Jim Henry of Iron Mountain Data Centers shares how comprehensive data center compliance and certification programs can help organizations mitigate data center risk.
Jim Henry, Global Compliance Analyst, Iron Mountain Data Centers
Today’s interconnected world poses challenges to protecting data and digital assets. With new web services, applications, and AI advancements, cyber threats are increasing. The level of scrutiny is rising, too.
While the urgent demand for security grows, having a comprehensive compliance program that is constantly reviewed, tested and updated based on the latest best practices can return a sense of control. A strong compliance program operates like a machine, ensuring all systems are in place and working 24/7 to recognize, address and remediate risks.
What Role Does Your Colocation Provider Play?
Many organizations choose colocation to ensure and maintain compliance with physical and environmental controls. Meeting regulatory compliance standards for data management is a necessity for almost every company, but it’s no small task.
A colocation provider mitigates risk through physical and environmental controls from an operational and security standpoint, ensuring maximum security, availability and integrity. Ensuring proper maintenance and operation of critical infrastructure, along with upkeep and continual improvement of a physical security program, are part of a comprehensive compliance program.
Ongoing audits are integral to compliance, but they are expensive and time consuming. Report keeping is arduous, and compliance regulations change, forcing organizations to adapt or fall behind.
Partnering with the right colocation provider can take much of this work out of the equation for the customer.
What are Best Practices?
From a compliance standpoint, your colocation provider should have a SOC 2 Type II report and ISO27001 implemented at a minimum. These two frameworks can provide customers and third parties assurance that a proper Information Security Management System is in place, and that technical audits occur regularly.
These frameworks provide a full customer facing report detailing the controls that the colocation provider is subject to. It also details how they performed. Depending on your industry, you may also require frameworks outside of SOC and ISO.
What Goes into Data Center Certification?
Certifications are a team effort. Think of a Formula One race car. Everything is built to precise specifications and expected to operate at extreme tolerances in even the most dynamic and unpredictable environments. That is how a proper compliance program runs.
Compliance as a department is dependent on operations, network, security, and human resources for a large bulk of the artifacts reviewed during an audit.
In addition to this, time is a factor. Even outside of “audit season,” compliance teams must work together to address risks, recognize gaps, and execute process engineering in order to make things run appropriately. A big part of this process is analysis and reviewing data. Data are the drivers for most of the continual improvement measures put in place to make an Information Security Management System thrive.
Cost is often a consideration that helps determine what frameworks to aim for. When it comes to security, your industry is often the driving factor in those decisions, and anything beyond that should make sense for your business.
What to Ask Your Data Center Provider
It’s important to understand your colocation provider’s compliance program. While colocation offers clear benefits, it’s vital to find the right colocation provider for your business.
In the colocation arena, whether it’s for retail, hyperscale, or wholesale, the most important compliance question is what certifications and/or reports are present at the prospective site. Certifications and reports should align with your compliance and business needs to ensure the proper physical and environmental controls are in place.
If the mandates and/or social responsibility of your organization are centered around other aspects of compliance, such as safety, quality or environmental/energy management, it’s good to voice those needs to the colocation provider.
As the nature of the data center business changes, it’s becoming more and more important to align yourself with a provider that speaks the same language. Beyond the certifications and reports, at a more granular level, it’s important to ask about physical security policies, personnel security policies, service delivery, and availability and change practices.
Going over these ahead of contract execution will provide due diligence that the colocation provider is operating at all levels expected by your organization, outside of what certifications and reports can communicate.
It’s important to understand your colocation provider’s compliance program. While colocation offers clear benefits, it’s vital to find the right colocation provider for your business.
Secondly, it’s good to understand if compliance is not only a function, but also a culture at the colocation provider. It’s one thing to talk the talk, walking it is next level.
This can be reflected in many ways but having a solid compliance point of contact at the colocation provider is a great first step. Establishing that relationship from the beginning and knowing that POC is there for you when you need support is key.
After all, you are outsourcing your stake in your operations to the colocation provider, so compliance, security, availability and integrity are of upmost importance.
Colocation providers like Iron Mountain Data Centers have met and implemented the security frameworks required to allow organizations to securely host their data and applications in compliant data centers.
Jim Henry is a Global Compliance Analyst for Iron Mountain Data Centers, where he manages various aspects of the multifaceted, industry leading Information Security, Quality, Environmental, and Energy Compliance program.
Iron Mountain Data Centers has one of the most comprehensive IT Security Compliance programs in the world. This culture stems from the reputation and tradition that we have followed for more than 60 years as trusted guardians of customer assets.
At Iron Mountain Data Centers, we provide a federal-grade, multi-layered approach to security that includes a combination of technical and human security measures. Our onsite security and trained personnel help to mitigate risk.
Iron Mountain’s comprehensive compliance alignments, reports, and certifications include HIPAA, NIST 800-53, FISMA High, PCI-DSS, ISO 27001 and SOC 2/3, ensuring even the most highly regulated customers are in compliance.
