MASSIVE NETWORKS Online Backup Compliance Guidelines Sarbanes-Oxley (SOX) SOX Requirements... 2

Transcription

1 MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements... 2 MASSIVE NETWORKS ONLINE BACKUP SOX Compliance Gramm-Leach-Bliley Financial Services Modernization Act of GLBA Requirements... 2 MASSIVE NETWORKS ONLINE BACKUP GLBA Compliance... 3 HIPAA - Health Insurance Portability and Accountability Act of HIPAA Requirements... 3 MASSIVE NETWORKS ONLINE BACKUP HIPAA Compliance... 3 SAS 70 Type 2 Certified Datacenters In Use by MASSIVE NETWORKS Online Backup... 4 SAS 70 Background... 5 SAS 70 Who is Affected... 5 PCI DSS

2 Sarbanes-Oxley (SOX) The Sarbanes-Oxley Act of 2002 is landmark legislation designed to make public companies more transparent in their financial reporting and more proactive in sharing material information with other participants in the financial reporting chain such as auditors, audit committees, analysts and investors. It requires CEO s, CFO s and auditors of companies to certify accuracy of financial statements and disclosures and report on deficiencies in the design or operation of internal controls. It requires a business continuity / disaster recovery plan be in place. Recent legislation activity, if passed, extends the requirements of Sarbanes-Oxley to privately owned businesses. SOX Requirements CEO s and CFO s must personally certify financial statements and filings, as well as affirm that they are responsible for establishing and enforcing disclosure controls and procedures at all levels of their corporation. It also requires an annual evaluation of internal controls and procedures for financial reporting, document retention, retrieval, and disaster recovery. The corporation must document its existing controls that have a bearing on financial reporting, test them for efficacy and report on gaps and deficiencies, and verify they can recover data and documents in the event of a disaster, natural or intentional. MASSIVE NETWORKS ONLINE BACKUP SOX Compliance In addition to achieving and maintaining in-house compliance, corporations must verify that its suppliers and other partners comply with the level or control, reporting and testing. All partners must have auditable and documented standards, industry best practices and standardized processes. MASSIVE NETWORKS ONLINE BACKUP partners with Sarbanes-Oxley compliant companies. MASSIVE NETWORKS ONLINE BACKUP has, through the completion of our SAS 70 audit, process and procedure surrounding all activities. Our large storage network and vaulting options is qualified and meets all industry regulated compliances and requirements to act as the repository of your company s data. Gramm-Leach-Bliley Financial Services Modernization Act of 1999 The Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) addresses the protection of nonpublic personal information by all financial institutions. The new government regulations are not only for publicly traded companies. As a business, best practices require you also know the important sections of current regulations, and that you incorporate the spirit of these into your activity. GLBA Requirements GLBA is intended to ensure the confidentiality and security of customers against any reasonably anticipated internal or external threat or hazard while protecting them against unauthorized access to or use of such data that would result in substantial harm or inconvenience. GLBA requires financial institutions (defined as banks, thrifts and credit unions, as well as numerous non-depository institutions) to develop a written security plan that MASSIVE NETWORKS Online Backup does best their protection programs for customer information (defined as any record containing nonpublic, personal information about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the institution).

3 MASSIVE NETWORKS ONLINE BACKUP GLBA Compliance Auditors are specifically asking for documented policies for MASSIVE NETWORKS Online Backup to bring the controls on the security and integrity of personal and private financial data. They are also looking for copies of business continuity plans and manuals and want to see evidence of general testing of deployed solutions in addition to improvements from test to test. They are also asking for proof of Statement of Auditing Standards (SAS) 70 compliance, which seeks evidence of effectively designed control objectives and control activities and sometimes requiring network diagrams. HIPAA - Health Insurance Portability and Accountability Act of 1996 In February 2003 the Department of Health and Human Services released the final security standards of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA Requirements The IT areas of covered entities (CE s) including organizations that transmit health information in electronic form such as health plans, healthcare clearinghouses and healthcare providers make changes to their technology processes to secure customer information. It covers administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information and require CE s to implement basic safeguards to keep electronic protected health information from unauthorized access, alteration, deletion and transmission. Compliance is due by February The government will not conduct regular reviews, but will investigate based on complaints they receive, punishable by fines as well as MASSIVE NETWORKS Online Backup min. prosecution. CE employees can be sued individually and as members of the organization. MASSIVE NETWORKS ONLINE BACKUP HIPAA Compliance In addition to achieving and maintaining in-house compliance, a CE must also verify that its suppliers and other partners who share electronic protected health information have addressed the Administrative, Physical and Technical safeguards. The legislation requires the establishment and maintenance of contracts or other arrangements with every business associate in a chain of trust. These contracts must show how information will be protected as it is electronically transmitted, and business associates must notify CE s of security breaches. SAS 70 Type 2 Certified Datacenters in Use by MASSIVE NETWORKS Online Backup Anyone preparing to comply with important legislation such as Sarbanes-Oxley, HIPAA, or Gramm- Leach-Bliley, or even Federal Rules 26 and 34* understands the need to partner with those who have performed the due diligence to ensure our standards exceed that of the typical co-location industry. MASSIVE NETWORKS Online Backup has made the commitment as well as dedicated the time and resources to guarantee that it works with a qualified partner. Making the time and devoting the resources to a SAS 70 audit is a significant process. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).

4 A SAS 70 audit or examination is widely recognized, because it represents that a service organization has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion ("Service Auditor's Report") is issued to the service organization at the conclusion of a SAS 70 examination. SAS 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organization's MASSIVE NETWORKS Online Backup option of controls through a Service Auditor's Report (see below). SAS 70 is not a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a "checklist" audit. SAS No. 70 is generally applicable when an auditor ("user auditor") is auditing the financial statements of an entity ("user organization") that obtains services from another organization ("service organization"). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus. In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control sufficient to plan the audit as required in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach. If a service organization provides transaction processing or other data processing services to the user organization, the user auditor may be required to gain an understanding of the controls at the service organization. * Overview Federal Rules of Civil Procedure Rule 26: General Provisions Governing Discovery; Duty of Disclosure Rule 34: Production of Documents and Things and Entry Upon Land for Inspection and Other Purposes. SAS 70 Background The Federal Rules of Civil Procedure govern the conduct of civil actions brought in Federal district courts. Rules 26 and 34 govern discovery and disclosure of information relevant to the civil actions. In 1993, Rule 26 was amended substantially to accelerate the exchange of information. SAS 70 Who is Affected Entities affected by these Rules are: Organizations facing litigation Organizations that are aware that a discovery request may be made

5 In addition, since any entity may face litigation concerning activities long after the activities were carried out, each organization should consider its ability to comply with Rules 26 and 34 as it conducts its business in the ordinary course, so that it is able to comply with the Rules' requirements if a litigation event occurs. In many instances it may be too late to respond efficiently when faced with litigation if the groundwork for compliance was not in place when relevant records were created. Payment Card Industry Data Security Standard (PCI Compliance) Version 2.0 of PCI DSS was released on 26 October 26, PCI DSS version 2.0 must be adopted by all organizations with payment card data by January 1 st, 2011, and from January 1 st, 2012 all assessments must be against version 2.0 of the standard. The 12 requirements for compliance are: 1. Build and maintain a secure network 2. Protect cardholder data a. Encrypt transmission of cardholder data across networks. 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Regularly monitor and test networks 6. Maintain an information security policy a. Maintain a policy that addresses information security