Compliance & Security in the Cloud
Buyers Guide Ebook
INTRO

The reach of industry and government compliance requirements is long and getting longer. Every organization and enterprise with at least one paid employee has personal information that it’s legally responsible for protecting. After that, compliance and data security just keep getting more complex and costly.

In addition to compliance, there’s a host of other reasons to protect data as more business operations move online, including needs specific to different types of data such as intellectual property, market strategies, trade secrets and material financial information.

Achieving and sustaining compliance on your own, as well as securing servers, storage and networks, comes at a cost: money and resources that must be diverted from the core purpose of the entity. Having a compliant environment does not ensure security, however, and a secure environment is not necessarily a compliant one. Both are necessary, but they are sometimes at odds with each other in terms of priorities and budgets.

While it’s not possible to shed accountability for regulatory compliance, achieving it can be far simpler and more efficient by outsourcing to the cloud. Similarly, maintaining a secure infrastructure can be easier and more effective. The right partner can help address both compliance and security. This guide will help you evaluate and select that partner.
- SOC IT TO ME -

Some infrastructure and cloud service providers (CSPs) will say they have secure infrastructures. Others will say theirs are compliant with various industry and agency regulations such as PCI-DSS, HIPAA or Sarbanes-Oxley. Some will claim both. The standards that best indicate that a CSP has what it claims to have, does what it claims to do, and has defined control policies and procedures in place are SSAE 16, ISAE 3402 and AT-101.

SSAE 16, an attestation standard of the American Institute of Certified Public Accountants (AICPA), together with AT Section 101, forms the underlying platform and professional standards upon which the new AICPA SOC reporting framework is built. The framework consists of SOC 1, SOC 2 and SOC 3 reports.

Service Organization Control (SOC) 3 reports, the newest of the standards, attest to the CSP’s adherence to the AICPA’s and Canadian Institute of Chartered Accountants’ Trust Services Principles for Security, Availability, Processing Integrity, Confidentiality and Privacy.

Audits are conducted annually by independent inspectors. Ask prospective CSPs to share these and all other audit report results with you during the evaluation process.

Some CSPs will go the extra mile by having their data center(s) independently commissioned prior to opening by a quality assurance and mission-critical engineering team. This days-long process involves an investigation of all aspects of live operation, including equipment, physical infrastructure, operational procedures and much more. The qualification regime applies key standards for mission-critical data center facilities, including ANSI/TIA-942 and other standards established by the Uptime Institute, ASHRAE, NFPA and critical infrastructure manufacturers.
- SLIPPING IN AND OUT OF PCI COMPLIANCE -

Following their annual assessment for meeting the Payment Card Industry (PCI) Data Security Standard (DSS), 88.9 percent of businesses fail to maintain ongoing compliance, according to Verizon’s 2014 report on PCI compliance. A PCI-DSS compliant CSP can help you not only maintain compliance with the standard, avoiding costly penalties, but also protect valuable cardholder data, avoiding costly breaches.

Compliance requires meeting 12 data security requirements, ranging from system and application security to firewall management, organized under six functional areas. All processes and components under the CSP’s control must be PCI-DSS compliant, with an accompanying report on compliance from an independent auditor available for your inspection.

Level 1 certification indicates that the CSP’s systems and infrastructure can scale to meet the requirements of customers that exceed six million transactions per year, and that the CSP is subject to an annual onsite inspection by an independent qualified data security expert. Also, determine what the CSP’s own inspection and maintenance policies and processes are above and beyond those required by regulation. Is the provider audit-ready at a moment’s notice?

Look to see if the CSP is on the approved service provider list maintained by the major card brands; each card brand’s website has its approved provider list.
- CSPS SHARE HIPAA RESPONSIBILITY -

Health care professionals should be wary of overreliance on claims from CSPs that they are “certified” or otherwise “compliant” with the Health Insurance Portability and Accountability Act (HIPAA), as there is no officially recognized CSP certification. The AT-101 annual audit report mentioned earlier does, however, include a section on healthcare information privacy controls for data center operations.

Still, the right CSP – one with a history and demonstrated commitment to industry regulatory compliance requirements (SSAE 16 and PCI-DSS, for example), and familiarity with the obligations of “business associates” as defined under HIPAA and the Omnibus Final Rule – can be a reliable partner in helping achieve and maintain HIPAA compliance. It is also likely to be more cost effective than going it alone. Here’s what to look for in HIPAA compliance in the cloud:

The CSP’s cloud infrastructure should be architected to facilitate compliance specifically with the HIPAA Security Rule. A non-exhaustive list includes multiple layers of security protection for electronic protected health information (ePHI); access control limits and monitoring of ePHI; firewall and router configurations consistent with HIPAA compliance specifications; and adherence to industry best practices for the installation, configuration and patching of managed servers and associated network devices. In essence, meeting Security Rule requirements constitutes HIPAA-compliant service from CSPs.

The CSP’s cloud services should be flexible enough to adapt to your needs, not relying on a one-size-fits-all model. For example, in a dedicated private cloud a solution can be designed to exact specifications for availability, scalability, threat prevention and other criteria. Using cloud resource pooling, as in a virtual private cloud, can combine reliable logical segmentation and best practices with the agility and cost efficiency of multi-tenancy.
- NAVIGATING THE REGULATORY LANDSCAPE -

There are many industry and government regulations weighing on the minds of the regulated that we haven’t covered here. The Federal Information Security Management Act (FISMA), for safeguarding data managed by federal agencies and their outsourced partners, and the Gramm-Leach-Bliley Act, for protecting the privacy of consumer information held by financial institutions, are just two of the many.

While it may be too broad a statement to say that a CSP committed to SSAE 16, PCI-DSS and HIPAA compliance is well equipped to meet the requirements of other regulations, it should not be too much of a stretch for it to meet other obligations as well. Again, any claims by a CSP regarding compliance should be carefully vetted.

A capable CSP will provide as much information as possible to assure you of its capabilities. It will also work with you collaboratively to demonstrate compliance to regulatory authorities, and offer additional guidance on sustaining and improving your ability to comply with your regulatory mandates over time.
- 24/7/365 TO COMPLIANCE AND SECURITY -

Regulatory compliance establishes a good baseline for a secure infrastructure. At its most basic, compliance means that the requirements of specific regulations – usually for that moment in time – are being met. As noted in the earlier chapter on PCI-DSS, it’s much more demanding and difficult to remain in compliance at all times.

A capable CSP makes it its business to maintain secure and compliant systems and infrastructure without exception. Many security features are integrated into basic services. More comprehensive services may be optional, which allows a customer to tailor its solution and pay only for what’s really needed. Whether advanced services are needed with the initial engagement or not, knowing they are available as your needs change and grow is good insurance to have.

For example, a virtual private network with multi-factor authentication enables secure communication between servers and the cloud. Firewall configuration services and scheduled maintenance can ensure that the firewall provides optimum security at all times. Other services may include intrusion detection and prevention, unified threat management, spam and virus protection, and data encryption support. Pre-configured security packages specifically for PCI-DSS or HIPAA compliance can take the guesswork out of proper cloud provisioning.
- THE INFRASTRUCTURE BEHIND THE CLAIMS -

Physical and logical infrastructure, people and best practices are essential for a secure environment. Finding out who the CSP’s technology providers are will tell you a great deal about the robustness of its infrastructure. Best-in-class hardware, software, storage and network services vendors are good indications that the CSP invests in and maintains state-of-the-art facilities.

Efficiently designed facilities not only simplify operations and maintenance; they are also more cost efficient. All critical facilities systems, such as cooling, generators and uninterruptible power systems (UPS), should be redundant and maintained according to rigorous standards. Determine the extent and frequency of backup, failover and emergency procedures testing performed by the CSP.

How secure is the data center itself from unauthorized access? Physical access to facilities should be constantly monitored by trained staff, onsite 24/7/365, with video surveillance cameras throughout the building, inside and out. Only essential staff should have access to areas within the data center, which should require PIN-based cards or cards combined with biometric scans. Likewise, building access should require similar security measures.

Ask your prospective CSP about staff training with regard to security protocols and regulatory compliance, as well as technical skills training to keep personnel up on the latest products and technologies.
- LOOK NO FURTHER -

Since inception, Peak 10 has proactively implemented the necessary safeguards within its data centers to assist customers in cost-effectively meeting regulatory compliance requirements. In 2011, Peak 10 was among the first in the industry to complete a Type 2 SOC 1 examination under the Statement on Standards for Attestation Engagements (SSAE) 16 and International Standard on Assurance Engagements (ISAE) No. 3402.

To enhance its compliance reporting, Peak 10 successfully completed the following examinations in 2013:

• Type 2, SOC 1, reporting on Controls at a Service Organization (also known as SSAE 16). This report is an important component of controls over financial reporting for purposes of compliance with laws and regulations such as the Sarbanes-Oxley Act.
• Type 2, SOC 2, reporting on controls at a service organization relevant to the following Trust Services principles:
  • Security - The system is protected against unauthorized access (both physical and logical).
  • Availability - The system is available for operation and use as committed or agreed.
• Type 2 SOC 3, SysTrust for Service Organizations, which is an abbreviated version of Peak 10’s SOC 2 report and is intended for broad use by interested parties.
• Payment Card Industry Data Security Standard (PCI DSS), for companies that collect, store or process payment card data.
• Health Insurance Portability and Accountability Act (HIPAA), for companies that need to keep electronic protected health information (ePHI) secure.
• Safe Harbor, which permits data transfers from the EU on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive.
• Federal Information Security Management Act (FISMA), which sets forth stringent requirements to safeguard data managed by federal agencies and their outsourced partners.
Contact Us to Learn More
EMAIL SOLUTIONS@PEAK10.COM
OR CALL 866.473.2510
We would welcome the opportunity to better understand your compliance and
data security needs, and explore how Peak 10 managed infrastructure and cloud
services can help you achieve your objectives.
www.peak10.com

Contenu connexe

Plus de Peak 10

Cloud Migration
Cloud Migration Cloud Migration
Cloud Migration Peak 10
 
Buyers Guide To Cloud
Buyers Guide To CloudBuyers Guide To Cloud
Buyers Guide To CloudPeak 10
 
Governance Tips for Midmarket IT Leaders
Governance Tips for Midmarket IT LeadersGovernance Tips for Midmarket IT Leaders
Governance Tips for Midmarket IT LeadersPeak 10
 
Tips for Securing ePHI in the Cloud
Tips for Securing ePHI in the CloudTips for Securing ePHI in the Cloud
Tips for Securing ePHI in the CloudPeak 10
 
Top 10 Reasons for Colocation
Top 10 Reasons for ColocationTop 10 Reasons for Colocation
Top 10 Reasons for ColocationPeak 10
 
Tips For Being Compliance Ready
Tips For Being Compliance ReadyTips For Being Compliance Ready
Tips For Being Compliance ReadyPeak 10
 
Security Hurts Business - Don't Let It
Security Hurts Business - Don't Let ItSecurity Hurts Business - Don't Let It
Security Hurts Business - Don't Let ItPeak 10
 
How to solve your IT problems in 7 days
How to solve your IT problems in 7 daysHow to solve your IT problems in 7 days
How to solve your IT problems in 7 daysPeak 10
 
The Whats, Whys and Hows of Database as a Service
The Whats, Whys and Hows of Database as a ServiceThe Whats, Whys and Hows of Database as a Service
The Whats, Whys and Hows of Database as a ServicePeak 10
 
13 Tips for Cloud Security
13 Tips for Cloud Security13 Tips for Cloud Security
13 Tips for Cloud SecurityPeak 10
 
10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the CloudPeak 10
 
10 Tech Trends for 2014
10 Tech Trends for 201410 Tech Trends for 2014
10 Tech Trends for 2014Peak 10
 
Five Workload-to-Cloud Migration Methods
Five Workload-to-Cloud Migration MethodsFive Workload-to-Cloud Migration Methods
Five Workload-to-Cloud Migration MethodsPeak 10
 
Peak 10 Cloud Delivered Desktop
Peak 10 Cloud Delivered DesktopPeak 10 Cloud Delivered Desktop
Peak 10 Cloud Delivered DesktopPeak 10
 
CIO: Your Survival Guide
CIO: Your Survival GuideCIO: Your Survival Guide
CIO: Your Survival GuidePeak 10
 

Plus de Peak 10 (15)

Cloud Migration
Cloud Migration Cloud Migration
Cloud Migration
 
Buyers Guide To Cloud
Buyers Guide To CloudBuyers Guide To Cloud
Buyers Guide To Cloud
 
Governance Tips for Midmarket IT Leaders
Governance Tips for Midmarket IT LeadersGovernance Tips for Midmarket IT Leaders
Governance Tips for Midmarket IT Leaders
 
Tips for Securing ePHI in the Cloud
Tips for Securing ePHI in the CloudTips for Securing ePHI in the Cloud
Tips for Securing ePHI in the Cloud
 
Top 10 Reasons for Colocation
Top 10 Reasons for ColocationTop 10 Reasons for Colocation
Top 10 Reasons for Colocation
 
Tips For Being Compliance Ready
Tips For Being Compliance ReadyTips For Being Compliance Ready
Tips For Being Compliance Ready
 
Security Hurts Business - Don't Let It
Security Hurts Business - Don't Let ItSecurity Hurts Business - Don't Let It
Security Hurts Business - Don't Let It
 
How to solve your IT problems in 7 days
How to solve your IT problems in 7 daysHow to solve your IT problems in 7 days
How to solve your IT problems in 7 days
 
The Whats, Whys and Hows of Database as a Service
The Whats, Whys and Hows of Database as a ServiceThe Whats, Whys and Hows of Database as a Service
The Whats, Whys and Hows of Database as a Service
 
13 Tips for Cloud Security
13 Tips for Cloud Security13 Tips for Cloud Security
13 Tips for Cloud Security
 
10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud
 
10 Tech Trends for 2014
10 Tech Trends for 201410 Tech Trends for 2014
10 Tech Trends for 2014
 
Five Workload-to-Cloud Migration Methods
Five Workload-to-Cloud Migration MethodsFive Workload-to-Cloud Migration Methods
Five Workload-to-Cloud Migration Methods
 
Peak 10 Cloud Delivered Desktop
Peak 10 Cloud Delivered DesktopPeak 10 Cloud Delivered Desktop
Peak 10 Cloud Delivered Desktop
 
CIO: Your Survival Guide
CIO: Your Survival GuideCIO: Your Survival Guide
CIO: Your Survival Guide
 

Dernier

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Dernier (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Compliance and Security Ebook

  • 2. T INTRO “ Achieving and sustaining compliance on your own, as well as secure servers, storage and networks, come at a cost... ” he reach of industry and government compliance requirements is long and getting longer. Every organization and enterprise with at least one paid employee has personal information that it’s legally responsible for protecting. After that, compliance and data security just keep getting more complex and costly. In addition to compliance, there’s a host of other reasons to protect data as more business operations move online, including the needs specific to different types of data such as intellectual property, market strategies, trade secrets, and material financial information, for example. Achieving and sustaining compliance on your own, as well as secure servers, storage and networks, come at a cost ... money and resources that must be diverted from the core purpose of the entity. Having a compliant environment does not ensure security, however. And a secure environment is not necessarily a compliant one. Both are necessary, but sometimes at odds with each other in terms of priorities and budgets. While it’s not possible to shed accountability for regulatory compliance, achieving it can be far simpler and efficient by outsourcing to the cloud. Similarly, maintaining a secure infrastructure can be easier and more effective. The right partner can help address both compliance and security. This guide will help you evaluate and select that partner.
  • 3. S “ Audits are conducted annually by independent inspectors. -SOC IT TO ME- ome infrastructure and cloud service providers (CSPs) will say they have secure infrastructures. Others will say theirs are compliant with various industry and agency regulations such as PCI-DSS, HIPAA or Sarbanes-Oxley. Some will claim both. The standards that best indicate that a CSP has what it claims to have, does what it claims to do, and has defined control policies and procedures in place are SSAE 16, ISAE 3402 and AT-101. An attestation standard of the American Institute of Certified Public Accountants (AICPA), SSAE 16, along with AT Section 101, form the underlying platform and professional standards upon which the new AICPA SOC reporting framework is built. The framework consists of SOC 1, SOC 2 and SOC 3 reports. Service Organization Control (SOC) 3 reports, the newest of the standards, attest to the CSPs adherence to the AICPA’s and Canadian Institute of Chartered Accountants’ Trust Services Principles for Security, Availability, Processing Integrity, Confidentiality and Privacy. Audits are conducted annually by independent inspectors. Ask prospective CSPs to share these and all other audit report results with you during the evaluation process. Some CSPs will go the extra mile by having their data center(s) independently commissioned prior to opening by a quality assurance and mission-critical engineering team. This days-long process involves an investigation of all aspects of live operation, including equipment, physical infrastructure, operational procedures and much more. The qualification regime applies key standards for mission-critical data center facilities including ANSI/TIA-942 and other standards established by the Uptime Institute, ASHRAE, NFPA and critical infrastructure manufacturers. SOC 1 SOC 2 SOC 3 01
  • 4. ollowing their annual assessment for meeting the Payment Card Industry (PCI) Data Security Standard (DSS), 88.9 percent of businesses fail to maintain ongoing compliance, according to Verizon’s 2014 report on PCI compliance. A PCI-DSS compliant CSP can help do a better job to not only maintain compliance with the standard, avoiding costly penalties, but to also protect valuable cardholder data, avoiding costly breaches. Compliance requires meeting 12 data security requirements ranging from system and application security to firewall management, organized under six functional areas. All processes and components under the CSP’s control must be PCI-DSS compliant, with an accompanying report on compliance from an independent auditor available for your inspection. Level 1 certification indicates that the CSP’s systems and infrastructure can scale to meet the requirements of customers that exceed six million transactions per year and that the CSP is subject to an annual onsite inspection by an independent qualified data security expert. Also, determine what the CSP’s own inspection and maintenance policies and processes are above and beyond those required by regulation. Is the provider audit- ready at a moment’s notice? Look to see if the CSP is on the approved service provider list maintained by major card brands; each bank card’s website has the approved provider list. F -SLIPPING IN AND OUT OF PCI COMPLIANCE- “ ...88.9% percent of businesses fail to maintain ongoing compliance, according to Verizon’s 2014 report on PCI compliance. ” 02
-CSPS SHARE HIPAA RESPONSIBILITY-

“ In essence, meeting Security Rule requirements constitutes HIPAA-compliant services from CSPs. ”

Health care professionals should be wary of overreliance on claims from CSPs that they are “certified” or otherwise “compliant” with the Health Insurance Portability and Accountability Act (HIPAA), as there is no officially recognized CSP certification. The AT-101 annual audit report mentioned earlier does, however, include a section on healthcare information privacy controls for data center operations. Still, the right CSP – one with a history of and demonstrated commitment to industry regulatory compliance requirements (SSAE 16 and PCI-DSS, for example), and familiarity with the obligations of “business associates” as defined under HIPAA and the Omnibus Final Rule – can be a reliable partner in helping achieve and maintain HIPAA compliance. It is also likely to be more cost effective than going it alone.

Here’s what to look for in HIPAA compliance in the cloud:

The CSP cloud infrastructure should be architected to facilitate compliance, specifically in regard to the HIPAA Security Rule. A non-exhaustive list includes multiple layers of security protection for electronic protected health information (ePHI); access control limits and monitoring of ePHI; firewall and router configurations consistent with HIPAA compliance specifications; and adherence to industry best practices for installation, configuration and patching of managed servers and associated network devices. In essence, meeting Security Rule requirements constitutes HIPAA-compliant services from CSPs.

The CSP’s cloud services should be flexible enough to adapt to your needs, not relying on a one-size-fits-all model. For example, in a dedicated private cloud a solution can be designed to exact specifications for availability, scalability, threat prevention and other criteria. Using cloud resource pooling, as in a virtual private cloud, can combine reliable logical segmentation and best practices with the agility and cost efficiency of multi-tenancy.
-NAVIGATING THE REGULATORY LANDSCAPE-

“ Again, any claims by a CSP regarding compliance should be carefully vetted. ”

There are many industry and government regulations weighing on the minds of the regulated that we haven’t covered here. The Federal Information Security Management Act (FISMA), for safeguarding data managed by federal agencies and their outsourced partners, and the Gramm-Leach-Bliley Act, for protecting the privacy of consumer information held by financial institutions, are just two of the many. While it may be too broad a statement to say that a CSP committed to SSAE 16, PCI-DSS and HIPAA compliance is well equipped to meet the requirements of every other regulation, it should not be too much of a stretch for such a CSP to meet other obligations as well.

Again, any claims by a CSP regarding compliance should be carefully vetted. A capable CSP will provide as much information as possible to assure you of its capabilities. It will also work with you collaboratively to demonstrate compliance to regulatory authorities, and offer additional guidance on sustaining and improving your ability to comply with your regulatory mandates over time.
-24/7/365 TO COMPLIANCE AND SECURITY-

“ ...a virtual private network with multi-factor authentication enables secure communication between servers and the cloud. ”

Regulatory compliance establishes a good baseline for a secure infrastructure. At its most basic, compliance means that the requirements of those specific regulations – usually for that moment in time – are being met. As noted in the earlier chapter on PCI-DSS, it’s much more demanding and difficult to remain in compliance at all times. A capable CSP makes it its business to maintain secure and compliant systems and infrastructures without exception.

Many security features are integrated into basic services. More comprehensive services may be optional, which allows a customer to tailor its solution and pay only for what’s really needed. Whether advanced services are needed with the initial engagement or not, knowing they are available as your needs change and grow is good insurance to have.

For example, a virtual private network with multi-factor authentication enables secure communication between servers and the cloud. Firewall configuration services and scheduled maintenance can ensure that the firewall provides optimum security at all times. Other services may include intrusion detection and prevention, unified threat management, spam and virus protection, and data encryption support. Pre-configured security packages specifically for PCI-DSS or HIPAA compliance can take the guesswork out of proper cloud provisioning.
-THE INFRASTRUCTURE BEHIND THE CLAIMS-

“ Physical and logical infrastructure, people and best practices are essential for a secure environment. ”

Physical and logical infrastructure, people and best practices are essential for a secure environment. Finding out who the CSP’s technology providers are will tell you a great deal about the robustness of its infrastructure. Best-in-class hardware, software, storage and network services vendors are good indications that the CSP invests in and maintains state-of-the-art facilities.

Efficiently designed facilities not only simplify operations and maintenance; they are also more cost efficient. All critical facilities systems, such as cooling, generators and uninterruptible power systems (UPS), should be redundant and maintained according to rigorous standards. Determine the extent and frequency of backup, failover and emergency procedure testing performed by the CSP.

How secure is the data center itself from unauthorized access? Physical access to facilities should be constantly monitored by trained staff, onsite 24/7/365, with video surveillance cameras throughout the building, inside and out. Only essential staff should have access to areas within the data center, which should require PIN-based cards or cards combined with biometric scans. Likewise, building access should require similar security measures.

Ask your prospective CSP about staff training with regard to security protocols and regulatory compliance, as well as technical skills training to keep personnel current on the latest products and technologies.
-LOOK NO FURTHER-

“ ...In 2011, Peak 10 was among the first in the industry to complete a Type 2 SOC 1 examination... ”

Since inception, Peak 10 has proactively implemented the necessary safeguards within its data centers to help customers cost-effectively meet regulatory compliance requirements. In 2011, Peak 10 was among the first in the industry to complete a Type 2 SOC 1 examination under the Statement on Standards for Attestation Engagements (SSAE) 16 and International Standard on Assurance Engagements (ISAE) No. 3402. To enhance its compliance reporting, Peak 10 successfully completed the following examinations in 2013:

• Type 2 SOC 1, reporting on Controls at a Service Organization (also known as SSAE 16). This report is an important component of controls over financial reporting for purposes of compliance with laws and regulations such as the Sarbanes-Oxley Act.
• Type 2 SOC 2, reporting on controls at a service organization relevant to the following Trust Services principles:
  • Security – The system is protected against unauthorized access (both physical and logical).
  • Availability – The system is available for operation and use as committed or agreed.
• Type 2 SOC 3, SysTrust for Service Organizations, which is an abbreviated version of Peak 10’s SOC 2 report and is intended for broad use by interested parties.
• Payment Card Industry Data Security Standard (PCI DSS), for companies that collect, store or process payment card data.
• Health Insurance Portability and Accountability Act (HIPAA), for companies that need to keep electronic protected health information (ePHI) secure.
• Safe Harbor, which permits data transfers from the EU on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive.
• Federal Information Security Management Act (FISMA), which sets forth stringent requirements to safeguard data managed by federal agencies and their outsourced partners.
Contact Us to Learn More

EMAIL SOLUTIONS@PEAK10.COM OR CALL 866.473.2510

We would welcome the opportunity to better understand your compliance and data security needs, and to explore how Peak 10 managed infrastructure and cloud services can help you achieve your objectives.

www.peak10.com