Managed Online Backup Compliance



Similar documents
Make life simple and make more money the easy way.

MAX Insight. HIPAA Hardening & Configuration Guide for MSP s

An Effective MSP Approach Towards HIPAA Compliance

GFI Product Guide. GFI MailArchiver Archive Restrictions and Licensing Guide

GFI MAX RemoteManagement Building Blocks to Managed services

GFI Product Guide. How to create a new SQL Server Instance in Microsoft SQL Server 2012 and SQL Server Express

Archiving technologies

How to create a complex and secure backup strategy

Archive Legislation: archiving in the Netherlands. The key laws that affect your business

GFI Product Comparison. GFI LanGuard 2011 vs Retina Network Security Scanner

GFI Product Comparison. GFI LanGuard 2011 vs Microsoft Baseline Security Analyzer 2.2

MASSIVE NETWORKS Online Backup Compliance Guidelines Sarbanes-Oxley (SOX) SOX Requirements... 2

Survey: Web filtering in Small and Medium-sized Enterprises (SMEs)

Integrating faxes into today s world of healthcare e-records

GFI Product Guide. GFI MailArchiver Archive Assistant

GFI Product Guide. GFI Archiver Evaluation Guide

GFI product comparison. GFI MailArchiver vs. Symantec Enterprise Vault

GFI Product Manual. GFI MailArchiver Evaluation Guide

Quick Start Guide for administrators

How to configure IBM iseries (formerly AS/400) event collection with Audit and GFI EventsManager

GFI MailEssentials Online Archive Configuration and usage

GFI product comparison. GFI MailArchiver vs. Microsoft Exchange 2010

BUILDING BACKUP AS A SERVICE (BaaS)

GFI Archiver Evaluation guide: Online Demo Evaluation Guide

GFI Product comparison. GFI MailArchiver vs. Microsoft Exchange 2010

GFI Product Comparison. GFI MailArchiver 6.0 vs Quest Software Archive Manager

GFI MailEssentials 2014 Upgrade Guide A guide to upgrading from previous versions of GFI MailEssentials and GFI MailSecurity

GFI Product Comparison. GFI MailArchiver 6.0 vs Stimulus Software MailArchiva

Understanding data backups: why SMEs need them

How To Set Up A Journaling Mailbox In Microsoft Office 365 And Gfi Mailarchiver

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

The business implications of not having a backup strategy: where businesses get it wrong

GFI MailSecurity deployment strategies

GFI FAXmaker for Exchange/SMTP 12: An introduction to the architecture and deployment options

GFI Product Comparison. GFI MailArchiver 6.0 vs Waterford Technologies MailMeter Archive

security Cloud vs. On-premise solutions

The importance of an Acceptable Use Policy

GFI Product Manual. GFI MailArchiver Outlook Addon

GFI Product Comparison. GFI MailEssentials vs Symantec Mail Security for Microsoft Exchange 7.0

GFI Product Comparison. GFI MailArchiver 6.0 vs EMC Xtender Archive Edition

GFI Product Manual. Outlook Connector User Manual

How to keep spam off your network

Datto Compliance 101 1

Archive Legislation: archiving in Switzerland. The key laws that affect your business

GFI White Paper: GFI FaxMaker and HIPAA compliance

Endpoint Protection Performance Benchmarks

SAS 70 Type II Audits

GFI Product Guide. Archive Assistant

GFI White Paper. Going beyond Exchange Why it pays to have a dedicated archiving solution

GFI Cloud white paper. Cloud-based services: Easing the IT burden while taking control.

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows InTune (October 2013 Release)

GFI Product Guide. GFI Archiver and Office 365 Deployment Guide

GFI Product Comparison. GFI MailEssentials vs Barracuda Spam Firewall

docs.rackspace.com/api

GFI White Paper. How Web Reputation increases your online protection

A to Z Information Services stands out from the competition with CA Recovery Management solutions

Social networking at work: Thanks, but no thanks?

Patch management with GFI LanGuard and Microsoft WSUS

Network Security Report:

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows Server Update Services 3.0 SP2

My Docs Online HIPAA Compliance

HIPAA Security Matrix

Mobile Banking Service Agreement (Addendum to your Primary Online Banking Service Agreement)

Projectplace: A Secure Project Collaboration Solution

Transcription:

Managed Online Backup Compliance

Introduction Many of MAXfocus s new and existing customers who have started to use Managed Online Backup [MOB] have asked for a statement of compliance against existing standards and regulations with respect to data storage. This document attempts to establish the position of MAXfocus against some of the known standards in the data storage industry today and also details information on data encryption. This may be considered to be a live document that will be updated as we learn more information about standards in different regional geographies. This document will follow a question and answer format detailing many of the questions we have been asked to date with respect to compliance. MOB Compliance What data centers do MAXfocus use? UK, London: http://www.equinix.com/locations/emea/uk/london-data-centres [located in Slough] USA, Atlanta: http://www.equinix.com/locations/americas/us/atlanta-data-centers/ Australia, Sydney: http://www.equinix.com/locations/australia/sydney-data-centers/ Germany, Dusseldorf: http://www.equinix.com/locations/emea/germany/dusseldorf-data-centers What level of uptime do the Equinix data centers support? 99.9999% This far exceeds that stipulated for Teir 4 data centers. What level of data compliance do the data centers support that MAXfocus use? DATA CENTRE COMPLIANCE ATLANTA SSAE16 SOC1 (formerly SAS70) ISO 9001: 2008 - Quality Management OHSAS 18001:2007 - Health & Safety Management ISO/IEC 27001:2005 - Information Security Management [see detail below] LONDON Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. Is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. Is intended to be suitable for several different types of use, including the following: MAX RemoteManagement Managed Online Backup Compliance 2

1. use within organizations to formulate security requirements and objectives; 2. use within organizations as a way to ensure that security risks are cost effectively managed; 3. use within organizations to ensure compliance with laws and regulations; 4. use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met; 5. definition of new information security management processes; 6. identification and clarification of existing information security management processes; 7. use by the management of organizations to determine the status of information security management activities; 8. use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization; 9. use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons; 10. implementation of business-enabling information security; 11. use by organizations to provide relevant information about information security to customers DUSSELDORF SYDNEY ISO/IEC 27001 [See above London for more detail] ISO/IEC 27001:2005 [See above London for more detail] Do we comply with Health Insurance Portability and Accountability [HIPAA] requirements? HIPAA REQUIREMENT Electronic personal health information (ephi) must be protected against any reasonably anticipated threats or hazards. Access to ephi must be protected against any reasonably anticipated uses or disclosures that are not permitted or required by the Privacy Rule. Maintenance of record of access authorizations If the data is processed through a third party, entities are required to enter into a chain of trust partner agreement MAXfocus RESPONSE At MAXfocus, data is housed in data centres from Equinix. These data centres are designed with power systems that have built-in redundancy, full Uninterruptible Power Supply (UPS) systems with N+1 levels or greater, and backup generator systems in the event of a local utility failure. Data is encrypted before transmission and is always maintained in an encrypted state at the data centre. The Backup Manager records when data has been uploaded and restored. We have a EULA that customer need to agree to before proceeding. MAX RemoteManagement Managed Online Backup Compliance 3

Do we comply with Sarbanes-Oxley [SoX] requirements? SOX REQUIREMENT Record material must be accessible. Information cannot be tampered with or altered by any employee. Certain data must be retained for a minimum of 7 years Information is available only to clients authorised personnel? MAXfocus RESPONSE All stored material is accessible and even in the event that the internet is down material may be recovered from the Local Speed Vault [LSV] if enabled. All data is encrypted before being sent to the data centre. As long as the MSP does not delete the client Storage Account the data will be held indefinitely. In the first release MAXfocus will retain the encryption keys. In a future release we will allow the option for the client to manage their own encryption keys. Do we comply with Payments Card Industry [PCI] requirements? PCI REQUIREMENT Protect cardholder data Encryption across all public networks MAXfocus RESPONSE All stored material is accessible and even in the event that the internet is down material may be recovered from the Local Speed Vault [LSV] if enabled. All data is encrypted before being sent to the data centre. What encryption standard do you use? AES 128 bit. Why did you elect to go with AES 128 bit as opposed to AES 256 bit? This is the standard protocol used for all secure web transactions today. It is exceptionally secure. Consider the example below. Using one trillion computers each generating 1 billion key attempts per second it would still take 4 billion years to run through all available key combinations. By that time the sun would have turned in to a red giant and the earth would be incinerated anyway! Who will hold the encryption key? In the initial release MAXfocus will hold the encryption key. In the future we will consider the option of allowing the Managed Service Provider/IT Service Company to hold the key. However in this case there will be no way for MAXfocus to retrieve this data if the key is lost, as it will only be known by the customer. MAX RemoteManagement Managed Online Backup Compliance 4

I understand there is a video tour of the London and Sydney data centers, where can I find this? London: http://www.equinix.com/en_us/insight-center/videos/tour-ibx-by-market/london-ibx Sydney: http://www.equinix.com/en_us/insight-center/videos/tour-ibx-by-market/sydney-ibx MAX RemoteManagement Managed Online Backup Compliance 5

USA, Canada, Central and South America 4309 Emperor Blvd, Suite 400, Durham, NC 27703. USA Europe and United Kingdom Vision Building, Greenmarket, Dundee, DD1 4QB, UK Australia and New Zealand 2/148 Greenhill Road, Parkside, SA 5063 www.maxfocus.com/contact SB0047-v1.0-EN 2014 LogicNow Ltd. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. LogicNow is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, LogicNow makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. LogicNow makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. MAX RemoteManagement Managed Online Backup Compliance 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information