DATA CENTER CERTIFICATIONS
Data center certifications enable data centers to keep up with the quick and ever changing trends in technology. As new or innovative technology enters the market, new legislation, codes of conduct, and more competition urges data center owners and operators to make sure they have an in compliance data center.
Each of Colocation America's 22 data centers nationwide have received the following certifications to give our customers peace of mind on how their data are stored.
Below are some of the best certifications a data center could have:
What Are the Best Data Center Certification Standards?
Colocation America adheres to the standards set forth by The Health Insurance Portability and AccvA). An audit system was established by HIPAA to ensure data center facilities are following a strict code of Federal Regulation set forth by independent inspectors.
This system was established to secure the transfer and storage of Protected Health Information (PHI) of patients. Our data center are in compliance with all 19 HIPAA standards, meaning all server hosted are secure enough to store PHI which is important for those working within the healthcare industry. (Read more)
Colocation America Data Centers are PCI compliant and offer your business trusted and secure support for all credit card transactions processed on line. PCI DSS standards were created in 2004 to curb high-profile security breaches by the founding brands of the PCI Security Standards Council. Those brands included the following: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International.
The Payment Card Industry Data Security Standard (PCI DSS) protects consumer security for all businesses that process transactions using credit cards. (Read more) Our specialist’s work hard to ensure consumer identity is protected and that all controls are in place at all times. (Read more).
Uptime Institute Tier Certifications
All of Colocation America’s 22 data centers adhere to the standards set by the Uptime Institute. The Uptime Institute uses a somewhat mysterious four-tier ranking system as a benchmark for determining the reliability of a data center.
Unfortunately, the Uptime Institute has chosen not to fully publish the evaluation criteria for these different tier levels. Few data centers have tier certifications from the Uptime Institute. Only 38 facilities or design documents for facilities have official tier certifications at this point; these are primarily enterprise data centers.
The result is that the Uptime Institute’s definitions have been misused by the industry, ignorantly in many cases. Facility builders, designers and owners have tried to tweak the terminology slightly to give it their own unique flavor.
Colocation America, however gives you the full specifications of their 22 data center locations so that even the ones not certified by the Uptime Institute can still meet the requirements set by them. (Read More).
Data Center Security Certifications
Colocation America is in full compliance with SSAE 18 type II standards set forth by a certified independent CPA. SSAE 18 is a set of guidelines for reporting on the level of controls at a service organization. All data stored within the server adheres to the SSAE 18 security guidelines.
The data center is built in compliance with the SSAE 18 requirements and certified controls to secure the transfer of sensitive business data. Our data center technicians adhere to the strict guidelines to ensure servers are managed in accordance to SSAE standards. (Read more)
The Statement on Standards for Attestation Engagements or SSAE is the auditing standard produced by AICPA. SSAE regulates how companies conduct business. It also defines how companies report on compliance controls. These reports are known as SOC 1, SOC 2, and SOC 3.
These are the specific reports used as the standard. A Service Organization Control (SOC) report is a central part of data center compliance. Let’s break down the three different types of SOC reports.
Service Organization Control (SOC)
The SOC reporting framework consists of 3 types of reporting standards; the SOC 1, SOC 2, and SOC 3.
The SOC 1 report’s focal point is the internal controls the service organization has in place that could apply to a customer's financial reporting. SOC 1 reports are usually done to determine if the proper controls and procedures are in place to protect its client’s financial information. Cloud and data center providers process transactions which is why SOC 1 reports are important.
SOC 2 reports are a vital compliance attestation that data centers should provide for their clients. This provides documentation that the particular facility has the correct security controls and documentation that these security controls work. This is a crucial report for all colocation providers.
SOC 2 attestations have a couple of different types. Type 1 is the evaluation of the company’s system and security controls. It assesses the various processes and procedures outlined by the Trust Services Criteria outlined by the AICPA or Association of International Certified Professional Accountants.
Depending on the particular business, Trust Services Criteria will include some of all of the following: privacy, security, confidentiality, availability, and processing integrity.
While the first two reports are meant for the data center’s clients, the SOC 3 report is made for the general public. It provides attestation to the same information, but it doesn’t give specific details. This can useful for potential clients without providing any privately-owned information from existing customers.
SOC is designed to be a reporting standard for a business’ financial reports, highlighting its financial accounting and reporting practices. Although it is similar to the SAS 70 reports it is not relevant to service organizations like data centers which manage a business’ IT infrastructure.
ISO 27001 is the security standard that summarizes the recommended requirements for building, monitoring and improving the ISMS or Information Security Management System.
This is the set of policies for safeguarding and handling a company’s sensitive information, financial data, employee records, and all intellectual property. This certification provides external documentation to enhance confidence for both current and potential clients.
How Does a Data Center Become Compliant?
To keep things clear, data center compliance certification comes in two types: statutory and standard.
Data Center Compliance Levels:
Statutory certifications are required by law—e.g. HIPAA.
Standard certifications are requirements put in place by authoritative bodies which define specific criteria for performance operations. This would be akin to the American Kennel Club's (AKC) requirements for dog shows.
While not lawfully required by any government agency, the rules still apply and it makes AKC certified dog shows more authoritative than others. This is true for data centers as well. Tier standards are not required by law, but they hold much more weight than data centers not graded by the Uptime Institute for data center tier certification.
A data center becomes statutory required right off the bat—it's not optional. Once the data center is ready for operation a recognized third party auditor will make sure it abides by all laws before the lights come on, so to speak.
To become standard certified it's all up to the data center owner. This is where data center compliance can get rather tricky. Owners have their own compliance plans based on the costs, needs, and demand for their center.
A data center that's not as regulated as others will, while cheaper, will soon gain an tarnished reputation. The balance between cost and compliance is a tricky one, especially for newer data centers. A well certified data center is always best.
Colocation America Compliance
As a trusted data center provider, we are responsible for designing, implementing, operating, and maintaining effective controls within Colocation America’s system. We are to provide reasonable assurance that our service commitments and system requirements are relevant to Security, Availability, and Confidentiality.
We have evaluated the effectiveness of the controls within the system to provide reasonable assurance of service commitments and system requirements are achieved based on the trust services criteria relevant to Security, Availability, and Confidentiality.
There are inherent limitations in any system of internal control, including the possibility of human error and the circumvention of controls. Because of these inherent limitations, a service organization may achieve reasonable, but not absolute, assurance that its service commitments and systems requirements are achieved.