
PCI DSS 4.0 Released with Big Changes
Released March 31, 2022, PCI DSS v4.0 contains significant changes including increased focus on risk analysis, which may open organizations up to legal risks.
IT staffs have their hands full staying on top of constantly changing technologies, keeping their user base happy (and equipped with the latest applications, software, and updates), and simply maintaining normal day-to-day IT operations. Managing the security and compliance of their organizations’ IT infrastructure consumes even more time and adds further complexity. Many companies lack the in-house expertise to battle constantly emerging security threats and keep pace with new or changing regulatory requirements.
It would be great to simply hand off responsibility for IT security, cyber security, information security, and compliance to an IT solutions provider that specializes in those areas. Some vendors may even lead you to believe that you can do so by touting their “highly secure” or “compliant” cloud or colocation services.
Unfortunately, vendors can only do so much. Your organization is ultimately responsible for meeting its IT security and compliance requirements. However, you can “share” some of the responsibility with a vendor. The key is to understand who will handle what and at what level of service.
When an organization partners with US Signal, both entities work together to determine who will be responsible for the security of each aspect of the IT infrastructure solution. This entails defining and fully describing what is involved for each task; discussing the arrangements to ensure complete understanding; and then agreeing to the division of responsibilities.
In most cases, that division of responsibilities has US Signal protecting the underlying infrastructure that powers the colocation, network services and cloud services. This includes the physical layer of the cloud (the compute, storage and network subsystems), the software (virtualization layer), the network infrastructure, and operating and securing the data centers.
Unless otherwise specified, US Signal handles security configuration tasks for that infrastructure, such as patching and firewall configuration. Customers, however, are responsible for their own account credentials.
Customers are also responsible for the security of their data, applications and operating systems, as well as any equipment they own (in the case of colocation services). This includes limiting access to the root account, encrypting data at rest and in transit, managing and controlling the encryption keys, abiding by US Signal security protocols at the data center, and managing the data center access list for employees and vendors.
As mentioned earlier, customers are also responsible for meeting any requirements to comply with PCI DSS, HIPAA or other regulations or legislative acts. However, US Signal’s audit-ready facilities, compliant cloud infrastructure, and certifications can be leveraged to help ensure the security and availability of a customer’s applications and data, and to help meet that customer’s IT compliance requirements.
For example, US Signal can assist in mapping current controls from existing compliance activities to specific customer requirements, as well as respond to auditors’ requests for information or relevant documentation. In addition, US Signal can partner with customer organizations to determine strategies to meet security and compliance requirements for international data privacy or address related issues.
While the division of compliance and security responsibilities will differ with each vendor and each IT solution, here are some tips to make sure you are getting what you think you’re getting from your IT solutions provider when it comes to IT security, cyber security, and information security.
If you have specific questions about how US Signal can help with your IT security and compliance, call 866.274.4625 or send US Signal an email.