GDPR, SSAE, PCI, HIPAA - You often see these logos on providers' websites, but does it mean your company has no responsibility if you choose a data center provider with these certifications? Not so...

1. Data Center
Compliance

2. Data Center Compliance
In this presentation:
Topics
Intro
SSAE 18
SOC 1
SOC II
HIPAA
HiTrust
PCI-DSS
ISO 21001
GDPR

3. What Compliance Means for Data
Centers
 Compliance needs vary by industry
 Data center providers can meet compliance
standards for physical security and reliability

4. What Compliance Means for Data
Center Tenants
 Data center providers do not manage data, so
they cannot guarantee your compliance with
data security provisions
 Exception - Unless other services are offered
that involve managing your data - Ex. cloud
services, WAF management

5. What Is SSAE?
 The Statement on Standards for Attestation
Engagements (SSAE) is a regulation set by the
American Institute of Certified Public Accountants
(AICPA)
 The latest version is SSAE-18, updated in 2017
 Data centers can obtain SOC I and SOC II
certifications
https://www.aicpa.org/interestareas/frc/assurance
advisoryservices/downloadabledocuments/compari
sion-soc-1-3.pdf

6. SSAE - SOC II
 Public companies often
require data center
providers to have a SOC
I certification
 Mostly pertains to
control over financial
reporting
• SOC II certification
means company follows
certain information
security guidelines or
“trust principles”
• These include privacy,
security, availability,
processing integrity and
confidentiality
SSAE - SOC I

7. SOC II Trust Principles
 Security – Refers to protection against unauthorized access.
In the case of the data center provider, this is physical
access.
 Availability – Refers to the accessibility of a system
throughout the time of a contract. Normally provided as a
% in an SLA.
 Processing Integrity – Refers to data processing – the
system delivers the right data at the right time. Not
normally the responsibility of a data center provider.
 Confidentiality – access to confidential data is restricted.
 Privacy – refers to the system’s collection, use, retention,
disclosure and disposal of PII.

8. More Confusing – SOC I and II Come
with Type I or Type II Audit Reports
SOC Report Type I
 Type 1 reports contain
an opinion on the
fairness of the
organization’s (the data
center in this case)
presentation of their
systems or controls and
how the design meets
standards.
SOC Report Type II
• Type II is a more reliable
report, in that it
involves the testing of a
system or controls over
time, usually 6 months.
This report describes
the efficacy of those
systems.

9. An Example of SOC II Reports
SOC II Type I
 Type 1 report would
describe systems and
how the design meets
relevant trust principles
SOC II Type II
 Type II would describe
the efficacy of those
systems

10. HIPAA Compliance
 Established by the HITECH Act – government
regulation – no official certificates issued
Two Rules:
 Privacy Rule – protects electronic PII and gives
patients right to examine and obtain health
records and request corrections. Sets limits on
uses and disclosure of PII
 Security Rule – stipulates administrative, physical
and technical safeguards to protect the creation,
transmission and maintenance of PII

11. HIPAA Compliance
 Most HIPAA guidelines do not apply to data
center providers
 HITRUST is a methodology and certification
program that helps healthcare providers and
vendors meet HIPAA standards

12. PCI-DSS
 Stands for: Payment Card Industry Data
Security Standard
 The following Set of 12 rules make up PCI-DSS
requirements…

13. PCI-DSS
1. Install and maintain a firewall
2. Do not use default passwords
3. Protect stored cardholder data
4. Encrypt cardholder data in transit
5. Use and update antivirus software
regularly
6. Develop and maintain secure systems and
apps

14. PCI-DSS Cont…
7. Restrict access to cardholder data to business “need-
to-know”
8. Assign unique IDs to individuals with computer access
9. Restrict physical access to cardholder data
10. Track and monitor access to network resources and
cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy for employees
and contractors
*As you can see, only #9, 11 and 12 apply to data centers’
responsibilities to tenants.

15. ISO 27001
 ISO – International Organization
for Standardization
 ISO 27001 – Information Security
Management Systems
 Certification signifies an organization’s
compliance with international information
security standards

16. GDPR Compliance
 Stands for: General Data Protection Regulation
 Pertains to management of EU resident data
 Because the data center provider does not manage
customer data, your GDPR compliance cannot
be guaranteed by a
data center provider

17. Third-Party Certifications
 Why are they important?
 Means an independent party has audited the
data center and company to certify it meets
certain compliance standards
 Can take this as a trust signal, and can mean
less research for companies wanting to move
into the data center

18. End
Visit us at: