July 27, 2012
Don't Overlook Compliance When Choosing a Data Center Provider
By Mae Kowalke
The digital age has brought many efficiencies to business; in only a few hours a company can create an online presence, accept electronic payments and start selling globally. But not all is roses; the digital revolution has also created challenges.
One complication magnified by the digital age is compliance. From Sarbanes-Oxley to HIPAA, PCI DSS to the Financial Privacy Act, nearly every American business must contend with some form of compliance. Outsourcing IT environments to a third party can make compliance much more challenging than in the past if the right provider is not chosen, according to “Leveraging Your Hosting Service Provider to Achieve Compliance,” a white paper just released by ViaWest, the largest privately held data center service provider in North America.
The cost of a data breach is staggering. According to The Ponemon Institute, the cost of a data breach currently stands at around $214 per record.
When hackers accessed 70 million Sony PlayStation Network and Qriocity accounts in April 2011, for instance, it cost the company massive negative publicity, a $1 billion lawsuit and months of lost revenue, the ViaWest report noted.
Data center providers can help if they have appropriate systems in place, or they can jeopardize a company’s ability to comply if the provider is not adequately prepared for compliance issues, the white paper pointed out.
Using PCI DSS 2.0 – a rigorous global data security standard adopted and enforced by all the major international credit card companies – as a guide, the ViaWest paper highlighted six major areas of data security that firms must watch: building and maintaining a secure network, protecting data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
The two key areas where a data center provider can help or hinder are with implementation of strong access control measures and the maintenance of an information security policy, ViaWest noted in its paper. Specifically, “physical control and security over the data center and everything inside it,” as well as “processes, policies and procedures that are used to operate the data center.”
ViaWest recommended examining a data center’s Statement on Auditing Standards (SAS) 70 report or its Service Organization Control (SOC) reports to gauge how well a provider will support a firm’s compliance obligations. These audit reports outline whether a provider has proper controls in place.
Firms doing international business will also want to make sure the provider’s report follows the SSAE 16 as well as the ISAE 3403 standards.
Those evaluating data center providers should take note if the provider can only furnish an SAS 70 audit report, which is an older and less rigorous audit standard, ViaWest advised in its white paper. If the provider does not have an SOC report, it could be because “management is unwilling to affirmatively state that they have adequate processes and controls in place,” or because of an internal belief that more rigor will lead to a negative audit opinion, the paper noted.
In addition, ViaWest recommended that firms question data center providers about the extent of the provider’s compliance resources. The lack of a dedicated compliance team could indicate that future compliance issues might not get the attention they need.
The digital revolution has provided opportunities, but companies should make sure it doesn’t also bring negative consequences.
To find out more about VIAWEST, visit the company at ITEXPO West. To be held Oct. 2-5 at the Austin Convention Center in Austin, TX, ITEXPO West is the world’s largest communications and technology event. Visit VIAWEST in booth # 1226.
Edited by Rich Steeves