INTRO

The reach of industry and government compliance requirements is long and getting longer. Every organization and enterprise with at least one paid employee holds personal information that it’s legally responsible for protecting. Beyond that, compliance and data security only keep getting more complex and costly.

In addition to compliance, there’s a host of other reasons to protect data as more business operations move online, including the needs specific to different types of data such as intellectual property, market strategies, trade secrets and material financial information.

Achieving and sustaining compliance on your own, as well as securing servers, storage and networks, comes at a cost: money and resources that must be diverted from the core purpose of the entity. Having a compliant environment does not ensure security, however, and a secure environment is not necessarily a compliant one. Both are necessary, but they are sometimes at odds with each other in terms of priorities and budgets.

While it’s not possible to shed accountability for regulatory compliance, achieving it can be far simpler and more efficient by outsourcing to the cloud. Similarly, maintaining a secure infrastructure can be easier and more effective. The right partner can help address both compliance and security. This guide will help you evaluate and select that partner.
SOC IT TO ME

Some infrastructure and cloud service providers (CSPs) will say they have secure infrastructures. Others will say theirs are compliant with various industry and agency regulations such as PCI-DSS, HIPAA or Sarbanes-Oxley. Some will claim both. The standards that best indicate that a CSP has what it claims to have, does what it claims to do, and has defined control policies and procedures in place are SSAE 16, ISAE 3402 and AT-101.

SSAE 16, an attestation standard of the American Institute of Certified Public Accountants (AICPA), together with AT Section 101, forms the underlying platform and professional standards upon which the new AICPA SOC reporting framework is built. The framework consists of SOC 1, SOC 2 and SOC 3 reports.

Service Organization Control (SOC) 3 reports, the newest of the standards, attest to the CSP’s adherence to the AICPA’s and Canadian Institute of Chartered Accountants’ Trust Services Principles for Security, Availability, Processing Integrity, Confidentiality and Privacy.

Audits are conducted annually by independent inspectors. Ask prospective CSPs to share these and all other audit report results with you during the evaluation process.

Some CSPs will go the extra mile by having their data center(s) independently commissioned prior to opening by a quality assurance and mission-critical engineering team. This days-long process involves an investigation of all aspects of live operation, including equipment, physical infrastructure, operational procedures and much more. The qualification regime applies key standards for mission-critical data center facilities, including ANSI/TIA-942 and other standards established by the Uptime Institute, ASHRAE, NFPA and critical infrastructure manufacturers.
SLIPPING IN AND OUT OF PCI COMPLIANCE

Following their annual assessment for meeting the Payment Card Industry (PCI) Data Security Standard (DSS), 88.9 percent of businesses fail to maintain ongoing compliance, according to Verizon’s 2014 report on PCI compliance. A PCI-DSS compliant CSP can help you do a better job of not only maintaining compliance with the standard, avoiding costly penalties, but also protecting valuable cardholder data, avoiding costly breaches.

Compliance requires meeting 12 data security requirements, ranging from system and application security to firewall management, organized under six functional areas. All processes and components under the CSP’s control must be PCI-DSS compliant, with an accompanying report on compliance from an independent auditor available for your inspection.

Level 1 certification indicates that the CSP’s systems and infrastructure can scale to meet the requirements of customers that exceed six million transactions per year and that the CSP is subject to an annual onsite inspection by an independent qualified data security expert. Also, determine what the CSP’s own inspection and maintenance policies and processes are above and beyond those required by regulation. Is the provider audit-ready at a moment’s notice?

Look to see if the CSP is on the approved service provider list maintained by the major card brands; each card brand’s website has the approved provider list.
CSPS SHARE HIPAA RESPONSIBILITY

Health care professionals should be wary of overreliance on claims from CSPs that they are “certified” or otherwise “compliant” with the Health Insurance Portability and Accountability Act (HIPAA), as there is no officially recognized CSP certification. The AT-101 annual audit report mentioned earlier does, however, include a section on healthcare information privacy controls for data center operations.

Still, the right CSP – one with a history and demonstrated commitment to industry regulatory compliance requirements (SSAE 16 and PCI-DSS, for example), and familiarity with the obligations of “business associates” as defined under HIPAA and the Omnibus Final Rule – can be a reliable partner in helping achieve and maintain HIPAA compliance. It is also likely to be more cost effective than going it alone. Here’s what to look for in HIPAA compliance in the cloud:

• The CSP’s cloud infrastructure should be architected to facilitate compliance, specifically in regard to the HIPAA Security Rule. A non-exhaustive list includes multiple layers of security protection for electronic protected health information (ePHI); access control limits and monitoring of ePHI; firewall and router configurations consistent with HIPAA compliance specifications; and adherence to industry best practices for installation, configuration and patching of managed servers and associated network devices. In essence, meeting Security Rule requirements constitutes HIPAA-compliant services from CSPs.

• The CSP’s cloud services should be flexible enough to adapt to your needs, not relying on a one-size-fits-all model. For example, in a dedicated private cloud a solution can be designed to exact specifications for availability, scalability, threat prevention and other criteria. Using cloud resource pooling, as in a virtual private cloud, can combine reliable logical segmentation and best practices with the agility and cost efficiency of multi-tenancy.
NAVIGATING THE REGULATORY LANDSCAPE

There are many industry and government regulations weighing on the minds of the regulated that we haven’t covered here. The Federal Information Security Management Act (FISMA), for safeguarding data managed by federal agencies and their outsourced partners, and the Gramm-Leach-Bliley Act, for protecting the privacy of consumer information held by financial institutions, are just two of the many.

While it may be too broad a statement to say that a CSP committed to SSAE 16, PCI-DSS and HIPAA compliance is well equipped to meet the requirements of other regulations, it should not be too much of a stretch for it to meet other obligations as well. Again, any claims by a CSP regarding compliance should be carefully vetted.

A capable CSP will provide as much information as possible to assure you of its capabilities. It will also work with you collaboratively to demonstrate compliance to regulatory authorities, and offer additional guidance on sustaining and improving your ability to comply with your regulatory mandates over time.
24/7/365 TO COMPLIANCE AND SECURITY

Regulatory compliance establishes a good baseline for a secure infrastructure. At its most basic, compliance means that the requirements of those specific regulations – usually at that moment in time – are being met. As noted in the earlier chapter on PCI-DSS, it’s much more demanding and difficult to remain in compliance at all times.

A capable CSP makes it its business to maintain secure and compliant systems and infrastructures without exception. Many security features are integrated into basic services. More comprehensive services may be optional, which allows a customer to tailor its solution and pay only for what’s really needed. Whether advanced services are needed with the initial engagement or not, knowing they are available as your needs change and grow is good insurance to have.

For example, a virtual private network with multi-factor authentication enables secure communication between servers and the cloud. Firewall configuration services and scheduled maintenance can ensure that the firewall provides optimum security at all times. Other services may include intrusion detection and prevention, unified threat management, spam and virus protection, and data encryption support. Pre-configured security packages specifically for PCI-DSS or HIPAA compliance can take the guesswork out of proper cloud provisioning.
THE INFRASTRUCTURE BEHIND THE CLAIMS

Physical and logical infrastructure, people and best practices are essential for a secure environment. Finding out who the CSP’s technology providers are will tell you a great deal about the robustness of its infrastructure. Best-in-class hardware, software, storage and network services vendors are good indications that the CSP invests in and maintains state-of-the-art facilities.

Efficiently designed facilities not only simplify operations and maintenance; they are also more cost efficient. All critical facilities systems, such as cooling, generators and uninterruptible power systems (UPS), should be redundant and maintained according to rigorous standards. Determine the extent and frequency of backup, failover and emergency procedure testing performed by the CSP.

How secure is the data center itself from unauthorized access? Physical access to facilities should be constantly monitored by trained staff, onsite 24/7/365, with video surveillance cameras throughout the building, inside and out. Only essential staff should have access to areas within the data center, which should require PIN-based cards or cards combined with biometric scans. Likewise, building access should require similar security measures.

Ask your prospective CSP about staff training with regard to security protocols and regulatory compliance, as well as technical skills training to keep personnel up to date on the latest products and technologies.
LOOK NO FURTHER

Since inception, Peak 10 has proactively implemented the necessary safeguards within its data centers to help customers cost-effectively meet regulatory compliance requirements. In 2011, Peak 10 was among the first in the industry to complete a Type 2 SOC 1 examination under the Statement on Standards for Attestation Engagements (SSAE) 16 and International Standard on Assurance Engagements (ISAE) No. 3402.

To enhance its compliance reporting, Peak 10 successfully completed the following examinations in 2013:

• Type 2 SOC 1, reporting on controls at a service organization (also known as SSAE 16). This report is an important component of controls over financial reporting for purposes of compliance with laws and regulations such as the Sarbanes-Oxley Act.
• Type 2 SOC 2, reporting on controls at a service organization relevant to the following Trust Services principles:
  • Security - The system is protected against unauthorized access (both physical and logical).
  • Availability - The system is available for operation and use as committed or agreed.
• Type 2 SOC 3, SysTrust for Service Organizations, which is an abbreviated version of Peak 10’s SOC 2 report and is intended for broad use by interested parties.
• Payment Card Industry Data Security Standard (PCI DSS), for companies that collect, store or process payment card data.
• Health Insurance Portability and Accountability Act (HIPAA), for companies that need to keep electronic protected health information (ePHI) secure.
• Safe Harbor, which permits data transfers from the EU on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive.
• Federal Information Security Management Act (FISMA), which sets forth stringent requirements to safeguard data managed by federal agencies and their outsourced partners.
CONTACT US TO LEARN MORE

EMAIL SOLUTIONS@PEAK10.COM OR CALL 866.473.2510

We would welcome the opportunity to better understand your compliance and data security needs, and explore how Peak 10 managed infrastructure and cloud services can help you achieve your objectives.

www.peak10.com