Data Center Journal

Volume 33 | August 2014

Issue link: https://cp.revolio.com/i/359333

Page 17 of 32

www.datacenterjournal.com

COMPLIANCE IS MORE THAN CHECKING BOXES

When the security of your electronic protected health information (PHI) is vital to your success, you need to be certain your HIPAA-compliant hosting provider is doing more than just checking off boxes to meet minimum criteria. The same holds true for any company that is regulated by PCI compliance. If compliance is a business reality for you, you need a hosting provider that goes beyond the minimum requirements; it is not a set-it-and-forget-it approach.

For instance, many data centers have some level of compliance requirements and are therefore audited regularly. Even if external audits are performed, they do not replace the need to perform audits and checks regularly against your environment. Just because your hosting provider has had its infrastructure audited does not automatically mean your environment is in scope. Additional services and assessments should be considered to ensure your environment is being looked after.

Although auditing is a part of doing business for any company that hosts sensitive data, having a hosting provider with experience working with auditors can also be helpful. Hosting providers can help you obtain information that assures you your systems are hosted in a secure and reliable environment.

IT'S NOT ONLY ABOUT IT

When we hear about breaches in the news, most often it seems that they are IT breaches. While your hosting provider obviously needs to have best practices in place for IT security, it must do the same for physical security. Physical security protects data and systems from anyone who can come into direct contact with them. There are physical elements such as cameras, access-control systems and locks, as well as operational processes such as visitor and contractor policies.

Since people are the biggest threat to physical security, intentionally or unintentionally, the individuals who work in the facility must be trained to stick to security policy and adhere to protocol. To protect your organization, you need to ensure that your hosting provider has a policy in place that holds every individual on site 100 percent accountable for their access, and that it routinely conducts general awareness training to reinforce the appropriate procedures.

Beyond where systems are housed and data is stored, the disposal of hard drives and backup devices is an additional consideration. Secure data destruction is a crucial feature in cloud-service offerings, as cloud providers are required to follow the proper National Institute of Standards and Technology (NIST) guidelines for erasing data, rather than simply deleting files and reformatting hard drives. Make sure your hosting provider is capable of data destruction that meets NIST guidelines. This can include shredding hard drives and complete destruction of any physical media that held sensitive information.

SUPPORT MATTERS

The painful truth of security is that you can't expect systems to be so protected that they will never be compromised. Even with best practices in place and compliance needs completely addressed, companies must still remain vigilant. The right hosting provider not only understands this but helps its customers maintain vigilance by providing round-the-clock support and proactively monitoring systems to identify any issues that might put an organization at risk.

This effort means going beyond having the right tools in place. Your hosting provider should have a security team that analyzes data from these tools to detect signs of attack before it's too late and respond immediately if unauthorized access is detected. Most successful attacks spend 243 days before they are discovered. By continuously monitoring the environment, this time can be reduced to hours, thereby limiting any damage or exfiltration of data. This process includes reviewing SIEM/FIM logs and alerting you if there is anything to be concerned about, watching for any anomalies detected by your IPS/IDS and application traffic firewall, and deciphering vulnerability scanning results.

Selecting the right partner, one that not only alerts you to problems but also works with you to resolve them, can make all the difference when a small problem or a potential threat arises. And, in the meantime, it can free you up to run your business, not worry about your systems.

About the Author: Scott Walters is the Director of Security at INetU.
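The SUPPORT MATTERS section mentions reviewing FIM (file integrity monitoring) logs as one of the continuous-monitoring activities that shrinks time-to-detection. The following is an added example, not code from the article or from INetU, showing the core of what a FIM tool does: take a hashed baseline of a directory tree, then re-scan and report files that were added, removed, modified, or had their permissions changed. The directory contents and file names are constructed for the demo and are not real system paths.

```python
"""Minimal file-integrity monitor: baseline a tree, re-scan it, report drift.

Added illustration of the FIM concept; hypothetical sample files only.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its hash and permission bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Re-scan root and classify every difference against the stored baseline."""
    current = build_baseline(root)
    findings = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings["added"].append(rel)        # new file the baseline never saw
        elif rel not in current:
            findings["removed"].append(rel)      # file deleted since baseline
        else:
            if baseline[rel]["sha256"] != current[rel]["sha256"]:
                findings["modified"].append(rel)  # content changed
            if baseline[rel]["mode"] != current[rel]["mode"]:
                findings["mode_changed"].append(rel)  # permissions changed
    return findings


def demo() -> dict:
    """Build a constructed sample tree, baseline it, simulate drift, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")  # constructed
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"placeholder-binary")  # constructed
        baseline = build_baseline(root)
        # Round-trip through JSON: in practice the baseline is stored off-host so a
        # tampered machine cannot also rewrite its own reference hashes.
        baseline = json.loads(json.dumps(baseline))
        # Simulated drift: config edited, binary removed, unexpected file added.
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")
        (root / "bin" / "service").unlink()
        (root / "bin" / "unexpected").write_bytes(b"new")
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the scan runs on a schedule, the baseline lives somewhere the monitored host cannot write, and each non-empty finding is forwarded to the SIEM so the security team sees it as an alert rather than waiting for a periodic audit.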
