Data Centers Can Use SSAE 16, PCI, Cybertrust Standards to Validate Physical Security
September 23rd, 2013 By: Industry Perspectives
Michelle Ziperstein is the Marketing Communications Specialist at Cervalis LLC, which provides data backup and disaster recovery solutions for mission-critical data.
Data centers protect their companies’ or clients’ operations by securing operating perimeters, controlling access to data and equipment, providing protection against environmental threats, and more.
Data centers hold a great deal of sensitive information, so it is important to know whether they provide effective and adequate safeguards against data theft and other threats. One way to find out is to look at how their physical security has been assessed by an independent third party.
There are three widely used standards for that assessment: SSAE 16, PCI DSS, and Verizon Cybertrust. Strictly speaking, SSAE 16 produces an attestation report rather than a certification and PCI DSS compliance is validated by an assessment, while Cybertrust is a certification program, but all three give a customer independent evidence about a facility's controls. Some data centers, such as Cervalis', continually maintain SSAE 16 and PCI compliance as well as Verizon Cybertrust certification.
A data center that holds these reports and certifications can also help its customers meet their own regulatory obligations, since a customer can rely on the provider's independently examined controls rather than verifying them from scratch. Let's take a closer look at each of the three.
SSAE 16
SSAE 16 (Statement on Standards for Attestation Engagements No. 16) is an attestation standard issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). It governs how a service auditor reports on the controls at a service organization; physical security is one of the control areas such a report covers for a data center.
There are two types of SSAE 16 reports, Type I and Type II. A Type I report is the more limited of the two: management submits a written description of its system and controls, and the auditor issues an opinion on whether that description is fair and whether the controls are suitably designed, as of a single point in time. It does not test whether the controls actually operated. For a truly wide-ranging attestation, ask for a Type II report, which covers the same ground and additionally tests the operating effectiveness of the controls over a review period (typically six to twelve months). Publicly traded companies and firms in highly regulated industries such as financial services, along with the cloud providers that serve them, generally expect their data center to hold a current Type II report, and many companies are leery of partnering with a provider that cannot produce one.
SSAE 16 replaced SAS 70, the earlier standard, for reporting periods ending on or after June 15, 2011. The two main differences for the audited organization are that management must now provide the service auditor with a written description of its system, and must also provide a written assertion that the description is accurate and that the controls were suitably designed (and, for a Type II report, operating effectively). Under SAS 70 the auditor reported on the controls without that management assertion.
Before a data center can become SSAE 16 compliant, it has to undergo an audit of its infrastructure, environmental safeguards, customer service, communications, user controls, insurance coverage, and management.
While SSAE 16 applies to service organizations in many different industries, a data center's report typically covers a set of controls specific to the facility. The auditor will examine whether the data center:
- has adequate backup power and data redundancy
- monitors environmental conditions, such as temperature and humidity
- records and reviews alerts diligently
- monitors for and protects against fire and water damage
- has sufficient physical security controls, such as biometric access controls, CCTV surveillance, guards, and mantraps
PCI Security Standards
Unlike SSAE 16 and its predecessor SAS 70, which were developed by an accounting body, the PCI Security Standards Council was founded in 2006 by the major payment card brands (American Express, Discover, JCB, MasterCard and Visa). Its standards are built around protecting payment data in particular: cardholder data, PINs, and the systems and applications that process them.
The PCI Security Standards Council website describes its standards as applying to merchants, financial institutions, software and hardware vendors, and security professionals and service providers. The PCI Security Standards comprise the Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements, and the Payment Application Data Security Standard (PA-DSS).
Together they provide a set of ways to assess and improve the security of payment card data. PCI DSS is organized into six control objectives, each backed by specific requirements:
- Build and maintain a secure network: install and maintain a firewall configuration to protect cardholder data, and do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data: safeguard stored cardholder data and encrypt it when transmitting it across open, public networks
- Maintain a vulnerability management program: use and regularly update anti-virus software, and develop and maintain secure systems and applications
- Implement strong access control measures: restrict access to cardholder data to those with a business need to know, assign a unique ID to each person with computer access, and restrict physical access to cardholder data
- Regularly monitor and test networks: track and monitor all access to network resources and cardholder data, and regularly test security systems and processes
- Maintain an information security policy that addresses information security for all personnel, and make sure they are aware of it and follow it
Verizon Cybertrust Certification
Cybertrust was a digital security company that Verizon acquired in 2007, and its program has become the cornerstone of the carrier's security certification offering. Verizon offers a number of certifications and seals: Verizon Cybertrust Security Certified Enterprise, Perimeter, Application, Business and Site.
The perimeter security program assesses a range of controls, from system and network vulnerability analysis to physical security and policy evaluation. Six categories of risk are covered under the program: downtime, electronic threats, human factors, malicious code, physical security, and privacy.
In addition to assessing the security status of a business, location or application, Verizon also offers security services such as identity and access management, threat assessment and security compliance.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.