Security and Compliance Overview
Compliance Regulations and Standards
Today’s environment brings increasing regulation to our customers. While this may be viewed as tedious, it is also necessary and our mission is to deliver peace of mind with compliant solutions.
Global Data Vault enables compliance with a variety of standards and regulations. Our compliance is accomplished through physical controls, logical controls, and policy controls. Below, we’ve summarized the high-level controls in place, but invite you to contact us so we can go into more detail. At that time, we can also review our controls compared to your needs outside the regulations and standards listed here.
| Abbreviation | Full Name | Issued By | Type | Applies To |
|---|---|---|---|---|
| HIPAA | Health Insurance Portability and Accountability Act | US Federal Law | Regulation | Companies that keep any patient health information |
| PCI | Payment Card Industry | Companies that issue credit cards | Standard | Companies that store credit card numbers |
| NIST | National Institute of Standards and Technology | US Federal Government | Standard | US Federal Government entities and their vendors |
| DFARS | Defense Federal Acquisition Regulation Supplement | US DoD | Regulation | Companies serving the US DoD |
| SOX | Sarbanes-Oxley | US Federal Law | Regulation | US companies with publicly traded securities |
| SSAE 16 SOC 1 / SOC 2 | Statement on Standards for Attestation Engagements / Service Organization Controls | American Institute of Certified Public Accountants (AICPA) | Standard | Data center operational controls |
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, mandates that all covered entities fulfill certain requirements for data backup, data storage, and data recovery. It was created to protect Personally Identifiable Information and regulate the use and disclosure of protected health information (PHI). These requirements are listed in the Security section of the Administrative Simplification Act.
Global Data Vault’s HIPAA compliant cloud storage is a highly secure, online data backup and data recovery system that allows you to meet HIPAA requirements while realizing significant cost savings.
HIPAA Security Checklist
| Administrative Procedures Requirements | How GDV Supports the Requirement |
|---|---|
| Data Backup – ability to maintain and access retrievable, exact copies of your data | GDV’s online backup software is an easy-to-use software solution that backs up your critical data. |
| HIPAA Disaster Recovery – ability to restore data in the event of a data loss resulting from fire, vandalism, natural disaster, or system failure | GDV’s online backup software allows you to restore your critical data files with a few mouse clicks. |

| Physical Safeguards Requirements | How GDV Supports HIPAA Compliance |
|---|---|
| Data storage – retention of data in a secure location | GDV provides highly secure and redundant offsite data storage. Your data is stored in a secure data center. |
HIPAA Business Associate Agreement
If your organization receives protected health information (PHI), Global Data Vault will provide a Business Associate Agreement. This agreement covers our responsibility with regard to the protected health information and provides assurances about the safeguards we employ in protecting that data.
If you store or process credit card data, PCI is important to you. The Payment Card Industry Data Security Standard (PCI DSS) is not a law but is a thorough set of rules put forth by the five major issuers of credit cards. The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called “control objectives.”
These six PCI DSS groups are:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
For complete compliance, the customer’s primary environment must be PCI compliant. If an audit or certification program has not been undertaken, we recommend completing the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance. GDV customers who are subject to the PCI DSS should notify GDV of this requirement and their intention and plan to comply.
GDV layers our compliance with PCI by combining your compliance with our adherence to a thorough list of internal controls and policies.
NIST 800-53 Compliance
What is NIST 800-53?
NIST SP 800-53 stands for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
NIST is a non-regulatory agency of the U.S. Commerce Department which encourages and supports innovation and science through the promotion and maintenance of the NIST SP 800-53 industry standards and guidelines. These standards help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA).
Maintaining NIST 800-53 Compliance with Global Data Vault
Global Data Vault maintains compliance with NIST 800-53. We retain an independent security consulting firm, BitLyft, to perform routine External Vulnerability Assessments. NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security controls selection for federal information systems in accordance with the security requirements under Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.
What is the Sarbanes-Oxley Act of 2002?
The Sarbanes-Oxley Act of 2002 (SOX) ushered in a new era of business rules regarding the storage and management of corporate financial data. Sarbanes-Oxley Compliance holds many publicly held companies and all registered public accounting firms to a rigorous set of standards. These rules set guidelines for how data should be stored, accessed, and retrieved.
Section 103: Auditing, Quality Control, And Independence Standards and Rules – The Board Shall:
- Register public accounting firms;
- Establish or adopt by rule “auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers;” requires firms to “prepare, and maintain for a period of not less than 7 years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such a report.”
Global Data Vault’s solution supports efforts to prepare documents for a SOX Compliance audit and inspection. It captures and stores data to a remote server where the files are stored securely and safely until inspection. A backed-up file can remain indefinitely on our servers until it is needed for audit or inspection. Our remote backup system allows access only with the correct username/password combination. From there, the file can be restored to a local desktop, either via the software client or through our Web Restore interface.
Section 104: Inspections of Registered Public Accounting Firms
- Quality Inspections must be conducted annually. The SEC or the Board may order impromptu inspections of any firm at any time.
Global Data Vault’s solution gives users on-demand access to their data. An inspector may access any file stored on the GDV remote backup system in order to perform the required inspection. Additionally, different historical versions of a file can be restored and inspected to compare and contrast a document’s revisions.
Section 105(d): Investigations and Disciplinary Proceedings – Reporting of Sanctions
- All documents prepared or received by the Board are regarded as “confidential and privileged as an evidentiary matter (and shall not be subject to civil discovery or other legal process) in any proceeding in any Federal or State court or administrative agency.” The section continues: “…unless and until presented in connection with a public proceeding or [otherwise] released” in connection with a disciplinary action.
When you use Global Data Vault’s solution to back up your data, you are using some of the best encryption and data protection tools available to maintain complete confidentiality. From the moment you perform your first backup, your data is encrypted using 448-bit encryption, the strongest available. The files themselves are encrypted on your computer before leaving your office and remain encrypted until you access them again. Files are sent over port 308, a non-standard port designed to avoid the high-traffic ports usually associated with Internet communications and hacking. Once stored on our servers, the files stay encrypted.
Title VIII: Corporate and Criminal Fraud Accountability Act of 2002
- “Knowingly” destroying or creating documents to “impede, obstruct or influence” any federal investigation, whether it exists or is contemplated, is a felony.
We employ the latest backup technology available to prevent unauthorized access to your data, and our data center is restricted to our administrators only. The data center uses state-of-the-art security including:
- Gigabit Internet connection
- 24/7 technical support, monitoring and remote hands
- N+1 redundancy on power, HVAC
- Fire, smoke and heat detection
- UPS and onsite diesel generators
- Controlled physical access
Section 802: Mandatory Document Retention
- This section instructs auditors to maintain “all audit or review work papers” for five years from the end of the fiscal period during which the audit or review was concluded. It also directs the Securities and Exchange Commission (SEC) to disseminate, within 180 days, any necessary rules and regulations relating to the retention of relevant records from an audit or review. Section 802 makes it unlawful to knowingly and willfully violate these new provisions — including any rules and regulations disseminated by the SEC — and imposes fines, a maximum term of 10 years imprisonment or both.
Global Data Vault’s solution supports Sarbanes-Oxley Compliance requirements for mandatory document retention by storing audit and review work papers for an indefinite amount of time. It captures multiple historical versions of those documents, enabling auditors to access multiple versions of the same document as it changed over time.
Section 1102: Tampering with a Record or Otherwise Impeding an Official Proceeding
- This section criminalizes knowingly altering, destroying, mutilating, or concealing any document with the intent to impair the object’s integrity.
As a Veeam Service Provider, Global Data Vault’s solution provides world-class data protection and compliance. We protect your business by storing historical versions of documents that could potentially be the target of malicious destruction. Any file maliciously destroyed on a local PC or server could be restored in minutes from our secure servers. Global Data Vault’s online backup software effectively mitigates your risk of prosecution by protecting data integrity and availability for official proceedings.
SSAE 16 (formerly SAS 70) Type 2
The new service organization reporting standard, Statement on Standards for Attestation Engagements SSAE 16, is effective as of June 15, 2011. SSAE 16 supersedes Statement on Auditing Standards SAS 70 as the professional guidance on performing the service auditor’s examination.
Our data centers have obtained a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE 16) and the International Standards for Assurance Engagements 3402 (ISAE 3402) professional standards. This dual-standard report is specifically intended to meet the needs of our customers and their auditors, as they evaluate the effect of the controls on their financial statement assertions. The SOC 1 report attests that our data centers’ control objectives are appropriately designed and operating effectively.
Global Data Vault can provide these reports upon request. These reports explain the internal control descriptions and security procedures in place to assist you in meeting your compliance requirements.
SOC 2 on the Security and Availability Trust Services Principles
In addition to the SOC 1 report, our data center obtains a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that is an evaluation of controls specific to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations. SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security and the availability principles set forth in the AICPA’s Trust Services Principles criteria.
Upon request and under NDA, this report is also available to our customers.