
PCI DSS 4.0 Released with Big Changes
Released March 31, 2022, PCI DSS v4.0 contains significant changes including increased focus on risk analysis, which may open organizations up to legal risks.
IT staffs have their hands full staying on top of constantly changing technologies, keeping their user base happy (and equipped with the latest applications, software, and updates), and just maintaining normal day-to-day IT operations. Managing the security and compliance of their organizations’ IT infrastructure consumes even more time and can add greater complexity. Many companies lack the in-house expertise to battle constantly emerging security threats or to keep pace with new or changing regulatory requirements.
It would be great to just hand off the responsibility for security and compliance to an IT solutions provider that specializes in those areas. Some vendors may even lead you to believe that you can by touting their “highly secure” or “compliant” cloud or colocation services.
Unfortunately, vendors can only do so much. Your organization is ultimately responsible for meeting its IT security and compliance requirements. However, you can “share” some of the responsibility with a vendor. The key is to understand who will handle what and at what level of service.
When an organization works with US Signal, both entities work together to determine who will be responsible for the security of each aspect of the IT infrastructure solution. This includes defining and fully describing what is entailed for each responsibility; discussing the arrangements to ensure complete understanding; and then agreeing to the division of responsibilities.
In most cases, that division of responsibilities for data center (colocation) and cloud services has US Signal protecting the underlying infrastructure that powers our colocation and network services and its cloud services. This includes the physical layer of the cloud — the compute, storage and network subsystems, as well as operating and securing the data centers. It also includes the software (virtualization layer) and network infrastructure. Unless otherwise specified, US Signal also handles the security configuration tasks such as patching and firewall configuration. However, your organization is still responsible for handling secure account credentials.
The customer is responsible for the security of its data, applications and the operating system, as well as any equipment it owns (in the case of colocation services). This includes limiting access to the root account, encrypting data at rest and in transit, managing and controlling the encryption keys, abiding by US Signal security protocols at the data center, and managing the data center access list for its employees and vendors.
As mentioned earlier, the customer is responsible for meeting any requirements to comply with PCI DSS, HIPAA or other regulations or legislative acts. However, US Signal’s audit-ready facilities, compliant cloud infrastructure, and certifications can be leveraged to ensure the security and availability of a customer’s applications and data, and to help meet that customer’s IT compliance requirements. That includes US Signal aiding in mapping current controls from existing compliance activities to specific customer requirements, as well as responding to auditors’ requests for information or relevant documentation. In addition, US Signal can partner with customer organizations to determine strategies for meeting security and compliance requirements for international data privacy or addressing related issues.
While the division of compliance and security responsibilities will differ with each vendor and each IT solution, here are some tips to make sure you are getting what you think you’re getting from your IT solutions provider.
To learn more about partnering with a vendor to help meet your compliance requirements, download this free US Signal eBook:
Partnering for Compliance in the Cloud