A Guide to Compliance
Although they vary by business type, any company operating out of a data center must deal with an alphabet soup of regulatory bodies who have a keen interest in what you’re doing, how you’re doing it and who you’re doing it with. Effectively navigating this sea of regulatory acronyms requires that you understand each one that affects you, and that you have a data center partner that is able to work with you to ensure your operational compliance.
Why Should I Care?
For most things in life, “why should I care” is quite a reasonable response. Your neighbor wants to sacrifice a goat in his backyard, no problem, since after all, what a guy does in his spare time is his own business, right? Unfortunately, when it comes to compliance related issues, non-compliance is the leading cause of large financial penalties and middle-aged men in orange jumpsuits. While Sarbanes-Oxley may be the Godfather of regulatory statutes impacting data centers, individual industries (HIPAA for the health care industry, or PCI DSS for the credit card business) or disciplines like SOC for service organizations or ISO 27001 for information security can also combine to form an intricate compliance web that can potentially prove to be lethal should you stray outside of their boundaries.
Just to keep things simple, there are two (2) types of regulatory requirements (it only seems like there are more):
Statutory requirements are those defined by law (ex: HIPAA or Sarbanes-Oxley), and compliance is not optional (refer to the earlier reference to steep fines and orange jumpsuits). To make sure that everyone is playing by the rules, your organization is typically going to have to undergo a formal audit by a recognized third-party auditor.
Standards are requirements developed by established bodies to define specific methods of operation or performance criteria. These bodies can represent entire industries like credit cards (PCI DSS) or general disciplines (ISO). Like their statutory counterparts, these organizations typically require written confirmation of your business’ compliance from a recognized third party.
How Do Data Center Providers Support Compliance Efforts?
When talking to prospective providers about your compliance efforts you should look for four (4) critical attributes (Note: Pretty much everyone can do the first two):
- Understanding of your operational regulatory environment. As previously discussed, depending on the nature of your business, one or more regulatory or standards requirements may apply. For example, if you’re storing medical information you may be subject to HIPAA guidelines, but if you are offering this as a subscription service to physicians you may also need to adhere to PCI DSS requirements if you are accepting payment by credit card. Potential providers should be able to understand the nature of your business and ensure that your compliance efforts address all applicable rules and regulations.
- The ability to clearly demonstrate which particular aspects of the applicable rules and regulations fall within the specific purview of the provider themselves. Most typically, the specific requirements that are incumbent on the provider will fall within the realm of physical security.
- The ability to support your compliance plans. Unfortunately, this is not as simple as it sounds. Most data center providers have compliance programs; their shortcoming, however, is that you also have to comply with them. In other words, if the compliance procedures that you painstakingly developed and used at your old or other data center(s) don’t correspond to those of your potential provider, it’s you that’s going to have to change. Although they may be great at attributes one and two, and really, really want to be your “compliance partner”, they are, in effect, working against you and not with you.
- The ability to help you develop your compliance plan. The issues related to compliance are often arcane and nuanced. If you don’t have a compliance plan in place, your provider should possess the expertise to assist you in its development. Even if they have a compliance plan of their own, this does not mean that your potential provider is capable of assisting you in developing yours. In today’s hyper regulated environment this can be a costly shortcoming for you.
As more and more data passes through, and finds residence within, data centers, so will the statutory and regulatory rules pertaining to a vast array of elements, including: who can (and can’t) see it, how it should be stored and transmitted, and where it can go, amongst other things. All this means that issues related to compliance will become increasingly important for data center customers. The first step in successfully addressing them will be locating a provider that meets all four (4) critical compliance attributes. To do otherwise only makes a complex task even more difficult.