Pursuing Compliance in the Public Cloud


White paper: identifying the right compliance strategy for your business in the cloud

Introduction

Organisations considering moving IT assets or applications from an on-premise installation to the cloud face a bewildering array of compliance options and certifications. Organisations commonly ask themselves these questions when developing their own compliance roadmap and strategy:

- Which certifications do I need to achieve directly?
- For which certifications can I leverage my data centre provider?
- Do I need to bring in an outside auditor, or can I conduct a self-audit?
- What are my competitors doing in terms of compliance? Should my strategy be the same?
- What will my clients expect of me in the sales process?

The key to successfully navigating the compliance waters is to determine which of the many available certifications are relevant to your business and which add more cost and complexity to your business than they're worth. Given that each of the common compliance standards is accompanied by significant costs, correctly identifying the requirements of your internal stakeholders and clients is a critical initial step when developing your compliance strategy.

In this paper, we'll discuss several of the most common compliance standards to help determine the applicability of each to your business. These include:

- AICPA Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
- Payment Card Industry Data Security Standard (PCI DSS)
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- US-EU Safe Harbor Framework
- International Standards Organization (ISO) / International Standards Organization (ISO)
- Food and Drug Administration (FDA) Title 21, Code of Federal Regulations (CFR) Part 11
- Federal Information Processing Standards (FIPS) / Federal Information Security Management Act (FISMA) / The Federal Risk and Authorization Management Program (FedRAMP)
- Sarbanes-Oxley Act (SOX)
- Gramm-Leach-Bliley Act (GLBA)

Commonly used terminology

To aid in the detailed evaluation of each of the above certifications, it's important to establish the terminology that we'll use throughout this paper.

Control objectives versus control procedures and activities

Control objectives provide high-level goals that organisations try to achieve using policies, procedures, and systems. Control procedures and activities are the actual policies and procedures that are put in place to achieve the objectives.

Best practice versus prescriptive standards

Best practice standards define control objectives, goals or methods that work across many organisations but allow organisations to choose which ones to use and how to implement them. Prescriptive standards provide detailed control requirements that need to be met exactly as outlined in order to meet the standard.

Attestation versus certification

Attestation is the result of an audit conducted to measure compliance with control objectives set by an organisation. The auditor measures whether the control objectives are met by the control procedures in place. The auditor attests to the organisation's ability to meet its own standards but does not determine whether the standards are valid. Because there are no prescriptive standards in this case, there's no easy way to compare organisations simply by establishing whether an attestation standard has been completed.

Certification is the result of an audit conducted to measure compliance with prescriptive standards. The auditor can explicitly certify whether those standards have been met. From a buyer's perspective, these standards can be used to directly compare service providers, given that the standards for each organisation are the same.

Detailed review of compliance and common security standards

SSAE 16 (formerly SAS 70)

The Statement on Standards for Attestation Engagements (SSAE) 16 is an attestation standard used by auditors to evaluate the internal systems of a service provider. Systems are generally defined as the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organisation's core activities relevant to user entities.

SSAE 16 is not a prescriptive standard. Instead, it reviews whether an organisation's control procedures are followed and whether those procedures achieve the organisation's control objectives. The audit does not make a judgement as to whether the control objectives are good or will meet security or other objectives. However, companies are now required to submit a management assertion as part of the SSAE process attesting (among other items) that the control objectives were suitably designed and that the description of the system is accurate.

SSAE 16 control objective example: an organisation could define an SSAE 16 control objective that stipulates that only individuals with a green identity badge are allowed access to the data centre, and a control activity that the posted security guard will allow anyone into the data centre as long as their identity badge meets this criterion. As part of the SSAE 16 review, outside auditors will evaluate whether the control activity (the security guard's ability to enforce the control objective) is sufficient to meet the control objective, and ask for proof (documentation) that the control activity was consistently followed. So long as this documentation exists, this control objective will be achieved. While this is a bad control objective from a security point of view, as long as an organisation shows that it meets the stated objective, it will be considered compliant from an SSAE 16 point of view.

There are two types of SSAE 16 audits, usually performed sequentially:

- SSAE 16 Type I: a point-in-time audit that evaluates the control procedures at a single point in time, identifying whether the control procedures will meet the control objectives.
- SSAE 16 Type II: evaluates the effectiveness of control procedures over a period of time, so the auditor looks to make sure the control procedures are being followed.

The result of a completed SSAE 16 audit is a SOC 1 (service organisation control) report.

Prevalence and relevance: from a service provider perspective, the SSAE 16 Type II audit is generally considered table stakes in the world of service providers of public cloud, managed hosting, and co-location services. It should be a must-have for any commercial application hosting. The standard is most common in North America, with acceptance among many global organisations as well.

While the controls and scope of an SSAE audit vary greatly for the reasons explained above, there are generally three broad areas of scope for an SSAE audit:

- Software development control objectives
- Operational control objectives
- Data centre/facility control objectives

In the best case, a service provider can cover only two of these three, given that it has no involvement in a client's software development process. If a client manages its own environment (software deployment, change control, patching procedures, etc.), which is typical, then the provider's operational controls are of limited value to a prospective client in a sales cycle, given that the independent software vendor (ISV) will be responsible for managing its own operational controls. In this case, relying on a provider's SSAE audit covers only one of the three areas of scope of the SSAE audit. Service providers offering managed services that extend to the management of the client's application (i.e. Application Operations from Dimension Data) extend coverage to two of the three areas of scope, which can offer prospective clients more assurance than if an ISV's operational processes are unaudited.

Service provider versus ISV/enterprise

While considered a must-have for service providers, the requirement for an independent software vendor or enterprise to complete its own audit is far less definite. In some cases, ISVs can leverage the SSAE certification of the data centre provider in their sales cycles to satisfy their clients' control requirements. However, sophisticated buyers of IT services or software-as-a-service (SaaS) offerings will often insist on seeing the enterprise/ISV's SSAE audit results as well.

The costs of any audit discussed in this paper include a combination of hard costs (money paid to an outside firm to complete the audit, hardware and software costs to meet various security requirements, etc.) as well as personnel costs related to the time required to prepare for the audit, implement the required organisational controls, and work with the auditors throughout their review to ensure a successful result. In many cases, the latter category of soft costs is far more expensive than the fees paid to the auditors. These soft costs are also more difficult to generalise, as each organisation's experience will differ. Our advice is to work with your auditor to assess the time required before beginning any outside audit process. This will ensure that internal expectations are properly established to successfully complete the audit in the established timelines.

In general, the hard costs of an SSAE attestation paid to an outside firm range from USD 15,000-25,000 per site being inspected, with significant variation depending on the scope of the audit. As mentioned above, in the case of SSAE the organisational costs of compliance (including the costs to prepare and gather documentation for the audit, employment of an internal security/control officer, costs of ongoing internal audit activities throughout the year to maintain compliance, etc.) easily outweigh the hard costs.

When selling a service to a commercial or enterprise market (i.e. non-consumer services), SSAE-related questions will commonly come up in pre-sales conversations. If your organisation has the operational discipline to meet the control objectives you define (generally through a culture of strict adherence to process, heavy documentation, and internal audit reinforcement), and you can justify the costs of your own SSAE audit, our recommendation is that you pursue your own audit to remove barriers in the pre-sales process. By selecting a service provider that has completed its own audit, you can often limit the costs and scope of your own audit by carving out the portions of the controls already met by your service provider, and limit the scope of your own audit to only those items for which your organisation is directly responsible.

Due to the costs of an SSAE audit, as well as the maturity of organisational processes and controls required, many smaller or early-stage organisations cannot justify conducting their own SSAE audit. In this case, organisations commonly utilise their service provider's SSAE compliance (generally at the facility level). Organisations can leverage more meaningful and extensive SSAE compliance by selecting a vendor with a managed service offering that extends its SSAE compliance through the operational controls related to the specific application being hosted. This allows the ISV/enterprise to confidently respond to pre-sales questions regarding SSAE compliance covering both facilities and operational controls, without incurring the significant costs of an individual SSAE audit.

Lastly, regardless of whether you choose to pursue your own SSAE audit, ensure that you carefully review your provider's SSAE report (generally under a non-disclosure agreement). The details of these tests will vary from one provider to another, and it is critical to your own risk mitigation strategy to understand the scope and detailed results of each provider's audit.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a prescriptive data security standard that applies when storing, processing, or transmitting credit and debit card data. The security standards are agreed by the major card issuers (Visa, MasterCard, etc.) to avoid the establishment of separate standards for each issuer. All credit card companies require adherence to these standards in their terms of service. Acquiring banks (banks processing the issuer's credit card transactions) are responsible for ensuring that their merchants are compliant with the PCI Data Security Standard and that the merchants use PCI-certified service providers. Acquiring banks generally pass this requirement through in their agreements with their merchants, meaning that the merchants are financially responsible for any losses if they are not compliant or were using non-compliant service providers.

There are currently four different levels of certification and related requirements*:

- Level 1 (> 6 million transactions per year, credit card processors/payment gateways): requires an annual on-site audit and quarterly network scan.
- Level 2 (> 1 million credit/debit transactions per year): requires an annual on-site audit and quarterly network scan, or a self-assessment questionnaire (requirements vary depending on the issuing bank).
- Level 3 (< 1 million transactions per year): requires an annual self-assessment questionnaire and quarterly network scan.
- Level 4 (20,000 to 1 million transactions per year): requires an annual self-assessment questionnaire and quarterly network scan.

* Note that each major card issuer has slightly varying requirements for Levels 1 through 4. The information above is a generalisation across the different issuers.

Prevalence and relevance: PCI is the definitive compliance standard for any organisation processing credit card data. Prospective buyers of SaaS or infrastructure-as-a-service (IaaS) often include PCI compliance in their checklist of requirements without a complete understanding of the complexities involved in pursuing a PCI compliance strategy. Similar to SSAE 16, PCI compliance can be achieved with varying audit scopes. For a complete PCI compliance strategy, an organisation must be compliant at the hardware, process, software, and facilities levels. A data centre provider's PCI compliance cannot legitimately cover all of these areas for a third party hosting within its facilities (see best practices below for further information).

Costs for a full-scale PCI audit vary significantly. The initial consulting fees to establish the scope of the analysis and any gaps in current procedures commonly range from USD 25, ,000+ depending on the size of the organisation and the established scope. A bare-bones on-site PCI audit could cost as little as USD 20,000-30,000 per year, with in-depth audits for large organisations easily costing more than USD 100,000 annually.

Key soft costs to consider: the organisational process changes required to adhere to PCI compliance can be significant. Among other things, organisations must nominate (or hire) an internal security officer who will be responsible for managing compliance internally between audit periods.

The first distinction that we recommend clients make when pursuing PCI-compliant hosting is to decide whether they are pursuing a PCI-compliant provider solely for marketing value (i.e. making the claim that the application is hosted in PCI-compliant facilities), or whether the organisation actually intends to pursue its own PCI audit of the application being hosted.

While we do not generally dispute the marketing value of the former strategy, from a security perspective this is not a model that will carry significant value with an experienced INFOSEC organisation. If your application is processing or storing any credit card data, to be compliant with the card issuer's terms of service your organisation must complete its own PCI audit. Similar to SSAE, portions of the PCI requirements can be carved out of your own audit based on your service provider having completed a separate audit, but the application itself must undergo its own evaluation.

Health Insurance Portability and Accountability Act (HIPAA)

The sections of HIPAA relevant to data centre service providers relate to the security of patient data processed or stored by covered entities. Covered entities include those with a direct patient relationship, such as hospitals, doctors, pharmacies and insurance companies. These entities must be HIPAA compliant under the provisions of the law. This definition of covered entities makes it technically impossible for any data centre service provider to be HIPAA compliant, because they are not covered entities under the law's provisions. For this reason, we advise that organisations seeking data centre providers proceed with caution when dealing with a service provider claiming HIPAA compliance.

While service providers cannot be HIPAA compliant, they may qualify as a business associate of a HIPAA-covered entity if involved in a function or activity involving the use or disclosure of protected health information. Generally this means that if any patient data is stored in the application running in a service provider's infrastructure, the service provider is obligated as a business associate under HIPAA.

Prevalence and relevance: HIPAA is a common (though often misunderstood) compliance standard and the definitive standard for any organisation processing patient healthcare data.

HIPAA-covered medical organisations are required to contractually obligate business associates to utilise security mechanisms and privacy procedures that include (but are not limited to):

- Security mechanisms that ensure all transmissions of data are authorised and employ the standards necessary to protect the integrity and confidentiality of the data that is transmitted.
- Privacy procedures that require any unauthorised use or disclosure of protected health information to be reported to the medical organisation.
- Security mechanisms that protect records and other data from improper access.
- Privacy policies that bind the service provider's agents and subcontractors to the same restrictions on the use and disclosure of protected health information as those imposed upon the service provider.

In addition, the covered entity's business associate agreement (BAA) with the service provider must include specific procedures for the storage and transfer of patient data in the event that the contract is terminated, the service provider goes out of business, and/or is acquired by or merged into an organisation that is unsatisfactory to the entity.

HIPAA-related: the HITECH Act of 2009 and the HIPAA Omnibus Rule of 2013

The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened enforcement of civil and criminal liability penalties for violations of HIPAA data privacy rules. It established four categories of possible violations with corresponding penalties. Also, under the Act, covered entities were no longer able to avoid penalties in cases where due diligence was applied and the covered entity was unaware of the violation. Lastly, and importantly, it provided protection for covered entities who commit violations and correct those violations within thirty days (so long as the violation was not due to wilful neglect). The Omnibus Rule of 2013 formally incorporated the HITECH rules into HIPAA. The most relevant changes for service providers included increased liabilities and civil penalties for business associates and more stringent notification requirements for the sharing or sale of personal health information.

While there are several organisations available to help you develop your HIPAA compliance strategy, there is no third-party data centre audit requirement under HIPAA, so there's no formal attestation or certification that service providers can achieve. As a result, costs here are less definitive but may include items such as backup software, data archiving tools, write-once storage media, etc. A service provider experienced with HIPAA hosting will be able to provide for many of these requirements within its standard offering.

Given the structure outlined above, the key distinction when seeking out service providers to host HIPAA-related data is that they are willing to accept liability for breach of the confidentiality of the data they're hosting. This is key to fulfilling an organisation's responsibilities under HIPAA and ensures that the risk for data confidentiality flows through to all organisations involved in the processing or storage of the related data. While there are general requirements for HIPAA hosting, there is not one standard set of contract or security terms related to HIPAA, so expect some discussion with your provider regarding your specific BAA and the best way to meet the requirements under its specific business associate agreement.

US-EU Safe Harbor

European Union (EU) law prohibits the transfer of an individual's personal data to non-EU nations that do not meet the European adequacy standard for privacy protection. To provide a streamlined means for US organisations to comply with the law, the United States Commerce Department developed the Safe Harbor framework of prescriptive security standards.

Safe Harbor certification will assure the EU that your company provides adequate privacy protection. Safe Harbor requires you to put in place a privacy policy and procedure that covers the gathering and use of personal information. At a high level, the policy needs to cover several areas:

- Notice: you must provide notification about the purpose for which you collect and use information about individuals, and explain disclosures to third parties. You also have to provide individuals with a way to contact the company with inquiries or complaints.
- Choice: you must give individuals the ability to opt out of having their personal information disclosed to a third party.
- Third parties: any third parties to which you disclose information must follow the same policies.
- Access: you must give individuals the ability to correct, amend, or delete collected information if it is inaccurate.
- Security: you must take reasonable precautions to protect the data.
- Data integrity: you must have a relevant purpose for maintaining and using any personal data collected.
- Enforcement: you must implement systems to enforce these policies and fix any problems identified.

Service provider versus ISV/enterprise

This standard generally applies to enterprises, ISVs, and data centre providers. It's uncommon for organisations to rely completely on their data centre provider for this certification. Safe Harbor is a self-audit certification. Certification consists primarily of developing a qualifying privacy policy (for which you may wish to engage outside expertise) and identifying a company officer who will certify that the organisation will follow the policy and Safe Harbor requirements. You must also identify all data you are collecting about EU citizens. This information must be submitted to the Commerce Department for review, after which the US Government will certify you under Safe Harbor. There are no audit or application costs for achieving this certification. It's our recommendation that clients dealing with European organisations pursue their own Safe Harbor certification in addition to ensuring that their data centres are compliant.

International Standards Organization: ISO

ISO was renamed to ISO, but references to both are still regularly found. ISO provides best practice recommendations for information security management, covering all information (files, paper, faxes, phone calls, etc.) within an organisation. These recommendations may not all apply and do not all need to be used. Organisations are expected to review and decide what is relevant for their specific use case. The standard includes 134 specific controls, categorised into approximately 36 control objectives covering areas such as:

1. Risk assessments and treatment
2. System policy
3. Organising information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

Information security is defined within the standard in the context of three areas:

- Confidentiality: ensuring that information is accessible only to those authorised to have access.
- Integrity: safeguarding the accuracy and completeness of information and processing methods.
- Availability: ensuring that authorised users have access to information when required.

Prevalence and relevance: like the other ISO standards, this is most commonly pursued by global organisations. Due to the self-audit nature of this standard, organisations serving a global market but without the budget or desire to pursue ISO certification may prefer to adhere to this standard, or portions of this standard, as an interim step.

International Standards Organization: ISO

ISO provides a prescriptive specification for an organisation's information security management system (ISMS), which includes all of the policies, procedures, roles, responsibilities, resources, and structures that are used to protect an organisation's information, as well as the management and control of the security risks associated with the information. ISO is based on ISO / ISO. However, unlike ISO 27002, ISO is a standard an organisation can be certified against. The audit is normally conducted in two stages:

1. A review of the existence and completeness of key documentation such as the organisation's security policy, statement of applicability (SoA) and risk treatment plan (RTP).
2. An actual audit to test the existence and effectiveness of the ISMS controls stated in the SoA and RTP, as well as their supporting documentation.

Prevalence and relevance: the various ISO certifications are generally preferred by organisations with operations outside North America (in contrast to SSAE, which is more commonly accepted or preferred by organisations within North America).

Service provider versus ISV/enterprise

Similar to SSAE 16, this is an audit that can be valid for both service providers and enterprises. Due to the costs of this audit, however, it is not commonly pursued by small or mid-market organisations, particularly those without global operations.

7 Estimated hard costs: These vary widely based on the size of the organisation and auditing firm, but generally run between USD 50, ,000 with certifications valid for up to three years. Years two and three each require a smaller scale, followup audit that generally costs an additional USD 5,000-10,000. Key soft costs to consider: Due to the prescriptive and detailed nature of this certification, the soft costs of implementation can be significant. These costs come chiefly from establishing policy documents, changing existing operational process to comply with ISO standards, and the internal controls that must be implemented to ensure compliance with the standards between the formal external audit periods. For organisations dealing primarily with North American customers, an ISO certification may not be as cost-effective or important as completing a well-scoped, in-depth SSAE audit. Due to the nonprescriptive nature of SSAE, that audit can actually be developed to meet many or all of the same standards as ISO. While this strategy will not allow you to claim official ISO compliance, it will allow you to provide prospective clients with an SSAE attestation and report showing the specific areas that were audited, which will suffice in many situations. For organisations dealing primarily with clients outside of North America, ISO certification is a requirement you will want to seriously consider. Other less commonly cited certifications in the managed hosting / cloud service provider industry include ISO 9001 (covering product quality management systems), ISO (also covering product quality management systems, but those directly related to how a product is produced), ISO (covering energy management systems), and OHSAS (standards for occupational health and safety management systems). FDA Title 21, CFR Part 11 This FDA regulation applies to all entities regulated by the FDA except food manufacturers. 
Common examples are drug manufacturers, medical device manufacturers and biotechnology companies. This regulation requires such companies to implement various controls, audits, validation systems and documentation for software and systems related to electronic records and signatures maintained by the organisations under FDA regulation. These tend to be records or signatures that are being submitted to the FDA or stored as part of an approval process for a new product At a high level, the requirements include: Systems validation all computer systems have to be validated. Essentially, the company must identify and document what the system will be used for and who will use it, and ensure that the hardware and software are adequate for the task (all verified through production testing). Record retention will vary depending on the FDA regulation to which the records are related. Records security securing data so only authorised users have access. Audit trails maintenance of audit trails for the creation, modification, and deletion of records, including who made the change and when. Electronic signatures includes fingerprints, retinal scans, or ID names and passwords that meet certain requirements. Signatures must include certain data (commonly the name of person, whether the signature is providing an approval or denial, and a date and time). They must also be protected so they cannot be modified once captured. It is uncommon and improbable that service providers will need to meet this requirement directly. Usually, the organisations outlined above are responsible for meeting these standards. A data centre provider s responsibility typically involves providing supporting hardware and tools such as write once, read many (WORM) storage infrastructure. Given that this is an enterprise-only requirement, the service provider can provide only limited assistance in helping you maintain compliance with this regulation. 
As such, we recommend that you ensure your cloud provider has dealt with these requirements before and can recommend technologies to meet your specific FDA requirements. FIPS, FISMA, and FedRAMP FIPS are Federal Information Processing Standards, many of which are incorporated into FISMA, the Federal Information Security Management Act (2002). The act requires all federal agencies and their contractors to safeguard their electronic systems (regardless of whether these agencies or systems involve cloud providers). FedRAMP is the Federal Risk and Authorization Management Program (2012). It requires that all federal organisations that use or plan to use a cloud environment implement the security controls of this program. FedRAMP contains additional controls, not present in a FISMA assessment, specific to cloud environments. FedRAMP was created to establish a risk management programme that could be applied to the entire federal government. At a high level, it covers four steps before establishing a cloud-based service: Initiating: agencies or cloud service providers (CSPs) initiate the FedRAMP programme by pursuing a security authorisation. Assessing: based on the NIST SP Rev. 3 requirements, CSPs must hire a third-party assessment organisation to perform an independent assessment.

8 Authorising: upon completion, the security assessment package will then be forwarded to the FedRAMP Joint Authorization Board (otherwise known as JAB) for review. Leveraging: the CSP will then continue to work with the executive departments and agencies for authority to operate (ATO) permissions. Because of the scope of these federal compliance standards, in general ISVs or enterprises must obtain their own compliance as well as operate in a data centre that meets these standards. Like other audits, FedRAMP costs vary, but range from USD 40, ,000. The soft costs are far more significant, with the average assessment process requiring six months or more. Companies whose government clients make up a large portion of their revenue will likely have no choice but to pursue the FedRAMP certification process. As FedRAMP is still an emerging standard as of the date of this paper, expect changes in the coming year as the government formalises the programme. Due to the significant costs of compliance and limited relevancy outside government agencies, non-government-centric organisations are not likely to pursue this standard. Sarbanes Oxley (SOX) Compliance In 2002, the US Congress enacted the Sarbanes Oxley (SOX) Act. The act was targeted at changing the way public companies report their financial results and carried with it a significant impact to IT organisations due to the heavy logging and documentation requirements included in the act. The act also contains additional controls related to record retention, which must be carefully implemented into any hosting strategy. Section 404 of SOX covers the assessment of internal controls (to be conducted by an outside party). COBIT stands for Control Objectives for Information and Related Technology. These objectives require logging and reporting of key activities such as application level access control changes, events triggering access changes, transaction types, user IDs, and date and timestamps for all such activities. 
Unauthorised attempts to access the application must be logged and reported as well, each with a timestamp and source IP address. Because of the financial reporting focus of the SOX Act, data centre service providers cannot provide SOX compliance on behalf of their clients. However, the internal controls of the service provider can make an outside SOX audit far easier to complete successfully. In many cases, controls from other, more directly IT-focused standards such as SSAE 16 or ISO can also be used to help verify SOX compliance. Public cloud providers that offer user-based permissions, individual account logins, and in-depth logging built into the platform make SOX compliance easier still. Beyond the infrastructure controls in place, an ISV or enterprise must implement additional controls at the server or application level to meet the requirements of SOX.

Gramm Leach Bliley Act (GLBA)

The GLBA was passed in 1999 and its implications were largely for financial institutions. The act defines financial institutions as all businesses, regardless of size, that are significantly engaged in providing financial products or services. This includes, for example, cheque-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. Two rules in the act are most directly relevant to conducting business in the cloud:

The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies that receive such information whether or not they are themselves financial institutions, which is what brings cloud providers into scope.

The Safeguards Rule requires all financial institutions to design, implement and maintain a comprehensive information security programme to protect non-public customer information, and to test that programme periodically.
In addition, before allowing a service provider to access customers' personal information, the financial institution must:

Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information.

Require the service providers, under contract, to implement and maintain such safeguards.

Cloud providers fall within the scope of the Financial Privacy Rule described above. Before disclosing any information to a cloud provider, the cloud customer must enter into a contract that prohibits the provider from disclosing or using the data in any manner other than to carry out the purposes for which it was disclosed. In practice, this is a common provision in most cloud contracts. The GLBA also requires financial institutions to give clients the right to opt out of having their personal financial information shared with non-affiliated third parties. The enterprise must therefore have provisions in place to remove a specific client's data from external storage systems as soon as such a request is received.

For financial institutions considering storing data in a cloud environment: ensure that the internal operational controls and security policies put in place to comply with GLBA can be extended into your cloud environment. Not all cloud providers are equal when it comes to security within the environment, so review the relevant details carefully to understand whether GLBA compliance can be maintained in the cloud environment of your choice. Clients with GLBA exposure may also want to explore hosted private cloud alternatives, where greater degrees of data separation can be achieved. Lastly, follow the stipulations above regarding the Financial Privacy Rule and related contractual requirements to maintain compliance with GLBA when working with a third-party cloud provider.

Dimension Data cloud compliance

Dimension Data operates numerous data centre facilities around the world, and as such our compliance audits and certifications vary by location. In combination, Dimension Data and/or the facilities in which we operate our data centres meet the following compliance standards:

SSAE 16 Type II
PCI Level 1
EU Safe Harbor
ISO 9001 (2008)
ISO 27001 (2005)
ISO 50001 (2011)
OHSAS 18001 (2007)

In addition, while Dimension Data or its facilities cannot be directly certified against the following standards (data centre providers are not their focus), we regularly help clients achieve and maintain their own compliance against them:

HIPAA, the HITECH Act, and the HIPAA Omnibus Rule of 2013
EU Safe Harbor
FDA Title 21, CFR Part 11
Sarbanes Oxley (SOX)
Gramm Leach Bliley Act (GLBA)

Successfully complying with any of these standards typically involves a joint effort between the Dimension Data team and our client. We have significant experience in operating under all of these compliance standards and would welcome the opportunity to answer any questions you have about maintaining them in a cloud environment.
CS / DDMS-1220 / 04/13 Copyright Dimension Data 2013

Middle East & Africa: Algeria, Angola, Botswana, Congo, Burundi, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Mauritius, Morocco, Mozambique, Namibia, Nigeria, Oman, Rwanda, Saudi Arabia, South Africa, Tanzania, Uganda, United Arab Emirates, Zambia

Asia: China, Hong Kong, India, Indonesia, Japan, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam

Australia: Australian Capital Territory, New South Wales, Queensland, South Australia, Victoria, Western Australia

Europe: Belgium, Czech Republic, France, Germany, Italy, Luxembourg, Netherlands, Spain, Switzerland, United Kingdom

Americas: Brazil, Canada, Chile, Mexico, United States

For contact details in your region please visit


More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

opinion piece Security Consolidation and Optimisation

opinion piece Security Consolidation and Optimisation opinion piece Security Consolidation and Optimisation Are you maximising the return on your IT assets? Given the proliferation of security applications designed to combat IT breaches, you, like many organisations

More information

Privacy, the Cloud and Data Breaches

Privacy, the Cloud and Data Breaches Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, Information Integrity Solutions Legalwise Seminars Sydney, 20 March 2013 About IIS Building trust and privacy through global

More information

DSV Air & Sea, Inc. Aerospace Sector. DSV Air & Sea, Inc. Aerospace

DSV Air & Sea, Inc. Aerospace Sector. DSV Air & Sea, Inc. Aerospace DSV Air & Sea, Inc. Aerospace Sector DSV Air & Sea, Inc. Aerospace Introduction to DSV DSV is a global supplier of transport and logistics services. We have offices in more than 70 countries and an international

More information

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS Jeff Cook November 2015 Summary Service Organization Control (SOC) reports (formerly SAS 70 or

More information

Maintaining the Balance Between User Experience and Security

Maintaining the Balance Between User Experience and Security white paper Maintaining the Balance Between User Experience and Security Organisations are seeing a growing preference among employees for using their personal smartphones and tablets for business. Accelerating

More information

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Acquia Comments on EU Recommendations for Data Processing in the Cloud Acquia Comments on EU Recommendations for Data Processing in the Cloud Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing

More information

Compliance and Industry Regulations

Compliance and Industry Regulations Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy

More information

Chart 1: Zambia's Major Trading Partners (Exports + Imports) Q4 2008 - Q4 2009. Switzernd RSA Congo DR China UAE Kuwait UK Zimbabwe India Egypt Other

Chart 1: Zambia's Major Trading Partners (Exports + Imports) Q4 2008 - Q4 2009. Switzernd RSA Congo DR China UAE Kuwait UK Zimbabwe India Egypt Other Bank of Zambia us $ Million 1. INTRODUCTION This report shows Zambia s direction of merchandise trade for the fourth quarter of 2009 compared with the corresponding quarter in 2008. Revised 1 statistics,

More information

Dimension Data Cloud Services

Dimension Data Cloud Services Cloud Services Cloud Services Today, organisations of all sizes are facing challenges unlike any they ve experienced before. Globalisation and economic pressures are changing the business landscape, increasing

More information

HIPAA, PHI and Email. How to Ensure your Email and Other ephi are HIPAA Compliant. www.fusemail.com

HIPAA, PHI and Email. How to Ensure your Email and Other ephi are HIPAA Compliant. www.fusemail.com How to Ensure your Email and Other ephi are HIPAA Compliant How to Ensure Your Email and Other ephi Are HIPAA Compliant Do you know if the patient appointments your staff makes by email are compliant with

More information

Amazon Web Services: Risk and Compliance May 2011

Amazon Web Services: Risk and Compliance May 2011 Amazon Web Services: Risk and Compliance May 2011 (Please consult http://aws.amazon.com/security for the latest version of this paper) 1 This document intends to provide information to assist AWS customers

More information

Welcome & Introductions

Welcome & Introductions Addressing Data Privacy and Security Compliance in Cloud Computing Benjamin Hayes, Director of Legal Services, Data Privacy Compliance North America Accenture Copyright 2011 Accenture All Rights Reserved.

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

Data Management Session: Privacy, the Cloud and Data Breaches

Data Management Session: Privacy, the Cloud and Data Breaches Data Management Session: Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, IIS President, iappanz IACCM APAC Australia Sydney, 1 August 2012 Overview Changing privacy regulation

More information

white paper Building Sustainability into Your Supply Chain Through e-procurement

white paper Building Sustainability into Your Supply Chain Through e-procurement white paper Building Sustainability into Your Supply Chain Through e-procurement Sustainability has become a critical component in corporate and government sourcing strategies. This is because one of the

More information

opinion piece Compliance in the Payment Card Industry

opinion piece Compliance in the Payment Card Industry opinion piece Compliance in the Payment Card Industry Contents Introduction 01 Requirement of the PCI DSS 01 PCI DSS regulations Level of PCI compliance 03 Steps to achieving and maintaining PCI DSS Compliance

More information

Dimension Data Hosted Private Compute-as-a-Service

Dimension Data Hosted Private Compute-as-a-Service Dimension Data Hosted Private Compute-as-a-Service Today, organisations of all sizes are facing challenges unlike any they ve experienced before. Globalisation and economic pressures are changing the business

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

Sustainable Data Centre

Sustainable Data Centre white paper Sustainable Data Centre Tackling the Ever-rising Data Centre Energy Costs Why Only Do Half the Job? By Kari Baden Managing Director, Dimension Data Advanced Infrastructure A whitepaper on tackling

More information