Over the past few years, as we've continued expanding from our origins as an Internet services provider into the data center and managed services markets, we've been careful not to lose sight of what's gotten us this far: listening to our customers and working closely with them to find the right solutions to meet their needs. With that philosophy in mind, we've taken notice of our customers' growing need to satisfy both internal and external auditing and standards compliance requirements; for example, these might include basic internal policy compliance, PCI DSS for customers processing credit card transactions, or health entities' needs to meet HIPAA federal regulations. Since Net Access often acts as a third-party provider, we recognize that, from our customers' perspective, these requirements will often extend directly to us. In this post, we hope to answer one of the more prevalent questions we've been hearing from our customers lately: "How is Net Access working to meet industry compliance requirements?"
Net Access' Overall Policy Efforts
If meeting compliance requirements is the end game, the implementation and enforcement of policies and procedures is the means. While we've always maintained formal policies for internal control objectives, the apparent growth in industry demand for third-party certified public accountant (CPA) verification of policy standards has prompted us to refocus on our commitment to organizational controls. As part of that commitment, we've undertaken the following efforts during our 2014 policies and procedures review cycle:
- Establishment of a formal policy committee: By establishing a formal policy committee, we aim to provide auditors, customers, and employees with a single point of contact for all things related to policy and standards compliance. The team's responsibilities include policy design, implementation and enforcement, and maintenance as part of our scheduled periodic review cycle. The team will also keep abreast of market changes pertaining to standards compliance, and work with auditors to identify potential areas in need of policy adjustment.
- Streamlining the maintenance of company policy: As compliance questions have become more frequent, we needed a better system for finding answers and producing policy solutions efficiently. As part of our 2014 policies and procedures review cycle, we've worked to better organize our policy structure, making it simpler not only to locate policies during third-party and customer audits, but also to create new policies as needed.
- Continued modernization of standards compliance: Each year, we evaluate what new compliance standards we can incorporate into our auditing process, primarily based on what we feel will benefit our customers most. This year we've included an AT 101 report on our Cloud Services portfolio, specifically oriented towards HIPAA/HITECH covered entities, which we hope will provide all the benefits of our cloud solutions to our customers in the health industry. Additionally, we have also begun preparations for a SOC 2 report in 2015.
Our 2014 compliance work involved CPA audit reports for Service Organization Controls 1 (SOC 1) standards, Payment Card Industry Data Security Standard (PCI DSS), and an AT-101 report on HIPAA/HITECH related safeguards.
- SOC 1 Type 2: A SOC 1 report (formerly known as 'SAS 70') is a report "intended to meet the needs of the managements of user entities and the user entities' auditors, as they evaluate the effect of the controls at the service organization on the user entities' financial statement assertions." In practice, the report provides a description of Net Access services, the related controls (i.e., policies and procedures), and an attestation by our CPA that both the services and controls are implemented as described. Some of the more significant controls companies might be concerned with include those related to internal risk assessment, environmental security, and physical access security.
- PCI DSS: A PCI DSS report "provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents." This report provides details on controls related to Net Access systems and facilities where customer electronic credit card transaction processing may take place. Some of the more significant controls companies might be concerned with include those related to internal risk assessment and physical access security.
- AT-101 (HIPAA/HITECH): An AT-101 report "is utilized when engagement performance and reporting is not governed by one of these more specific attestation sections (i.e., AT Sections 201 – 801). The benefit ... is that the engagement provides a mechanism for obtaining independent third party assurance from a CPA firm regarding a variety of topics, including the clients' services, technological infrastructure and internal controls." For our purposes, the AT-101 report describes our Cloud Services environment, detailing our efforts to offer cloud services that are HIPAA/HITECH aware. The report includes descriptions of implemented administrative, physical, and technical safeguards, as well as our Breach Notification policy.
Current Net Access customers with related services may obtain current copies from within their Customer Care portal under the 'Resources' section.
David Stanford is a member of the Net Access Managed Services team and is the Policy Coordinator for compliance efforts at the company.