managed services

PCI DSS Compliance for Service Providers | A Growing Trend

PCI DSS compliance for service providers is growing at quite an astonishing rate, to say the least. One of the biggest contributors is that of data centers, co-location facilities, and other types of organizations providing managed services. In short, they are quickly being identified as “in scope” and in the loop in regards to storing, processing or transmitting cardholder data. Compliance for many of these service providers is not as explicit as it is for merchants; this due in large part to the unique service offerings provided by each respective service provider themselves.

Listed below are some common examples of Service Providers that are now being requested to become Payment Card Industry Data Security Standards (PCI DSS) compliant:

Transaction Processors
Payment Gateways
Web Hosting companies
Data Centers
Managed Service providers.

And the major payment brands have varying terms for what they actually call a service provider. Some are called a “Third Party Processor”, a “Data Storage Entity”, or a “Payment Service Provider”.

Two things to remember: First, compliance for service providers will continue to grow, and rapidly. Second, storing, processing, or transmitting data in any type of capacity will immediately place you under the category of a merchant or a service provider.

Visit the official PCI DSS Resource Guide to learn more about PCI compliance.

SAS 70 Audits for Data Centers | Why the Trend will Continue

SAS 70 audits have quickly become a high priority for data centers, co-location entities and managed service providers as of late. And there are plenty of reasons why this trend will continue go grow. The number of organizations that have buried the client server architecture is growing every day, resulting in a huge surge for data centers. In fact, most quality data centers in the United States are having little or no challenges in filling up their data center floor space. From traditional ping, power and pipe to fully managed services, data centers are becoming a necessity for most businesses today. As a result of this, their respective compliance requirements will continue to expand also. From SAS 70 to PCI DSS, just to name a few, data centers are being hit hard with the regulatory compliance bug.

Add to the fact that many data centers are now physically housing sensitive health care and financial information for many of their clients. As such, client requests for the security, confidentiality and integrity of this data are being validated via SAS 70 Type II audits. This “trend” if you want to call it that, will become a mandatory requirement for any data center seeking to grow and prosper in the coming years.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.

HIPAA Compliance for Data Centers | The How and Why

HIPAA compliance for data centers is fast becoming a hot topic in regulatory compliance. It first started with Statement on Auditing Standards No. 70 (SAS 70), it is now moving onto the Payment Card Industry Data Security Standards (PCI DSS) provisions, and how the Health Information Portability and Accountability Act (HIPAA) mandates may very well be next on the horizon.

In short, it is a string of compliance requirements that has and will continue to be had for data centers, co-location, and managed service entities. And why? Because these types of businesses are at the forefront of virtualization, cloud computing, hybrid clouds, software as a service (SaaS) platforms

So, if a data center undertakes a HIPAA assessment or audit, are they HIPAA compliant, do they get a HIPAA certificate, etc? The best way to answer that is an accounting firm would undertake an Agreed Upon Procedure (AUP) audit an the audit itself would test the requirements as stated in the HIPAA provisions. You would then end up with a data center that is compliant with these very provisions.

In subsequent blogs, i’ll discuss the scope of a HIPAA assessment/audit for a data center.

PCI DSS for DATA CENTERS | It’s only going to become MORE of a Requirement

I attended a recent compliance conference for data centers and the phrase that kept coming up was PCI DSS. That’s right, the Payment Card Industry Data Security Standards, simply known as PCI DSS to millions, is spreading like a virus throughout the business community. Merchants were the first set of businesses to be hit with the compliance mandate, quickly followed by “service providers” that also “process, store, and transmit” cardholder data or transaction data.

Data centers, co-locations, and managed service entities are now quickly getting up to speed with PCI DSS compliance. These types of businesses will fall under the realm of a “service provider”, thus most will more than likely “have to” go through an actual on-site PCI DSS assessment by a Qualified Security Assessor, known as a QSA. The real big news about PCI DSS and data centers is not so much that they are having to become compliant, but what truly is the “scope” of the assessment. I’ll cover that in subsequent blogs, but for now, just be aware of the growing importance of PCI DSS compliance for data centers, co-location, and managed service entities.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.

SAS 70 Audits for Data Centers | It’s a “SaaS”y Environment

SAS 70 audits are being performed at a record pace these days on data centers, managed service providers and co-location entities. The big question is why? Well, there are many general answers that we all hear, such as “Oh, it’s just today’s compliance environment” or “SOX has really affected our business”.

Sure, these are true statements, somewhat boiler plate, but they are true.

In reality, dig a little deeper and stretch a little further into the insight and analysis and you will find that a large number of entities are operating in a Software as a Service (SaaS) mode and function, which essentially has resulted in the explosive growth for many data centers. These companies who have a SaaS business model are being hit quite hard by the SAS 70 compliance mantra from their clients and as such, the down stream effect is that data centers are now included in the scope of many SaaS entities. Amazing what 2 to 3 years can do to the I.T. industry. I say this because it was not that long ago (2005 or so) that a large number of Data Centers were not SAS 70 compliant…and i argue that a big reason for this change has been that SaaS entities occupy racks and racks of space now days.

So there is your SAS 70 and SaaS connection.

But hey, as a SAS 70 Auditor, it’s just my opinion.

SAS70 Audit Reports for Data Centers |Important Facts to Know

SAS70 audits have quickly become a mainstay in the world of data centers, managed services and co-location entities, and this will no doubt continue to grow. This is happening for a large number of reasons, but primarily data centers (and any variant thereof, such as managed services, co-location entities with “ping, power and pipe”) are hosting and residing an ever growing and enormous amount of information for many service providers. These service providers are commonly being asked to be SAS70 Type II compliant. As such, the data centers used by these very service organizations are commonly included within the scope of the SAS70 audit.

And what should data centers take from this? A good idea would be to become SAS70 compliant, and here’s why.

1. SAS70 compliance help mitigate and possibly eliminate many of these specialized requests your clients are asking for in helping them facilitate their own SAS70 compliance.

2. It greatly helps with business development and marketing for data centers.

3. It helps unearth any weaknesses or deficiencies you may have within your control environment.

To learn more about SAS70 audits and data centers and to receive a complimentary SAS70 Type II audit report, visit the official SAS70 Resource Guide.

SAS 70 Audits for Data Centers & Managed Services

If you are a data center or manged services provider and need a SAS 70 audit, then here are some helpful tips and strategies for finding the right firm, getting a fair and equitable fee, and for ensuring you have the proper scope for the audit.

Today’s data center are complex entities, providing customers with a broad array of services, thus it’s important your SAS 70 report meets and exceeds the objectives of the audit for you and your customers.

1. First and foremost, find a CPA firm that specializes in not only SAS 70 audits, but one that has a strong understanding of the services offered by your organization. From ping, power, and pipe to highly complex managed services, it’s important to remember to keep all critical services within the scope of the audit.

2. Get a fixed fee for your audit. With the rising cost of expenses, such as gas, travel and other ancillary services ,getting a “fixed fee” for your SAS 70 audit ensures that costs are contained, and you have an exact idea of what you will be paying for the audit. SAS 70 audits that do not include expenses will ending costing data centers approximately an additional 20% or more over the original agreed fee. Hourly rates for auditing data centers should be considered a thing of the past-work hard to get a fixed. fee.

3. Scope the audit correctly by making sure the CPA firm conducting the SAS 70 audit includes the following areas for examination and testing:

• Executive Tone
• Human Resources
• Customer Contract Process
• Customer Provisioning Process
• Incident Management
• Change Management
• Logical Security
• Network Security
• Physical Security
• Environmental Security
• Computer Operations

There also a number of Data Center best practices that should be in place for helping facilitate the overall success of the SAS 70 audit.

To learn more about SAS 70 audits or to receive a SAS 70 sample report, visit the official SAS 70 Resource Guide.