), and fr ensuring that effective islatin is maintained between in-scpe and ut-f-scpe cmpnents. s wishing t implement segmentatin within their clud envirnment als need t cnsider hw the CSP s envirnment and prcesses may impact the effectiveness f the segmentatin. Fr example, CSP systems culd be prviding cnnectivity between the client s wn VMs that is nt visible t the client. s shuld als cnsider hw the CSP manages ffline r drmant VMs, and whether in-scpe and ut-f-scpe VMs culd ptentially be stred tgether by the CSP withut active segmentatin cntrls Segmentatin Technlgies Traditinal netwrk segmentatin technlgies cnsist f hardware devices such as firewalls, switches, ruters, and s frth. These physical cmpnents culd be used t separate VMs hsted n the same r multiple hypervisrs similar t the manner in which systems culd be segmented in a physical netwrk. This wuld require hypervisrs with multiple netwrk interfaces and PCI DSS cmpliant cnfiguratins fr the varius types f netwrk hardware. Additinally, virtual cunterparts f firewalls, switches and ruters nw exist and can be incrprated int a virtual envirnment. As mentined abve, a key cnsideratin is hw secure the cmmn layers (such as hypervisrs and shared physical cmpnents) are, and whether they represent a ptential attack surface between znes r clients. The answer is that yes, they d; hwever the assciated risks are still nt well understd. Examples f cntrls t be cnsidered when evaluating segmentatin ptins include, but are nt limited t: Physical firewalls and netwrk segmentatin at the infrastructure level Firewalls at the hypervisr and VM level VLAN tagging r zning in additin t firewalls Intrusin-preventin systems at the hypervisr and/r VM level t detect and blck unwanted traffic Data-lss-preventin tls at the hypervisr and/r VM level Cntrls t prevent ut-f-band cmmunicatins ccurring via the underlying infrastructure Islatin f shared prcesses and resurces frm client envirnments Segmented data stres fr each client Strng, tw-factr authenticatin Separatin f duties and administrative versight Cntinuus lgging and mnitring f perimeter traffic, and real-time respnse The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

17 4.5 Scping Cnsideratins Merchant r ther rganizatins lking t stre, prcess, r transmit payment card data in a clud envirnment shuld clearly understand the impact that extending their CDE int the clud will have n their PCI DSS scpe. Fr example, in a private-clud deplyment, an rganizatin culd either implement adequate segmentatin t islate in-scpe systems frm ther systems and services, r they culd cnsider their private clud t be whlly in scpe fr PCI DSS. In a public clud, the client rganizatin and CSP will need t wrk clsely tgether t define and verify scpe bundaries, as bth parties will have systems and services in scpe. Appendix D includes Implementatin Cnsideratins fr PCI DSS Requirements. Recmmendatins fr minimizing and simplifying PCI DSS scpe in a clud envirnment include: Dn t stre, prcess r transmit payment card data in the clud. This is the mst effective way t keep a clud envirnment ut f scpe, as PCI DSS cntrls are nt required if there is n payment card data t prtect. Implement a dedicated physical infrastructure that is used nly fr the in-scpe clud envirnment. The scping prcess will be simplified if all in-scpe peratins are limited t a knwn, defined set f physical and virtual system cmpnents that are managed independently frm ther cmpnents. Once defined, the client will be reliant n the CSP s ability t ensure scpe bundaries are maintained fr example, by ensuring that all segmentatin cntrls are perating effectively and that any new cmpnents cnnected t the in-scpe envirnment are immediately brught int scpe and prtected accrdingly. Minimize reliance n third-party CSPs fr prtecting payment card data. The mre security cntrls the CSP is respnsible fr, the greater the scpe f the CDE will ptentially be, thereby increasing the cmplexity invlved in defining and maintaining CDE bundaries. Ensuring that clear-text accunt data is never accessible in the clud may als assist t reduce the number f PCI DSS requirements applicable t the clud envirnment. As an example, let s say the client perfrms all encryptin and decryptin peratins and all key-management functins 5 in their wn data center and uses a third-party clud nly t stre r transmit encrypted data. In this scenari, clear-text data wuld never exist in the clud envirnment nt even temprarily r in memry. Additinally, the clud envirnment wuld never have access t cryptgraphic keys r key-management prcesses. It shuld be nted that the encrypted data is still in scpe fr PCI DSS (generally fr the entity that cntrls r manages the encrypted data and/r the cryptgraphic keys 6 ) t ensure that applicable cntrls are in place. Hwever, by keeping all encryptin/decryptin and key-management peratins islated frm the clud, the number f PCI DSS requirements that the CSP is required t maintain may be reduced, as these requirements will instead be applicable t the client s wn envirnment and persnnel. The CSP will still be in scpe fr any PCI DSS requirements it manages n behalf f the client fr example, access cntrls managed by the CSP will need t be verified t ensure that nly authrized persns (as determined by the client) have access t the encrypted data, and that access is nt granted t unauthrized persns. 5 In accrdance with PCI DSS Requirements 6 Refer t FAQ Is encrypted cardhlder data in scpe fr PCI DSS? n PCI SSC website fr additinal guidance. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

18 Alternatively, if clear-text accunt data is present (fr example, in memry) in the clud envirnment, r the ability t retrieve accunt data exists (fr example, if decryptin keys and encrypted data are present), all applicable PCI DSS requirements wuld apply t that envirnment Scping Examples fr Different Deplyment Mdels Fr private clud envirnments, segmentatin effrts are fcused n islating CDE cmpnents frm nn-cde cmpnents t reduce the number f systems in scpe fr PCI DSS. In public r shared clud envirnments, segmentatin between clients is critical fr the security f the entire client envirnment, and is additinal t any segmentatin managed by the client within their envirnment fr the purpses f scping. A number f simple scping examples are presented here t prvide guidance. Scenari Envirnment descriptin PCI DSS scping guidance Case 1: Private Clud hsted and cntrlled by entity seeking PCI DSS cmpliance, with segmentatin. Case 2: Private Clud hsted and cntrlled by entity seeking PCI DSS cmpliance, n segmentatin. All CDE VMs are hsted n a single, dedicated hypervisr; nn-cde VMs are hsted n a separate hypervisr(s). Validated segmentatin f CDE systems frm nn-cde systems using a cmbinatin f physical and lgical cntrls All VMs are hsted n ne r mre hypervisrs; sme VMs are cnsidered part f the CDE and sme are nt. N segmentatin f CDE systems frm nn-cde systems. The CDE hypervisr and VMs, and all clud cmpnents that are nt segmented are in scpe (segmentatin must be validated as prviding effective islatin) The entire clud envirnment and all cnnected systems are in scpe and cnsidered part f the CDE (similar t a flat netwrk). The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

19 Scenari Envirnment descriptin PCI DSS scping guidance Case 3: Third-party CSP hsting a PCI DSS cmpliant public clud supprting multiple clients, with validated segmentatin fr client envirnments. Case 4: Third-party CSP hsting a PCI DSS cmpliant public clud supprting multiple clients, n client segmentatin. VMs may be n ne r multiple hypervisrs, all hypervisrs and VMs are cnfigured by CSP t supprt PCI DSS requirements. Multiple clients hsted n each hypervisr. Validated segmentatin f client envirnments using a cmbinatin f physical and lgical cntrls. VMs may be n ne r multiple hypervisrs, all hypervisrs cnfigured by CSP t supprt PCI DSS requirements. Multiple clients hsted n each hypervisr, VM cnfiguratin managed by each client. Segmentatin between client envirnments is nt verified. The CSP is respnsible fr cmpliance f all elements f the clud service prvided. Each client s scpe wuld include their wn envirnment (fr example, VMs, applicatins etc.) and any ther elements nt managed by the CSP. Segmentatin must be validated as prviding effective islatin between clients as part f the CSP s validatin, and may require additinal validatin as part f each client s validatin. Entire clud service and all client envirnments are in scpe. Nte that validating PCI DSS cmpliance may be intractable and infeasible as every client envirnment wuld need t be included in the assessment. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

20 5 PCI DSS Cmpliance Challenges String, prcessing, r transmitting cardhlder data in the clud brings that clud envirnment int scpe fr PCI DSS, and it may be particularly challenging t validate PCI DSS cmpliance in a distributed, dynamic infrastructure such as a public r ther shared clud. Fr example, it can be difficult t identify which system cmpnents are in scpe fr a particular service, r identify wh is respnsible fr particular PCI DSS cntrls. Sme f the technical cntrls and auditing prcesses traditinally used t attain a measurable level f assurance in static envirnments (fr example, in-huse data strage servers) are nt designed fr rapidlychanging clud envirnments and prcesses (fr example, clud bursting, cntinual deplyment and retirement f virtual machines, dynamic IP addressing, and s n). Additinally, clients and assessrs ften can t see and tuch CDE systems as they wuld in a traditinal envirnment (fr example, by visiting the data center). The distributed architectures f clud envirnments add layers f technlgy and cmplexity that challenge traditinal assessment methds. Fr example, hw des an assessr determine an apprpriate sample size fr a dynamic clud envirnment in which systems can appear and disappear in minutes? Examples f cmpliance challenges include but are nt limited t: s may have little r n visibility int the CSP s underlying infrastructure and the related security cntrls. s may have limited r n versight r cntrl ver cardhlder data strage. Organizatins might nt knw where cardhlder data is physically stred, r the lcatin(s) can regularly change. Fr redundancy r high availability reasns, data culd be stred in multiple lcatins at any given time. Sme virtual cmpnents d nt have the same level f access cntrl, lgging, and mnitring as their physical cunterparts. Perimeter bundaries between client envirnments can be fluid. Public clud envirnments are usually designed t allw access frm anywhere n the Internet. It can be challenging t verify wh has access t cardhlder data prcessed, transmitted, r stred in the clud envirnment. It can be challenging t cllect, crrelate, and/r archive all f the lgs necessary t meet applicable PCI DSS requirements. Organizatins using data-discvery tls t identify cardhlder data in their envirnments, and t ensure that such data is nt stred in unexpected places, may find that running such tls in a clud envirnment can be difficult and result in incmplete results. It can be challenging fr rganizatins t verify that cardhlder card data has nt leaked int the clud. Many large prviders might nt supprt right-t-audit fr their clients. s shuld discuss their needs with the prvider t determine hw the CSP can prvide assurance that required cntrls are in place. The intent f this dcument is t prvide supplemental infrmatin. Infrmatin prvided here des nt replace

Process of Setting up a New Merchant Account

Process of Setting up a New Merchant Account Prcess f Setting up a New Merchant Accunt Table f Cntents PCI DSS... 3 Wh t cntact?... 3 Bakcgrund n PCI... 3 Why cmply?... 3 Hw t cmply?... 3 PCI DSS Scpe... 4 Des PCI DSS Apply t Me?... 4 What if I am

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Versin: Mdified By: Date: Apprved By: Date: 1.0 Michael Hawkins Octber 29, 2013 Dan Bwden Nvember 2013 Rule 4-004J Payment Card Industry (PCI) Patch Management (prpsed) 01.1 Purpse The purpse f the Patch

More information

COPIES-F.Y.I., INC. Policies and Procedures Data Security Policy

COPIES-F.Y.I., INC. Policies and Procedures Data Security Policy COPIES-F.Y.I., INC. Plicies and Prcedures Data Security Plicy Page 2 f 7 Preamble Mst f Cpies FYI, Incrprated financial, administrative, research, and clinical systems are accessible thrugh the campus

More information

GUIDANCE FOR BUSINESS ASSOCIATES

GUIDANCE FOR BUSINESS ASSOCIATES GUIDANCE FOR BUSINESS ASSOCIATES This Guidance fr Business Assciates dcument is intended t verview UPMCs expectatins, as well as t prvide additinal resurces and infrmatin, t UPMC s HIPAA business assciates.

More information

VCU Payment Card Policy

VCU Payment Card Policy VCU Payment Card Plicy Plicy Type: Administrative Respnsible Office: Treasury Services Initial Plicy Apprved: 12/05/2013 Current Revisin Apprved: 12/05/2013 Plicy Statement and Purpse The purpse f this

More information

Licensing Windows Server 2012 R2 for use with virtualization technologies

Licensing Windows Server 2012 R2 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 R2 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 R2 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents

More information

State of Wisconsin DET Dedicated Virtual Host Services Offering Definition

State of Wisconsin DET Dedicated Virtual Host Services Offering Definition State f Wiscnsin DET Dedicated Virtual Hst Services Offering Definitin Dcument Revisin Histry Date Versin Creatr Ntes 10/29/2010 1.0 Phil Staley Initial draft 11/3/2010 1.1 Phil Staley Ryan McKee Secnd

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT The PCI Security Standards Cuncil Releases PCI DSS Versin 3.2 May 9, 2016 On April 28, 2016, the PCI Security Standards Cuncil (PCI SSC) released PCI Data Security Standard (PCI

More information

HIPAA HITECH ACT Compliance, Review and Training Services

HIPAA HITECH ACT Compliance, Review and Training Services Cmpliance, Review and Training Services Risk Assessment and Risk Mitigatin: The first and mst imprtant step is t undertake a hlistic risk assessment that examines the risks and cntrls related t fur critical

More information

Information Services Hosting Arrangements

Information Services Hosting Arrangements Infrmatin Services Hsting Arrangements Purpse The purpse f this service is t prvide secure, supprted, and reasnably accessible cmputing envirnments fr departments at DePaul that are in need f server-based

More information

The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future

The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future The Imprtance Advanced Data Cllectin System Maintenance Berry Drijsen Glbal Service Business Manager WHITE PAPER knwledge t shape yur future The Imprtance Advanced Data Cllectin System Maintenance Cntents

More information

Licensing Windows Server 2012 for use with virtualization technologies

Licensing Windows Server 2012 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents This

More information

System Business Continuity Classification

System Business Continuity Classification Business Cntinuity Prcedures Business Impact Analysis (BIA) System Recvery Prcedures (SRP) System Business Cntinuity Classificatin Cre Infrastructure Criticality Levels Critical High Medium Lw Required

More information

CLOUD COMPUTING: SECURITY THREATS AND MECHANISM

CLOUD COMPUTING: SECURITY THREATS AND MECHANISM CLOUD COMPUTING: SECURITY THREATS AND MECHANISM Vaishali Jshi 1, Lakshmi 2, Vivek Gupta 3 1,2,3 Department f Cmputer Science Engineering, Acrplis Technical Campus, Indre ABSTRACT Clud cmputing is a mdel

More information

Cloud Services Frequently Asked Questions FAQ

Cloud Services Frequently Asked Questions FAQ Clud Services Frequently Asked Questins FAQ Revisin 1.0 6/05/2015 List f Questins Intrductin What is the Caradigm Intelligence Platfrm (CIP) clud? What experience des Caradigm have hsting prducts like

More information

Restricted Document. Pulsant Technical Specification

Restricted Document. Pulsant Technical Specification Pulsant Technical Specificatin Title Pulsant Dedicated Server Department Prduct Develpment Cntributrs RR Classificatin Restricted Versin 1.0 Overview Pulsant ffer a Dedicated Server service t underpin

More information

TrustED Briefing Series:

TrustED Briefing Series: TrustED Briefing Series: Since 2001, TrustCC has prvided IT audits and security assessments t hundreds f financial institutins thrugh ut the United States. Our TrustED Briefing Series are white papers

More information

BAMS Third Party Service Providers (TPSPs) FAQs

BAMS Third Party Service Providers (TPSPs) FAQs BAMS Third Party Service Prviders (TPSPs) FAQs 1) What is the Third Party Service Prvider (TPSP) Agent Registratin Prgram? The TPSP Agent Registratin Prgram is a Card Brand (Visa USA Inc and MasterCard

More information

Change Management Process

Change Management Process Change Management Prcess B1.10 Change Management Prcess 1. Intrductin This plicy utlines [Yur Cmpany] s apprach t managing change within the rganisatin. All changes in strategy, activities and prcesses

More information

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1 Imprved Data Center Pwer Cnsumptin and Streamlining Management in Windws Server 2008 R2 with SP1 Disclaimer The infrmatin cntained in this dcument represents the current view f Micrsft Crpratin n the issues

More information

Data Protection Act Data security breach management

Data Protection Act Data security breach management Data Prtectin Act Data security breach management The seventh data prtectin principle requires that rganisatins prcessing persnal data take apprpriate measures against unauthrised r unlawful prcessing

More information

A96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015

A96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Revisin 1.5 August 4, 2015 A96 CALA Plicy n the use f Cmputers in Accredited Labratries TABLE OF CONTENTS TABLE OF CONTENTS... 1 CALA POLICY

More information

Licensing the Core Client Access License (CAL) Suite and Enterprise CAL Suite

Licensing the Core Client Access License (CAL) Suite and Enterprise CAL Suite Vlume Licensing brief Licensing the Cre Client Access License (CAL) Suite and Enterprise CAL Suite Table f Cntents This brief applies t all Micrsft Vlume Licensing prgrams. Summary... 1 What s New in This

More information

Data Protection Policy & Procedure

Data Protection Policy & Procedure Data Prtectin Plicy & Prcedure Page 1 Prcnnect Marketing Data Prtectin Plicy V1.2 Data prtectin plicy Cntext and verview Key details Plicy prepared by: Adam Haycck Apprved by bard / management n: 01/01/2015

More information

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010 OntariMD Inc. Electrnic Medical Recrds SPECIFICATION Hspital Reprt Manager Cnnectivity Requirements DRAFT Date: September 30, 2010 Versin: 1.0 2007-2010 OntariMD Inc. All rights reserved HRM EMR Cnnectivity

More information

Using PayPal Website Payments Pro UK with ProductCart

Using PayPal Website Payments Pro UK with ProductCart Using PayPal Website Payments Pr UK with PrductCart Overview... 2 Abut PayPal Website Payments Pr & Express Checkut... 2 What is Website Payments Pr?... 2 Website Payments Pr and Website Payments Standard...

More information

Personal Data Security Breach Management Policy

Personal Data Security Breach Management Policy Persnal Data Security Breach Management Plicy 1.0 Purpse The Data Prtectin Acts 1988 and 2003 impse bligatins n data cntrllers in Western Care Assciatin t prcess persnal data entrusted t them in a manner

More information

In-House Counsel Day Priorities for 2012. Cloud Computing the benefits, potential risks and security for the future

In-House Counsel Day Priorities for 2012. Cloud Computing the benefits, potential risks and security for the future In-Huse Cunsel Day Pririties fr 2012 Clud Cmputing the benefits, ptential risks and security fr the future Presented by David Richardsn Thursday 1 March 2012 WIN: What in-huse lawyers need Knwledge, supprt

More information

PCI - Why You Need to be Compliant When Accepting Credit Card Payments. Agenda. Breaches in the Headlines. Breach Events & Commonalities

PCI - Why You Need to be Compliant When Accepting Credit Card Payments. Agenda. Breaches in the Headlines. Breach Events & Commonalities PCI - Why Yu Need t be Cmpliant When Accepting Credit Card Payments Tuesday, March 27, 2012 Agenda Breach Events & Cmmnalities Evlutin f PCI PCI Requirements Risks f Nn-cmpliance Industry Initiatives t

More information

Vantiv eprotect iframe Technical Assessment Paper Prepared for:

Vantiv eprotect iframe Technical Assessment Paper Prepared for: Vantiv eprtect iframe Technical Assessment Paper Prepared fr: Octber 13, 2015 P a g e 2 Cntents EXECUTIVE SUMMARY...3 OVERVIEW... 3 ABOUT VANTIV EPROTECT... 4 OPERATIONAL FLOW... 5 TECHNICAL ASSESSMENT...6

More information

IN-HOUSE OR OUTSOURCED BILLING

IN-HOUSE OR OUTSOURCED BILLING IN-HOUSE OR OUTSOURCED BILLING Medical billing is ne f the mst cmplicated aspects f running a medical practice. With thusands f pssible cdes fr diagnses and prcedures, and multiple payers, the ability

More information

University of Texas at Dallas Policy for Accepting Credit Card and Electronic Payments

University of Texas at Dallas Policy for Accepting Credit Card and Electronic Payments University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments Cntents: Purpse Applicability Plicy Statement Respnsibilities f a Merchant Department Prcess t Becme a Merchant Department

More information

The ADVANTAGE of Cloud Based Computing:

The ADVANTAGE of Cloud Based Computing: The ADVANTAGE f Clud Based Cmputing: A Web Based Slutin fr: Business wners and managers that perate equipment rental, sales and/r service based rganizatins. R M I Crpratin Business Reprt RMI Crpratin has

More information

System Business Continuity Classification

System Business Continuity Classification System Business Cntinuity Classificatin Business Cntinuity Prcedures Infrmatin System Cntingency Plan (ISCP) Business Impact Analysis (BIA) System Recvery Prcedures (SRP) Cre Infrastructure Criticality

More information

State of Wisconsin. File Server Service Service Offering Definition

State of Wisconsin. File Server Service Service Offering Definition State f Wiscnsin File Server Service Service Offering Definitin Dcument Revisin Histry Date Versin Creatr Ntes 2/16/2008 1.0 JD Urfer First pass 2/16/2008 2.0 Tm Runge Editing changes 2/19/2009 2.1 Tm

More information

Vulnerability Management:

Vulnerability Management: Vulnerability Management: Creating a Prcess fr Results Kyle Snavely Veris Grup, LLC Summary Organizatins increasingly rely n vulnerability scanning t identify risks and fllw up with remediatin f thse risks.

More information

POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014

POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014 State f Michigan POLICY 1390 Infrmatin Technlgy Cntinuity f Business Planning Issued: June 4, 2009 Revised: June 12, 2014 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY: Plicy fr Infrmatin Technlgy (IT)

More information

In addition to assisting with the disaster planning process, it is hoped this document will also::

In addition to assisting with the disaster planning process, it is hoped this document will also:: First Step f a Disaster Recver Analysis: Knwing What Yu Have and Hw t Get t it Ntes abut using this dcument: This free tl is ffered as a guide and starting pint. It is des nt cver all pssible business

More information

Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply

Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply Sectin 1 General Infrmatin RFR Number: (Reference BPO Number) Functinal Area (Enter One Only) F50B3400026 7 Infrmatin System Security Labr Categry A single supprt resurce may be engaged fr a perid nt t

More information

Best Practices for Optimizing Performance and Availability in Virtual Infrastructures

Best Practices for Optimizing Performance and Availability in Virtual Infrastructures Best Practices fr Optimizing Perfrmance and Availability in Virtual Infrastructures www.nimsft.cm Best Practices fr Optimizing Perfrmance and Availability in Virtual Infrastructures PAGE 2 Table f Cntents

More information

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Department f Health and Human Services OFFICE OF INSPECTOR GENERAL PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Inquiries abut this reprt may be addressed t the Office f Public Affairs

More information

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337 HIPAA Cmpliance 101 Imprtant Terms Cvered Entities (CAs) The HIPAA Privacy Rule refers t three specific grups as cvered entities, including health plans, healthcare clearinghuses, and health care prviders

More information

expertise hp services valupack consulting description security review service for Linux

expertise hp services valupack consulting description security review service for Linux expertise hp services valupack cnsulting descriptin security review service fr Linux Cpyright services prvided, infrmatin is prtected under cpyright by Hewlett-Packard Cmpany Unpublished Wrk -- ALL RIGHTS

More information

Table of Contents. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Table of Contents. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Table f Cntents Tp Pricing and Licensing Questins... 2 Why shuld custmers be excited abut Micrsft SQL Server 2012?... 2 What are the mst significant changes t the pricing and licensing fr SQL Server?...

More information

HP ExpertOne. HP2-T21: Administering HP Server Solutions. Table of Contents

HP ExpertOne. HP2-T21: Administering HP Server Solutions. Table of Contents HP ExpertOne HP2-T21: Administering HP Server Slutins Industry Standard Servers Exam preparatin guide Table f Cntents Overview 2 Why take the exam? 2 HP ATP Server Administratr V8 certificatin 2 Wh shuld

More information

ITIL V3 Planning, Protection and Optimization (PPO) Certification Program - 5 Days

ITIL V3 Planning, Protection and Optimization (PPO) Certification Program - 5 Days ITIL V3 Planning, Prtectin and Optimizatin (PPO) Certificatin Prgram - 5 Days Prgram Overview The ITIL Intermediate Qualificatin: Planning, Prtectin and Optimizatin (PPO) Certificate is a free-standing

More information

Systems Support - Extended

Systems Support - Extended 1 General Overview This is a Service Level Agreement ( SLA ) between and the Enterprise Windws Services t dcument: The technlgy services the Enterprise Windws Services prvides t the custmer. The targets

More information

ITIL Service Offerings & Agreement (SOA) Certification Program - 5 Days

ITIL Service Offerings & Agreement (SOA) Certification Program - 5 Days ITIL Service Offerings & Agreement (SOA) Certificatin Prgram - 5 Days Prgram Overview ITIL is a set f best practices guidance that has becme a wrldwide-adpted framewrk fr Infrmatin Technlgy Services Management

More information

Presentation: The Demise of SAS 70 - What s Next?

Presentation: The Demise of SAS 70 - What s Next? Presentatin: The Demise f SAS 70 - What s Next? September 15, 2011 1 Presenters: Jeffrey Ziplw - Partner BlumShapir Jennifer Gerasimv Senir Manager Delitte. SAS 70 Backgrund and Overview Purpse f a SAS

More information

Managed Firewall Service Definition. SD007v1.1

Managed Firewall Service Definition. SD007v1.1 Managed Firewall Service Definitin SD007v1.1 Managed Firewall Service Definitin Service Backgrund It is imprtant t nte that the functin f any firewall service is t filter traffic cming int the netwrk (als

More information

ITIL Release Control & Validation (RCV) Certification Program - 5 Days

ITIL Release Control & Validation (RCV) Certification Program - 5 Days ITIL Release Cntrl & Validatin (RCV) Certificatin Prgram - 5 Days Prgram Overview ITIL is a set f best practices guidance that has becme a wrldwide-adpted framewrk fr Infrmatin Technlgy Services Management

More information

Bit9 Security Solution Technology Whitepaper Date: September 17, 2015

Bit9 Security Solution Technology Whitepaper Date: September 17, 2015 P a g e 1 Bit9 Security Slutin Technlgy Whitepaper Date: September 17, 2015 Atlanta Bstn Dallas Denver Ls Angeles Manchester (U.K.) New Yrk San Francisc Seattle Washingtn, D.C. 877.224.8077 inf@calfire.cm

More information

State of Wisconsin DET Agency Managed Virtual Services Service Offering Definition

State of Wisconsin DET Agency Managed Virtual Services Service Offering Definition State f Wiscnsin DET Agency Managed Virtual Services Service Offering Definitin Dcument Revisin Histry Date Versin Creatr Ntes 6/03/08 1.0 James Sylla Initial draft 9/21/11 1.7 Amy Dustin Annual review

More information

Business Continuity Management Systems Foundation Training Course

Business Continuity Management Systems Foundation Training Course Certificatin criteria fr Business Cntinuity Management Systems Fundatin Training Curse CONTENTS 1. INTRODUCTION 2. LEARNING OBJECTIVES 3. ENABLING OBJECTIVES KNOWLEDGE & SKILLS 4. TRAINING METHODS 5. COURSE

More information

MaaS360 Cloud Extender

MaaS360 Cloud Extender MaaS360 Clud Extender Installatin Guide Cpyright 2012 Fiberlink Cmmunicatins Crpratin. All rights reserved. Infrmatin in this dcument is subject t change withut ntice. The sftware described in this dcument

More information

THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM

THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM 1. Prgram Adptin The City University f New Yrk (the "University") develped this Identity Theft Preventin Prgram (the "Prgram") pursuant

More information

Using PayPal Website Payments Pro with ProductCart

Using PayPal Website Payments Pro with ProductCart Using PayPal Website Payments Pr with PrductCart Overview... 2 Abut PayPal Website Payments Pr & Express Checkut... 3 What is Website Payments Pr?... 3 Website Payments Pr and Website Payments Standard...

More information

ITIL V3 Service Offerings and Agreements (SOA) Certification Program - 5 Days

ITIL V3 Service Offerings and Agreements (SOA) Certification Program - 5 Days ITIL V3 Service Offerings and Agreements (SOA) Certificatin Prgram - 5 Days Prgram Overview The ITIL Intermediate Qualificatin: Service Offerings and Agreements (SOA) Certificate, althugh a stand alne

More information

Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd

Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Audit Cmmittee Charter St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Versin 2.0, 22 February 2016 Apprver Bard f Directrs St Andrew

More information

Support Services. v1.19 / 2015-07-02

Support Services. v1.19 / 2015-07-02 Supprt Services v1.19 / 2015-07-02 Intrductin - Table f Cntents 1 Intrductin... 3 2 Definitins... 4 3 Supprt Prgram Feature Overview... 5 4 SLA fr the Supprt Services... 6 4.1 Standard Supprt... 6 4.2

More information

Intel Hybrid Cloud Management Portal Update FAQ. Audience: Public

Intel Hybrid Cloud Management Portal Update FAQ. Audience: Public Intel Hybrid Clud Management Prtal Update FAQ Audience: Public Purpse: Prepare fr the launch f the Intel Hybrid Clud Platfrm multi-user/multi-tier update Versin: Final FAQs What s new in the Intel Hybrid

More information

AuditNet Survey of Bring your own Device (BYOD) - Control, Risk and Audit

AuditNet Survey of Bring your own Device (BYOD) - Control, Risk and Audit AuditNet Survey f Bring yur wn Device (BYOD) - Cntrl, Risk and Audit The pace f technlgy mves much faster than managers and auditrs can understand and react, with updated plicies, prcedures and cntrls.

More information

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released Page 1 f 6 Vice President, Infrmatics and Transfrmatin Supprt APPROVED (S) REVISED / REVIEWED SUMMARY Versin Date Cmments / Changes 1.0 Initial Plicy Released INTENT / PURPOSE The Infrmatin and Data Gvernance

More information

Session 9 : Information Security and Risk

Session 9 : Information Security and Risk INFORMATION STRATEGY Sessin 9 : Infrmatin Security and Risk Tharaka Tennekn B.Sc (Hns) Cmputing, MBA (PIM - USJ) POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014 Infrmatin Management Framewrk 2 Infrmatin

More information

FINANCIAL SERVICES FLASH REPORT

FINANCIAL SERVICES FLASH REPORT FINANCIAL SERVICES FLASH REPORT Draft Regulatry Cmpliance Management Guideline Released by the Office f the Superintendent f Financial Institutins May 5, 2014 On April 30, 2014, the Office f the Superintendent

More information

Growing Your Cloud Infrastructure: Planning, Design and Operation

Growing Your Cloud Infrastructure: Planning, Design and Operation w h i t e p a p e r p a g e 1 f 12 Grwing Yur Clud Infrastructure: Planning, Design and Operatin Abstract Clud cmputing services are expanding and evlving rapidly. But with this fast, largescale grwth

More information

CSC IT practix Recommendations

CSC IT practix Recommendations CSC IT practix Recmmendatins CSC Healthcare 28th January 2014 Versin 3 www.csc.cm/glbalhealthcare Cntents 1 Imprtant infrmatin 3 2 IT Specificatins 4 2.1 Wrkstatins... 4 2.2 Minimum Server with 1-5 wrkstatins

More information

Data Warehouse Scope Recommendations

Data Warehouse Scope Recommendations Rensselaer Data Warehuse Prject http://www.rpi.edu/datawarehuse Financial Analysis Scpe and Data Audits This dcument describes the scpe f the Financial Analysis data mart scheduled fr delivery in July

More information

Defining Sales Campaign Automation How e-mail, the Killer App, is best applied to marketing

Defining Sales Campaign Automation How e-mail, the Killer App, is best applied to marketing Defining Sales Campaign Autmatin Hw e-mail, the Killer App, is best applied t marketing Summary: Cmpanies tday are steadily adpting strategies and technlgies t reach prspects, custmers, and partners thrugh

More information

2. Are there any restrictions on when the work can be performed (e.g. only at night, only during business hours, only on weekends)? No.

2. Are there any restrictions on when the work can be performed (e.g. only at night, only during business hours, only on weekends)? No. HIPAA Technical Risk Security Assessment 1. Will yu be issuing additinal directins fr the frmatting f the final prpsal due Nvember 21 st? There is nt specific frmatting requirements, just submit the prpsal

More information

SaaS Listing CA Cloud Service Management

SaaS Listing CA Cloud Service Management SaaS Listing CA Clud Service Management 1. Intrductin This dcument prvides standards and features that apply t the CA Clud Service Management (CSM) SaaS ffering prvided t the Custmer and defines the parameters

More information

How Does Cloud Computing Work?

How Does Cloud Computing Work? Hw Des Clud Cmputing Wrk? Carl Mazzanti, CEO, emazzanti Technlgies IT Supprt and Clud Cmputing Services fr Small Business Hbken, NJ and NYC, 201-360- 4400 Owner [Pick the date] Hw des Clud Cmputing Wrk?

More information

Better Practice Guide Financial Considerations for Government use of Cloud Computing

Better Practice Guide Financial Considerations for Government use of Cloud Computing Better Practice Guide Financial Cnsideratins fr Gvernment use f Clud Cmputing Nvember 2011 Intrductin Many Australian Gvernment agencies are in the prcess f cnsidering the adptin f clud-based slutins.

More information

Christchurch Polytechnic Institute of Technology Access Control Security Standard

Christchurch Polytechnic Institute of Technology Access Control Security Standard CPIT Crprate Services Divisin: ICT Christchurch Plytechnic Institute f Technlgy Access Cntrl Security Standard Crprate Plicies & Prcedures Sectin 1: General Administratin Dcument CPP121a Principles Infrmatin

More information

Monthly All IFS files, all Libraries, security and configuration data

Monthly All IFS files, all Libraries, security and configuration data Server Backup Plicy Intrductin Data is ne f Banks DIH Limited s mst imprtant assets. In rder t prtect this asset frm lss r destructin, it is imperative that it be safely and securely captured, cpied, and

More information

Service Management - Framework 2013

Service Management - Framework 2013 Service - Framewrk 2013 Getting Started Right with Service System Netwrk Firewall Sftware Service App With the right framewrk, enterprises f almst any size small t large can implement effective functinal

More information

ITL BULLETIN FOR JANUARY 2016 SECURING INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT USING SECURE SHELL (SSH)

ITL BULLETIN FOR JANUARY 2016 SECURING INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT USING SECURE SHELL (SSH) ITL BULLETIN FOR JANUARY 2016 SECURING INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT USING SECURE SHELL (SSH) Murugiah Suppaya, Karen Scarfne, 1 and Larry Feldman, 2 Editrs Cmputer Security Divisin Infrmatin

More information

COE: Hybrid Course Request for Proposals. The goals of the College of Education Hybrid Course Funding Program are:

COE: Hybrid Course Request for Proposals. The goals of the College of Education Hybrid Course Funding Program are: COE: Hybrid Curse Request fr Prpsals The gals f the Cllege f Educatin Hybrid Curse Funding Prgram are: T supprt the develpment f effective, high-quality instructin that meets the needs and expectatins

More information

Comtrex Systems Corporation. CISP/PCI Implementation Guidance for Odyssey Suite

Comtrex Systems Corporation. CISP/PCI Implementation Guidance for Odyssey Suite CISP/PCI Implementatin Guidance fr Odyssey Suite Applicable Applicatin Versin This dcument supprts the fllwing applicatin versin: Odyssey Suite Versin 2.0 Intrductin Systems which prcess payment transactins

More information

CDC UNIFIED PROCESS PRACTICES GUIDE

CDC UNIFIED PROCESS PRACTICES GUIDE Dcument Purpse The purpse f this dcument is t prvide guidance n the practice f Risk Management and t describe the practice verview, requirements, best practices, activities, and key terms related t these

More information

Basic concept of Cloud computing

Basic concept of Cloud computing Basic cncept f Clud cmputing Abstract:- Mnica R Kabra (Vivekanand Arts Sardar Dalipsingh Cmmerce and science cllege Aurangabad) Clud cmputing is becming a pwerful netwrk architecture t perfrm large-scale

More information

Interworks Cloud Platform Citrix CPSM Integration Specification

Interworks Cloud Platform Citrix CPSM Integration Specification Citrix CPSM Integratin Specificatin Cntents 1. Intrductin... 2 2. Activatin f the Integratin Layer... 3 3. Getting the Services Definitin... 4 3.1 Creating a Prduct Type per Lcatin... 5 3.2 Create Instance

More information

Security Services. Service Description Version 1.00. Effective Date: 07/01/2012. Purpose. Overview

Security Services. Service Description Version 1.00. Effective Date: 07/01/2012. Purpose. Overview Security Services Service Descriptin Versin 1.00 Effective Date: 07/01/2012 Purpse This Enterprise Service Descriptin is applicable t Security Services ffered by the MN.IT Services and described in the

More information

Zimbra Professional Services Portfolio, Purchasing Guide & Price List

Zimbra Professional Services Portfolio, Purchasing Guide & Price List In- Tuitin Netwrks Ltd Zimbra Prfessinal Services Prtfli, Purchasing Guide & Price List This dcument prvides an verview f In- Tuitin Netwrks Limited s range f Zimbra Prfessinal Services available n the

More information

UC4 AUTOMATED VIRTUALIZATION Intelligent Service Automation for Physical and Virtual Environments

UC4 AUTOMATED VIRTUALIZATION Intelligent Service Automation for Physical and Virtual Environments Fr mre infrmatin abut UC4 prducts please visit www.uc4.cm. UC4 AUTOMATED VIRTUALIZATION Intelligent Service Autmatin fr Physical and Virtual Envirnments Intrductin This whitepaper describes hw the UC4

More information

CMS Eligibility Requirements Checklist for MSSP ACO Participation

CMS Eligibility Requirements Checklist for MSSP ACO Participation ATTACHMENT 1 CMS Eligibility Requirements Checklist fr MSSP ACO Participatin 1. General Eligibility Requirements ACO participants wrk tgether t manage and crdinate care fr Medicare fee-fr-service beneficiaries.

More information

Gateway Agent - First Amendment to the High Level Design Document

Gateway Agent - First Amendment to the High Level Design Document Gateway Agent - First Amendment t the High Level Design Dcument Scpe The Gateway Agent HLD thrugh update 1 assumes that nly the Cntrl App, while cnnected t the prximal netwrk, can initiate new clud services.

More information

Critical Success Factors for FedRAMP Assessments A 3PAO Perspective

Critical Success Factors for FedRAMP Assessments A 3PAO Perspective Creating Mre Effective and Strategic Slutins Critical Success Factrs fr FedRAMP Assessments A 3PAO Perspective David Svec Veris Grup, LLC Summary Clud Security Prviders (CSPs) fr the gvernment have a strategic

More information

HEAL-Link Federation Higher Education & Research. Exhibit 2. Technical Specifications & Attribute Specifications

HEAL-Link Federation Higher Education & Research. Exhibit 2. Technical Specifications & Attribute Specifications HEAL-Link Federatin Higher Educatin & Research Exhibit 2 Technical Specificatins & Attribute Specificatins Trust Relatinship Trust relatinship amng the federatin, federatin members and federatin partners

More information

SECTION J QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

SECTION J QUALITY ASSURANCE AND IMPROVEMENT PROGRAM Audit Manual Sectin J SECTION J QUALITY ASSURANCE AND IMPROVEMENT PROGRAM Ref. Plicy and Practice Requirements IIA Standards and Other references J 1 Plicy: The Head f Internal Audit shall develp and maintain

More information

State of Wisconsin Division of Enterprise Technology (DET) Distributed Database Hosting Service Offering Definition (SOD)

State of Wisconsin Division of Enterprise Technology (DET) Distributed Database Hosting Service Offering Definition (SOD) State f Wiscnsin Divisin f Enterprise Technlgy (DET) Distributed Database Hsting Service Offering Definitin (SOD) Distributed Database Hsting SOD Page 1 12/9/2010 Dcument Revisin Histry (Majr Pst Publishing

More information

Data Abstraction Best Practices with Cisco Data Virtualization

Data Abstraction Best Practices with Cisco Data Virtualization White Paper Data Abstractin Best Practices with Cisc Data Virtualizatin Executive Summary Enterprises are seeking ways t imprve their verall prfitability, cut csts, and reduce risk by prviding better access

More information

WHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy

WHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy WHAT YOU NEED TO KNOW ABOUT Prtecting yur Privacy YOUR PRIVACY IS OUR PRIORITY Credit unins have a histry f respecting the privacy f ur members and custmers. Yur Bard f Directrs has adpted the Credit Unin

More information

Securely Managing Cryptographic Keys used within a Cloud Environment

Securely Managing Cryptographic Keys used within a Cloud Environment Securely Managing Cryptgraphic Keys used within a Clud Envirnment Dr. Sarbari Gupta sarbari@electrsft-inc.cm 703-437-9451 ext 12 2012 NIST Cryptgraphic Key Management Wrkshp September 10-11, 2012 Intrductin

More information

CHANGE MANAGEMENT STANDARD

CHANGE MANAGEMENT STANDARD The electrnic versin is current, r when printed and stamped with the green cntrlled dcument stamp. All ther cpies are uncntrlled. DOCUMENT INFORMATION Descriptin Dcument Owner This standard utlines the

More information

MigrationWiz HIPAA Compliant Migration. Focus on data migration, not regulation. BitTitan Global Headquarters: 3933 Lake Washington Blvd NE Suite 200

MigrationWiz HIPAA Compliant Migration. Focus on data migration, not regulation. BitTitan Global Headquarters: 3933 Lake Washington Blvd NE Suite 200 MigratinWiz HIPAA Cmpliant Migratin Fcus n data migratin, nt regulatin. BitTitan Glbal Headquarters: 3933 Lake Washingtn Blvd NE Suite 200 Table f Cntents Kirkland, WA 98033 www.bittitan.cm sales@bittitan.cm

More information