Do you think that by handing over your systems and data to a data center, you also hand over compliance issues?
While data center compliance is often a priority for the service provider, whether internal or external to your organization, as a CEO, you retain ultimate responsibility for the IT assets of your organization, including its information.
Nonetheless, certain compliance trends could help you steer clear of problems.
1. Growing Use of SSAE 16
Once upon a time, under the old SAS 70 model, data centers reported on the controls that mattered for their customers' financial reporting. This was useful for financial audits and Sarbanes-Oxley compliance. However, it gave no operational assurances about security, availability, processing integrity, confidentiality, or privacy – in short, the so-called Trust Services Principles that an organization must also respect and uphold.
The switch to the SOC reporting framework, with SSAE 16 (Statement on Standards for Attestation Engagements 16) covering SOC 1 reports on financial-reporting controls and SOC 2 (Service Organization Control 2) reports covering the Trust Services Principles, now puts those operational assurances on the table. A practical check: ask your provider for a SOC 2 Type II report rather than a Type I, since only the Type II tests whether the controls actually operated over a period of months, and read the scope and any noted exceptions rather than stopping at the cover page.
2. International Compliance
SSAE 16 is a US compliance standard. There are also international standards for data center compliance, such as ISAE 3402, which is similar to SSAE 16.
ISO 27001 is also used internationally, but it differs more markedly from SSAE 16: it certifies that the provider's information security management system meets a published standard, whereas a SOC report is an auditor's attestation on controls the provider itself has defined.
Nonetheless, they have a big point in common: both involve an independent party testing controls related to IT and security, so either gives you more than a provider's self-declaration.
3. Uptime Institute Tier Certification
Uptime Institute is a consortium formed in 1993 whose goal is to maximize the effectiveness of data centers. It has defined data center “tier standards” as a way to classify availability in a facility. The range of certification is from Tier I (basic infrastructure) to Tier IV (full fault-tolerant site).
Which one is right for your organization? You might want to consult your CIO and, if you have one, your Chief Compliance Officer – see below.
(Editor’s Note: The Uptime Institute announced a few months back that it was overhauling its tier-based certification program.)
4. Corporate IT Governance
Corporate IT governance has matured over the last decade or two. As part of this governance, IT must communicate to the business the technical and technological requirements for compliance of data center operations in a form that senior management can understand.
Conversely, senior management must be aware of the business's particular requirements to comply with the Trust Principles above and drive IT to satisfy them. Typical business needs are the protection of customer data and the assurance that business-critical applications are always running.
5. The Chief Compliance Officer
The “In Focus: Compliance Trends Survey” from Deloitte shows that 53% of consumer and industrial products companies now have a Chief Compliance Officer, compared with 37% the year before. On the other hand, only 29% think their compliance department’s IT systems can meet the compliance reporting requirements of the business. In other words, CCOs may need to get their own IT systems in order before they can reasonably investigate the compliance of any data center used by their organization.
The Bottom Line
CEOs must keep a watchful eye on compliance in the data center. This is true whether the data center is owned by their organization or offered as a service by a third party. Compliance standards, corporate IT governance, and perhaps a Chief Compliance Officer are all part of the support to help a CEO ensure appropriate action. However, the buck stops on the CEO’s desk at the end of the day!
Which type of data center compliance is most important to your organization? Give us your point of view with a note in the Comments section below.