certifications of a data center
Really awesome stuff happens inside data centers. Giant, towering constructions housing the world’s information in a cacophony of generators, fans, and electricity.
Unfortunately, data centers are also giant targets for criminals who want to make the world a better place for themselves at the expense of the billions of other people they share the planet with.
That's why data centers put security controls in place to prevent cyber-crime, and why they seek data center certifications that attest to those controls.
Data center certifications also force data centers to keep pace with quick and ever-changing technology. As new technology enters the market, new legislation, codes of conduct, and growing competition push data center owners and operators to make sure their facility stays compliant.
The most popular and most important data center certs are as follows:
Without those certifications, or the ability to acquire them, a data center would be scoffed at and ridiculed.
The most sensitive records in people's lives (medical records, credit card information, personal identification records) sit behind not only layers of physical security on site but also encryption and cyber-security controls that protect all of that data.
Now let’s delve into the meat of these certs and see why they’re so important.
For a data center to be HIPAA compliant, it must first pass a rigorous audit to ensure that the facility follows the HIPAA rules codified in the Code of Federal Regulations (CFR), in particular the Privacy and Security Rules in 45 CFR Parts 160 and 164. Note that HIPAA itself has no official certification program; "HIPAA compliant" means an independent auditor has verified the controls. The auditors take a detailed look into the inner workings of a data center to ensure that all protected health information (PHI) stored inside is safeguarded and available only to those authorized to view it.
They also check that a Business Associate Agreement (BAA) is in place between the hosting provider and every client whose data includes PHI. A BAA binds the hosting provider, as a business associate, to safeguard PHI and to report any security incident or breach to the client (the covered entity); breaches of unsecured PHI must in turn be reported to the HHS Office for Civil Rights (OCR).
Data centers must provide adequate HIPAA data security measures to protect the data of their clients. These security measures include:
Just like with PCI DSS compliance, a HIPAA compliant data center must follow strict guidelines on encrypting and decrypting data at rest and in transit. Under the Security Rule, encryption of electronic PHI is an "addressable" specification: the data center must either implement it or document why an equivalent alternative is reasonable and appropriate, and PHI that is properly encrypted is treated as "secured" and exempt from breach notification. From hipaacentral.com:
Now that we’ve discussed health information, let’s move onto payment card security.
PCI DSS was first released in 2004, in response to a string of high-profile breaches, by the five payment brands that went on to found the PCI Security Standards Council in 2006: American Express, Discover Financial Services, JCB International, Mastercard Worldwide and Visa Inc.
The Payment Card Industry Data Security Standard (PCI DSS) exists to protect cardholder data, and it applies to every organization that stores, processes, or transmits payment card data.
PCI compliant hosting applies those standards to the server hosting environment so that it provides a secure environment for card processing.
The standards are updated by the Council, as needed, to stay current with new or modified requirements. To be considered PCI compliant, a business must meet all of the applicable requirements.
Guaranteeing security and meeting every requirement can be a tricky task for some businesses, and the fines that card brands pass down through acquiring banks for non-compliance don't make it any easier.
A good rule of thumb is to never store cardholder data unless there is a legitimate and crucial business need, and never to store sensitive authentication data (full magnetic stripe or chip data, the CVV/CVC security code, or the PIN) after authorization, even in encrypted form. Merchants that fail these rules face fines, higher transaction fees, or loss of the ability to accept cards, and, after a breach, potential legal liability.
Check out the table below for PCI compliant hosting data storage guidelines.
The Statement on Standards for Attestation Engagements No. 16, or simply SSAE 16, is a set of guidelines for reporting on controls at a service organization. The guidelines were created by the AICPA and took effect for reporting periods ending on or after June 15, 2011, replacing SAS 70 as the auditing standard for service organizations. (SSAE 16 has itself since been superseded by SSAE 18, effective May 1, 2017, but the SOC report structure described here is unchanged.)
The new standard for reporting on the internal controls of a service organization was drafted to bring US service organizations in line with the International Standard on Assurance Engagements No. 3402 (ISAE 3402). An SSAE 16 report comes in two types (a Type 1 report covers the design of controls at a point in time; a Type 2 report also tests their operating effectiveness over a period), and the standard arrived alongside a new reporting framework, Service Organization Control (SOC) reports.
With the SOC reporting framework added on top of SSAE 16, service organizations can report on their internal business practices and system controls in place of SAS 70. The SOC framework consists of three report types: SOC 1, SOC 2, and SOC 3.
SOC 1 reports use the SSAE 16 professional standard and cover a service organization's Internal Control over Financial Reporting (ICFR).
They are meant for the auditors of the service organization's customers, who need to know how the service affects those customers' financial statements. A SOC 1 is the closest successor to the old SAS 70 report, but it says little about security, so it is of limited use to a business evaluating a data center that manages the IT infrastructure of multiple customers.
SOC 2 and SOC 3 reports are issued under the AT Section 101 attest standard. The report describes the service organization's system and evaluates its controls against the following criteria:
Because of the growth of data center hosting, SaaS, and cloud hosting, the AICPA introduced the SOC framework to separate these different kinds of service organization reports into distinct categories.
In short, a SOC 1 report details an organization's controls over financial reporting, while SOC 2 and SOC 3 reports cover the controls over the system that hosts customer data, such as its security and availability. A SOC 2 is a detailed report with restricted distribution; a SOC 3 is a short general-use summary that the provider can publish.
Both SOC 2 and SOC 3 are therefore more relevant for a business looking for a detailed report on the internal controls a data center provider has in place to protect against security breaches and data corruption.
PCI DSS merchant levels, as defined by Visa (the thresholds are transaction counts, not dollar amounts):

| Merchant Level | Description |
|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing over 6 million Visa transactions per year. |
| 2 | Any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa transactions per year. |

*Table information via pcicomplianceguide.org.