Certifications Add Value to Your Data Hosting

Posted by Annie Eissler on September 25, 2018

We don't have to tell you why data security is important - as an industry leader, you already know how crucial it is to protect your company's most valuable asset. But with an ever-growing and changing list of standards and legislation, keeping up with the latest data center certifications and accreditations can be difficult.

In this post, we'll review five of ByteGrid's accreditations and certifications including:

  1. SOC 2 Type 2
  2. PCI DSS
  3. ISO 9001
  4. ISO 27001
  5. EHNAC

We'll walk you through how organizations like ByteGrid achieve these certifications and more importantly, how they add value to your hosting services by minimizing risk and ensuring your data is managed properly and securely.

1. SOC 2 Type 2

System and Organization Controls (SOC) 2 Type 2 is a certification offered by The American Institute of CPAs (AICPA) that ensures accredited organizations securely manage customer data based on one or more of these five principles:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

How do you get certified?

To achieve this certification, organizations are required to undergo regular audits by accredited outside auditors who verify that the company complies with one or more of the five principles listed above.

2. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a certification by the PCI Security Standards Council that's designed to ensure organizations protect your sensitive identity and payment data. ByteGrid’s scope of assessment includes physical security controls (badge authorizations, access logs, CCTV systems, etc.) and incident/vulnerability management procedures.

How do you get certified?

All compliant organizations must implement the following best practices:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a Vulnerability Management Program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an Information Security Policy

To receive the certification, all organizations must also undergo the following:

  • Perform an assessment of their hosting environment
  • Complete the applicable reports for the assessment (i.e., Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC))
  • Complete the Attestation of Compliance document for Service Providers or Merchants, as applicable. This is available for download on the PCI SSC website.
  • Submit the SAQ or ROC, and the Attestation of Compliance, along with any other requested documentation

3. ISO 9001

The International Organization for Standardization (ISO) sets the standard for ISO 9001, which is an important achievement when it comes to customer satisfaction. This certification ensures that an organization's quality management system consistently meets customer requirements, based on the principles below:

  • Customer focus
  • Leadership
  • Engagement of people
  • Process approach
  • Improvement
  • Evidence-based decision making
  • Relationship management

How do you get certified?

While ISO develops the standard, it doesn't issue this certification. All ISO 9001 certifications are granted by independent certifiers who verify that a company's quality management system is in compliance and meets customer expectations.

4. ISO 27001

ISO 27001 focuses heavily on the management of physical and logical security controls through an Information Security Management System (ISMS).

How do you get certified?

Like ISO 9001, the ISO 27001 certification isn't issued by ISO, but by an accredited independent certifier that conducts a three-step audit:

  • A review of the Information Security Management System (ISMS), i.e., reviewing documentation such as the organization's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP)
  • A formal compliance audit that tests the ISMS against the ISO/IEC 27001 requirements
  • Periodic re-assessment audits to confirm the ISMS continues to operate as intended. These are conducted at least once a year but often happen more frequently.

5. EHNAC

The Electronic Healthcare Network Accreditation Commission (EHNAC) is an independent non-profit that evaluates and recognizes organizations that handle healthcare data electronically. This accreditation validates that a HIPAA hosting supplier is capable of hosting your data in a consistently compliant manner.

How do you get certified?

In order to achieve EHNAC accreditation, companies have to undergo the following:

  • Submit an application and self-assessment
  • Complete a multi-phased, strict evaluation including onsite visits
  • Demonstrate that your company complies with the requirements of the specific EHNAC accreditation program that applies to you
  • Achieve a minimum score
  • Pay the fees
