Alibaba Cloud Security Compliance


Alibaba Cloud Indonesia

Security Compliance
Your Digital Transformation Expert
in the Age of Intelligent Business
World Class Security, Global Compliance

Security Compliance

Global
Alibaba Cloud adheres to international information security standards, and we are committed to using international best practices.

We engage with independent third parties to verify the compliance of Alibaba Cloud according to various requirements. Certified by more than 10 agencies across the globe, Alibaba Cloud is a cloud service provider with the most complete range of certifications in Asia.

Regional
Alibaba Cloud adheres to domestic information security standards in all regions where we provide cloud products and services.

Privacy Protection
Alibaba Cloud is committed to protecting customers' personal information and guarantees that such information is only used for the purposes agreed by customers.

Industry
Alibaba Cloud adheres to industry best practices by conducting self-assessments and adopting a series of certifications.

General Data Protection Regulation (GDPR)
Alibaba Cloud is GDPR ready by the effective date of May 25, 2018.

ISO 27001

ISO/IEC 27001:2013 is a widely adopted global security standard that outlines the requirements for information security management systems and provides a systematic approach to managing company and customer information based on periodic risk assessments. The latest standard, ISO/IEC 27001:2013, was published on September 25, 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO/IEC subcommittee.

ISO 20000

ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfill agreed service requirements.

ISO 22301

ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.

ISO 9001

ISO 9001:2015 specifies requirements for a quality management system when an organization:
a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

ISO 27017

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002;
- additional controls with implementation guidance that specifically relate to cloud services.

CSA STAR

CSA STAR certification is a new and targeted international professional certification program by the founders of global standards, the British Standards Institution (BSI) and the international Cloud Security Alliance (CSA), aimed at coping with specific problems related to cloud security.

CSA STAR Certified cloud vendors provide service capabilities transparently, helping customers to make more informed decisions when buying and using services.

Alibaba Cloud is the first company in the world to obtain the CSA STAR gold medal certification, which testifies to our dedication to and leadership in cloud security.

In addition, Alibaba Cloud also completed a self-assessment of the CSA Consensus Assessment Initiative Questionnaire (CAIQ) to describe our compliance with the best practices issued by CSA and let our customers understand how Alibaba Cloud meets these requirements. Our completed CAIQ can be found here.

SOC Report

Alibaba Cloud System and Organization Controls (SOC) Reports are independent third-party audit reports concerning the internal controls over the services offered by Alibaba Cloud as a service organization. The SOC Reports are valuable resources for Alibaba Cloud's customers and their auditors to understand the organization's controls and assess the risks associated with their outsourced services. Alibaba Cloud's customers can review our system and organization controls by accessing the following SOC Reports:

SOC 1 Type 2 Report: This is an independent audit report performed according to the SSAE No. 18 Attestation Standards, AT-C section 320, entitled Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting, about the internal controls to achieve the control objectives defined by Alibaba Cloud.

Note: SOC Documents can be retrieved based on customer’s request


SOC 2 Type 2 Report: This report describes Alibaba Cloud's internal controls based on the specific criteria outlined in DC section 200, entitled Description Criteria for a Description of a Service Organization's System in a SOC 2® Report, with an opinion from the independent auditor to assure that the controls have been designed and operated effectively to achieve the AICPA Trust Services Criteria relevant to security, availability, and confidentiality outlined in TSP section 100, entitled Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 3 Report: This is an independent audit report generally describing the service commitments and system requirements of Alibaba Cloud that were designed and operated according to the trust services criteria relevant to security, availability, and confidentiality outlined in TSP section 100, entitled Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

Alibaba Cloud issues SOC reports twice a year with a reporting period
of 12 months on a continuous rolling basis (1 April to 31 March and 1
October to 30 September). The latest SOC reports are available in
May and November each year.

PCI DSS

PCI DSS comprises 12 requirements covering 6 categories: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Applicable entities use it to assess whether they have maintained a secure environment for the protection of their affiliated payment card account data.

Alibaba Cloud engaged a PCI SSC-approved Qualified Security Assessor (QSA) to conduct an annual on-site assessment and is certified as PCI DSS v3.2.1 Level 1. The scope of the PCI DSS assessment includes cloud products, security services and CDN services that are available in 12 global regions (including Hong Kong). The Attestation of Compliance (AOC) report is available for download. For detailed scope information, please refer to the AOC report.

https://www.alibabacloud.com/trust-center/pci-dss?spm=a3c0i.17650567.2445100110.11.15582ae3deHGjA
PCI 3DS

Three-Domain Secure (3DS or 3-D Secure) is a protocol designed to add an additional security layer for card-not-present (CNP) transactions, reducing the likelihood of fraudulent usage of payment cards by providing the ability to authenticate cardholders with card issuers. The three domains consist of the acquirer domain, the issuer domain, and the interoperability domain (e.g. payment systems). EMVCo developed a new industry specification, EMV 3-D Secure, which supports new payment channels other than traditional browser-based e-commerce transactions, such as app-based transactions.

PCI 3DS is a core security standard established by the PCI Security Standards Council (PCI SSC), providing a framework for the three critical EMV 3DS components, the Access Control Server (ACS), the Directory Server (DS), and the 3DS Server (3DSS), to implement physical and logical security controls that support the integrity and confidentiality of the 3DS transaction process. The PCI 3DS core security standard is composed of baseline security requirements and 3DS security requirements, to protect 3DS data, technologies, and processes.

Alibaba Cloud demonstrated compliance with the applicable PCI 3DS requirements for the cloud computing products and services it provides. Please refer to the 3DS Attestation of Compliance (AOC) for detailed information. By complying with the PCI 3DS core security standard, Alibaba Cloud assures customers that its cloud infrastructure and cloud products can support them in building a secure environment where ACS, DS, and/or 3DSS functions are performed.

https://www.alibabacloud.com/trust-center/pci-3ds?spm=a3c0i.17650567.2445100110.12.15582ae3deHGjA
EU GDPR

The EU GDPR is a consolidated legal framework intended to ensure the protection of "fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data". It is a mandatory law requiring compliance with provisions that apply throughout the European Union to the business usage of personal data. It replaced the patchwork of existing regulations and frameworks and the 20-year-old Directive (95/46/EC).

Alibaba Cloud GDPR Compliance Highlights:

• Account Deletion
• Privacy Policy
• Security
• Privacy Readiness

https://www.alibabacloud.com/trust-center/gdpr?spm=a3c0i.17650567.5959942230.1.15582ae3deHGjA
ISO 27018

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
