AWS April Webinar Series - Security Best Practices: Compliance Beyond the Check Box

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 4/28/2015. Compliance Beyond the Checkbox. Bill Shinn, AWS Principal Security Solutions Architect.

Uploaded by amazon-web-services, posted on 18-Jul-2015


TRANSCRIPT

Compliance Beyond the Checkbox

Bill Shinn, AWS Principal Security Solutions Architect

Key AWS Certifications and Assurance Programs

St. James’s Place Migrates FCA Compliant Resources

St. James’s Place is a U.K. wealth-management company managing over £52 billion of client funds.

“We were able to double our capacity during the peak tax season, and then contract it back down when it was no longer required.”

Andy Montgomery, Head of Division for IT Operations and Solution Design, St James’s Place

Needed flexible IT resources that could scale with the business as its customer base grows by 50% every year.

SJP had to ensure that any new solution would provide a high level of data security and comply with Financial Conduct Authority (FCA) regulations.

Migrated 85 percent of its applications to AWS and expects a full migration by 2016.

Orion Health – Cloud-based Health Information Exchange

Orion Health is an award-winning health specific software company that develops modern and creative solutions for healthcare organizations across the globe.

“AWS, with its HIPAA compliance capability - and some of the work we're doing with Logicworks - was key in our decision in moving to AWS.”

Dave Bennett, EVP of Healthier Populations, Orion Health

Needed to scale Health Information Exchange for Cal INDEX to handle millions of patient records and improve population health management.

Needed a secure solution architected for HIPAA compliance.

Partnered with AWS Marketplace Healthcare Competency partner Logicworks.

AWS And You Share Responsibility for Security

AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).

You get to define your controls IN the Cloud: Identity, Data, Infrastructure, and Customer applications & content.

What this means

You benefit from an environment built for the most security sensitive organizations.

You get to define the right security controls for your workload sensitivity & compliance requirements.

You always have full ownership and control of your data.

Typical Compliance Domains

Physical Security, Data Center Operations, Data Center Personnel, Application Security, Data Security, Identity Mgmt, Risk Mgmt, Compliance Mgmt, Incident Response, Disaster Recovery, Change Mgmt, Network Security, System Security, Asset Mgmt, Monitoring

Legend: Out of scope / Reduced scope / Tools to help / Lets you concentrate on

Beyond the Checkbox

Security cartography

Evidence measures reality

Automate evidence collection

Security Cartography – Rosetta Stone?

Many custom control frameworks are based on NIST 800-53 or ISO 27001 (“control coverage”).

CCM v3.0.1 includes a comprehensive mapping (AICPA, BITS AUP/SIG, COBIT, NIST 800-53, ISO 27001, HIPAA Security Rule, PCI DSS 3.0).

Shared Assessment SIG maps to ISO 27001.

NIST 800-53 Appendix H includes a “SECURITY CONTROL MAPPINGS FOR ISO/IEC 27001 AND 15408”.

Security Cartography – NIST vs. ISO

Security Cartography – NIST vs. HIPAA

NIST SP 800-66 - Appendix D: Security Rule Standards and Implementation Specifications Crosswalk

Automate Evidence Collection

Asset Management

Access Control

Logging and Monitoring

Asset Management

ISO 27001:2013: A.8 Asset management; A.8.1 Responsibility for Assets

NIST 800-53 rev 4: Configuration Management (CM); CM-8 Information System Component Inventory

Access Control

ISO 27001:2013: A.9 Access control; A.9.2 User access management; A.9.2.3 Management of privileged access rights

NIST 800-53: Access Control (AC); AC-3 Access Enforcement

Logging and Monitoring

ISO 27001:2013: A.12 Operations security; A.12.4 Logging and Monitoring

NIST 800-53: Audit and Accountability (AU); AU-12 Audit Generation

Evidence Measures Reality

Validating controls

Detecting change

Thank you!