When businesses are selecting a data center to host their workloads, they need to understand data center compliance, and which requirements and certifications are relevant to their business. This complete guide addresses what data center compliance is, why it’s important, and the common certifications data centers obtain.
What is Data Center Compliance?
Data center compliance refers to the adherence of a data center to industry standards and regulations that ensure the security, privacy, and integrity of the data and systems stored and processed within it.
Data centers, whether carrier-neutral or carrier-specific, need to verify that they meet the requirements of the laws, regulations, and industry standards that apply to them. Abiding by these rules is how a data center shows compliance. Organizations need to work with compliant data centers to ensure they also meet the regulatory requirements pertinent to their own business.
How Data Centers Demonstrate Compliance
Compliance can be demonstrated in a few different ways: self-assessments, certifications, and third-party audits.
The easiest method is self-assessment, where a data center examines its own infrastructure and identifies areas for improvement. While it is a good starting place, a self-assessment that is not recognized by a third party may not carry much weight with businesses evaluating a data center.
Data centers can bring in third-party auditors to perform similar work. These auditors may uncover opportunities for improvement not caught by internal parties.
Most formally, data centers can work to receive validation of compliance from certifying bodies. Certifications and attestations can include ISO, HIPAA, PCI DSS, FISMA, and more. Obtaining formal certifications can require documentation and relevant evidence, onsite assessment, or exams, depending on the standard.
Why Are Data Center Compliance Regulations Important?
Ensuring compliance is important for the data center, its customers, and the end users whose data is hosted at the facility. Most standards are concerned with how the confidentiality, availability, and integrity of data are handled. A compliant data center can stay out of legal trouble, keep user data safe, and build trust with customers.
Is Data Center Compliance Important in the Age of Cloud?
In short, yes.
In some ways, it may be even more important in the age of cloud than it was before. For example, while cloud providers also offer certain levels of compliance for customers, they may not hold all the certifications a customer needs. Plus, certain security measures still need to be implemented to ensure data is protected. Cloud providers are not immune to breaches, either. An additional layer of compliance and safeguarding at the data center level can reduce security risk.
Data Center Compliance Certifications and Regulations
The following are some of the most common certifications and regulations a data center may have:
ISO
ISO (International Organization for Standardization) is an independent, non-governmental international organization that develops and publishes standards for various industries. ISO standards provide guidance, specifications, and requirements for products, services, and processes, with the aim of ensuring quality, safety, and efficiency. One of the most common certifications is ISO 27001.
ISO 27001 is considered the “gold standard” when it comes to information security management. To receive this certification, data centers need to develop an information security policy, identify and evaluate risks, implement the proper controls to minimize these risks, regularly review the effectiveness of their systems, and keep information on their security environment up to date.
SSAE
The American Institute of Certified Public Accountants (AICPA) has established SSAE, which stands for Statement on Standards for Attestation Engagements. Data centers that host financial data need to have certain controls in place, such as environmental and physical security. This is also a relevant standard for web hosting providers. To meet the key requirements of SSAE, a data center needs a documented set of controls, a process for testing and monitoring those controls, and a plan for reporting on their effectiveness.
SOC 1 Type II
A SOC 1 Type II report is issued under the SSAE attestation standard and attests to the operating effectiveness of data center controls that could impact an entity’s financial reporting. Typically required by banks and other financial institutions, the report is produced by an independent auditor who reviews the policies and procedures created by the data center and tests the controls to confirm they are effective.
SOC 2 Type II
While SOC 1 focuses on controls that affect financial reporting, SOC 2 Type II covers a broader set of controls: the security, availability, processing integrity, confidentiality, and privacy of data. Because this wider range of controls is relevant to more organizations, SOC 2 is the more widely used report.
HIPAA and HITECH
Any health information that is exchanged electronically needs to be protected, and that is what HIPAA is about. Because of what it contains, health information can be used to steal identities and commit fraud. Data centers abide by HIPAA by safeguarding electronic protected health information (ePHI) with physical security measures, technical security measures, and proper employee training.
The American Recovery and Reinvestment Act of 2009 led to the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. While similar and complementary to HIPAA, the act is focused on more specific guidelines regarding health information technology and how it is adopted and used. The Act also expanded enforcement actions and safeguarding requirements for both covered entities and business associates.
HITRUST
The HITRUST Common Security Framework (CSF) gives organizations an approach to risk management and security and privacy compliance that is efficient, flexible, and comprehensive. A wide range of regulations and standards fall under this framework, which is industry-agnostic and vendor-neutral. Data centers that follow this framework can demonstrate they meet several standards at the same time, including PCI DSS, HIPAA, GLBA, and ISO 27001.
GLBA
The Gramm-Leach-Bliley Act (GLBA) is a law that requires financial institutions to protect the privacy of their customers’ financial information. Even though GLBA mainly applies to financial institutions, data centers that store and process sensitive financial information also need to be compliant with the law.
PCI DSS
PCI DSS stands for “Payment Card Industry Data Security Standard.” It is a set of security standards that were developed to protect credit and debit card transactions and ensure that customer data is kept secure. PCI DSS was created by the Payment Card Industry to help reduce the risk of fraud and data breaches in the payment card industry. The standard includes a set of guidelines and requirements that merchants and service providers who accept credit card payments must follow.
NIST SP 800-53
NIST SP 800-53 was developed by the National Institute of Standards and Technology (NIST) as a catalog of privacy and security controls for organizations and information systems. Data centers that meet NIST standards have demonstrated that they have implemented controls that protect the privacy, integrity, confidentiality, and availability of data for their customers. The 20 families of controls under this standard are not mandatory but are seen as a best practice for security.
NIST SP 800-171 / CMMC
NIST SP 800-171 was also developed by the National Institute of Standards and Technology (NIST) and sets forth the recommended security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. These requirements form the basis for the Cybersecurity Maturity Model Certification (CMMC) program, which is aligned with the US Department of Defense (DoD) information security requirements for Defense Industrial Base (DIB) partners.
ITAR
Protecting national security and United States foreign policy interests is the purpose of the International Traffic in Arms Regulations (ITAR). This set of regulations controls the export and import of defense-related articles and services. ITAR applies to data centers because they can store information about defense-related matters. Data centers that need to meet ITAR must obtain appropriate licensure and register with the Department of State’s Directorate of Defense Trade Controls (DDTC). They also have to train employees, maintain physical security, and keep records of all applicable transactions.
Privacy Shield
The Privacy Shield Principles laid out a set of requirements governing participating US-based organizations’ use and treatment of personal data received from the EU and Switzerland to meet the EU’s General Data Protection Regulation (GDPR). While Privacy Shield was recently invalidated by the EU Court of Justice because it failed to adequately protect European Economic Area (EEA) users from US government surveillance, entities that previously registered with Privacy Shield must continue to abide by the requirements of the program. The EU and the US have worked on a new EU-US Data Privacy Framework. GDPR requires data controllers and data processors to enter into data processing agreements in contracts that include requirements to protect personal data and abide by the privacy principles set forth in the framework.
FedRAMP
FedRAMP, the Federal Risk and Authorization Management Program, is a United States Government program that assesses the cybersecurity of cloud services on behalf of all US government agencies. It was created to provide a consistent security framework and streamline the process for federal agencies to adopt cloud services, helping agencies reduce risk and adopt cloud services more efficiently. The FedRAMP compliance process includes security assessments to authorize cloud solutions, including a review of the cloud service provider’s security controls. Cloud service providers are required to meet requirements based on NIST standards. Upon authorization, providers are listed in the FedRAMP marketplace, where agencies can compare and select the best provider for their needs.
TierPoint Compliance: Choosing a Trusted Data Center Provider
TierPoint data centers can handle compliance certifications, registrations, and attestations that are most relevant to our clients. This includes ISO 27001, HIPAA/HITECH, SOC 1 Type II & SOC 2 Type II, NIST SP 800-53, rev 4, SOC 2 + HITRUST, ITAR, PCI DSS v3.2.1, and Privacy Shield. We help our customers address compliance needs so they can focus on more important parts of their business. Contact us to learn more about our data centers.
FAQs
Data center standards are best practices and guidelines data centers can use to ensure their data centers are secure, reliable, efficient, and compliant with certain laws and regulations.
Data center security plays an important role in several different regulatory standards. To be compliant with HIPAA, for example, a data center needs to demonstrate that its physical and technical security measures are up to par.
A data center that is non-compliant runs the risk of exposing customer data to security breaches, which can have serious consequences. Non-compliance can also result in fines, legal action, and an erosion of trust.
To verify that a data center meets certain standards, it may undergo a compliance audit, which is generally conducted by a third party. This can be done to qualify for a specific certification or to meet more wide-ranging standards that apply to multiple certifications.