Controls
We understand that our customers are subject to varying compliance and regulatory obligations. In order to effectively meet our customers’ needs, we created a security, governance and risk management framework of policies, procedures and standards that draws on many areas. Our policies, procedures and standards are based on aspects of the following control specifications:
- ISO/IEC 27000 series
- NIST 800-53
- Information Technology Infrastructure Library (ITIL)
- Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- Federal Information Security Management Act (FISMA)
- Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines
- Payment Card Industry (PCI) Data Security Standard v2.0
- Trust Services Principles and Criteria
Often, our customers have requirements above and beyond what our standard process or product offerings provide. In these situations, we will work with you, our customer, to tailor products or processes where possible and develop an ideal solution that is centered around you.
Reports and Accreditations
Our in-house compliance team obtains independent auditor reports and certifications annually. These provide our customers and their auditors with information on the design and operating effectiveness of our operational controls that is likely to be relevant to our customers’ internal control systems. By obtaining these reports, we save our customers the time and expense of sending in their own auditors, in addition to providing our customers the assurance they need regarding the assets and information within our data centers.
The independent auditor reports or certifications that we obtain include:
SOC 1/SSAE 16/ISAE 3402 SOC 1 Type II Report
We have obtained a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report is specifically intended to meet the needs of our customers and their auditors, as they evaluate the effect of the controls at CorePLUS on their financial statement assertions. The SOC 1 report attests that ViaWest’s control objectives are appropriately designed and operating effectively.
SOC 2 on the Security and Availability Trust Services Principles
In addition to the SOC 1 report, we obtain a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that is an evaluation of controls specific to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as CorePLUS. The SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security and the availability principles set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into our security and availability controls based on a pre-defined industry standard of leading practices and further demonstrates our commitment to providing our customers with assurance, confidence and transparency.
SOC 3 on the Security and Availability Trust Services Principles
The SOC 3 report is a Trust Services Report (Trust Services Principles, Criteria, and Illustrations) specifically designed to meet the needs of customers and potential customers who want assurance about ViaWest’s controls related to one or more of the Trust Services Principles (security, availability, processing integrity, confidentiality, or privacy) but do not need the level of detail provided in a SOC 2 report.
HIPAA Report for Physical Controls
Though we do not store, transmit, or process electronic Protected Health Information (ePHI), we acknowledge that our customers might. As a result, we engaged Coalfire Systems, a leading IT Governance, Risk and Compliance firm, to conduct an independent assessment of the physical components of our Colocation and Managed Service hosting offerings for compliance with the physical security-related safeguards associated with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage, enhance and facilitate the broad adoption of consistent data security measures for cardholder data globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
Compliance with the standard requires organizations to:
- Build and maintain a secure network - PCI DSS sections 1 & 2
- Protect cardholder data - PCI DSS sections 3 & 4
- Maintain a vulnerability management program - PCI DSS sections 5 & 6
- Implement strong security measures - PCI DSS sections 7, 8 & 9
- Regularly test and monitor networks - PCI DSS sections 10 & 11
- Maintain an information security policy - PCI DSS section 12
This compliance has been validated by an authorized independent Qualified Security Assessor.
United States-European Union Safe Harbor Privacy Framework
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data. The process was developed by the US Department of Commerce in consultation with the EU. The Safe Harbor Principles are designed to prevent accidental information disclosure or loss. We re-register our adherence to the program annually.
These achievements demonstrate our commitment to processes and standards that enable us to maintain the governance and security controls our customers need to help meet their regulatory obligations. By having a dedicated compliance department we believe we are uniquely qualified to provide high-quality services to our customers.