In the world of server colocation, it is imperative that service providers (colocation facilities) comply with current rules and regulations regarding data breaches and information security. As the number of data breaches around the world continues to grow almost exponentially, and the rate at which consumers have their personal information exposed to thieves and hackers increases, it has become more and more important for colocation providers and businesses of all stripes to do everything within their power to ensure that information is protected at all times.
To help organizations and businesses address information security threats, international bodies, the federal government in the US, state governments and industry watchdog groups have created a number of standards that must be adhered to at all times. Two that you will hear about more frequently within the colocation industry, as well as in the financial sector, are ISO 27001 and PCI-DSS. What are they, and what do they mean?
We’ll start with a look at ISO 27001. ISO is the largest and most widely accepted developer of international standards. ISO 27001 specifies the requirements for establishing an information security management system within an organization. The most recent version was compiled in 2013, and the standard applies to all organizations and businesses, regardless of industry, size, scope, number of employees or other factors.
ISO 27001 consists of 11 clauses (numbered 0 through 10). It also includes 13 groups of controls, as well as 114 security controls designed specifically to be applicable across organizations (able to be applied to any organization). Compliance with ISO 27001 is completely voluntary, though. Designed to help companies develop a workable, effective information security management system, it provides input on how to conduct a risk assessment and risk treatment, how to support the wider initiative across the company and the importance of stakeholder buy-in, how to ensure the system operates correctly, and how to take corrective action.
The standard can be downloaded from ISO for a fee (the document is not free). However, understand that it only lists the requirements. It does not explain how an organization should go about meeting them. ISO 27002 is needed for that: it is the accompanying best practices document, and it explains how to comply with the requirements spelled out in ISO 27001.
With all that being said, companies at different stages of development will implement ISO 27001 in different ways. For example, a new company just getting started would be able to build from the ground up with these standards in mind. However, most companies already have their hardware and software in place. In this instance, implementing the standards is not really concerned with changing out those assets, but in developing rules and guidelines that apply to how information is accessed and protected, and then instituting them across the entire organization with the appropriate management and oversight to ensure that they are followed at all times by all employees.
PCI-DSS has many similarities to ISO 27001, but the two are far from identical. PCI was developed by the credit card industry, and only applies to companies that “process, store or transmit credit card data”. As you can imagine, that covers quite a wide range of businesses, although it does not cover all of them, nor can it be applied to all businesses the way that ISO 27001 can be. Unlike ISO 27001, compliance with PCI is mandatory, although an organization’s level of involvement with credit card data does affect which requirements apply to it.
PCI includes 12 requirements and over 200 individual controls. The requirements include:
- Installing and maintaining a firewall configuration
- Changing vendor-supplied default passwords
- Protecting cardholder information stored in the organization’s systems
- Encrypting transmissions that carry cardholder information across open networks
- Using and maintaining malware protection and antivirus software
- Developing and maintaining secure systems and applications
- Restricting access to cardholder information to those within the business with a need to know
- Restricting physical access to cardholder information
- Identifying and authenticating every user who accesses system components
- Tracking and monitoring all access to cardholder information and network resources
- Testing all security systems in place on a regular basis
- Creating and maintaining an information security policy that applies across the organization
- For shared hosting providers, protecting the hosted environment and cardholder data
Different but Compatible
While some organizations will use ISO 27001, and many organizations are required to follow PCI-DSS and obtain certification, some are opting to blend the two sets of standards. This works well, as the two are compatible with one another and each can build on the strengths of the other. With that being said, for organizations that do not work with credit card information in any way, there is little point in obtaining PCI compliance certification, unless you intend to begin working with this information down the road. In that event, building your management system and integrating these standards early makes a lot of sense.
Most businesses (those not tied to PCI by credit card information) will find it simpler to begin the process with ISO 27001 and 27002 (the requirements and best practices documents). Once the management system is in place, you will find it a simple matter to integrate PCI into the organization, allowing the creation of a completely integrated system capable of safeguarding credit card information, other personal information, and other business data alike.
Another benefit of combining the two sets of standards is the ability to better meet customer needs and expectations, even exceeding them by providing robust protection for all of their information within the organization. As customers become more and more aware of the risk to their personal and financial information, and the number of breaches inevitably increases, consumers will increasingly favor businesses capable of providing this type of safety for their data.