When researching colocation facilities, customers want to be assured that their sensitive information and equipment will be maintained in a safe, secure, and resilient environment.
Whether a customer chooses to manage their data in-house or opts to outsource within a data center, staying up-to-date on the latest industry standards and compliance terms is critical for business operations. In turn, data centers should be equally vigilant in their commitment to colocation compliance, ensuring that all industry standards are being met with the proper controls, processes, and procedures in place. A colocation facility that prioritizes industry guidelines will not only excel in the industry, but will be in a better position to protect and maintain vital customer assets. Here are some of today’s most common colocation compliance standards:
SSAE 16 Compliance
The Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, is a set of auditing standards from the American Institute of Certified Public Accountants (AICPA). Colocation facilities in North America regard SSAE 16 as a means by which third parties are able to measure compliance within the data center industry. An SSAE audit reduces the need for multiple auditors to examine the same set of controls that oversee a company’s services. The SSAE 16 certification measures the following:
The SOC 1 is a report on controls at a service organization level, measuring the controls of a colocation facility as they pertain to financial reporting. There are two types of SOC reports – Type 1 reports on the organization’s system and whether or not its controls are suitable to achieve the objectives included in the system description, while Type 2 reports on the fairness of the presentation of the management’s description of the organization’s system and control design.
The SOC 2 is a report that inspects and tests data center controls for adherence to a set of criteria called Trust Service Principles (TSP). TSPs are broken down into five categories – security, availability, processing integrity, confidentiality, and privacy. The SOC 2 report is specific to colocation and data center providers and evaluates the data center as a whole, including its system, the suitability and design of its controls, and the verification of an auditor’s opinion on the operating effectiveness of those controls. Once again, there are two types of SOC 2 reports – Type 1 reports on the management’s description of an organization’s system and its control suitability, while Type 2 reports on the management’s description of an organization’s system and the suitability of the design and operating effectiveness of its controls.
The SOC 3 is a report assessing whether or not a facility meets the required industry standards. This report is more general in nature and does not include much of the technical information listed above – test methods, results, opinions, etc. Rather, the SOC 3 serves as additional verification of compliance that can be used on websites and other documents external to the organization.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations compiled by the PCI Security Standards Council. The PCI DSS was created for companies that accept, store, process and transmit credit card information. Colocation facilities can obtain a record of their compliance through an independent audit. It’s important to note that a PCI DSS certified data center does not transfer its certification to customers simply by virtue of hosting them within its facility. However, colocation facilities may be able to provide information to help customers fulfill the PCI requirements for their own business needs.
HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes several rules: the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the confidentiality provision of the Patient Safety Rule. Each of these governs the protection of individuals’ health information.
HIPAA mandates the safeguarding of protected health information (PHI), i.e. patient health data and medical records. As in any industry, data center providers need to ensure HIPAA compliance for the safety and security of the sensitive information they host. HIPAA compliance – like the PCI DSS – can also be verified through an independent audit to ensure that a data center has the proper policies and procedures in place to provide HIPAA hosting services to potential customers.
LEED Certification
Leadership in Energy and Environmental Design (LEED) is a green building certification system. Developed by the U.S. Green Building Council (USGBC), the LEED rating system offers various certification levels for buildings – Certified, Silver, Gold, and Platinum – that can be obtained by earning points across sustainability categories. The categories include sustainable sites, water efficiency, energy and atmosphere, materials and resources, and indoor environmental quality. LEED is a voluntary certification that can be obtained by data centers exhibiting LEED-compliant design, construction, operation and maintenance – i.e. a “green” data center.
Third-Party Audits and Conclusion
Evaluating a data center’s compliance is one of the first steps in determining a facility’s ability to host and secure a customer’s critical information. As a customer, maintaining an awareness of industry standards is important in order to verify and continually assess a facility’s adherence to current guidelines, and to ensure that business-critical information is in good hands. If a data center is up-to-date in all of its compliance certifications, a customer can be assured that his or her data will be maintained in a reliable facility catering to its customers’ business needs.