Pay-as-you-go model where providers give you virtualized hardware and you do the rest—no physical server-hugging required.
What is IaaS (Infrastructure as a Service)?
Documented judgments about potential threats, vulnerabilities, and impacts.
What are Risk Assessments?
Virtual “moat” PCI requires to protect systems storing cardholder data.
What is a Firewall Configuration? (Or segmentation)
These are periodic inspections of access rights with removals if no longer authorized.
What are User Access Reviews?
For PCI DSS, this formal document written by the assessor (QSA) records the detailed findings of the assessment, requirement by requirement.
What is the ROC (Report on Compliance)?
This AWS service lets you rent virtual machines—like a vending machine for servers.
What is EC2 (Elastic Compute Cloud)?
Document that formally outlines the organization’s intent to maintain an ISMS.
What is the Information Security Policy?
PCI mandates this type of testing at least annually or after significant changes to the environment.
What is Penetration Testing?
This principle states that no single individual should control all critical aspects of a process.
What is Segregation of Duties (SoD)?
These are listed in the system description of a SOC 2 report: controls the service organization assumes its customers implement on their side so the service's control objectives can be met—so auditors can sleep at night.
What are Complementary User Entity Controls (CUECs)?
This AWS feature distributes traffic across multiple targets, like a digital traffic cop.
What is Elastic Load Balancing (ELB)?
ISO 27001’s umbrella framework for organizing security policies and objectives.
What is the Information Security Management System (ISMS)?
PCI DSS requires these internal and external tests of your defenses at least quarterly and after significant changes (the external ones run by an Approved Scanning Vendor).
What are Vulnerability Scans?
These automated logs must be protected to prevent unauthorized alteration or deletion.
What are Audit Trails?
Complement to "preventive" (or "preventative") controls.
What are Detective (or "detect") Controls?
Geographically separated slices of cloud infrastructure that reduce latency and help meet local data-residency requirements; each is subdivided into isolated data-center clusters.
What are Regions (subdivided into Availability Zones)?
This is a list of reference security controls for an Information Security Management System.
What is Annex A?
PCI’s term for the places where card data is stored, processed, or transmitted.
What is the Cardholder Data Environment (CDE)?
This concept evaluates whether a control remains effective despite ITGC failures.
What is control resiliency?
For SOC 2, this is an instance where a control did not operate as designed; it is reported as an exception even if the related trust services criterion was still met overall.
What is a Control Deviation (or Exception)?
When you let the cloud provider handle everything from code deployment to scaling to fault tolerance—basically serverless heaven.
What is PaaS (Platform as a Service) or Serverless Architecture?
ISO 27001, 27701 and 42001.
What are the 3 ISO certifications AARC-360 delivers to clients?
PCI’s “Control Objectives.”
What are the 12 PCI Requirements, or the dirty dozen?
These tools govern and monitor admin accounts and elevated permissions specifically, flagging unusual activity on privileged access.
What are Privileged Access Management (PAM) tools?
This is a formal written statement from the client's management acknowledging its responsibility for the control environment and the accuracy of the system description.
What is a Management Assertion (or Management Representation Letter)?