Compliance 2018-03-06T09:30:48+00:00


COMPLIANCE STANDARDS FOR HOSTING

US Cloud is committed to providing Cloud Solutions that comply with the mandates, standards and acts set forth to regulate and protect the industries that host with us.


We are ready to take on the burden of your IT compliance

Many of these standards require audits and reviews by outside parties to verify the privacy and safety of your data. Regardless of your industry, US Cloud maintains the controls and independent audits needed for you to host your data with us with confidence.

  • Server/Client Auditing
  • Records Management
  • Bar Codes & Labeling
  • Information Rights
  • Digital Signatures
  • Workflow Management

US Cloud Compliance Programs

US Cloud Tier III

US Cloud’s Tier III Data Center Standard means that all our hosting facilities meet the Uptime Institute’s Tier III (Concurrently Maintainable) requirements.

The Uptime Institute’s Tier Standard classifies data center infrastructure by the level of availability it can deliver. Tier I is basic site infrastructure; Tier II adds redundant capacity components (N+1); Tier III adds multiple independent distribution paths for power and cooling, so that any component or distribution path can be taken out of service for planned maintenance without shutting down IT equipment, and so that a single component failure does not interrupt service. Concurrent maintainability, rather than N+1 components alone, is what distinguishes Tier III from Tier II.

Why is the Tier III Data Center Standard important?

  • Tier III suits organizations from small businesses to large enterprises that need maintenance without downtime but do not require the fault tolerance of Tier IV.
  • Meets or exceeds all Tier I and Tier II requirements.
  • Multiple independent distribution paths serve the IT equipment, with only one path required to be active at a time.
  • All IT equipment is dual-powered and compatible with the site’s distribution topology.
  • Expected availability of at least 99.982% (roughly 1.6 hours of downtime per year).


SSAE 18 SOC 2 Type 2 Audited Data Centers

SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is an attestation standard issued by the American Institute of Certified Public Accountants (AICPA). It governs how an independent service auditor examines and reports on a service organization’s controls; a SOC 2 report issued under it covers controls relevant to security, availability, processing integrity, confidentiality and privacy (the AICPA Trust Services Criteria). A Type 2 report goes further than a Type 1: the auditor tests not only whether the controls were suitably designed at a point in time, but whether they operated effectively over a review period, typically six to twelve months.

A SOC 2 Type 2 report is widely relied upon because it shows that a service organization has undergone an in-depth, independent examination of its control activities, including controls over information technology and related processes. SSAE 18 superseded SSAE 16 in 2017; reports issued under the older standard carry the same SOC 2 name. Note that a SOC 2 engagement produces an auditor’s opinion, not a certification, and it is not a guarantee of security: the report lists the controls tested, the period covered and any exceptions found, and customers should read it rather than rely on the badge alone.

Why is SSAE18 Type 2 SOC 2 Important to You?

  • Anyone concerned about data security should ask a hosting provider for its current SOC 2 Type 2 report and review the controls tested, the audit period and any exceptions noted; US Cloud’s data centers undergo this audit.
  • Demonstrates that control objectives have been established and that control activities are effectively designed and operating.
  • If your organization is a publicly traded company subject to Sarbanes-Oxley, or a HIPAA covered entity, your own auditors will typically ask for a SOC report from your service providers covering the controls you have outsourced (usually a SOC 1 report for financial reporting controls and a SOC 2 report for security controls).
  • Independent third-party attestation provides credibility and differentiates a provider from the competition.
  • Provides reassurance that your data is handled by professionals with a clearly defined and secure process for data disposal.

Sarbanes Oxley Compliance

The Sarbanes-Oxley Act sets strict governance and control standards for public companies and public accounting firms and provides additional oversight of corporate accounting.

Also known as SOX, Sarbox or the Public Company Accounting Reform and Investor Protection Act of 2002, it is a U.S. federal law that applies to public companies registered with the SEC and to the public accounting firms that audit them. US Cloud reduces the infrastructure and management cost of SOX compliance by hosting our solutions in an environment whose controls are audited with Section 404 in mind. Section 404 requires management to assess, and the external auditor to attest to, the effectiveness of internal control over financial reporting (ICFR); when financial systems are hosted by a third party, the provider’s general IT controls (access control, change management, backup and recovery) become part of that assessment.

Why is Sarbanes Oxley Compliance important?

  • SOX compliance is a costly burden for public companies and their auditors.
  • US Cloud relieves your data management team of the infrastructure portion of that burden; responsibility for your financial reporting controls remains with you.
  • You gain a better understanding of control design and operating effectiveness.
  • It becomes easier to discover duplicate controls that can be eliminated.
  • SOX combats fraud, improves the reliability of financial reporting and restores investor confidence.

National Institute of Standards and Technology (NIST)

US Cloud’s Data Centers follow standards set by NIST (National Institute of Standards and Technology), a US Government agency within the Commerce Department.

“The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency under the Department of Commerce. It is the National Measurement Institute for the United States. The NIST’s mission is to support and develop measurement standards and technology in order to improve efficiency, facilitate trade, and enhance the quality of life.” (quoted from www.professionalequipment.com)

Why is NIST Compliance important?

  • NIST publications supply the vocabulary and control catalogs against which hosting environments are measured: SP 800-145 defines cloud computing and its service and deployment models, SP 800-53 catalogs the security and privacy controls that FedRAMP builds on, and FIPS 140-2 sets the validation requirements for cryptographic modules.
  • NIST works with government, industry and standards bodies to speed the federal government’s adoption of cloud computing.
  • NIST develops measurement standards that underpin conformity assessment and improve product quality.
  • These standards support interoperability, portability and security requirements.
  • Meeting NIST standards is another way US Cloud provides a trusted hosting experience for our customers.

PCI Compliant Hosting

The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, is the card brands’ global standard for combating payment card fraud by placing controls around the storage, processing and transmission of cardholder data.

The PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. to increase security around payment account data while also raising education and awareness of the PCI Security Standards. PCI DSS compliance protects transaction data by following the security requirements set for account data protection.

Why is PCI Compliance important?

  • Secures any organization handling cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards.
  • Information security is pivotal for any business, particularly one dealing with e-commerce.
  • Compliance fosters trust and confidence in doing business with sensitive payment card information.
  • US Cloud’s hosting solutions are built to support your PCI DSS compliance. PCI DSS treats hosting as a shared responsibility: the provider is responsible for the controls it operates (for example physical security and the underlying infrastructure), while you remain responsible for the cardholder data your applications store, process and transmit, and your assessment should document which requirements each party covers.

IPv6 Compliant Hosting

IPv6 addresses the exhaustion of the IPv4 address space. IPv6 uses 128-bit addresses, giving 2^128 (about 3.4×10^38) addresses, or 7.9×10^28 times as many as IPv4’s 32-bit address space.

Developed by the Internet Engineering Task Force, Internet Protocol version 6 accommodates the ever-growing number of devices connecting to the internet. IPv4 allows only 4,294,967,296 unique addresses worldwide (fewer than one per person alive in 2012), whereas IPv6 provides roughly 4.8×10^28 addresses per person.

Why is IPv6 Compliance important?

  • It follows the U.S. federal (OMB) mandate that government public-facing services support IPv6.
  • US Cloud is IPv6 compliant with dual-stack capabilities, offering both IPv4 and IPv6. On a dual-stack host, firewall rules, access-control lists and monitoring must cover both protocols; a service filtered only by IPv4 rules remains reachable over IPv6.
  • With roughly 4.8×10^28 addresses per person, the IPv6 address space is effectively inexhaustible.

HIPAA Compliant Hosting

The Health Insurance Portability and Accountability Act (HIPAA) sets the national standards for the privacy and security of protected health information (PHI).

US Cloud’s HIPAA-compliant data center facilities provide secure cloud hosting for electronic health records and patient data. For hosting and records management the relevant part is the HIPAA Security Rule, which requires administrative, physical and technical safeguards for electronic PHI (ePHI); HIPAA also standardizes electronic health care transactions and identifiers for providers, health plans and employers. A hosting provider that stores or transmits ePHI on a covered entity’s behalf is a business associate and must sign a business associate agreement (BAA) before any PHI is placed in the environment; the agreement, together with the safeguards, is what makes the arrangement compliant, not the data center’s infrastructure alone.

Why is HIPAA Compliance important?

  • HIPAA regulations protect healthcare patients, their information and their coverage.
  • Electronic records reduce the volume of paper in the industry.
  • HIPAA’s transaction standards standardize electronic health care transactions and help coordinate insurance benefits and payments.
  • HIPAA helps eliminate health plan-specific reporting and filing requirements for hospitals.
  • HIPAA-compliant hosting places administrative, physical and technical safeguards around your data.

FDA Part 11 Compliance

Title 21 CFR Part 11 is the Food and Drug Administration (FDA) regulation that sets the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures.

Part 11 compliance applies to any organization that must meet FDA requirements for electronic records management: typically pharmaceutical manufacturers, biotechnology firms, medical device manufacturers, contract research organizations (CROs) and similar regulated entities. Its requirements include validation of the systems involved, secure and time-stamped audit trails, access controls, and controls over the use of electronic signatures.

Why is FDA Part 11 Compliance important?

  • Compliant records and signatures are accepted by the FDA as trustworthy and reliable.
  • Compliant electronic records and signatures can be treated as equivalent to paper documents and handwritten signatures.
  • Businesses can replace paper records and handwritten signatures with electronic ones to improve efficiency.
  • Compliant systems keep secure, computer-generated, time-stamped audit trails that record who created, modified or deleted a record and when, without obscuring previously recorded entries.

Cloud Security Alliance

US Cloud is an active member of the Cloud Security Alliance (CSA). As a member, US Cloud shares cloud security knowledge with the organization and its members so that threat information circulates faster. US Cloud also uses the Cloud Controls Matrix (CCM) as the standard control framework for its cloud security customers.

About CSA

The Cloud Security Alliance is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud—from providers and customers, to governments, entrepreneurs and the assurance industry—and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

CSA Milestones

  • Not-for-profit association, launched in April 2009
  • Issued the first comprehensive best practices for secure cloud computing, “Security Guidance for Critical Areas of Focus for Cloud Computing”
  • Created the first and only user credential for cloud security, the Certificate of Cloud Security Knowledge (CCSK), named the top cloud computing certification by CIO.com only three years after its introduction
  • Created and maintains the Cloud Controls Matrix (CCM), the world’s only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations
  • Maintains a registry of cloud provider security practices, the CSA Security, Trust and Assurance Registry (STAR), and offers certification and attestation

International Traffic in Arms Regulations (ITAR)

ITAR overview

The International Traffic in Arms Regulations (ITAR) is a U.S. government export regulation (22 CFR Parts 120–130) that covers the manufacture, sale, and distribution of defense and space-related articles and services on the United States Munitions List (USML). Administered by the U.S. State Department’s Directorate of Defense Trade Controls (DDTC), the regulation is designed to control access to specific types of technology and associated data.
ITAR primarily applies to defense contractors that manufacture and/or export products on the USML, but every company in the supply chain for such products must register with DDTC, obtain the appropriate export authorization, and meet ITAR requirements. The USML includes items that are specifically designed, developed, configured, adapted or modified for a military application, and the regulation covers the technical data and defense services relating to those items as well as the items themselves.

ITAR Requirements

ITAR restricts access to regulated technical data, regardless of its form, to U.S. persons; disclosing it to a foreign person, whether abroad or inside the United States, is treated as an export requiring authorization. A U.S. person is defined as a U.S. citizen, lawful permanent resident, protected individual (such as a refugee or asylee), U.S. government entity, or entity incorporated in the United States. All U.S. companies that manufacture or export items on the USML, or handle their technical data, must register with DDTC and obtain prior authorization before exporting USML items or technical data to a foreign person or government. Sending technical data to a U.S. person located outside the U.S., for example a U.S. employee stationed in another country, is also an export and requires a license or a qualifying exemption.

There are several types of export authorizations:

  • Foreign military sales (FMS) – in which the U.S. government sells items on the USML to a foreign government
  • Export license (e.g. DSP-5 for permanent exports, DSP-73 for temporary exports) – authorizes the export of hardware or technical data to a foreign person, but not defense services
  • Warehouse and Distribution Agreement – allows a company to establish a warehouse to export USML items to approved foreign entities
  • Technical Assistance Agreement (TAA) – authorization to provide defense-related services to foreign entities
  • Manufacturing License Agreement (MLA) – authorization to export manufacturing knowledge to a foreign entity

Technical data pertaining to items on the USML is regulated. Data covered by ITAR generally concerns the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. The regulation also covers software, including system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test, operation, diagnostics, and repair.

Hosting ITAR-controlled data in a cloud environment therefore calls for the following controls:

  • Controlled data is encrypted at all times using FIPS 140-2 validated cryptographic modules (FIPS 140-2 validates the module, not a particular algorithm), both in transit to the cloud and at rest on cloud storage.
  • The data owner maintains complete control over the encryption keys, and no personnel of the cloud service provider have access to them; without the keys the provider has no technical ability to disclose plaintext.
  • Only authorized U.S. persons can access controlled data.
  • Individuals are uniquely identified, and access to data is protected by strong authentication of the individual.
  • Individual access rights are reviewed routinely for ongoing need.
  • An individual’s access is promptly de-provisioned when it is no longer needed.
  • All data-access events are captured and logged for monitoring and reporting: who, what, when, and from where.
  • Notifications or alerts are sent to data owners or work-group members when a record or file changes.

EU Privacy Shield

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The Privacy Shield Framework replaced the US-EU Safe Harbor Framework in 2016. BBB EU Privacy Shield offers compliance assistance and independent dispute resolution services to U.S. companies adhering to the Framework. The Framework also provides a set of robust and enforceable protections for the personal data of EU individuals. It provides transparency regarding how participating companies use personal data, strong U.S. government oversight, and increased cooperation with EU data protection authorities (DPAs).

The Privacy Shield Framework offers EU individuals access to multiple avenues to address any concerns regarding participants’ compliance with the Framework. The Framework ensures a continuing level of protection consistent with Privacy Shield Principles when personal data collected under the Framework is transferred to third parties. The Framework also makes it easier for EU individuals to understand and exercise their rights.

US Cloud’s Privacy Policy


FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The program is governed in part by a Joint Authorization Board (JAB) consisting of the Chief Information Officers of the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA), which grants provisional authorizations that individual agencies can reuse.

FedRAMP benefits

  • Increase re-use of existing security assessments across agencies
  • Save significant cost, time, and resources – “do once, use many times”
  • Improve real-time security visibility
  • Provide a uniform approach to risk-based management
  • Enhance transparency between government and Cloud Service Providers (CSPs)
  • Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

DFARS Compliant

DFARS

DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires Department of Defense contractors and their subcontractors to protect covered defense information (CDI) in accordance with NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The two are often conflated as “DFARS compliance”: the DFARS clause is the contractual requirement, and SP 800-171 is the control set it points to. SP 800-171 groups its requirements into 14 families covering the confidentiality of controlled unclassified information, and meeting them is a condition of continuing to provide products and services to the DoD and its prime contractors.

Within those 14 families there are 110 security requirements, including audit logging and review of security-relevant events (family 3.3), multi-factor authentication for network access and for privileged accounts (3.5.3), FIPS-validated cryptography to protect the confidentiality of CUI in transit and on mobile devices (3.13.8, 3.13.11, 3.1.19), and documented policies together with a system security plan and plans of action for any unmet requirements (3.12.4). The DFARS clause additionally requires rapid reporting of cyber incidents affecting CDI to the DoD, within 72 hours of discovery.

HITRUST

The Health Information Trust Alliance, or HITRUST, is a privately held company located in the United States that, in collaboration with healthcare, technology, and information security leaders, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data.

The HITRUST CSF is a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.

Developed in collaboration with information security professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements.

By continuing to improve and update the framework, the HITRUST CSF has become the most widely-adopted security framework in the U.S. healthcare industry. This commitment and expertise demonstrated by HITRUST ensures that organizations leveraging the framework are prepared when new regulations and security risks are introduced.

  

Certified Ethical Hacker

A Certified Ethical Hacker is a skilled professional who understands how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner, to assess the security posture of those systems. The CEH credential certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective. The program’s stated objectives are to:

  • Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures
  • Inform the public that credentialed individuals meet or exceed the minimum standards
  • Reinforce ethical hacking as a unique and self-regulating profession

EnCase Certified Examiner

The EnCase® Certified Examiner (EnCE®) program certifies both public and private sector professionals in the use of Guidance Software’s EnCase computer forensic software.

Recognized by both the law enforcement and corporate communities as a symbol of in-depth computer forensics knowledge, EnCE certification illustrates that an investigator is a skilled computer examiner.

Computer Hacking Forensic Investigator

CHFI certifies individuals in the specific security discipline of computer forensics from a vendor-neutral perspective. The CHFI certification strengthens the applied knowledge of law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, security professionals, and anyone concerned about the integrity of the network infrastructure. A CHFI is expected to be able to:

  • Perform incident response and forensics
  • Perform electronic evidence collections
  • Perform digital forensic acquisitions
  • Perform bit-stream imaging/acquisition of digital media seized during an investigation
  • Examine and analyze text, graphics, multimedia, and digital images
  • Conduct thorough examinations of computer hard disk drives, and other electronic data storage media
  • Recover information and electronic data from computer hard drives and other data storage devices
  • Follow strict data and evidence handling procedures
  • Maintain audit trail (i.e., chain of custody) and evidence integrity
  • Work on technical examination, analysis and reporting of computer-based evidence
  • Prepare and maintain case files
  • Utilize forensic tools and investigative methods to find electronic data, including Internet use history, word processing documents, images and other files
  • Gather volatile and non-volatile information from Windows, macOS and Linux
  • Recover deleted files and partitions in Windows, macOS and Linux
  • Perform keyword searches including using target words or phrases
  • Investigate events for evidence of insider threats or attacks
  • Support the generation of incident reports and other collateral
  • Investigate and analyze all response activities related to cyber incidents
  • Plan, coordinate and direct recovery activities and incident analysis tasks
  • Examine all available information and supporting evidence or artefacts related to an incident or event
  • Collect data using forensic technology methods in accordance with evidence handling procedures, including collection of hard copy and electronic documents
  • Conduct reverse engineering for known and suspected malware files
  • Perform detailed evaluation of the data and any evidence of activity in order to analyze the full circumstances and implications of the event
  • Identify data, images and/or activity which may be the target of an internal investigation
  • Establish threat intelligence and key learning points to support pro-active profiling and scenario modelling
  • Search file slack space where PC type technologies are employed
  • File MAC times (Modified, Accessed, and Create dates and times) as evidence of access and event sequences
  • Examine file type and file header information
  • Review e-mail communications including web mail and Internet Instant Messaging programs
  • Examine the Internet browsing history
  • Generate reports which detail the approach, and an audit trail which documents actions taken to support the integrity of the internal investigation process
  • Recover active, system and hidden files with date/time stamp information
  • Crack (or attempt to crack) password protected files
  • Perform anti-forensics detection
  • Maintain awareness and follow laboratory evidence handling, evidence examination, laboratory safety, and laboratory security policy and procedures
  • Play a role of first responder by securing and evaluating a cybercrime scene, conducting preliminary interviews, documenting crime scene, collecting and preserving electronic evidence, packaging and transporting electronic evidence, reporting of the crime scene
  • Perform post-intrusion analysis of electronic and digital media to determine the who, where, what, when, and how the intrusion occurred
  • Apply advanced forensic tools and techniques for attack reconstruction
  • Perform fundamental forensic activities and form a base for advanced forensics
  • Identify and check the possible source/incident origin
  • Perform event correlation
  • Extract and analyze logs from various devices such as proxies, firewalls, IPSes, IDSes, Desktops, laptops, servers, SIM tools, routers, switches, AD servers, DHCP servers, Access Control Systems, etc.
  • Ensure that reported incident or suspected weaknesses, malfunctions and deviations are handled with confidentiality
  • Assist in the preparation of search and seizure warrants, court orders, and subpoenas
  • Provide expert witness testimony in support of forensic examinations conducted by the examiner

Certified Digital Forensics Examiner

The Certified Digital Forensics Examiner is a vendor-neutral certification that validates that cyber crime and fraud investigators know electronic discovery and advanced investigation techniques.

A Certified Digital Forensics Examiner grasps the methodology for conducting a computer forensic examination. They possess the forensically sound investigative techniques needed to evaluate the scene, collect and document all relevant information, interview appropriate personnel, maintain chain of custody, and write a findings report. The certification covers:

  • Forensic Examination
  • Tools of the trade
  • Seizure Concepts
  • Incident Investigation
  • Fundamentals of conducting an effective computer forensic examination
  • Electronic Discovery and Digital Evidence

GLBA Compliance

The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.

The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule), created under the GLBA to drive implementation of its requirements. The GLBA is enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.

  • Private information must be secured against unauthorized access
  • Customers must be notified of private information sharing between financial institutions and third parties and have the ability to opt out of private information sharing
  • User activity must be tracked, including any attempts to access protected records

The GLBA requires that financial institutions act to ensure the confidentiality and security of customers’ “nonpublic personal information,” or NPI. Nonpublic personal information includes Social Security numbers, credit and income histories, credit and bank card account numbers, phone numbers, addresses, names, and any other personal customer information received by a financial institution that is not public. The Safeguards Rule states that financial institutions must create a written information security plan describing the program to protect their customers’ information. The information security plan must be tailored specifically to the institution’s size, operations, and complexity, as well as the sensitivity of the customers’ information.
