Compliance Glossary - VMwarecloud.vmware.com/providers/assets/blt434e413a07ad6488...4 Compliance...

vCloud Air Network Compliance Glossary

The decision to migrate key workloads and IT infrastructure to the cloud is not a matter of if, but when. As companies begin mapping out how to integrate their IT landscape with the cloud, one of the biggest concerns is how to mitigate risk—specifically as it relates to compliance.

VMware vCloud Air Network cloud providers can help organizations integrate the cloud and IT environments without compliance risks through their compliant cloud services. This glossary gives a bird’s eye view of the cloud industry’s compliance landscape.

Audit/Assurance: Standards that report on a company’s internal controls

Management: Standards relevant to the managing of certain systems, such as quality management

Education: Certifications including, but not limited to, the protection of student education records

Environment: Standards that set out guidelines for environmental management systems

Finance: Regulations and standards that govern cloud storage of financial records

Healthcare: Safeguards for health records, insurance, and information technology

Partnerships: SAP-certified hosting and cloud services

Security: Certifications and standards for securing and protecting information in the cloud

Audit / Assurance

ISAE 3000 (International): ISAE 3000 is an international assurance standard for reporting on non-financial internal IT controls. It also includes a statement on the operation of control procedures.

ISAE 3402 (International): ISAE 3402 is an international assurance standard for reporting on financial internal IT controls. It also includes a statement on the operation of control procedures.

SSAE 16 (USA): Statement on Standards for Attestation Engagements. SSAE 16 is an American assurance standard for reporting on internal IT controls. It also includes a system description and a written statement of assertion.

SSAE 16 SOC 1 (USA): SOC 1 reports on controls that are relevant to internal control over financial reporting (ICFR).

SSAE 16 SOC 2 (USA): SOC 2 reports on controls according to the trust service principles. These trust service principles are:

1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy

SSAE 16 SOC 3 (USA): SOC 3 reports on controls according to the general SysTrust or WebTrust standards. WebTrust is designed more for evaluating trust service principles for e-commerce, while SysTrust is intended for IT-based systems.

CSAE 3416 (Canada): A Canadian standard for assurance reports, developed in response to ISAE 3402 and SSAE 16.


Management

MTCS Tier 3 Certification (Singapore): This certification is applicable to, and granted by, certified companies in Singapore. The purpose of the certification program is to encourage the adoption of sound risk management and security practices for cloud computing.

ISO 20000 (International): ISO 20000 sets the international standard for IT management. It describes a cohesive set of management processes, which form a system of service management for the effective delivery of services. There are three parts to this standard:

1. Formal specification and definition of the requirements for a service management system
2. Guidelines for the application of service management systems
3. Guidelines on scope, definition, and applicability of Part 1

ISO 18001 (OHSAS 18001) (International): OHSAS 18001, also sometimes referred to as ISO 18001, is the internationally accepted standard for assessing and auditing occupational health and safety management systems.

ISO 9001 (International): Compliance with ISO 9001 requires that a company’s quality management system meets certain standards:

1. System definition
2. Management of documentation
3. Corrective and preventive measures
4. Ongoing support and training
5. Regular internal quality auditing

Education

FERPA (USA): This law is intended to protect the privacy of student education records. It is applicable to all schools that receive funding from an applicable program of the U.S. Department of Education.


Environment

ISO 14000 (International): The ISO 14000 standards set out guidelines for environmental management systems.

ISO 14001 (International): ISO 14001 sets a framework for setting up an effective environmental management system.

ISO 14004 (International): ISO 14004 sets guidelines on establishing, implementing, maintaining, and improving an environmental management system, as well as its coordination with other management systems.

ISO 14005 (International): ISO 14005 is intended primarily for small and medium enterprises, but is universally applicable. It provides guidance on the phased development, implementation, maintenance, and improvement of an environmental management system. Additionally, the integration and use of environmental performance evaluation techniques are included.

ISO 14006 (International): ISO 14006 focuses on ecodesign. It details guidelines that are intended to assist organizations in the establishment, documentation, implementation, maintenance, and continuous improvement of their management of ecodesign as part of an EMS (environmental management system).

Finance

Gramm-Leach-Bliley Act (USA): Also known as the “Financial Services Modernization Act of 1999”, it requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.

Sarbanes-Oxley (USA): Generally shortened to SOX, it is legislation that was passed in order to protect shareholders and the general public from accounting errors and fraudulent practices in business. It also improves the accuracy of corporate disclosure.


Healthcare

HIPAA (USA): HIPAA is the Health Insurance Portability and Accountability Act. It provides a multitude of safeguards regarding health insurance. As it pertains to cloud providers, to be HIPAA compliant one must follow the mandated industry-wide standards for health care information on electronic billing and other processes, as well as protect, and handle confidentially, protected health information.

HITECH (USA): Designed to promote the adoption and proper use of health information technology. It also addresses privacy and security concerns that are often associated with the electronic transmission of health information.

Partnerships

SAP Hosting Partner (International): Partners operate and maintain SAP applications and offer complete hosting packages tailored to the customer’s SAP product portfolio. Extensive technical SAP administration skills and experience are mandatory.

SAP Cloud Partner (International): An SAP Cloud Partner offers cloud services that are certified by SAP, as well as on-demand infrastructure and services for SAP products.


Security

PCI-DSS (International): A security standard for the payment card industry set forth by the Security Standards Council. There are six main objectives that a company must reach in order to be compliant:

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

ISO 27001 (International): ISO 27001 is a standard set by the International Organization for Standardization, which details the requirements for “establishing, implementing, maintaining, and continually improving an information security management system…”

ISO 27002 (International): Guidelines provided by ISO regarding organizational information security standards and information security management, which include the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environment.

ISO 27017:2015 (International): It provides guidelines for information security controls applicable to the provision and use of cloud services. This is achieved by providing:

1. additional implementation guidance for relevant controls specified in ISO/IEC 27002
2. additional controls with implementation guidance that specifically relate to cloud services

ISO 27018:2014 (International): ISO 27018 concerns the protection of personally identifiable information. This standard establishes control objectives, controls, and measures for protecting this information in the public cloud computing environment in accordance with ISO/IEC 29100 privacy principles.


Security (continued)

CSA STAR Self-Assessment (International): A self-assessment offered by the Cloud Security Alliance. There are two self-assessments:

1. Consensus Assessments Initiative Questionnaire: provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings
2. Cloud Controls Matrix: provides a controls framework of security concepts and principles in alignment with the Cloud Security Alliance

FedRAMP (USA): FedRAMP is a government-wide program. It authorizes cloud systems in three steps:

1. Security Assessment: use of a standardized set of requirements in accordance with FISMA to perform a security assessment
2. Leveraging and Authorization: “federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.”
3. Ongoing Assessment & Authorization: once authorized, assessment is ongoing

FISMA (USA): FISMA is the Federal Information Security Management Act of 2002. This act requires that each federal agency develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.

RMF (USA): RMF is a set of guidelines put together by the National Institute of Standards and Technology, intended to minimize risk in security control selection.


Security (continued)

NIST 800-171 (USA): The final version of guidelines for the handling of confidential, sensitive information by nonfederal information systems and organizations for the federal government.

IRAP (Australia): IRAP is the Information Security Registered Assessors Program. Those that are IRAP compliant have had an assessment done by an IRAP assessor. Altogether, this audit assesses the implementation, appropriateness, and effectiveness of the system’s security controls. Delving a little deeper, there are two stages to this audit:

1. Identify security deficiencies, which the system owner rectifies or mitigates
2. Assess residual compliance

Cyber Essentials Plus (UK): A UK Government-backed and industry-supported certification program designed to help organizations demonstrate their operational security against common cyber-attacks.

IT-Grundschutz (Germany): IT-Grundschutz is a methodology that describes how information security management can be set up and operated. It provides guidelines for:

1. Production of a practical security concept
2. Selection of appropriate security safeguards
3. Identification of important elements when implementing the security concept
4. Ongoing improvement and maintenance of information security


No matter how complex the challenge or diverse your needs, you’ll find a compliant cloud partner with VMware vCloud Air Network.

Find your cloud provider at vcloudairnetwork.com

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright © 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.