GDPR, SSAE, PCI, HIPAA - You often see these logos on providers' websites, but does it mean your company has no responsibility if you choose a data center provider with these certifications? Not so...
2. Data Center Compliance
In this presentation:
Topics
Intro
SSAE 18
SOC 1
SOC II
HIPAA
HiTrust
PCI-DSS
ISO 27001
GDPR
3. What Compliance Means for Data Centers
Compliance needs vary by industry
Data center providers can meet compliance standards for physical security and reliability
4. What Compliance Means for Data Center Tenants
Data center providers do not manage data, so they cannot guarantee your compliance with data security provisions
Exception - Unless other services are offered that involve managing your data - Ex. cloud services, WAF management
5. What Is SSAE?
The Statement on Standards for Attestation Engagements (SSAE) is a regulation set by the American Institute of Certified Public Accountants (AICPA)
The latest version is SSAE-18, updated in 2017
Data centers can obtain SOC I and SOC II certifications
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/comparision-soc-1-3.pdf
6. SSAE - SOC I
Public companies often require data center providers to have a SOC I certification
Mostly pertains to control over financial reporting
SSAE - SOC II
• SOC II certification means the company follows certain information security guidelines or “trust principles”
• These include privacy, security, availability, processing integrity and confidentiality
7. SOC II Trust Principles
Security – Refers to protection against unauthorized access. In the case of the data center provider, this is physical access.
Availability – Refers to the accessibility of a system throughout the time of a contract. Normally provided as a % in an SLA.
Processing Integrity – Refers to data processing – the system delivers the right data at the right time. Not normally the responsibility of a data center provider.
Confidentiality – Access to confidential data is restricted.
Privacy – Refers to the system’s collection, use, retention, disclosure and disposal of PII.
8. More Confusing – SOC I and II Come with Type I or Type II Audit Reports
SOC Report Type I
Type I reports contain an opinion on the fairness of the organization’s (the data center in this case) presentation of their systems or controls and how the design meets standards.
SOC Report Type II
• Type II is a more reliable report, in that it involves the testing of a system or controls over time, usually 6 months. This report describes the efficacy of those systems.
9. An Example of SOC II Reports
SOC II Type I
A Type I report would describe systems and how the design meets relevant trust principles
SOC II Type II
A Type II report would describe the efficacy of those systems
10. HIPAA Compliance
Established by the HITECH Act – government regulation – no official certificates issued
Two Rules:
Privacy Rule – Protects electronic PII and gives patients the right to examine and obtain health records and request corrections. Sets limits on uses and disclosure of PII
Security Rule – Stipulates administrative, physical and technical safeguards to protect the creation, transmission and maintenance of PII
11. HIPAA Compliance
Most HIPAA guidelines do not apply to data center providers
HITRUST is a methodology and certification program that helps healthcare providers and vendors meet HIPAA standards
12. PCI-DSS
Stands for: Payment Card Industry Data Security Standard
The following set of 12 rules makes up the PCI-DSS requirements…
13. PCI-DSS
1. Install and maintain a firewall
2. Do not use default passwords
3. Protect stored cardholder data
4. Encrypt cardholder data in transit
5. Use and update antivirus software regularly
6. Develop and maintain secure systems and apps
14. PCI-DSS Cont…
7. Restrict access to cardholder data to business “need-to-know”
8. Assign unique IDs to individuals with computer access
9. Restrict physical access to cardholder data
10. Track and monitor access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy for employees and contractors
*As you can see, only #9, 11 and 12 apply to data centers’ responsibilities to tenants.
15. ISO 27001
ISO – International Organization for Standardization
ISO 27001 – Information Security Management Systems
Certification signifies an organization’s compliance with international information security standards
16. GDPR Compliance
Stands for: General Data Protection Regulation
Pertains to management of EU resident data
Because the data center provider does not manage customer data, your GDPR compliance cannot be guaranteed by a data center provider
17. Third-Party Certifications
Why are they important?
They mean an independent party has audited the data center and company to certify it meets certain compliance standards
They can be taken as a trust signal, and can mean less research for companies wanting to move into the data center