What You Don't Know Could Hurt You. Prominent Regulations You Should Know About.
June 05, 2018
For data centers, the privacy and physical security of servers and switches have always been a critical priority, but the increasing migration toward remote edge compute sites and multitenant data centers (MTDCs) has made remote management and access control of the data center cabinet more complex and challenging.
In order to stay compliant, it's important to be aware of and understand the relevant regulations and requirements.
Here are a few prominent regulations worth knowing more about:
Federal Information Security Modernization Act (FISMA)
- Based on the 2013 Executive Order, "Improving Critical Infrastructure Cybersecurity," the National Institute of Standards and Technology (NIST) published a cybersecurity framework to guide companies' cybersecurity risk management processes.
- Access control is an element of the framework's core functions.
- Identities and credentials are managed for authorized devices and users.
- Remote access and access permissions are managed.
Health Insurance Portability and Accountability Act (HIPAA)
- The Centers for Medicare and Medicaid Services publishes the rule titled "Security Standards for the Protection of Electronic Protected Health Information," which sets requirements for covered entities.
- Physical access to electronic information systems and the facility or facilities in which they are housed is limited.
- Access attempts, dates and the reason for access must be documented. These records can range from a simple logbook to a more comprehensive electronic database.
Payment Card Industry Data Security Standard (PCI DSS)
- The PCI Security Standards Council (PCI SSC) recreated the PCI DSS to protect cardholder data in the digital age.
- Use appropriate facility-entry controls to limit and monitor physical access to systems where data is stored.
- Use a visitor log to maintain a physical audit trail of visitor information and activity.
General Data Protection Regulation (GDPR)
- Part of the European Union's data protection reform.
- While EU countries must comply, any organization collecting or processing data of individuals within the EU should also be developing its compliance strategy.
- Data centers must demonstrate examples of preventing unauthorized access to electronic communications networks.
System and Organization Controls (SOC) reporting for service organizations (SaaS SOC 2)
- Developed by the American Institute of Certified Public Accountants (AICPA).
- User identification, authentication, authorization and credentials management must be documented.
- Operating location and data center physical security and environmental safeguards must be in place.
To learn more about these regulations and requirements and to review actionable considerations, please read the full article.