Just as scalability, power density, security, and flood zoning are all important factors to consider when choosing your data centre service provider, so too is compliance absolutely essential. From FINRA to HIPAA and everything in between, keeping your customers' data safe is paramount whenever your business is handling sensitive information.
Formerly, data centres in the United States incorporated the Statement of Auditing Standards No. 70 (SAS 70) from the American Institute of Certified Public Accountants (AICPA). Today, however, the standards have been updated to a set of standards called Statements on Standards for Attestation Engagements No. 16 (SSAE 16), which is still governed by the AICPA.
Put simply, SSAE 16 is a way for a third party to measure levels and types of compliance within the world of data centres and colocation providers here in the United States.
SSAE 16 is divided into three types of Service Organisation Controls (SOC):
SOC 1: Focuses on internal controls over financial reporting, and was the replacement of the former SAS 70 standard.
SOC 2: This is the most stringent form of SOC compliance and includes an examination of adherence to, and trialling of, controls for specific "Trust Services Principles" (TSP) of criteria within each of the five reportable sections of SOC 2 (Security, Availability, Processing Integrity, Confidentiality, and Privacy).
SOC 3: Focuses on whether or not an entity meets the required standards and does not include the specific test methods, results, or opinions of the examiner.
SOC can also be clarified by type:
Type I: Accounts for the ability to test and report on the design of the controls (Answers for: has the entity accounted for all relevant variables with policies and procedures to sufficiently support?).
Type II: Accounts for the suitability of design and operating effectiveness of the controls (Answers for: are the policies and procedures applicable, implemented effectively, and used in accord with the design?)
To get back to the question of whether or not Telx’s facilities are audited by a third party, however, the answer is yes.
In 2012 Telx made the decision to upgrade from SOC1 to SOC2 compliance. The adoption of this new standard which contains many predefined criteria for compliance is a major undertaking for many organizations. At Telx, to achieve SOC2 compliance we've made a significant investment in policy, process, and systems development as well as on-going process management to ensure that we have a strong compliance foundation. We build and control to a minimum of 'Type II' reporting, and Telx undergoes (and completes) audits each year to ensure that all of our data centres continue to be SOC 2 compliant. In 2013 we successfully completed our first SOC2 audit which included 15 of our data centres. Our current SOC2 audit which completes March 31st 2014 will include all 20 Telx facilities that were in services as of the reporting period and covers the trust service principles of security and availability.
In addition to 21 data centre facilities compliant with SOC 2, our Clifton Data Centre Campus (NJR2 & NJR3) is fully PCI certified. Telx also seeks continual improvement by assessing standards such as FedRAMP, HIPAA and ISO 27001. In fact, we've included a mapping to the ISO 27001 principles in our SOC2 to ensure we cover those requirements as well. On top of that, we've engaged third party auditors to perform a complete HIPAA risk assessment and gap analysis which will complete this month.
What’s more, each new Telx facility is built to, and withstands, the same stringent requirements to ensure consistency amongst all of our facilities. We are very serious about our compliance, and part of the benefit of outsourcing your data centre services is the ease of compliance through a provider like Telx when compared to attempting to do the same thing on your own.
Today, there's no such thing as being too careful with customers'-and your own-sensitive data. And in cases of rules like HIPAA and FINRA, data sensitivity isn't just a good idea-it's the law. Here at Telx, we provide the compliant foundation you need to help keep your business' data safe, and we're audited every year for compliance with SOC 2 to prove it.
Interested in learning more about Telx, third party auditing, and compliance? See our compliance page here, or reach out to us via the contact page of our site, or by Facebook or Twitter.