Managing Risk and Compliance - Cloud Security for Adobe Experience Manager on Amazon Web Service


Managing Risk and Compliance

Development Heroes Enterprise Managed Services

Most organizations begin their digital journey to satisfy increasingly sophisticated customer expectations for an intuitive, hyper-personalized customer experience. Through the process they identify opportunities to improve internal efficiencies and reduce cost. Although digital transformation offers boundless possibilities for growth, it often comes with its own set of challenges and risks.

Development Heroes Enterprise Managed Services helps organizations to navigate risk and compliance issues through a mix of planning, development and hosting services. We are focused on helping businesses in regulated industries, such as financial services and government agencies, to offer secure digital experiences that comply with industry and corporate regulations, and provide you with the tools to track and prove your compliance.

KEY BENEFITS

• Hands-on assistance from Development Heroes experts

• Ensures all aspects of your digital transformation comply with industry and corporate regulations

• End-to-end approach fulfils all Cloud Security, Data Privacy and Compliance needs

(646) 844-4784

www.developmentheroes.com

Cloud Security

While Amazon Web Services (AWS) manages security of the cloud, security in the cloud is the responsibility of the customer. This shared responsibility model makes it even more critical that you choose an experienced partner to manage your services. Development Heroes will configure, manage and help you to track the security of your content, platform, applications, systems and networks within the AWS cloud. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, we help you to establish and operate in a security-controlled environment.

The Amazon Web Services (AWS) cloud allows your organization to scale and innovate while maintaining a secure environment. Development Heroes will combine secure application development practices with data center and network architecture built to meet the requirements of the most security-sensitive organizations.

Development Heroes will help you configure a secure environment and implement controls to mitigate or manage risk.

• Security scales with your AWS cloud usage. No matter the size of your business, the AWS infrastructure is designed to keep data safe.

• AWS manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed.

• The AWS infrastructure puts strong safeguards in place to help protect customer privacy. All data is stored in highly secure AWS data centers.

“No matter the size of your business, the AWS infrastructure is designed to keep data safe.”


Related: AWS Risk and Compliance Whitepaper

Data Privacy

We know you and your customers care deeply about privacy and data security. We’ll work with you to configure where your customer data will be stored and secure your customer content in transit or at rest. Working with AWS, we also implement responsible and sophisticated technical and physical controls designed to prevent unauthorized access to or disclosure of customer content.

Compliance

Amazon Web Services Cloud Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities will be shared. Development Heroes will work with your organization to implement a combination of application security, AWS infrastructure and partner tools and services to meet your specific security and compliance requirements.

Assurance Programs with AWS

AWS manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed. Development Heroes will work with your team to ensure your infrastructure configuration best leverages AWS compliance programs specific to your needs.

“Development Heroes will work with your team to ensure your infrastructure configuration best leverages AWS compliance programs specific to your needs.”


Certifications / Attestations

• DoD SRG
• FedRAMP
• FIPS
• IRAP
• ISO 9001
• ISO 27001
• ISO 27017
• ISO 27018
• MLPS Level 3
• MTCS
• PCI DSS Level 1
• SEC Rule 17-a-4(f)
• SOC 1
• SOC 2
• SOC 3

Laws, Regulations, and Privacy

• DNB (Netherlands)
• EAR
• EU Model Clauses
• FERPA
• GLBA
• HIPAA
• HITECH
• IRS 1075
• ITAR
• My Number Act (Japan)
• U.K. DPA - 1988
• VPAT / Section 508
• EU Data Protection Directive
• Privacy Act (Australia)
• Privacy Act (New Zealand)
• PDPA - 2010 (Malaysia)
• PDPA - 2012 (Singapore)

Alignments / Frameworks

• CJIS
• CLIA
• CMS EDGE
• CMSR
• CSA
• FDA
• FedRAMP TIC
• FISC
• FISMA
• G-Cloud
• GxP (FDA CFR 21 Part 11)
• ICREA
• IT Grundschutz
• MITA 3.0
• MPAA
• NERC
• NIST
• PHR
• Uptime Institute Tiers
• UK Cloud Security Principles
• UK Cyber Essentials

SOC Compliance

AWS Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. There are three types of AWS SOC Reports:

• AWS SOC 1 Report
• AWS SOC 2: Security & Availability Report
• AWS SOC 3: Security & Availability Report

SOC 1 Control Objectives

The SOC 1 reports are designed to focus on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. As AWS’ customer base is broad, and the use of AWS services is equally as broad, the applicability of controls to customer financial statements varies by customer. Therefore, the AWS SOC 1 report is designed to cover specific key controls likely to be required during a financial audit, as well as covering a broad range of IT general controls to accommodate a wide range of usage and audit scenarios. This allows customers to leverage the AWS infrastructure to store and process critical data, including that which is integral to the financial reporting process.

Objective Area: Objective Description

Security Organization: Controls provide reasonable assurance that information security policies have been implemented and communicated throughout the organization.

Employee User Access: Controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis.

Logical Security: Controls provide reasonable assurance that policies and mechanisms are in place to appropriately restrict unauthorized internal and external access to data, and that customer data is appropriately segregated from other customers.

Secure Data Handling: Controls provide reasonable assurance that data handling between the customer’s point of initiation and an AWS storage location is secured and mapped accurately.

Physical Security and Environmental Protection: Controls provide reasonable assurance that physical access to data centers is restricted to authorized personnel and that mechanisms are in place to minimize the effect of a malfunction or physical disaster on data center facilities.

Change Management: Controls provide reasonable assurance that changes (including emergency / non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.

Data Integrity, Availability and Redundancy: Controls provide reasonable assurance that data integrity is maintained through all phases, including transmission, storage and processing.

Incident Handling: Controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved.

Development Heroes can work with you to implement specific IT Key Controls beyond those included with the AWS SOC Reports.

More detail on SOC compliance is given on page 19 of the AWS Risk and Compliance Whitepaper (June 2016).

PCI DSS Level 1 Service Provider

As a part of our Managed Services offering, Development Heroes helps merchants and financial institutions to configure their solutions to comply with standards that protect their payment systems from breaches and theft of cardholder data.

The Payment Card Industry Data Security Standard (also known as PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

FISMA and DIACAP

By using AWS, Development Heroes enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners’ approval process. Numerous Federal Civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP).


Global Infrastructure

Improving Continuity with Replication Between Regions

In addition to replicating applications and data across multiple data centers in the same region using Availability Zones, you can also choose to increase redundancy and fault tolerance further by replicating data between geographic regions.

Fig. 1 - Regions and Number of Availability Zones

Meeting Compliance and Data Residency Requirements

You retain complete control and ownership over the region in which your data is physically located, making it easy to meet regional compliance and data residency requirements.
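Cross-region replication is the one capability above that can quietly move a copy of your data into a region your residency obligations do not allow, so a residency check has to cover replication destinations as well as each bucket's primary region. The following is an added example, not Development Heroes' or AWS's own code; it assumes a bucket inventory already exported from the account in the simple shape shown (bucket names and the EU-only policy are constructed, region codes are real AWS region names).

```python
"""Data-residency check over an AWS S3 bucket inventory (constructed sample data).

Added example, not Development Heroes' or AWS's own code. It assumes an inventory
already exported from the account (for example with the AWS CLI) in the shape
shown below; bucket names and the allowed-region policy are constructed.
"""

# Constructed inventory: each bucket, the region it lives in, and the regions
# its replication rules copy objects to (empty list = no replication).
INVENTORY = [
    {"bucket": "aem-assets-prod",  "region": "eu-west-1",    "replicas": ["eu-central-1"]},
    {"bucket": "aem-logs-prod",    "region": "eu-west-1",    "replicas": ["us-east-1"]},
    {"bucket": "aem-backups",      "region": "eu-central-1", "replicas": []},
    {"bucket": "marketing-export", "region": "us-west-2",    "replicas": []},
]

# Regions in which this customer's data is permitted to reside (assumed policy:
# EU-only residency, as a European financial-services customer might require).
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}


def residency_findings(inventory, allowed):
    """Return one (bucket, kind, region) tuple per residency violation.

    Both the primary region and every replication destination are checked,
    because a cross-region replication rule places a full copy of the data
    in the destination region even though the bucket itself stays put.
    """
    findings = []
    for b in inventory:
        if b["region"] not in allowed:
            findings.append((b["bucket"], "primary", b["region"]))
        for dest in b["replicas"]:
            if dest not in allowed:
                findings.append((b["bucket"], "replica", dest))
    return findings


def is_compliant(inventory, allowed):
    """True only when no bucket or replica sits outside the allowed regions."""
    return not residency_findings(inventory, allowed)


if __name__ == "__main__":
    for bucket, kind, region in residency_findings(INVENTORY, ALLOWED_REGIONS):
        print(f"{bucket}: {kind} copy in non-permitted region {region}")
```

Run against the constructed inventory it flags the log bucket's replica in us-east-1 and the export bucket's primary location in us-west-2; the same loop applies unchanged to an inventory pulled from a real account.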

Development Heroes knows you care deeply about privacy and data security for your customers, and we optimize our application development and managed services to meet your security and compliance requirements.

Development Heroes Enterprise Managed Services

Make best-in-class implementation, cloud platform hosting, and ongoing support part of your investment in Adobe Experience Manager. Development Heroes is committed to delivering the industry’s leading Managed Services for organizations looking to focus their key staff on strategic initiatives and leave the day-to-day operations to a trusted partner. Our solutions are designed to enable our partners with a higher level of performance, compliance and resiliency through the integration of our people, processes, and technology.

Licensing & Maintenance

Our AEM Enterprise Hosting allows you to utilize your on-premises AEM license while we manage your infrastructure, security, scaling, and environments.

Full-Stack System Management

System management isn’t just hardware and software; it’s the cohesive platform and all of its intertwining parts:

• Applications
• Infrastructure / OS
• Networking

Enterprise Cloud Hosting

Enterprise-grade physical, data, and network security, scalable deployment and 24x7 support, monitoring and reporting.


Multi-Tier Security

The team at Development Heroes views security from the time code is committed to production all the way through the packets of network traffic being requested of your site.

Adobe AEM Expertise

Not only do we know hosting and infrastructure, we are experts trusted by and partnered with Adobe and our clients to design, develop, and architect large-scale enterprise solutions. We are committed to delivering top-level excellence to every single one of our hosting clients.

Contact Development Heroes for information about our standard and customized options for Enterprise Managed Services.

(646) 844-4784

[email protected]