CyrusOne – Security and Compliance in Data Centers
International Organization for Standardization (ISO 27001)
CyrusOne successfully attained the International Organization for Standardization (ISO 27001) certification at 18 facilities located across six states, including Arizona, Illinois, Indiana, Kentucky, Ohio, and Texas. ISO 27001 is a globally recognized information security certification that validates the Information Security Management System of companies that have a strong system of internal controls and information security processes.
The scope of data center colocation services covered includes physical controls, environmental safeguards, and telecommunication connectivity as well as support provided by CyrusOne’s client service, legal/compliance, facility management, and information technology departments.
Certification was conducted under the guidance of A-lign Security and Compliance Services, LLC. A-lign is an ISO 27001 Certification Body accredited by the ANSI-ASQ National Accreditation Board (“ANAB”) to perform ISO 27001 Information Security Management System certification audits, certifying companies’ compliance with the requirements of ISO 27001.
CyrusOne Data Centers have met and conformed to OIX standards, using systems and processes that have proved successful in our carrier-neutral facilities since our founding in 2000. On January 21, 2014, it was announced that CyrusOne had become the first data center company to receive multiple data center OIX certifications.
Certification will act as the bedrock for a new and resilient interconnection marketplace in CyrusOne data centers, allowing content providers and ISPs to have diverse locations for peering and transactional interconnection. This OIX accreditation enables a mutual model for interconnection that is the best for the future of the Internet. The OIX platform echoes the aims of the North American community as represented by the Open-IX initiative.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was created to meet the rising threat to individuals’ payment card information. Compliance with PCI DSS is mandatory for all organizations handling credit, debit and ATM cards, as defined by the PCI Security Standards Council, whose members include industry giants such as Visa, MasterCard and American Express.
PCI DSS is a comprehensive set of standards requiring merchants and service providers that store, process, or transmit customer payment card data to adhere to strict information security controls and processes. The standard consists of twelve requirements, covering areas that include the following:
- Security management
- Policies and procedures
- Network architecture
- User access management
- Network and systems monitoring
- Software development
CyrusOne secures physical access to customer equipment through a combination of management systems and physical access safeguards and procedures. Because CyrusOne does not monitor or have access to customer data, PCI DSS applicability is limited to physical security and the management processes that govern it.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) regulation impacts those in healthcare that exchange patient information electronically. HIPAA regulations were established to protect the integrity and security of health information, including protecting against unauthorized use or disclosure of the information.
HIPAA states a security management process must exist in order to protect against “attempted or successful unauthorized access, use, disclosure, modification, or interference with system operations.”
HIPAA sets the standard for protecting sensitive patient data. Data centers must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services.
With colocation experts and secure facilities, staffed 24×7, CyrusOne can support your HIPAA compliance needs. CyrusOne meets required physical and administrative security controls, supporting your HIPAA physical security compliance through the following deliverables:
- Controlled Secure Facility
- 24/7 Physical Security Monitoring
- 90-Day Video Surveillance & Retention
- Cabinet/Cage Perimeter Security
- Badge and Biometrics
- Compliance-Based Audit Reports
- Security Incident Response Notification
Compliance is a shared responsibility. Your company must address, implement and manage all other technical and administrative controls outside of physical safeguards.
Federal Information Security Management Act (FISMA)
CyrusOne completed an independent security assessment of the information security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 revision 3 (SP 800-53). NIST SP 800-53 outlines the controls that are required to comply with the Federal Information Security Management Act, or FISMA.
All government agencies, government contractors, and organizations that handle and exchange data with government systems must follow FISMA compliance guidelines. Under FISMA, organizations have to monitor, retain and maintain audit records of all security events.
The objective of FISMA compliance is to ensure that Federal departments and agencies observe measures to mitigate the security risks to critical data.
For federal agencies to use the services of a provider, the services must be based in a FISMA compliant data center that meets the stringent security requirements mandated by the Federal Information Security Management Act (FISMA). The National Institute of Standards and Technology (NIST) creates and maintains the specific security standards that agencies and their vendors are required to follow to remain compliant.
Agency compliance is ensured by the Office of Management and Budget (OMB), which each year reviews federal agencies’ IT programs to verify that they are FISMA compliant, whether hosted on-premises or off-premises. The scope of CyrusOne’s assessment included its documented policies and procedures as well as the controls implemented for its data centers. The control families that made up the assessment were awareness and training, incident response, maintenance, physical and environmental protection, personnel security, and risk assessment.
U.S. Green Building Council – LEED
The U.S. Green Building Council’s LEED green building certification system is the foremost program for the design, construction and operation of green buildings. Over 33,000 projects are currently participating in the commercial and institutional LEED rating systems, comprising over 9.7 billion square feet of construction space in all 50 states and 114 countries. In addition, nearly 6,000 homes have been certified under the LEED for Homes rating system, with nearly 25,000 more homes registered. By using less energy, LEED-certified buildings save money for families, businesses and taxpayers; reduce greenhouse gas emissions; and contribute to a healthier environment for residents, workers and the larger community. For more information, visit www.usgbc.org.
SSAE 16 (SOC 1 Type II)
Statement on Standards for Attestation Engagements No. 16 (“SSAE 16”) is an attestation standard put forth by the Auditing Standards Board (“ASB”) of the American Institute of Certified Public Accountants (“AICPA”). The resulting SOC 1 Type II report is intended to be relied upon by the financial statement auditors of CyrusOne customers.
The SSAE 16 assesses the physical security, environmental safeguards and network monitoring controls implemented by CyrusOne. Assessing these controls through the SSAE 16 demonstrates CyrusOne’s commitment to the protection of our customers’ assets.